Showing posts with label Management. Show all posts
Showing posts with label Management. Show all posts

S/4HANA Role Redesign: Fix Segregation of Duties Before Go-Live or Pay the Audit Bill After

 

Why Privilege Creep Kills SAP Migrations Before the First Production Transaction Runs

Article by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor

Top 10 Responsible AI and Risk Management by Thinkers360Your migration to SAP S/4HANA is six months out. The project team is focused on data migration, Fiori tile configuration, and cutover planning. Meanwhile, 847 user roles built across eight years of organizational changes, job transfers, emergency firefighter access, and M&A integrations are being lifted wholesale into the new system. Nobody has reviewed them. Nobody has mapped them against the new S/4HANA authorization model. And your external auditors are already asking for the SoD conflict report.

This is the standard failure mode. And it is expensive to fix after go-live.

Migrating unremediated ECC roles into S/4HANA production does not just inherit old access risk. It amplifies it. S/4HANA's simplified data model, new Fiori authorization objects, and transaction replacements create net-new SoD conflicts from role content that was previously clean.

This article gives you the technical remediation workflow to stop that from happening. It covers the SAP-native tools, the sequencing logic, the role design architecture that prevents re-accumulation, and the automated tooling that makes the process viable at enterprise scale.


Why S/4HANA Breaks Your Existing SoD Matrix

SAP S/4HANA fundamentally changes the authorization landscape. This is not an incremental upgrade. The SAP S/4HANA Simplification List documents thousands of transaction replacements, program removals, and process consolidations. Transactions you built roles around in ECC no longer exist, have merged into Business Partner (BP) transactions, or now trigger different authorization objects entirely.

The most visible examples: XD01 and XK01, the customer and vendor master maintenance transactions, are replaced by the SAP Business Partner transaction BP. Any role that controlled access through those old transactions now either fails to control the equivalent S/4HANA function or, worse, grants broader access than intended because the authorization check structure has changed.

SAP Community analysis of S/4HANA security landscape changes confirms that SoD matrices built for ECC become unreliable after conversion. The conflict rules reference transactions that no longer exist, miss new authorization objects introduced in S/4HANA, and fail to account for Fiori app authorizations that bypass the traditional transaction-based access model.

This is not a configuration problem. It is a design-time engineering problem.


What Privilege Creep Actually Looks Like at Migration Time

Privilege creep is the accumulation of access rights that users no longer need. It happens across three vectors in most enterprise SAP environments.

First, job transitions. When a user moves from accounts payable to controlling, they get new access. The old access rarely gets removed. After five years and three job changes, that user holds access spanning procurement, finance, and HR, a combination that violates SoD in ways no single access request ever triggered.

Second, project-based access. Implementation projects, year-end processes, and audit support cycles generate temporary elevated access. Firefighter IDs get reused. Temporary roles become permanent. Emergency access granted during a system outage in 2021 is still active in 2025.

Third, role sprawl. When role designers copy existing roles rather than build from a business capability model, each copy carries forward every transaction and authorization value from the original. Over years, roles accumulate dormant transactions that nobody uses but that still represent active access rights from a SoD perspective.

By the time an S/4HANA migration project starts, a mid-sized SAP environment typically carries hundreds of roles where 30 to 50 percent of assigned transactions have zero usage in the prior 12 months. 

Migrating roles with unused transactions into S/4HANA does not just carry old risk forward. In some cases, S/4HANA's new authorization objects cause those dormant role contents to map to broader access than they did in ECC. A transaction that was harmless in ECC may activate a wider authorization check in S/4HANA.


The SAP-Native Remediation Workflow: SU24, SUIM, and PFCG in Sequence

You do not need a third-party tool to start. SAP provides three native transactions that, used in the right sequence, give you a complete picture of your current access exposure before you touch a single production role.

Step 1: Use SUIM to Inventory Current Access

The SAP User Information System, transaction SUIM, is your starting point for understanding who has what access across the landscape. SUIM lets you query users by role, by authorization object, by transaction, and by combinations of those dimensions.

Run four reports at minimum before remediation begins. Pull all users with access to posting transactions (FB01, VF01, MIGO) combined with approval transactions in the same process area. Pull all users with access to sensitive BASIS transactions such as SU01, SU10, and SE16N. Pull all roles that include more than 150 active transactions, which is a strong indicator of over-provisioned design. And pull all user-role assignments where the last logon date is more than 90 days ago, which surfaces dormant accounts that should be disabled before migration.

SUIM does not tell you whether combinations are SoD violations. It tells you the raw access landscape. That data feeds your SoD analysis.

Step 2: Identify SoD Conflicts Against a Current Ruleset

Your SoD ruleset must reflect S/4HANA transactions, not ECC transactions. If you are using a GRC Access Control ruleset that was last updated during your ECC 6.0 implementation, it will miss conflicts introduced by S/4HANA's process changes. Update the ruleset first, then run the conflict analysis against the SUIM output.

SAP GRC Access Control provides the standard enterprise framework for this analysis. It maintains business process rule libraries, maps conflicting function pairs, and generates conflict reports by user, role, and profile. For organizations without GRC, the same analysis can be run manually using SUIM data cross-referenced against a documented SoD matrix, but at enterprise scale that is not a sustainable approach.

Research from Gutesman et al. on real-time SoD conflict detection establishes the theoretical basis for pre-runtime SoD checking: identifying violations before they are committed to production is significantly less costly than detecting and remediating them after user provisioning is complete. The same principle applies to migration projects.

Step 3: Correct Authorization Defaults in SU24

Before you rebuild roles in PFCG, fix the authorization defaults that PFCG uses as its source of truth.

Transaction SU24 maintains the default authorization objects and their proposed values for each transaction code and each Fiori application. When a role designer adds a transaction to a role in PFCG, PFCG reads SU24 to know which authorization objects to include and what default values to propose.

If SU24 defaults are incorrect, every role built from them inherits the error. In S/4HANA migrations, SU24 defaults for replaced or new transactions may not reflect your security requirements. Review SU24 for every transaction in scope, particularly for Fiori apps that were not present in your ECC system. Set proposal indicators correctly. Mark authorization objects that should always be checked. Remove defaults for authorization objects that your policy excludes.

This step is frequently skipped in migration projects under time pressure. That decision consistently produces roles where authorization checks are either missing or over-permissive, because PFCG built them from uncorrected defaults.

Step 4: Rebuild Roles in PFCG from Business Capabilities

Do not copy roles from ECC. Build them from business function definitions.

SAP's role maintenance transaction PFCG is where roles are constructed, maintained, and generated. A role built correctly in PFCG contains only the transactions and authorization objects required for a defined business function, with org-level values appropriate to the user population.

Use a three-layer architecture. Single roles contain the smallest functional unit, such as "Create Purchase Order." Composite roles bundle single roles into job profiles, such as "Procurement Clerk for Plant 1000." Derived roles replicate the design of a master role across different organizational units without duplicating the permission structure.

This architecture limits role count, simplifies audit reporting, and makes future modifications predictable. When a business function changes, you modify one single role, and the change propagates to every composite and derived role that references it.

Step 5: Validate and Test Before Cutover

After rebuilding roles, run the full SoD conflict analysis again against the new role set. Confirm that all high-priority conflicts identified in Step 2 are resolved. Then run authorization trace analysis, using SAP transaction ST01 or the authorization check framework documented in SAP's authorization evaluation documentation, to confirm that users can complete their required business processes without hitting authorization failures.

SAPinsider's analysis of go-live security sequencing makes the cost case clearly: remediating SoD conflicts before cutover costs a fraction of the effort required after production users are live and dependent on incorrect access. Post-go-live remediation also introduces operational risk, because correcting over-permissive access in production can break business processes that users have already built workarounds around.


When to Start the Role Work: A Sequencing Framework

The timing question is not primarily a technical decision. It is a resource and risk decision.

Before the S/4HANA Project Starts

For organizations with large, complex role landscapes, start role remediation before the S/4HANA project formally begins. This phase focuses on ECC cleanup: removing unused transactions, resolving existing SoD conflicts, standardizing role naming and structure, and establishing the governance model that will govern the S/4HANA design.

Starting early means the S/4HANA project inherits a cleaner baseline. It also means the project team can focus on S/4HANA-specific changes rather than simultaneously debugging both legacy role problems and new S/4HANA authorization requirements.

The main cost argument against early start is that some role work done in ECC will need to be redone when S/4HANA-specific transaction changes are applied. That is true. It is still cheaper than the alternative.

During the S/4HANA Project

Once the S/4HANA development system is available, apply the migration-specific changes. Map ECC transactions to their S/4HANA equivalents using the Simplification List. Add Fiori app authorizations. Test role content in the S/4HANA environment, because authorization behavior can differ from ECC even for transactions that exist in both systems.

This phase should address only S/4HANA-specific changes if the pre-project cleanup was done correctly. If it was not, this phase will be significantly more complex and will compete for time with every other workstream in the project.

After Go-Live

Post-go-live role work should cover edge cases, fine-tuning based on actual user behavior, and deferred items that were explicitly scoped out. It should not be the primary remediation phase. Organizations that defer SoD remediation until after go-live consistently face audit findings within the first annual review cycle.


The Non-Human Identity Problem in SAP Authorization

Role design discussions in SAP environments almost exclusively focus on human users. This is increasingly the wrong frame.

Modern SAP landscapes run significant automated workloads: interface users for middleware connections, batch users for background job execution, RFC users for system-to-system communication, and service accounts for cloud integration platforms. These non-human identities frequently hold broad authorizations granted during implementation and never reviewed since.

Research by Poreddy on non-human identity governance frameworks establishes that traditional role-based access control and HR-driven lifecycle models are structurally inadequate for managing machine identities. These accounts do not have managers who receive access review requests. They do not appear in HR offboarding workflows. They accumulate permissions across system upgrades without anyone noticing.

In S/4HANA migration projects, interface and batch accounts are typically migrated without review because the migration team is focused on human user profiles. Those accounts then exist in production with ECC-era authorizations that may map to broader S/4HANA access than was intended.

A batch user account with S_TABU_DIS access to table maintenance in ECC may, in S/4HANA, gain access to new configuration tables that did not exist in the source system. The authorization object and its values are identical. The scope of access has expanded.

The remediation approach for non-human identities follows the same SUIM-SU24-PFCG sequence used for human users, with one addition: every non-human identity should have a documented owner, a defined technical purpose, and a review cycle independent of HR processes. That governance structure is absent in most SAP environments today.


Automated Role Design: Where Authorization Architect Fits

At enterprise scale, manual role redesign is not a viable path. A large SAP environment with 2,000 or more roles, multiple system landscapes, and a six-month migration timeline needs tooling that automates the mechanical steps while maintaining human control over design decisions.

Transaction Usage Analysis as the Design Evidence Base

Authorization Architect uses Transaction Archive tool to analyze actual SAP execution history across the landscape. The recommended observation window is 13 months, long enough to capture a full annual business cycle plus overlap for month-to-month variation. This matters because role cleanup based on shorter windows risks removing access that is genuinely needed but only exercised during annual processes such as year-end close or tax reporting.

The analysis outputs a fact-based view of which transactions in each role are actually used, which are dormant, and which appear only in role definitions but have never generated an authorization check in production. This replaces assumption-based role cleanup with evidence-based redesign.

Performance: the Transaction Archive analysis typically completes in under two minutes for standard role sets, often in seconds. Present this as an operational benchmark for interactive review sessions, not as a contracted service-level commitment.


Authorization architect user dashboard

SoD Screening Before Role Creation

Authorization Architect runs SoD analysis against the proposed role design before the role is built, not after it is assigned to users. This is the architecturally correct sequence. Detecting a conflict in a role proposal costs nothing. Detecting the same conflict in a production role assigned to 200 users costs weeks of remediation effort.

The SoD check uses a functionality against either the client's existing ruleset or the default library. It covers sensitive transaction checks as well as function-pair conflicts. The result is visible to role designers before they submit the role for approval.

Basin et al.'s foundational work on dynamic enforcement of separation of duty constraints established that workflow-independent SoD policy enforcement, applied at design time rather than runtime, provides the most effective compliance architecture. Authorization Architect's pre-creation SoD check applies this principle directly to SAP role engineering.

Workflow Approvals Embedded in the Role Build Process

Authorization Architect routes role proposals through a structured approval workflow. Role operators create proposals and submit them for review. Role owners, the business stakeholders responsible for role content, receive pre-populated approval requests showing the proposed transactions, org levels, and SoD analysis results. Role approvers authorize composite roles for production deployment.

This three-tier structure, operators, owners, approvers, enforces the separation of design and approval duties that most SAP security governance frameworks require but few organizations actually enforce technically.

Automated Role Build Beyond SU24 Recommendations

When a role proposal clears the approval workflow, Authorization Architect builds the role automatically. This includes naming and description, role long text, structured role menu, org level definitions, and the full authorization object set. It generates master and derived role pairs and creates standalone maintain, display, and composite job roles as appropriate for the design.

The automation goes beyond what SU24 recommends. It applies the organization's naming standards, incorporates the corrected SU24 defaults from the remediation workflow, and produces consistent role content regardless of which team member runs the build. That consistency is critical for audit purposes and for future maintenance.

Migration Provisioning for S/4HANA Transaction Replacements

For migrations specifically, Authorization Architect's Migration Provisioning feature maps ECC transactions in existing roles to their S/4HANA equivalents using the Simplification List. Where a transaction no longer exists in S/4HANA, the tool suggests the replacement. Where a transaction remains, it flags it for testing confirmation.

This is the systematic approach to the XD01-to-BP and XK01-to-BP problem described earlier. Instead of manually tracing each transaction through the Simplification List, the tool processes the full role inventory and produces a remediation plan showing every impacted transaction and its proposed resolution.


Authorization Governance After Go-Live: Sustaining What You Built

Role redesign before go-live solves the migration problem. It does not solve the ongoing governance problem.

Access accumulates again after go-live. New projects generate emergency access. Organizational changes produce new provisioning requests. Integrations add non-human identities without formal review. Within 18 to 24 months of a well-executed migration, many organizations are back to a state of meaningful privilege creep if they have not built the governance infrastructure to prevent it.

Bhatia's research on AI-driven compliance architecture in S/4HANA transformations identifies continuous surveillance and dynamic regulatory data feeds as the structural components that prevent post-go-live compliance drift. The point is sound: compliance-by-design at migration time creates the clean baseline, but sustaining it requires automated monitoring that catches new violations before they accumulate into systemic risk.

The practical controls to build into your post-go-live governance model are direct:

Connect provisioning workflows to HR triggers. Every hire, job change, and termination should automatically generate an access review or modification request. Access that does not get reviewed on a triggered basis will not get reviewed.

Run quarterly access reviews for critical roles and high-risk users, not annual reviews. Annual reviews are too slow to catch the accumulation patterns that create material audit exposure.

Use transaction usage data from the production system, the same data that Authorization Architect analyzes at design time, as your ongoing evidence base for access review decisions. Roles with significant unused transaction populations after six months of production operation should be flagged for cleanup.

Set automated deprovisioning rules for dormant accounts. Accounts that have not logged in for 90 days should be flagged. Accounts inactive for 180 days should be disabled, pending review.

Treat non-human identity governance as a separate program, not a subset of human user access management. Document every interface user, batch user, and RFC user with an owner, a technical purpose, and a review schedule. Review those accounts on the same quarterly cycle used for privileged human users.


A Concrete Example

Procurement SoD Remediation Before Cutover

A North American manufacturing company with 4,200 SAP users and 1,800 roles began its S/4HANA migration with a SUIM-based access inventory. The analysis identified 23 users in the procurement organization who held simultaneous access to purchase requisition creation (ME51N), purchase order approval (ME29N), and goods receipt posting (MIGO). All three functions in one user profile is a textbook SoD violation covering the full procure-to-pay cycle without any compensating control.

Further analysis showed that 14 of the 23 users had accumulated this combination over time through separate access requests, each individually approved, none evaluated against the combined access picture. The remaining 9 held roles that had been copied from a prior template without SoD review.

The remediation sequence: SUIM identified the population. SoD analysis confirmed the conflict severity. Role redesign in PFCG split the three functions into separate single roles, assigned to different user populations with clear functional separation. Authorization Architect ran SoD screening against each redesigned role before build. The three composite roles were approved through the workflow process and built automatically.

Total elapsed time from analysis to production-ready roles: four weeks. The same remediation started post-go-live, with 4,200 live users dependent on their current access, would have required business sign-off on access removal for active users, parallel testing to prevent process disruption, and a change management effort to explain why users were losing access they had held for years. The post-go-live version of the same work typically takes three to five months.


Key Failure Modes to Avoid

Copying ECC roles into S/4HANA without transaction mapping. Copied roles carry every legacy transaction, including those that no longer exist or have changed authorization behavior. This produces both access gaps (missing S/4HANA functions) and access excess (dormant ECC transactions that now trigger different authorization checks).

Running SoD analysis after user provisioning, not before role creation. Post-provisioning SoD analysis identifies conflicts but requires user-level remediation, which is operationally disruptive and business-politically difficult. Pre-creation SoD analysis stops conflicts from entering the design.

Treating non-human identities as out of scope for migration role review. Interface, batch, and RFC users carry real access risk. Their authorizations should be reviewed against the S/4HANA authorization model with the same rigor applied to human user roles.

Deferring SoD remediation to post-go-live. The cost differential between pre-go-live and post-go-live remediation is not linear. Post-go-live remediation competes with operational support, requires business process testing to avoid disruption, and generates audit findings in the first review cycle if not completed quickly.

Using Authorization Architect as a role-copy factory. Automated role build accelerates execution. It does not replace design judgment. Automation run against an uncorrected business function model or a flawed SoD ruleset produces wrong roles faster.


What to Do Next

If your S/4HANA project is in planning, start the SUIM inventory now. Pull the four reports described in Step 1 of the remediation workflow. That data will tell you the scope of your remediation problem before the project schedule is locked and the role work gets compressed into the final two months before cutover.

If your project is already underway, the same analysis applies with more urgency. Get SUIM data, run SoD conflict analysis against a current ruleset, and prioritize the highest-severity conflicts for resolution before the transport to production.

