Risk and Governance: 2023 Regulatory Challenges

Insights on board importance, risk management, and mitigating misconduct

"In today’s dynamic and ever-changing environment, new risks are constantly identified. Because of this, it is very easy and natural to focus our energy and resources on the hot topic of the moment. While it is important that we quickly assess the risk of these emerging threats, we must not lose sight of the basics. This will help ensure we maintain the effectiveness and integrity of our foundational risk and control environment."  —Kandace Heck, Chief Audit Executive, US Bank


Across all regulatory challenge areas, the importance of risk management and avoidance of “risk complacency” is vital to remaining in compliance with evolving regulatory landscapes and ensuring resiliency.

Explore here insights on Risk and Governance from the KPMG report Ten key regulatory challenges of 2023.


Board importance

Regulators will continue to look to demonstrable evidence of credible challenge and dynamic risk assessment and decisioning from both within and across the board and senior management. As part of these expectations (and as part of supervisory focus and evolving regulatory reporting), regulators will expect increased and formalized documentation, mapping, ownership, and ongoing testing and monitoring of controls.

Regulators will expect board and senior managers to:

  • Demonstrate board and governance domain skills (e.g., this is a key element of the SEC’s proposed climate and cyber rules).
  • Give Risk, Compliance, Information Security, and Audit stature comparable to other strategic functions, including in autonomy, empowerment, and visibility.
  • Integrate critical challenges (e.g., escalation procedures, actions initiated, decisions made, and proof of altered/terminated paths based on risk determinations) into risk and governance frameworks.
  • Focus on both novel, complex, long-term risks as well as basic, shorter-term risks (e.g., risks associated with the current rate outlook and mixed market signals impacting credit risk).


Risk management: Mission critical

Regulators will continue to focus on the robustness of the risk framework across all three lines of defense – as a part of rulemaking and as an ongoing theme in enforcement actions. This will include assessing whether risk and compliance programs across the enterprise are “geared” to current and emerging risks as well as sufficiently and appropriately resourced, including investment, funding, technology, and skilled staffing. Individual accountability and companies deemed to be “repeat offenders” will be a key focus of investigations and enforcements.

Companies will need to demonstrate:

  • Completeness of the risk framework across all risk pillars (e.g., credit, liquidity, operational, compliance) and to reporting expectations/requirements (e.g., climate risk management, SEC climate, ongoing examination responses).
  • Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and redundancy alternatives.
  • Planning for and mitigation of disruptive risks to functions of the organization (e.g., climate change, ongoing sanctions due to geopolitical conflicts, economic stability, cybersecurity threats).
  • Information governance processes and controls to protect the confidentiality and integrity of corporate and consumer data.
  • Agility to maintain effective risk management processes through significant change such as mergers, acquisitions, separations, and workforce shifts (retention/rollover).


Mitigating misconduct

Conduct risk and ethical business practices will take on additional importance as the importance of ESG grows. Regulators will look to the corporate culture and the investment in ethics and compliance programs to ensure they both reward compliant behaviors and accountability and deter misconduct. Areas of regulatory interest will include:

  • Proactive identification, voluntary disclosure, and remediation of misconduct.
  • Compensation program features, including incentives for compliance; accountability, clawbacks, and/or penalties for individuals contributing to the misconduct; and disclosure of the relationship between executive pay and financial performance (e.g., DOJ guidance, SEC disclosure rule; SEC listing standards rule).
  • Surveillance activities, including insider risk programs, that test and monitor for compliance with regulatory requirements and the firm’s code of conduct (e.g., use of authorized communications channels and devices, records retention and disposal requirements).
  • Customer protections, such as conflict of interest disclosure, best execution/best interest, use of MNPI, and outcomes related to the use of decisioning tools (algorithms, models, AI/ML).
  • New technology applications, including digital adoption, models/AI/ML, access authentication and validation.
Call to action: Risk and Governance

☑ Assess board and executive governance structure, skills and composition

☑ Develop and formalize board composition/education program to address critical and emerging risks

☑ Ensure demonstrable board and executive management critical challenge

☑ Actively surveil and mitigate conflicts of interest and conduct risks, particularly in new areas (digital adoption, models/AI/ML, etc.)

☑ Evaluate existing supervision and control testing coverage; explore methods to increase coverage (automation, methodology, etc.)

☑ Invest in automation, analytics, and process efficiencies

☑ Appropriately position, scale, and reward risk management
Ten Key Regulatory Challenges of 2023

Read our report for client perspectives, regulatory recaps, and actionable steps to help mitigate risk.

Connect with us

Amy S. Matsuo

Regulatory and ESG Insights Leader, KPMG US

+1 919-664-7100
Julie Gerlach

Partner, Internal Audit & Enterprise Risk, KPMG US

+1 704-371-8120
Cameron Burke

Principal, Advisory, FS Risk, Regulatory & Compl, KPMG US

+1 404-222-3139