For a long time, the established orthodoxy in financial services has been that risk is something to be avoided rather than embraced. This is how many of us interpreted the regulatory approach to risk-taking and risk management.
But this looks like it might be about to change. Regular commentary from the FCA, alongside the PRA’s new secondary objective on competitiveness and growth, reinforces a different emphasis: supporting responsible, managed risk to drive growth and innovation, enabled by outcomes-based regulation.
For Chief Risk Officers, this goes to the heart of how risk appetite is set, how decisions are supported, and how innovation is governed. Here at Jaywing, it made us wonder, how should CRO’s interpret the call for “smarter risk”?
How should CROs interpret the FCA’s call for “smarter risk”?
The smarter risk approach recognises that risk-taking can be accepted and, in some circumstances, encouraged. Of course, this requires a responsible and controlled approach. Where greater risk is taken, firms need to understand the consequences and have established ways of integrating the management of risk outcomes with risk mitigation.
This moves risk management away from a narrow focus on avoidance/mitigation and towards preparation and response. Rather than aiming to eliminate uncertainty, firms focus on how risks crystallise into events and how those events are managed within the organisation’s strategy and operating model. In doing so, firms also recognise that the opportunity cost of inaction can outweigh the risks associated with change, particularly as technology, interconnected systems, and speed introduce risks that cannot be managed in the same way they were a decade ago.
In this context, risk-taking becomes part of operational decision-making in addition to strategic risk appetite. This reflects the reality that firms are already exposed to new forms of risk as they adopt new technologies, data sources, and operating models. Choices about growth, innovation and capital deployment are taken with a view of potential outcomes and the firm’s ability to absorb and manage them – rather than assuming that existing controls alone will remain sufficient as the operating environment changes.
This is a different approach from treating risk as something to be kept at arm’s length, which becomes increasingly difficult as risk emerges from speed, scale, and interconnection rather than from discrete, controllable events. It requires risk leaders to engage earlier in strategic discussions and to support informed decision-making at the coalface, rather than acting solely as a control point. It also requires a cultural move toward greater acceptance of poor outcomes should they arise. Risk is inherently tied to both success and failure. The key is ensuring the successes outweigh the failures, and that organisations have the resources and resilience to manage the failures when they occur.
|
🔍Additional FCA articles worth a read: |
Regulatory myths that hold back innovation in decisioning
So, what actually holds firms back? In my experience, it’s these misconceptions:
Myth 1: Regulators only accept traditional risk approaches
A common belief is that regulators expect firms to rely solely on well-proven, traditional approaches to managing and measuring risk. These are methods that firms already have experience with and feel comfortable with.
Myth 2: Regulators are cautious about new tools and techniques
In practice, regulators are largely agnostic about the tools and methods a firm chooses to use. What matters is that appropriate risk assessments and controls are in place. Where that assurance exists, supervisors are comfortable with a wide range of technologies and analytical techniques.
Myth 3: Existing practices cannot accommodate new approaches
Often, the barriers to innovation are cultural. To adopt new systems and processes effectively, organisations need to have a flexible mindset and a willingness to work in different ways and try new things. This, in turn, unlocks the efficiencies and opportunities new approaches offer, whether that involves new software, advanced machine learning or generative AI. Trying to force something new into an inflexible legacy system rarely delivers the greatest benefits.
The biggest challenge is how firms present what they have done when deploying new technologies. Regulators need confidence that a new technology aligns with regulatory guidance. This is typically a communication issue rather than a technical one. It’s about developing an understanding of the tools and systems your organisation employs, their strengths and weaknesses, and being able to clearly articulate how you use them.
At Jaywing, this is a central focus when applying AI and machine learning. The analytical work itself is rarely the limiting factor. Providing clear documentation, evidence that the solution works and is regulatory compliant is what allows innovation to proceed.
Putting “smarter risk” into practice across governance and decisioning
A key feature of a smarter risk-appetite framework is formulating a risk appetite that works as a partner to a firm’s business plans rather than acting as its master. Appetite evolves dynamically as risks ebb and flow within the business environment, informing decisions rather than constraining them within fixed boundaries.
For that approach to work in practice, changes are needed in how governance, data, and decision-making operate day-to-day.
Action 1: Move beyond retrospective governance
Dashboards and reporting need to become more responsive. Regular governance forums, primarily informed by historic information, can be supplemented by (near) real-time reporting and forecasting-based, forward-looking decision support systems. Thus, providing both current and future views of how the business and its risks have and are developing, rather than relying on information that may already be weeks or months old.
Action 2: Bring the full business pipeline into scope
As systems become more complex and interconnected, attention needs to extend across all stages of the business pipeline. Risk assessment and decision-making depend on having the right data, of the right quality, available when needed, so that risk is understood as it develops rather than reconstructed afterwards.
Action 3: Reframe the CRO’s role in decision-making
With a culture of Smarter Risk, CROs can say “yes” more often and “no” a little less. This does not remove the need to understand the consequences of risk-taking, but it does involve accepting that some initiatives will not work as intended. A degree of failure has to be accepted if risk-taking is accepted as a BAU activity.
In this setting, the role increasingly includes managing risk events and mitigating risks in advance. The CRO moves beyond acting solely as a gatekeeper and plays a broader role as a strategic partner to the business, contributing to innovation and growth while maintaining an objective focus and a disciplined risk management approach.
The capabilities CROs need as risk leadership evolves
As risk leadership broadens beyond gatekeeping, the capabilities required of CROs and their teams change as well. This does not mean that CROs need to become technical specialists in all areas of the business. They do, however, need a working understanding of the capabilities and limitations of the technologies and analytical approaches being used within their organisation. This allows risk leaders to form their own view of where innovation is adding value and where the weaknesses lie.
As technology drives more complex and increasingly interconnected systems, CROs also need the ability to take a holistic, company-wide view. Innovation in one part of the business can have knock-on effects elsewhere. This is particularly true where systems, data, and decisioning are interdependent and utilise common tools across different business areas.
And, of course, the CRO is one member of a wider risk team. Ensuring the team as a whole has appropriate coverage of skills and knowledge is as important as the CRO’s own capability. This includes combining experience in risk, governance and control with an understanding of new technologies and business processes.
From regulatory intent to competitive advantage
The FCA’s emphasis on responsibly managed risk, together with the PRA’s formal competitiveness and growth objective, reflects a wider recognition that growth, resilience, and customer protection are closely linked. Outcomes-focused regulation places greater weight on judgment, evidence, and how firms respond when risks crystallise, rather than on stringent adherence to inflexible policies.
For CROs, this creates an opportunity.
A dynamic risk appetite that evolves alongside the business, governance that reflects current conditions, and teams equipped to assess new approaches all play a part. Together, they allow firms to move with confidence while retaining discipline.
At Jaywing Risk, this is the space we work in every day: helping firms translate regulatory intent into practical, defensible approaches across credit risk, fraud risk, and decisioning. For CROs prepared to engage early and lead from the front, smarter risk provides a route to growth that remains firmly grounded in control. Get in touch to learn how we can help.
You may also like: