Industry
Banking
Banking Services Transformation: Unlocking Exponential Value
Highlights
- Geopolitics has made resilience a board-level priority, and financial services must protect critical services amid regulatory fragmentation, cyber escalation, and disruptions to market infrastructure.
- Move from siloed operational/cyber programs to integrated resilience—connect people, facilities, technology, third parties, and data to manage service-level impact in “severe but plausible” scenarios.
- Use automation and agentic AI to scale resilience—through continuous monitoring, faster crisis decision-making, and better dependency and stress testing — to reduce downtime and customer impact.
On this page
On this pageinpage
Resilience strategy
The world today looks and feels vastly different to a decade ago. Economic and security risks have converged, and business decisions are increasingly viewed through a geopolitical lens. This marks a shift from traditional risk frameworks, which were designed for market volatility — not the speed and complexity of today’s global disruptions. Geopolitical shocks are now reshaping entire industries, supply chains, and corporate strategies.
While all industries are affected, financial services face distinct risks. Digital currencies are disrupting traditional payments, regulatory fragmentation is complicating compliance, and cyber threats to infrastructure, such as the Society for Worldwide Interbank Financial Telecommunication. (SWIFT) are intensifying. Executives must now manage not just market and credit risks, but also an increasingly varied set of non-financial risks and geopolitical pressures that extend beyond purely commercial concerns.
As risks evolve, global firms must strengthen resilience strategies to protect critical services and limit customer impact. Despite ongoing uncertainty, leaders and boards can take proactive steps, and this paper outlines key areas they should prioritise:
- Operational and Cyber Resilience to Integrated Resilience
- Third-Party and Supply Chain Resilience
- Crisis Management and Response
- Automation and Agentic AI Infusion
Integrated Resilience
Operational and Cyber Resilience to Integrated Resilience
Regulatory focus on operational resilience has now evolved to emphasise minimising customer service disruption in severe but plausible scenarios, with global regulators expecting firms to maintain essential services even amid geopolitical events. To meet these regulatory principles, organisations must establish a baseline that determines the viability of critical services and connects resilience across people, facilities, technology, third parties and supply chains.
With geopolitical tensions intensifying the cyber threat landscape, boards must recognise that organisations may be targeted for more than financial gain. To mitigate these risks, firms should adopt threat intelligence that links cyber activity with geopolitical developments, enabling defence strategies that anticipate state-sponsored attacks.
Amid evolving regulations, organisations often struggle with siloed operations that hinder progress. Integrating processes and technology can enhance efficiency, support regulatory objectives, and enable effective management of critical business services across multiple legal entities.
Integrated resilience provides a holistic approach to managing risks and enhancing an organisation’s ability to withstand, adapt to, and recover from disruptions. A comprehensive, cross-functional approach aligned with the organisation’s resilience framework covers Information and Communication Technology
(ICT) dependencies, third-party and supply chain risks, data analytics, and technology integration, enabling effective monitoring and management of service-level impact. Data is critical to managing emerging risks, and regulators closely monitor how it informs impact assessments.
Benefits of Integrated Resilience
Figure 1: Benefits of Integrated Resilience
Considering the regulatory drivers and future state of integrated resilience, it is now an imperative for organisations to:
- Leverage service-level data and dependency information to assess vulnerabilities under severe but plausible scenarios.
- Adapt business continuity plans to address combined threats, including geopolitical risks, and define impact tolerances.
- Diversify technology capabilities with redundant networks and data centres to maintain critical service continuity.
- Plan geographically, ensuring critical workforce coverage across jurisdictions.
- Invest in real-time operational monitoring to track external dependencies, such as banks, payment systems and market infrastructure.
- Connecting early warning systems to geopolitical intelligence sources for proactive risk monitoring.
Supply Chain Risks
Third-Party and Supply Chain Resilience
In today’s dynamic supply chain ecosystem, geopolitical tensions can also create significant operational shocks.
Consider that an organisation’s core banking platform service provider:
- is provisioning the services from a country which goes under sanctions overnight, or
- is under a state-sponsored cyber-attack and is unable to provide any services.
What can be their contingency?
In November 2024, HSBC bank stopped all personal banking payments originating in Russia, following international banks withdrawing due to sanctions related to the Russia-Ukraine war. Specifically, HSBC ceased processing payments via Russia’s domestic Mir System, a third-party network outside global networks such as Visa and Mastercard.