If you have already gone live and the role work was deferred, build the quarterly review cadence and the non-human identity inventory program now. The clean-up will take longer than pre-go-live remediation would have. Starting immediately limits the accumulation.

The technical workflow is not complicated. The governance discipline required to execute it consistently, across teams, landscapes, and project timelines, is where most organizations struggle. That discipline starts with a clear decision that SoD is a design-time engineering responsibility, not a post-go-live audit finding.


Subscribe to Continue This Work

This publication covers SAP authorization engineering, identity governance, and the technical architecture of secure enterprise systems. Future articles will go deeper on Fiori authorization design, SAP GRC Access Control ruleset maintenance, and non-human identity governance frameworks for cloud-integrated SAP landscapes.

If you are building or fixing authorization governance in an SAP environment, subscribe now so these articles reach you directly. No generalist technology news, no vendor marketing. Just the technical depth that the people actually doing this work need.

SR 26-2 Is Here: The 2026 Model Risk Guidance That Finally Gives Validators Teeth

Article by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360


On April 17, 2026, the Federal Reserve, the FDIC, and the OCC (collectively, "the agencies") issued SR Letter 26-2, which replaces prior model risk management guidance, the SR 11-7 issued in 2011. This update refines supervisory expectations regarding how banking organizations should calibrate their model risk management frameworks. The guidance is most directly applicable to institutions with total assets exceeding $30 billion, though smaller institutions with complex modeling activities are advised to consider its principles.



Scope and Applicability

The guidance formally excludes simple arithmetic calculations, deterministic rule-based processes, and notably, generative artificial intelligence and agentic artificial intelligence models from the definition of a model. However, the agencies explicitly state that traditional statistical, quantitative, and non-generative artificial intelligence models remain within scope. The primary audience is organizations with over $30 billion in assets, reflecting a tailored supervisory approach that recognizes the lower inherent risk profiles of most community banking institutions.

What Is Covered and What Is Not

SR 26-2 draws a clean line between two categories of artificial intelligence. On one side, traditional statistical models and non-generative, non-agentic AI models are fully within scope. This includes logistic regression for credit scoring, random forests for fraud detection, gradient boosting for loss forecasting, and any probabilistic model that applies statistical, economic, or financial theories to produce quantitative estimates. On the other side, generative AI such as ChatGPT-style models and agentic AI that makes autonomous decisions are explicitly excluded from the guidance. 

The agencies state these technologies are novel and rapidly evolving, so they are not covered here. Simple spreadsheet arithmetic and deterministic rule-based processes with no statistical underpinning are also excluded. For practitioners, this means the bank existing credit risk, market risk, and stress testing models remain subject to the full model risk management framework, while the internal productivity chatbots do not.

How to Treat Probabilistic and AI Models in Practice

For probabilistic models and non-generative AI, the guidance applies the same materiality-based framework as any other quantitative model. U.S. banks under scope must assess each model using two dimensions: exposure (portfolio size and financial impact) and purpose (regulatory significance or critical risk decisions). A machine learning fraud detection model affecting $50 million in transactions may require less rigor than a smaller logistic regression model used for regulatory capital calculations, if the latter serves a more critical purpose. The key operational change is that validators of AI models must now have organizational standing to effect change, not just technical expertise. 

For probabilistic models with inherent uncertainty, banks must document assumptions explicitly and monitor performance drift continuously, not annually. Vendor-supplied AI models receive no lighter treatment; proprietary black-box constraints do not excuse banks from validating conceptual soundness. If a vendor will not provide transparency into model design, development data, or assumptions, banks must either conduct independent back-testing using the internal own data or limit the model to immaterial use cases.

Main Changes and Technical Nuances

The most significant departure from prior guidance is the formal introduction of a materiality-driven framework. Rather than applying uniform rigor to all models, the agencies now require banking organizations to evaluate model risk through two distinct lenses:

  1. Model Exposure: The quantitative significance of a model's output to business decisions, typically measured by portfolio size or financial impact.

  2. Model Purpose: A qualitative assessment of whether the model supports regulatory requirements or manages critical financial risk exposures.

The interaction of exposure and purpose determines model materiality, which then dictates the depth of validation, monitoring, and governance required. Immaterial models require only identification and periodic monitoring for changes in conditions that could elevate their status. Conversely, higher materiality models warrant comprehensive and rigorous oversight throughout the lifecycle.

The guidance also introduces a more explicit expectation regarding aggregate model risk. Institutions must assess risk not only at the individual model level but also across portfolios of models. This includes evaluating dependencies, common assumptions, shared data sources, and correlated methodologies that could cause simultaneous failures. A single point of weakness in a shared data pipeline, for example, could manifest as aggregate risk across multiple high-stakes models.

Effective Challenge and Independence

The agencies reinforce the concept of effective challenge as a non-negotiable component of sound governance. Effective challenge is defined as critical analysis performed by objective experts who possess the technical competence to evaluate model risk, sufficient independence to maintain objectivity, and the organizational standing to compel changes. This elevates the requirement beyond mere peer review to a governance mechanism with teeth. Validation functions must be structured to avoid conflicts of interest, particularly misalignment of incentives between model development and validation reporting lines.



Vendor and Third-Party Products

A critical clarification addresses vendor and third-party models. The guidance states that the use of proprietary products, including those where underlying code or methodology is inaccessible, does not diminish the banking organization's risk management responsibilities. Validation of vendor models must include an assessment of conceptual soundness, design, development data, and ongoing performance. Customizations made to vendor models for specific business needs must be documented, justified, and evaluated as part of validation. The inability to inspect proprietary elements is not an acceptable basis for reducing validation rigor.

Model Development, Validation, and Monitoring

The guidance formalizes three components of validation:

  • Conceptual Soundness: Assessing model design, assumptions, qualitative judgments, and data selection.

  • Outcomes Analysis: Comparing model outputs to real-world results, including back-testing and outlier analysis.

  • Ongoing Monitoring: Evaluating performance against changing products, exposures, data relevance, and market conditions.

Notably, the guidance permits limited circumstances where a model may be used prior to completion of validation, such as an urgent business need. In such cases, the institution must apply heightened attention to model limitations, inform relevant stakeholders, and implement compensating controls including usage limits and closer performance monitoring.

Governance and Documentation

The agencies expect a comprehensive model inventory that supports risk management at both individual and aggregate levels. Documentation must be adequate to ensure continuity of operations, track recommendations and exceptions, and support remediation efforts. Internal audit functions are expected to evaluate the effectiveness of model risk management practices rather than duplicate validation activities.

Enforceability Context

While the guidance explicitly states that non-compliance will not result in supervisory criticism standing alone, the agencies preserve their authority to take action for any violations of law or unsafe or unsound practices stemming from insufficient management of model risk. Practically, this means the guidance defines the supervisory baseline. Deviations from its principles will be cited as evidence of inadequate risk management in the event of a model failure or material loss.

Implications for GRC Professionals

The 2026 guidance signals a maturation of model risk management from a technical validation exercise to an integrated governance discipline. GRC professionals should prioritize three actions: first, implementing a tiered inventory that clearly distinguishes material from immaterial models; second, assessing aggregate risk across model portfolios, particularly where shared assumptions or data sources exist; and third, reviewing vendor management agreements to ensure that contractual terms do not impede the validation and ongoing monitoring required by the agencies. The exclusion of generative and agentic artificial intelligence is temporary; the principles articulated in this guidance will likely inform future supervisory expectations as those technologies evolve.



Critical Implications of the Revised Model Risk Management Guidance (SR 26-2)


Four Critical Changes for Risk Managers


1. Redesign Model Tiering Using Dual-Axis Materiality Assessment

Risk managers must now classify all AI predictive models using both exposure (quantitative portfolio impact) and purpose (qualitative regulatory or risk significance), replacing single-dimension risk ratings. This materiality-based framework means a fraud detection AI model affecting $50M in transactions may warrant less rigor than a $10M credit decisioning model if the latter supports regulatory capital calculations. Organizations must rebuild model inventories to document both dimensions, as immaterial models by exposure may still be material by purpose. The tiering directly determines validation depth, monitoring frequency, and governance escalation pathways for each AI risk model.

2. Establish Effective Challenge with Organizational Authority

Validators of AI predictive models must now possess not only technical expertise but demonstrable organizational standing and influence to effect change, moving beyond advisory roles. Risk managers must restructure validation teams to ensure challengers can delay model deployment, escalate concerns to executive committees, and mandate remediation with teeth. This represents a fundamental shift from validation as documentation exercise to validation as governance gate, particularly critical for complex AI models where technical reviewers previously lacked business authority. Second-line model risk functions must now be empowered to override first-line deployment timelines when AI model risks are inadequately addressed.

3. Implement Rigorous Vendor Risk Model Governance

Third-party AI models for credit scoring, fraud detection, or risk forecasting no longer receive lighter treatment despite proprietary limitations, requiring the same conceptual soundness validation as internal models. Risk managers must negotiate with vendors for sufficient transparency into model design, development data, assumptions, and performance metrics to conduct meaningful validation, even when source code is unavailable. Ongoing monitoring and outcomes analysis are now explicitly required for vendor AI models, including documentation of any overlays or adjustments made to customize outputs. Where vendors cannot provide adequate validation evidence, risk managers must either conduct independent testing using the bank's own data or limit the model's application to lower-materiality use cases.

