The nineteenth edition of McKinsey on Risk & Resilience examines the escalating challenges faced by global organisations in an era of geopolitical disruption, rapid technological change, and evolving regulatory demands. The publication underscores the importance of embedding resilience as a strategic priority and offers practical insights drawn from research, surveys and case studies.
A central theme of this edition is the changing role of the Chief Risk Officer (CRO). McKinsey identifies three distinct CRO archetypes: the Architect, who focuses on building long-term resilience and institutional capability; the Protector, who excels in crisis management and immediate risk mitigation; and the Business Accelerator, who enables growth and strategic progress while remaining vigilant to risk exposures. The most effective CROs demonstrate versatility, moving between these archetypes as circumstances demand.
Governance, risk, and compliance (GRC) form another area of focus. Findings from McKinsey’s 2025 Global GRC Benchmarking Survey reveal that although most organisations have established frameworks and policies, significant gaps remain. Many boards lack sufficient engagement in risk oversight, compliance functions are often under-resourced and technology is not being fully utilised. The insurance sector is said to be the most mature in its approach, while industries such as transport and life sciences fall behind. The report emphasises the need for stronger C-level representation of risk and compliance, the adoption of forward-looking practices such as scenario analysis and stress testing, and greater alignment between incentives and risk-aware behaviour.
The rapid rise of generative artificial intelligence presents both unprecedented opportunities and new categories of risk, particularly in financial services. Traditional governance models are ill-suited to address the legal, ethical and technological complexities of generative AI. To respond, McKinsey proposes a governance framework anchored by a risk scorecard that evaluates exposure, financial implications, data and model complexity, and ethical considerations. The framework is supported by four categories of controls (business, procedural, manual and automated) designed to balance innovation with strong risk oversight.
Geopolitical risk also receives significant attention. The rapid expansion of tariffs and trade controls has created levels of disruption not witnessed since the 1930s. McKinsey recommends that companies establish a ‘geopolitical nerve centre’ to track developments, coordinate responses and plan across multiple time horizons. In the short term, companies can focus on minimising tariff exposure through improved operations and supplier management. In the medium term, emphasis should be placed on cost preservation, stakeholder engagement and product redesign. Over the longer term, organisations may need to reconfigure supply chains, consider near-shoring and adjust their business portfolios to secure sustainable competitive advantage.
The report also provides practical demonstrations of resilience. One company’s approach illustrates how structural preparedness and a culture of adaptability can enable an organisation to thrive in the face of disruption. Similarly, the automotive industry offers a case study in strategic resilience, showing how companies that embed resilience into their operating models are able not only to withstand crises but also to transform them into opportunities for growth.
Collectively, the findings of this edition highlight a consistent conclusion: resilience is no longer a defensive posture but a strategic imperative. Organisations that elevate risk management to the level of strategy, integrate technology and data into their risk frameworks, and foster cultures of adaptability are best placed to navigate uncertainty and to prosper in the face of disruption.
The full report is available here.