For Banking, Financial Service, and Insurance (BFSI) risk leaders, the challenge is not just identifying geopolitical third-party risks but anticipating their layered impact on operational resilience and customer trust. Without programs aligned with this reality, options are limited in a crisis.
Timely identification of geopolitical warning signals helps protect operations. Integrating these into third-party risk management frameworks mitigates risks from economic and political uncertainties.
Let’s look at some of the key risks when dealing with a geopolitical scenario, their impact and what financial institutions can do about them:
Figure 2: Third Party Risk Management – Geopolitical Impact & Mitigation Strategy
Effective Crisis Response
Crisis management and response have long been a priority, but integration with enterprise frameworks and alignment to business services remains underdeveloped. Tabletop exercises are often skewed toward technology and cyber scenarios, governed by risk teams in a rigid pass-fail format, and they struggle to scale to today’s integrated business services. Too often, they become check-the-box exercises instead of true drivers of resilience and risk capability.
With the evolving regulatory view and dynamic geopolitical environment, organisations should consider:
- Uplifting incident and crisis management framework — aligned to operational resilience parameters (in line with critical service tolerances).
- Review 1st and 2nd line scenario and tabletop-wargame governance. Rigid governance chokes meaningful analysis—for these exercises, it should be flexible, enabling learning rather than check-the-box.
- Severe but plausible and severe and actual scenarios – with the objective of proactively identifying key service level vulnerabilities.
- Risk intelligence (beyond cyber) is at the core across all business lines, so that risk is managed effectively with current and centralised data feeds for rapid decision-making.
- Rebalancing scenarios from ‘Cyber Threat’ to include broader scenarios which require recovery support from wider crisis management teams.
- Develop a testing regime for the most critical processes across business and technology.
- Board-level accountability and investment: Scenarios, identified risks, remediation plans, and continuous updates.
- Interconnected domains such as supply chain, technology risk, cyber and Information Technology Service Management (ITSM) frameworks should be factored into the testing regime; provide end-to-end assurance.
Automation and AI Infusion
Resiliency processes (across all domains) are being transformed with the rise of agentic AI systems capable of autonomous decision-making and task execution. Where conventional AI systems analysed data or made recommendations, GenAI/ agentic AI acts by automating aspects of planning and monitoring, such as helping to anticipate geopolitical risks, stress test scenarios and manage critical dependencies to maintain service continuity amid global uncertainty. Preliminary outcomes from Proof of Concept (POC) studies hint at productivity and accuracy benefits of approximately 40-60% across various use cases, which is expected to improve as the quality of the underlying data improves.
By combining agentic AI with resources freed from manual tasks, organisations can focus on critical risk discussions and drive greater strategic value. Additionally, GenAI/agentic AI is likely to drive value across key resiliency domains, which include but are not limited to:
Scale and complexity: Autonomously manage and monitor extensive data points across various business services, including people, facilities, technology, third parties, supply chains and impact tolerances. For example, GenAI can autonomously manage and monitor complex ecosystems at scale and process vast amounts of structured and unstructured data to extract actionable insights during high- impact scenarios such as geopolitical events.
Speed and responsiveness: Decision-making is vital, especially during incident and crisis management events. Agentic AI enables real-time decisions based on accurate, complex data to reduce downtime and improve customer service. For example, during times of disruption, GenAI can be utilised to communicate with customers in multiple languages, and agentic AI could be leveraged to automatically process customer complaints to avoid breaches of service-level impact tolerances.
Cybersecurity threats - Detect and respond to cyber threats faster than human teams, improving containment. For example, AI agents can provide deep insights during times of uncertainty by scanning key systems to identify vulnerabilities aligned with business impact and be programmed to support the restoration of non-critical systems and to generate remediation plans for critical applications and infrastructure.
Conclusion
In a dynamic environment where geopolitics can reshape markets, operational resilience is a necessity, enabling organisations to thrive amid unforeseen events. We summarise the key outlined focus areas for consideration as executives navigate through this period of uncertainty.
- Develop a roadmap to integrate resilience: Continue to uplift resilience framework capabilities.
- Shift from traditional risk management: Invest in scenario planning and pre-mortem for ‘unthinkable’ events.
- Proactive continuous monitoring: Use AI-driven systems to detect and adapt to evolving threats.
- Eliminate single points of failure: Diversify critical staff, data centres and suppliers.
- Adapt to change and permanent uncertainty: Embed resilience by design across organisational change and continuously evolve practices.
- Industry collaboration: Engage peers to address interconnected threats and implement mitigation strategies.