4. Deploy Continuous Model Monitoring Infrastructure

Ongoing monitoring is elevated from periodic review to continuous evaluation, requiring risk managers to implement real-time performance tracking for material AI predictive models across changing data distributions and market conditions. Monitoring frameworks must now explicitly assess whether AI models remain fit-for-purpose as products, client bases, or economic environments shift, with predefined thresholds triggering recalibration or redevelopment. Risk managers must establish outcomes analysis comparing AI model predictions to actual results (back-testing) as a standard validation component, not an optional add-on, particularly for models relying on expert judgment or alternative data. The guidance mandates documentation of model deterioration triggers and response procedures, forcing proactive governance rather than reactive remediation when AI risk models fail.

Priority Actions for SR 26-2 Compliance

1. Materiality Triage

Large U.S. banks should redesign model inventories around purpose and exposure, not a single generic risk score. The guidance is explicit that model materiality depends on the business importance of the use case and the significance of the output to decisions, including regulatory and financial risk use. For predictive AI models, credit loss, fraud, liquidity, and capital-related use cases should be tiered above internal analytics or convenience models. Common practice still overweights model complexity and underweights business consequence; that should be corrected.

2. Challenge Authority

Banks should formalize effective challenge as a control with authority, not as a review function. The guidance requires challengers to have sufficient expertise, independence, organizational standing, and influence to effect change throughout the model lifecycle. That means validation functions need documented rights to delay launch, require remediation, and escalate unresolved issues to executive governance forums. Common advice tends to treat validation as commentary; that is not defensible under this guidance.

3. Continuous Monitoring

Scoped banks should move material predictive AI models to ongoing monitoring with explicit deterioration triggers. The guidance requires monitoring for changes in products, exposures, activities, clients, data relevance, and market conditions, and it states that material deterioration may warrant overlays, adjustment, or redevelopment. Monitoring should therefore include pre-defined thresholds for drift, performance decay, and segmentation instability, not just periodic reporting. Common practice often relies on quarterly review cycles; that is too slow for models embedded in live decisioning flows.

4. Third-Party Validation

Banks should validate vendor and other third-party predictive models to the same conceptual standard applied to internally developed models. The guidance states that proprietary constraints do not remove the need to understand design, development data, assumptions, and performance. Where source code is unavailable, banks need compensating controls such as benchmarking, documented customization review, independent testing, and ongoing outcomes analysis. Common advice often treats SOC reports or vendor attestations as sufficient coverage; they are not.

5. Use Expansion Gate

Banks should treat any extension of model use as a new risk event requiring formal review. The guidance states that using a model beyond its intended purpose introduces additional uncertainty and requires additional analysis of limitations and controls. That means a predictive model approved for one portfolio, channel, or decision layer should not be repurposed without re-validation and governance sign-off. Common practice often extends models through informal business requests; that is a control weakness, not agility.

6. Aggregate Risk Map

The banks under scope should maintain a live inventory that maps individual and aggregate model risk, including shared data, assumptions, and dependencies. The guidance specifically calls out aggregate risk arising from interactions among models and from common methodologies or inputs that can fail simultaneously. For predictive AI models, that inventory should also identify upstream data feeds, shared calibration logic, and correlated override points. Common advice tends to validate models in isolation; that misses the concentration risk the guidance now makes explicit.



About the Author:

Hernan Huwyler is a risk and compliance executive who advises financial institutions on model risk management, AI governance, and control frameworks. He has led validation functions for global banks and regularly writes on the intersection of quantitative risk and regulatory compliance.

#ModelRiskManagement, #SR262, #SR117, #ModelValidation, #EffectiveChallenge, #AIModels, #RiskGovernance, #ModelRisk, #VendorRiskManagement, #FinancialRegulation, #FederalReserve, #FDIC, #OCC, #GRC, #Compliance, #RiskManagement, #AIGovernance, #ModelMateriality, #SecondLineOfDefense, #BankingRegulation


How to Stop Producing Risk Registers Nobody Uses

Article by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360

The Painful Gap Between Risk Reporting and Risk-Informed Decisions

Most Enterprise Risk Management programs fail in the same quiet way. They produce polished registers, colorful heat maps, and quarterly reports that look impressive in board packs. Then the organization makes its next major capital allocation, acquisition, or vendor choice using a single-page summary with one projected number and zero reference to the risk framework that consumed thousands of hours to build.

I've watched this pattern destroy the credibility of risk functions across industries. The risk team works hard. Stakeholders get interviewed. Likelihood and impact get scored. And none of it touches the actual decisions that determine whether the organization wins or loses. The gap between risk reporting quality and decision quality is where ERM programs go to die.

This article addresses that gap directly. It provides a stage-by-stage implementation approach for building an ERM program that changes how your organization decides, plans, and allocates resources. Every recommendation comes from field-tested practice, not theory. If your ERM program currently produces documents that live in SharePoint between annual reviews, this post shows you how to fix that.


Core Framework: The Three Pillars of Decision-Driven ERM

Effective ERM that actually changes decisions rests on three pillars. Each one addresses a different failure mode I've seen repeatedly in organizations that mistake activity for impact.


Pillar 1: Risk-Informed Performance Management

ERM must live inside the performance management system, not alongside it. This means every major risk links to at least one strategic objective and KPI. When risk shows up in performance reviews and operating rhythms, people pay attention. When it lives in a separate portal, they don't.

The most common failure here is creating the linkage on paper but not in practice. I worked with one organization that mapped all 35 risks to strategic objectives in their GRC platform. Beautiful mapping. But the quarterly business reviews still used a completely separate slide deck with no risk content. The fix was simple but politically difficult: we added a mandatory "risk and assumption" section to the existing QBR template and made the business unit head (not the risk team) responsible for completing it. Adoption jumped from near zero to 80% within two quarters because the accountability sat with the person who owned the performance conversation.


Pillar 2: Risk Analysis Embedded in Decision Workflows

Every significant decision, from capital expenditure approvals to vendor selections to product launches, must include explicit risk reasoning. Not a generic "risk section" pasted at the end of a business case. A structured analysis of key assumptions, downside scenarios, and alignment with risk appetite.


o not try to retrofit risk analysis into existing decision workflows by adding a new form or approval gate. That creates resentment and checkbox behavior. Instead, redesign the decision paper template itself. Add three mandatory questions directly into the body of the document: "What are the top three assumptions this recommendation depends on?" "What happens if each assumption is wrong?" "How does this fit within our stated risk appetite?" When these questions sit inside the template that decision-makers already complete, risk thinking becomes part of the work rather than extra work.


Pillar 3: Distributions Replace Point Estimates

Organizations addicted to single "best guess" numbers make systematically overconfident decisions. Fighting this addiction requires replacing point estimates with ranges, scenarios, and probability distributions for all material assumptions.

Do not try to convert every number in your organization to a distribution. Start by identifying "high-leverage assumptions," the five or six variables that most affect NPV, margin, schedule, or safety in your biggest decisions. Convert those to three-point estimates (minimum, most likely, maximum) first. I made the mistake early in my career of trying to build full stochastic models for everything. The result was analysis paralysis and skepticism from leadership. Starting with just the high-leverage variables keeps the effort manageable and produces results that are visually obvious to executives who have never seen a tornado chart before.


Stage 1: Reframe ERM and Align It to the Business Cycle

The first implementation stage kills the annual risk assessment ritual and replaces it with a rolling cadence tied to how the business actually operates.

Map your organization's existing planning calendar: budgeting cycle, strategy refresh, product roadmap reviews, capital planning windows. Then attach risk input as a standard step in each of those existing processes. Risk analysis during budgeting means budget assumptions get challenged. Risk analysis during strategy refresh means strategic bets get stress-tested. Risk analysis during product roadmap reviews means launch decisions include downside scenarios.


The responsible party for each touchpoint is the business owner, not the risk function. The risk function sets the method, provides tools, and samples for quality. But the business leader presents the risk view alongside the performance view. This matters because risk ownership that sits with a central function creates a dynamic where business leaders treat risk as "someone else's job."

What to do: Collapse your risk inventory from whatever unwieldy number it has grown to (I've seen 200+) down to 10 to 20 enterprise-level risks with clear aggregation logic. Local risks roll up into enterprise themes. The board sees 15 risks, not 150. Business units manage their local registers, but reporting flows upward through defined aggregation rules.

The hardest part of this stage is getting the CEO and CFO to agree that risk content belongs in existing performance forums rather than in separate risk committee meetings. I've found the most effective argument is financial: show them a past decision where a single-point estimate led to a materially different outcome than what a range-based analysis would have predicted. One concrete example of a budget miss or project overrun that was foreseeable with basic scenario analysis does more to shift executive behavior than any amount of framework documentation. Find that example in your own organization's recent history. It exists. I guarantee it.


Stage 2: Build Risk Analysis Into Decision Templates and Workflows

This stage addresses the specific mechanics of getting risk reasoning into the documents and approval processes that govern major decisions.

