Looking ahead to the rest of 2025, with Justin Elks from Crowe Consulting;
Risk and Compliance
Cost pressures on risk and compliance management have continued. Our risk and compliance efficiency and effectiveness survey revealed that most CROs have been asked to look at these costs over the last three years. We expect this pressure to continue through 2025. However, this presents both a challenge and an opportunity if approached strategically.
Designing risk and compliance solutions to meet regulatory requirements doesn’t add business value and may not even deliver regulatory outcomes. Simply layering processes to meet regulations and then simplifying is inefficient. After all, the intention of principles-based regulation is to enable organisations to be driven by what is right for them, rather than rigidly following rules. Business processes should be used to support senior management and senior management functions (SMF) holders’ ability to choose the right path for the organisation given the regulatory intentions.
In 2025, CROs should continue to evolve risk management frameworks to reflect emerging trends and support efficient risk oversight. This includes embracing AI, improving IT risk conversations, and integrating opportunity analysis into risk frameworks. There is a lot more that can be achieved by clarifying roles and responsibilities beyond the risk and compliance function and involving the broader organisation.
The regulatory landscape presents multi-faceted challenges of implementing key frameworks like Solvency UK, adapting to evolving requirements such as liquidity, meeting deadlines on operational resilience, and continuing the journey of existing requirements around supplier risk management and consumer duty. Meeting these challenges requires prioritisation and a strategic perspective.
Sustainability
Our 2024 view on integrating sustainability into underwriting remains relevant. In 2025, we expect to see a broader focus on sustainability operating models, as highlighted in our sustainability operating model survey findings. This should enable organisations to be clear on the upside of sustainability through product innovation, e.g. transition related risk transfer solutions, or other means. We’ll be reporting on our second survey of operating models later in 2025.
Transition plans are becoming mainstream, yet our insurer survey revealed a gap: few have draft transition plans in place, though many plan to work on them voluntarily in 2025. This will coincide with regulatory developments, such as the PRA’s updated guidance on climate change risk management, making 2025 a valuable year for businesses to test transition strategies.
Biodiversity and nature are gaining attention, though it’s still early days. Encouragingly, these topics are framed similarly to climate, with insurers beginning to explore practical approaches and identifying priority areas for action.
Enterprise resilience
1 April 2025, marks the start of the post-deadline phase for operational resilience. The challenge of tracking and documenting changes to the business operations and its impact on operational resilience readiness also starts. We envisage organisations continuing to strengthen the identification of vulnerabilities through enhanced scenario testing in 2025. It is important that the annual board attestation is seen as an opportunity to prioritise further enhancements.
However, we also sense a wider focus on enterprise resilience. The main differentiator with operational resilience is the focus on building response capabilities. The continuing regulatory interest in outsourcing and supplier risk management (SRM) is part of that trend, including the pragmatic consideration of critical third parties with ‘too big to fail status’. On outsourcing and SRM, we see renewed efforts to enhance frameworks, including materiality criteria, application to fourth parties and consideration of business continuity planning and exit strategies.
Digital operational resilience, particularly in relation to DORA, and cybersecurity are also becoming central to enterprise resilience. Many UK organisations are impacted by DORA as providers of IT services to EU businesses and are seeking to manage DORA efficiently alongside operational resilience. On the cybersecurity front, there’s growing concern about insider threats and increased focus on people-related risks and training.
Data, analytics and AI
Data, analytics and AI continue to evolve rapidly, but the challenge is making sense of these developments pragmatically. Like electricity, the full adoption of AI will take time.
A major issue remains the disconnect between business professionals and AI experts, which can result in either misuse or underutilisation of AI. Bridging this gap is critical for effective AI implementation.
While generative AI and productivity tools are in the spotlight, there are often simpler, more reliable data analytics solutions that are cheaper and easier to implement.
The abundance of frameworks for AI best practices can overwhelm business leaders. Aligning AI with existing model risk management (MRM) practices could provide a more intuitive and unified control environment.
Change and transformation
Operating models are changing to reflect changing consumers’ needs and technologies. We expect to see an increased focus on change and transformation, reflecting the regulatory focus on enterprise resilience and sustainability. The challenge lies in embedding these priorities into everyday operations while ensuring sustainability in a business-as-usual (BAU) environment. This must take full consideration of the impact on functions’ roles, data and systems.
We also see ongoing reviews of Governance, Risk, and Compliance (GRC) tools to support a more integrated approach to sustainability, operational resilience, and risk management.
AI should go beyond enhancing user experience and should drive cross-functional transformation. It will require assessing capabilities and reimagining existing roles, such as how AI can support underwriters.
In the Lloyd’s market, uncertainty around the delayed Blueprint 2 project continues. Stakeholders must understand the potential wider impacts on operating models and take mitigating steps accordingly.
Cyber security
In an increasingly digital and interconnected world, cybersecurity continues to pose a significant threat; ransomware remains a significant threat. While AI enables more effective cybersecurity tools, criminals are also using AI to increase the speed and sophistication of attacks.
Recent cyber incidents have highlighted the importance of securing supply chains, leading organisations to focus on assessing third-party cybersecurity practices. Enhancing cyber response capabilities, particularly through regular testing of incident response plans, is also a growing priority.
Technology
Cloud transformation remains a priority for many – moving from traditional data centres to cloud architecture and focusing on modernising applications to leverage cloud tools. This is partly driven by the persistent skill gaps across tech functions.
We are seeing more interest in transitioning to modern application architecture, where the organisation retains the capability to update the front-end application and outsources the infrastructure management to a third party to enable rapid product deployment and enhance operational efficiency.
Data, cyber, and regulatory requirements continue to drive the need for technology transformation to keep up with the evolving landscape.
While sustainability is on the rise, green technology has yet to become a significant focus – something for 2026 perhaps.