Start by mapping every "decision point" where risk analysis should be mandatory. Board approvals. Capital investments above a defined threshold. Acquisitions. Large contracts. Major technology choices. Key product or market entry decisions. For each type, define a minimum level of analysis. Small decisions get a short qualitative checklist. Large, irreversible, or high-uncertainty bets get full quantitative modeling.


For every significant contract, investment, or vendor choice, attach a one to two page mini risk assessment. The template should cover: objectives, key assumptions, top five risks with likelihood and impact ratings, existing controls, residual risk rating, and proposed mitigations. This format works because it's short enough to complete in an hour but structured enough to surface real issues.


Standardize quick techniques for smaller assessments: what-if questions, simple decision trees, bow-tie diagrams, or 5x5 matrices. Reserve deeper tools like FMEA, HAZOP, or fault-tree analysis for complex technical or safety-critical decisions. Set clear thresholds (contract value, strategic impact, irreversibility, public or ESG exposure) that trigger the more advanced assessment. This way your organization runs dozens of mini-assessments per month with sensible prioritization, not bureaucratic uniformity.

Require that any recommendation comparing Option A to Option B includes risk-adjusted reasoning. Not just base-case numbers. The proposal must show what happens to each option under stress. Which option breaks first? Which option has a wider range of possible outcomes? This single requirement forces genuine analytical thinking and prevents the common dysfunction where the "highest NPV" option wins by default even when its returns depend on a single fragile assumption.

Watch out for "fake risk-based" methods. I've audited vendor and contract risk methodologies across multiple organizations and found that many rely on uncalibrated scoring, arbitrary matrices, or vague checklists that produce a number but do not actually improve the decision. The test is simple: can you show me a specific instance where this risk methodology changed the selection of a vendor, the structure of a contract, or the design of a project? If the answer requires more than 30 seconds of thought, the methodology is theater. Replace it with structured identification, explicit assumptions, harmonized scales, and wherever possible, quantification tied to financial or operational impacts.

Stage 3: Replace Point Estimates With Ranges and Simulations

This is where decision-driven ERM gets quantitatively serious. Most organizations plan using single numbers for exchange rates, commodity prices, demand volumes, system uptime, and dozens of other variables. Every experienced professional knows these numbers are wrong. But the organization plans as if they're certain, then acts surprised when reality differs.

For key drivers, require ranges or probability distributions instead of single numbers. Start with three-point estimates (minimum, most likely, maximum) because they're intuitive and fit into existing spreadsheet workflows. Show P10, P50, and P90 outcomes next to the traditional single case. Standardize a small set of "risk views" for every major item: base case, conservative (P80 to P90), aggressive (P20), and stress case. Make approval documents reference which profile management is accepting.

For large projects, site selections, portfolio decisions, and annual budgets, run Monte Carlo simulations on the combined distributions of key assumptions. Report results in terms executives can act on: probability of loss, probability of meeting budget or schedule, value at specific percentiles, and which variables contribute most to variance. Tornado charts that show "FX drives 40% of your outcome variance" focus mitigation efforts far better than a color-coded heat map ever could.

Build simple internal libraries of typical distributions for recurring drivers. FX volatility ranges. Load factor distributions. Failure rate curves. Price curve bands. When teams can reuse validated assumptions instead of inventing numbers from scratch, the quality of analysis goes up and the time required goes down. I spent months building these libraries at one organization and it cut the time to produce a quantified risk view from two weeks to three days.

The cultural shift matters more than the technical one. I watched a capital allocation committee change their decision after seeing simulation output for the first time. The "highest NPV" option had a 35% probability of delivering negative returns once you modeled realistic input ranges. The second-ranked option had lower expected returns but only a 12% probability of loss. They chose robustness over optimism. That single moment did more to establish the credibility of quantitative risk analysis than two years of framework presentations. Find your version of that moment. Run the simulation on a decision that's already been made and show leadership what they would have seen if they'd had this view at the time. The reaction will tell you whether your organization is ready.

Stage 4: Governance, Ownership, and Culture Infrastructure

Without accountability structures, everything in the previous three stages degrades within 12 months. I've seen it happen. An organization builds beautiful decision templates, runs impressive simulations, and then slowly reverts to old habits because nobody's performance goals include risk-adjusted outcomes.

Define risk ownership at the level of specific "risk objects": products, processes, portfolios, or business units. Each risk object gets a named owner. That owner's performance goals explicitly include risk-adjusted outcomes. Not just revenue. Not just volume. This connects risk management to compensation and career progression, which is the only reliable driver of sustained behavior change.

Run short monthly "risk clinics" with each business unit. These replace the annual committee meeting that tries to cover everything and covers nothing well. In a 60-minute clinic, review changes in the unit's risk profile, challenge key assumptions, and adjust plans. The risk function facilitates. The business unit leads. Keep the format consistent: what changed since last month, what are the top three risks to this quarter's objectives, what decisions are coming up that need risk input.

Build an explicit expectation that major decisions (capex approvals, acquisitions, product launches, outsourcing) must reference key risks and mitigations from the ERM system. Treat the absence of this reference as a process failure. Not a documentation gap. A process failure that gets flagged in the same way a missing financial approval would get flagged. This is a governance design choice that signals organizational seriousness.

The single most common dysfunction I see in ERM governance is the "risk owner in name only" pattern. Someone's name appears next to a risk on the register, but their actual performance review, bonus criteria, and promotion case make zero reference to how they managed that risk. The fix requires executive sponsorship from the CEO or CFO to mandate that risk-adjusted KPIs appear in performance scorecards for anyone who owns a top-20 enterprise risk. Without this, risk ownership is decorative. I failed to get this done at one organization because I tried to push it through the risk committee instead of the compensation committee. The lesson: risk ownership is a people and incentives problem, not a risk framework problem.


 Implementation Tips

These four tips apply across all stages and address the patterns that most commonly cause decision-driven ERM programs to stall or revert.

Tip 1: Maintain Method Integrity Over Time

Original implementation tip: ERM methods degrade naturally. Templates get shortened. Simulation steps get skipped when deadlines are tight. Scoring scales drift as new people join and interpret criteria differently. Schedule a semi-annual "method health check" where the risk function reviews a sample of recent decision papers, mini-assessments, and simulation outputs against the defined standards. Flag deviations. Retrain where needed. Publish a short "quality scorecard" that shows which business units are maintaining standards and which are slipping. Transparency creates peer pressure that formal compliance never matches.

Tip 2: Handle the "Risk Champion" Role Carefully

Original implementation tip: Many organizations appoint "risk champions" in each business unit to act as liaisons with the central risk function. This works when champions have genuine credibility and seniority in their unit. It fails when the role gets assigned to the most junior person available or treated as administrative overhead. Require that risk champions hold a position at least one level below the unit head. Give them explicit time allocation (minimum 10% of their role). Include champion effectiveness as a factor in their performance review. I've seen champion networks transform ERM adoption when they're staffed with respected operators. I've seen them become an excuse for everyone else to ignore risk when they're staffed with interns.

Tip 3: Document Decision Rationale, Not Just Decision Outcomes

Original implementation tip: Create a simple "decision record" template that captures: the options considered, the risk analysis for each option, the trade-offs discussed, the risk appetite alignment, and the rationale for the final choice. Store these records in a searchable repository. Review a sample annually to check whether risk information was captured, how it influenced the choice, and how outcomes compared to expectations. This feedback loop is where organizational learning happens. Most organizations skip it entirely. The ones that do it consistently develop a pattern-recognition capability that makes future decisions measurably better. One organization I worked with found that 60% of project overruns in a three-year sample traced back to the same two assumption categories that were consistently treated as deterministic when they should have been modeled as ranges.

Tip 4: Be Skeptical of Dashboard-First GRC Platforms

Original implementation tip: Before committing to any ERM or GRC platform, ask the vendor one question: "Show me three examples where your platform's output changed an actual decision at a client organization." If they can only show you dashboards, taxonomies, and workflow automations, proceed with extreme caution. The best platforms provide centralized risk repositories, standardized taxonomies, automated data feeds from incidents and audit findings, scenario analytics, and integration with the BI tools and project portfolio systems your leaders already use daily. The worst platforms produce beautiful screens that no decision-maker ever opens. Run a pilot focused on one specific decision type before scaling. Measure whether the pilot improves option selection or outcome quality, not just reporting speed.

Key References

The following standards and frameworks provide authoritative guidance for building decision-driven ERM programs:


ISO 31000:2018, Risk Management Guidelines, provides the foundational principles and process for integrating risk management into organizational governance and decision-making

COSO ERM Framework (2017), Enterprise Risk Management: Integrating with Strategy and Performance, directly addresses the linkage between risk management and strategic planning

IEC 31010:2019, Risk Assessment Techniques, catalogs and guides the selection of specific risk assessment methods (Monte Carlo, FMEA, bow-tie, fault tree, and others) matched to decision context

ISO 31022:2020, Guidelines for the Management of Legal Risk, extends risk management principles to legal and contractual decision-making

NIST Risk Management Framework (SP 800-37), while focused on information systems, provides a strong model for embedding risk analysis into system acquisition and authorization decisions

The Orange Book (HM Treasury, UK), Managing Public Money risk guidance, offers practical templates for integrating risk analysis into investment and spending decisions

IIA Three Lines Model (2020), provides the governance structure for separating risk ownership, risk oversight, and independent assurance

Closing

When ERM stays a compliance artifact, it consumes budget, absorbs staff time, and produces documents that create an illusion of control. Decisions continue to rely on single-point estimates, gut feel, and the loudest voice in the room. The risk register gets updated annually, presented quarterly, and referenced never. The organization pays the full cost of risk management and receives almost none of the benefit.

When ERM operates as a living decision system, every major choice carries an explicit view of uncertainty, a structured comparison of options under stress, and a clear statement of which risks leadership is consciously accepting. The risk register becomes a hub connected to controls, incidents, KPIs, and projects. Simulations replace single guesses. Performance conversations shift from "you missed the number" to "where did we land in the distribution, and what did we learn?" The difference between these two states determines whether your organization manages risk or merely documents it.

What's one major decision your organization made in the last year that would look completely different if someone had modeled the downside honestly?

Skills for Compliance Officers, Risk Managers, and Auditors

7 Career Capabilities That Will Separate Compliance Officers Who Thrive in 2026 From Those Who Get Replaced by Algorithms


ING just announced 1,250 job cuts in its compliance operations. ABN Amro plans to replace 35% of its AML division with AI. The Dutch audit office published a report questioning whether the €1.4 billion the banking sector spends annually on anti-money laundering checks actually produces effective outcomes.

Read that last sentence again. The government auditor is asking whether the entire manual compliance model works.

This is not a future scenario. This is happening now, across multiple banks, in one of Europe's most regulated markets. And it raises a question that every compliance officer, risk manager, and internal auditor should be asking themselves today: if my primary value comes from executing manual processes that AI can do faster and more consistently, what exactly is my professional future?

The answer depends entirely on skills. Not certifications. Not years of experience. Skills.

I have spent the last fifteen years working with compliance functions across financial services, industrials, and technology companies. The pattern I see repeating is consistent: the professionals who can quantify risk, challenge AI outputs, and translate regulatory complexity into financial terms the business can act on are becoming more valuable every quarter. The ones who built careers around checklist execution, manual alert processing, and qualitative risk scoring are watching their roles disappear. Sometimes gradually. Sometimes overnight.

This post identifies the seven skills that will define professional survival and advancement in compliance, risk, and audit roles through 2026 and beyond. Each one is grounded in what I see organizations actually hiring for, paying premiums for, and struggling to find.

 

Quantification: The Skill That Changes Everything

Here is the dividing line. A compliance officer who says "this risk is high" is offering an opinion. A compliance officer who says "the expected annual loss from this obligation failure is €2.3 million, with a severe but plausible exposure of €9.6 million at the 95th percentile" is offering a decision.

Boards act on the second one. They file the first one.

Quantification means expressing compliance exposure in currency. Expected annual loss. Value at Risk. Conditional Value at Risk. Return on compliance investment. Loss exceedance curves. These are not exotic financial instruments. They are the basic vocabulary of every other risk function in the organization. Credit risk quantifies. Market risk quantifies. Operational risk quantifies. Compliance still shows up with colors.

The Dutch audit office report captures the consequence of this gap perfectly. The Netherlands spends €1.4 billion per year on AML compliance. Nobody can demonstrate whether it works. That is what happens when a function operates for decades without measuring its own effectiveness in terms that finance and strategy teams can use.

Original implementation tip: Start with your five most material compliance obligations. For each one, estimate a frequency (how often could this go wrong, expressed as events per year) and a severity range (what would it cost when it does, expressed as a currency interval with a confidence level). Feed those into a compound Poisson-Lognormal Monte Carlo simulation. You can do this in a free Google Colab notebook with code available on GitHub. No statistics degree required. The output is a loss distribution that tells you more about your compliance exposure in one afternoon than your entire qualitative risk register has told the board in the last five years.

Judgment: The One Thing AI Cannot Automate

AI can process 10,000 transaction alerts in the time it takes a human analyst to review three. It can scan contracts for misaligned clauses, monitor sanctions lists in real time, and flag anomalous expense patterns across the entire organization.

What it cannot do is decide.

An AI model that flags a suspicious transaction has produced a signal. Whether that signal warrants investigation, escalation, a suspicious activity report, or closure with documented rationale requires judgment. Judgment about regulatory expectations in that specific jurisdiction. Judgment about the customer relationship and its commercial context. Judgment about whether the pattern represents genuine risk or a false positive that, if escalated, would waste investigative resources and potentially harm a legitimate customer.

The Dutch audit office report noted that the current system of strict AML controls "does not always lead to useful investigations" and can have "serious consequences for ordinary people." That is a judgment failure, not a technology failure. The controls generated activity. Nobody ensured the activity produced outcomes.

When ING reduces 1,250 FTEs and shifts to AI-driven processing, the compliance professionals who remain need better judgment than the ones who left. They are handling the cases that the algorithm could not resolve. They are calibrating the thresholds that determine what the algorithm escalates. They are explaining to the regulator why a particular decision was made. Every one of those tasks requires experience, context, and the ability to exercise discretion under uncertainty.

Original implementation tip: When you review an AI-generated alert or risk flag, document not just your decision but your reasoning. Write two sentences explaining why you escalated or closed the case. After twelve months, review those documented rationales. You will find patterns in your own judgment that improve future decisions and create an auditable record that regulators value far more than a closed-case count.

AI Fluency: Working With the Machine, Not Around It

AI fluency for compliance professionals has nothing to do with writing code. It has everything to do with understanding what the model is doing well enough to trust it where it is reliable and challenge it where it is not.

This means knowing how to ask the right questions. What data was the model trained on? What assumptions drive the alert thresholds? Where are the known blind spots? What is the false positive rate, and what is the cost of each false positive in analyst time? What happens when the input data quality degrades?

I worked with a financial institution that deployed an AI-powered transaction monitoring system. The compliance team treated it as a black box. Alerts came in, analysts processed them, case counts went into the quarterly report. Nobody asked whether the model was actually catching the right things. When an external review tested the system against known typologies, the detection rate for a specific category of trade-based money laundering was below 12%. The model was generating thousands of alerts for low-risk patterns while missing the high-risk ones entirely.

The compliance team did not lack intelligence or dedication. They lacked the fluency to interrogate the tool they were using every day.

Original implementation tip: Ask your technology team to show you the model's confusion matrix for the last quarter. It will tell you how many true positives, false positives, true negatives, and false negatives the system produced. If nobody can produce this information, you have a tool, but you do not have a control. A control you cannot measure is a control you cannot defend.

Regulatory Mapping: Conflicts, Overlaps, and the Before-the-Fact Discipline

Regulatory fluency in 2026 is not about memorizing rules. It is about mapping obligations across jurisdictions, identifying conflicts before they create exposure, and translating regulatory expectations into operational requirements that the business can actually execute.

The complexity is real and accelerating. The EU AI Act imposes requirements on high-risk AI systems that may conflict with data minimization principles under GDPR. Cross-border data localization requirements in one jurisdiction clash with centralized processing mandates in another. Anti-corruption reporting thresholds differ between the FCPA, the UK Bribery Act, and local legislation in every market where the organization operates.

A compliance officer who can identify these conflicts, quantify the exposure on each side, and recommend a documented compliance path with a defensible rationale is providing strategic value. One who simply flags the conflict and asks the business to "seek legal advice" is adding a step to the process without reducing risk.

The most important application of regulatory fluency happens before the organization accepts the obligation. Before signing the contract. Before announcing the ESG commitment. Before entering the new market. Before launching the AI-powered product. At that point, terms can be changed, commitments narrowed, controls built first, and deal structures adjusted. Once the promise is made, the options get slower and more expensive.

Original implementation tip: For every new market entry, major contract, or public commitment, create a one-page obligation conflict map. List the top five obligations the decision creates. For each, identify whether any conflict exists with obligations in other jurisdictions where the organization operates. Where conflicts exist, quantify the exposure for each compliance path and document the chosen approach with its rationale. This single artifact will be the most valuable document in your file if a regulator ever asks why you chose one path over another.

Making Your Decisions Defensible

A compliance decision that cannot be reconstructed and explained six months later is not a decision. It is a liability.

Evidencing is the discipline of documenting risk assessments, treatment decisions, control design rationale, and residual risk acceptance in a way that creates a defensible record. Not for the sake of documentation, but because regulators, auditors, and courts evaluate compliance programs based on what can be demonstrated, not what was intended.

ISO 37301 explicitly links a robust compliance management system to evidence of due diligence that can mitigate corporate liability. In jurisdictions that recognize effective compliance programs as a mitigating or exonerating factor (Spain, France, Brazil, the UK, and increasingly the US through DOJ guidance), the quality of your evidence directly affects the severity of your sanctions.

I have seen organizations with excellent compliance programs receive harsh regulatory treatment because they could not produce the documentation to prove what they had done. And I have seen organizations with modest programs receive favorable treatment because they could demonstrate a clear, documented chain of risk assessment, decision, control, and monitoring.

The difference was not the quality of the compliance work. It was the quality of the evidence.

Original implementation tip: For every risk that exceeds your stated tolerance, create a treatment decision record with five elements: the quantified exposure before treatment, the treatment option selected with its cost, the expected reduction in exposure, the residual risk explicitly accepted, and the name and level of the person who approved the acceptance. This record takes ten minutes to create and can save millions in regulatory proceedings.

Spending Where It Matters

Compliance budgets are finite. The obligation universe is not. Every organization faces more compliance requirements than it can address with maximum intensity simultaneously. The skill that separates effective compliance leaders from overwhelmed ones is the ability to allocate resources where the expected loss reduction justifies the cost.

This sounds obvious. Watch how many organizations skip it.

The standard approach is to apply roughly uniform compliance intensity across all obligation domains, driven by checklist coverage rather than risk-weighted exposure. The result is predictable: the organization spends heavily on low-risk obligations where the expected loss is modest and underinvests in high-risk obligations where the expected loss is material. The qualitative risk register cannot reveal this misallocation because it does not express exposure in comparable units.

The return on compliance investment formula is simple. Take the reduction in expected annual loss attributable to a control, subtract the annual cost of the control, divide by the annual cost of the control. If a new automated monitoring system costs €400,000 per year and reduces expected annual AML-related compliance losses from €2.8 million to €1.5 million, the ROCI is 225%. That is a compelling business case expressed in language that finance teams understand and approve.

Every compliance budget request should be framed this way. "This €200,000 investment reduces our expected annual loss by €750,000" works. "We need this because the regulation requires it" does not.

Original implementation tip: Rank your top ten compliance obligations by expected annual loss. Then rank them by current compliance spending. Compare the two lists. In my experience, the correlation is disturbingly low. The mismatch between where you spend and where your exposure actually sits is the single highest-value finding your quantitative risk assessment will produce.

Speaking the Language of the Business

Every skill described above becomes useless if the compliance officer cannot communicate findings in terms that decision-makers act on. Translation is the ability to convert regulatory complexity, risk quantification, and control recommendations into the financial and operational language that executives, boards, and business unit leaders use to make decisions.

Decision-makers act on euros. They do not act on risk ratings. They do not act on colors. They do not act on compliance jargon.

A compliance officer who tells the board "we have 47 high risks" has produced information that prompts no specific action. A compliance officer who tells the board "our expected annual compliance loss is €4.2 million, with a P80 exposure of €8.1 million and a tail at P99 of €95 million, and our current reserves cover only to the 55th percentile" has produced a statement that triggers a budget discussion, an insurance review, and a strategic conversation about which obligations create the most exposure.

The difference between these two presentations is not sophistication. It is professional utility. The first produces documentation. The second produces decisions.

Original implementation tip: Before every board or committee presentation, test your key message against this question: "Can a CFO act on this statement without asking for additional information?" If the answer is no, rewrite it until the answer is yes. Replace "high risk" with a currency range. Replace "significant exposure" with a percentile from your simulation. Replace "we recommend enhanced controls" with "this €300,000 investment reduces our P80 exposure from €8 million to €3.5 million." The reaction in the room will change immediately.

Understanding the 2026 skills model for GRC roles

The mistake many firms make is treating future skills as a training catalogue problem.

It is not.

This is a control model problem, a governance design problem, and a workforce economics problem. Once AI and automation take over repetitive tasks, the remaining human work changes shape. That means the required skills also change shape. Fast.

A useful way to think about this is through three buckets.

Transferred skills

These are the capabilities that still anchor professional credibility.

Regulatory judgment still matters. Ethical judgment still matters. Clear documentation still matters. Institutional memory still matters. If you cannot explain why a decision was made, or what a regulator is likely to focus on, no analytics tool will save you.

Original implementation tip: do not treat legacy expertise as “old knowledge.” Extract it systematically. Build decision logs from experienced staff before attrition or restructuring removes your best practical judgment.

Sharpened skills

These are existing skills that now need a higher level of precision.

Communication is the best example. In 2026, compliance, risk, and audit professionals must explain complex risks to business leaders who are moving faster, using more technology, and tolerating less ambiguity. The old style, long memos, defensive language, generic caveats, gets ignored.

Risk prioritization also sits here. You now need to distinguish quickly between a control issue, a design issue, a model issue, and a real exposure issue.

Original implementation tip: if your team still writes findings that cannot be converted into a business decision within five minutes, your communication model is already outdated.

New skills

This is where the real shift sits.

Data literacy. AI oversight. Workflow design. Model skepticism. Cross-border digital regulatory fluency. These were once specialist capabilities. They are becoming baseline skills for high-value governance roles.

This does not mean every compliance officer must code, every auditor must become a data scientist, or every risk manager must build models. It means they must understand enough to challenge outputs, spot weak assumptions, and defend positions under scrutiny.

Original implementation tip: stop designing training around job families alone. Design it around decisions your team must make in the next 12 months.

[Suggested visual: a simple three-column diagram titled “Transferred, Sharpened, New Skills for 2026 GRC Roles”]

Stage 1: Build data literacy before you talk about AI

Start here.

Most teams want to jump straight into AI training because it sounds urgent and visible. In practice, the bigger failure point is much more basic. People cannot interpret dashboards, exception reports, alert quality metrics, model performance summaries, or data lineage issues with enough confidence to challenge what they see.

That weakness creates a quiet professional risk. A compliance officer who cannot interrogate data becomes dependent on whoever built the dashboard. A risk manager who cannot question assumptions behind thresholds becomes a consumer of outputs, not an owner of risk judgment. An auditor who cannot test data reliability properly ends up auditing process theatre.

What to implement:

  • Basic data fluency training for all GRC roles
  • A standard review method for dashboard quality
  • A simple model of data quality checks for governance teams
  • Case exercises on false positives, false negatives, and threshold design
  • Role-specific training on how data feeds decisions

The responsible parties should be shared. Compliance leadership defines use cases. Data teams explain structures and limitations. Internal audit helps design challenge routines. Risk functions connect metrics to exposure.

One detail matters a lot here. Use your own data examples. Not vendor demos. Not generic training screenshots. Real internal dashboards, real alert patterns, real escalation logs. Teams learn faster when the examples are familiar and slightly uncomfortable.

I learned this the hard way. Years ago, I helped run analytics training using polished external case studies. People liked the sessions. Nothing changed. When we switched to the organization’s own ugly, inconsistent reports, participation dropped for a week, then quality of challenge went up sharply. That is when the training started working.

Original implementation tip: teach governance teams to ask four questions every time they see a dashboard. What is missing, what changed, what is the threshold logic, and what decision should this support.

Stage 2: Move from AI enthusiasm to AI oversight

This is where many teams get exposed.

There is a big difference between using AI and governing AI. Most organizations are still much better at the first than the second. They can buy the tool, run the pilot, automate the workflow, and announce efficiency gains. They are far less prepared to answer harder questions about explainability, control effectiveness, model drift, fairness, escalation logic, and accountability.

That gap is now a live governance issue.

For compliance officers, the skill is not coding. It is understanding what the tool is doing, where it can fail, how decisions are documented, and when human review must override automation. For risk managers, the skill is understanding model assumptions and residual exposure. For auditors, the skill is testing whether the governance around the tool is real or decorative.

What to implement:

  • AI use case inventory with clear ownership
  • Minimum control requirements for AI-enabled decisions
  • Challenge sessions for model outputs and thresholds
  • Documentation standards for explainability and overrides
  • Audit steps tailored to automated workflows

Responsible parties should be explicit. The first line owns operational use. Risk sets challenge and model governance expectations. Compliance tests legal and regulatory implications. Audit reviews design and operating effectiveness.

One common failure deserves attention. Firms often reduce headcount before they upgrade capability. That creates the worst possible sequence. Work is automated, people leave, and the remaining staff have not yet learned to govern the new environment. The operation becomes cheaper. The exposure becomes harder to see.

Original implementation tip: never approve an AI-related staff reduction unless the governance capability map has been signed off first. Efficiency without oversight maturity creates hidden regulatory debt.

Stage 3: Strengthen regulatory fluency for digital and cross-border change

Regulatory fluency in 2026 means more than knowing the rulebook.

You need to understand how fast-moving digital regulation, privacy regimes, AI laws, outsourcing standards, conduct expectations, and cross-border obligations interact. That interaction is where real mistakes happen. A team can know each rule in isolation and still fail badly when obligations collide across products, jurisdictions, and data flows.

This is now a daily problem. AI systems cross borders. Customer data moves through vendors. Marketing claims create exposure in one jurisdiction and trigger evidence duties in another. Outsourcing arrangements carry regulatory, contractual, and operational obligations at the same time. Governance teams that cannot work across these layers become bottlenecks, or worse, false comfort providers.

What to implement:

  • Cross-border obligation maps for material products
  • Regulatory horizon scanning tied to business decisions
  • Decision templates for conflicting obligations
  • Joint reviews between legal, compliance, risk, and technology
  • Escalation rules for unresolved jurisdictional conflicts

The critical artifact here is not a long legal memo. It is a decision-ready summary that tells management what changed, why it matters, where the exposure sits, and what options exist.

There is also a capability tradeoff. Small firms cannot build deep expertise in every jurisdiction. Large firms often drown in fragmented expertise. Both need a clearer model of when to centralize interpretation and when to localize execution.

Original implementation tip: when a new digital or cross-border rule appears, do not ask first “what does the rule say?” Ask “which current decisions, products, or claims become harder to defend because of this?”

Stage 4: Replace checklist execution with risk-based prioritization

A lot of compliance, risk, and audit work still suffers from equal treatment of unequal problems.

That made some sense when workflows were mostly manual and teams needed visible consistency. It makes far less sense now. In a world of automated monitoring, large-scale data, and constrained headcount, the real differentiator is prioritization quality.

This skill is becoming central across all three functions.

Compliance officers must know where to intensify monitoring and where a control can be simplified. Risk managers must know which exposures deserve scenario work and which do not. Auditors must know where testing depth should increase and where assurance effort is no longer worth the cost. This is no longer just a planning issue. It is a professional judgment issue.

What to implement:

  • Risk-based planning linked to expected loss or materiality
  • Segmentation of issues by decision impact
  • Dynamic review cycles for emerging risk indicators
  • Monitoring plans tied to control value, not legacy frequency
  • Documentation of why low-value work was reduced

Here is where many teams hesitate. They fear that reducing low-value work will look careless. In reality, supervisors and boards increasingly expect the opposite. They want to know that scarce governance resources are being directed where they matter most.

I have seen teams spend months polishing low-risk control evidence while material third-party and data governance exposures sat under-reviewed. Nobody intended that outcome. It came from inherited planning habits that were never seriously challenged.

Original implementation tip: each year, require every governance team to identify 15 percent of recurring work that no longer justifies its cost. If nobody can name it, the planning process is too passive.

[Suggested visual: sample matrix comparing “effort spent” versus “risk value created”]

Stage 5: Turn judgment into a visible professional skill

Judgment used to hide behind experience.

That is no longer enough. As automated systems handle more routine work, human contribution must become more explicit. This means professionals need to show how they interpret ambiguity, challenge outputs, weigh tradeoffs, and defend decisions.

This is especially important because supervisors, boards, and executives now expect more than procedural compliance. They expect reasoning. They want to know why a case was escalated, why a model output was overruled, why a business request was delayed, or why a regulatory interpretation was considered proportionate.

Judgment also has to be teachable. This is where many organizations struggle. Senior people often have excellent instinct but poor transfer discipline. They know when something feels wrong, but they do not articulate the reasoning path clearly enough for others to learn from it.

What to implement:

  • Decision logs for difficult cases
  • Review sessions on borderline escalations
  • Written rationale requirements for overrides
  • Judgment-based case discussions in team meetings
  • Mentoring focused on reasoning, not just outcomes

The responsible parties here are mostly leaders. Team heads must create space for reasoning, not just throughput. Senior reviewers need to model their thought process in real cases. Audit leaders should document why a finding matters, not only what failed.

One vulnerable truth. Many experienced professionals are less prepared for this shift than they think. Deep experience with manual processes does not automatically translate into strong explicit judgment. I have seen very senior people struggle when asked to explain why they trusted one control output and challenged another. Experience gave them confidence. It had not given them a repeatable method.

Original implementation tip: after any material review or escalation, ask the decision-maker to write five lines explaining the reasoning. Over time, this becomes one of the best judgment training tools in the function.

Stage 6: Build influence across the first, second, and third lines

Governance functions lose value when they arrive late.

This is true in contract review, product change, AI deployment, customer segmentation, vendor onboarding, and issue remediation. If compliance, risk, and audit only appear once the decision is mostly made, they do not shape outcomes. They document concerns around decisions already moving forward.

The skill behind early influence is not authority. It is relevance.

Compliance officers need to explain business implications in terms leaders care about. Risk managers need to connect exposure to choices, timing, and tradeoffs. Auditors need to shift part of their credibility from post-event review to pre-event insight, while preserving independence.

What to implement:

  • Early-stage governance gates for key business changes
  • Short decision memos, not only long reports
  • Financial framing of major compliance exposures
  • Joint workshops with business, legal, data, and operations
  • Clear escalation routes when tradeoffs remain unresolved

A good practical test is simple. Can your team explain, in three minutes, why a proposed control change matters to revenue, cost, risk, or supervisory defensibility? If not, the technical analysis may be fine, but the influence skill is weak.

This is where careers widen or narrow. The professionals who can connect risk to business reality become trusted participants in decision-making. The ones who stay in narrow technical phrasing become background reviewers.

Original implementation tip: teach teams to present every material issue with three elements only. Exposure, decision options, and recommendation. Everything else can sit in the appendix.

Cross-cutting implementation tips for 2026 GRC skills

Skills do not hold unless the operating model supports them.

That is where many development programs break down. They train people in isolation while leaving workflows, incentives, reporting lines, and documentation unchanged. The result is temporary awareness with no durable capability.

Here are four cross-cutting practices that make the shift stick.

1. Tie skills to real decisions

Training works when it connects directly to live work.

Use current alerts, current controls, current dashboards, current regulatory changes. Build training around decisions the function must make this quarter, not abstract capability aspirations.

Original implementation tip: before approving any skills program, ask which three live decisions it will improve within 90 days. If nobody knows, the program is too generic.

2. Protect documentation quality during automation

As automation rises, documentation often gets weaker.

People assume the system record is enough. It usually is not. You still need rationale, evidence of challenge, override logic, and clear ownership of decisions. This matters in supervisory review, audit defense, and internal accountability.

Original implementation tip: for every automated control or AI-supported workflow, define what the system records automatically and what human rationale must still be documented manually.

3. Design for capability transfer, not heroics

Too many GRC functions still depend on a few very experienced people.

That model breaks under restructuring, attrition, or rapid technology change. Capability must sit in methods, playbooks, decision logs, review routines, and mentoring structures. Not only in memory.

Original implementation tip: if a critical governance task can only be defended by one person in the team, you do not have a skill. You have a dependency.

4. Measure whether the skill shift changes outcomes

This is the test that matters.

Did alert review quality improve. Did time to escalation fall. Did issue prioritization become sharper. Did audit findings become more decision-useful. Did management decisions change earlier in the process. If none of these move, your skills program may be producing awareness, not value.

Original implementation tip: define three operational metrics before the training starts and compare them after 90 and 180 days. Skill development without outcome measurement becomes corporate theatre.

Key references for 2026 compliance skills, risk management skills, and audit skills

The following standards, guidance sources, and institutional references are especially relevant for building 2026-ready skills in compliance, risk, and audit functions:

  • ISO 37301, Compliance management systems
  • ISO 31000, Risk management guidelines
  • IIA Global Internal Audit Standards
  • NIST AI Risk Management Framework
  • EU AI Act
  • GDPR and related EDPB guidance
  • Basel Committee guidance on operational risk and governance
  • FATF guidance on digital transformation, AML, and risk-based controls
  • EBA guidelines on internal governance, outsourcing, and ICT risk
  • DOJ guidance on evaluation of corporate compliance programs
  • ECB supervisory expectations for governance and risk control functions
  • Industry reports from PwC, KPMG, Deloitte, and major banking supervisory bodies on AI, compliance, and governance capability trends

Use these as anchors. But do not stop at reading them. Convert them into capability design, workflow changes, and role-specific expectations.

The capabilities that now matter most

If you need a simple shortlist, this is it.

Analytics

  • Turn alerts into quantified, decision-ready risk signals
  • Data literacy now matters more than checklist experience

Automation

  • Automate routine KYC, redeploy humans to complex judgment
  • Efficiency without capability shift increases regulatory exposure

Governance

  • AI needs oversight, not blind operational dependence
  • Model decisions must remain explainable to supervisors

Judgment

  • Compliance value shifts from processing to defensible decisions
  • AI flags risk, humans must interpret and escalate

Regulation

  • Cross-border compliance now requires multi-jurisdictional legal fluency
  • Digital rules expand faster than legacy compliance models

Prioritization

  • Risk-based planning beats uniform compliance effort allocation
  • Focus resources where expected loss is materially concentrated

Treat these skills as a soft HR topic and you will get a well-designed learning calendar with very little impact on control quality.

Treat them as part of your governance operating model and they become something else entirely. Better judgment. Faster escalation. Stronger supervisory defensibility. Clearer decisions. That is where the real value sits.

The professionals who stay valuable in 2026 will not be the ones who process the most checklists. They will be the ones who can explain, challenge, and defend risk in a system where more of the first pass is done by machines.

The Real Test: Does Your Work Change Decisions?

All seven skills point to a single criterion. Does the compliance risk process demonstrably change organizational decisions?

Does it alter contract terms before signature? Does it delay a market entry until controls are in place? Does it narrow a public commitment to what the organization can actually substantiate? Does it redirect compliance investment from low-exposure obligations to high-exposure ones? Does it produce reserve levels and insurance coverage calibrated to a loss distribution rather than to last year's budget plus 5%?

If the answer to all of these is no, the process is producing documentation, not decisions. And documentation without decision impact is precisely the kind of compliance work that AI will replace.

The professionals who build these seven skills will find themselves more valuable in 2026 than they are today. The compliance function needs fewer people who can process alerts and more people who can interpret signals, calibrate models, quantify exposure, challenge AI outputs, map regulatory conflicts, evidence decisions, and translate risk into financial terms.

One question worth asking yourself this week: which of these seven skills would you be most uncomfortable being tested on in front of your board or your regulator? Start there.