Risk Management On The Clock

Simone Garreau is the Co-Founder and CEO of Prism Layer, an AI-native enterprise risk management platform. She previously led risk functions at Block, Robinhood, Remitly, and Western Union.

Most regulated financial institutions have quietly accepted the tension that sits at the center of their organization — business moves in days, risk moves in months — as a permanent condition.

This is not a complaint about risk teams. The professionals doing this work are not slow because they lack urgency. They are slow because the work is genuinely hard, the documentation standards are genuinely demanding, and the consequences of getting it wrong are genuinely severe. The slowness is not a character flaw. It is a structural reality that the industry has never fully reckoned with.

But as the speed of business increases, the cost of that structural reality is compounding. It is time to name it clearly, and solve it if we can.

The Gap Is Wider Than We Acknowledge

A product team at a mid-sized bank decides on a Tuesday to launch a new credit feature. By Friday, it has gone through design review and is queued for engineering. The risk assessment that should accompany that launch is eight weeks from completion. The compliance memo that was supposed to inform the go-to-market decision is sitting behind eleven other memos. The product ships anyway, with informal risk sign-off that no examiner would recognize as such.

This pattern is not confined to growth-stage fintechs operating at the edge of regulatory tolerance. It plays out inside large, well-governed institutions every day, across consumer lending, payments, deposit products, and digital banking features. The business makes decisions at the speed the market requires. Risk management validates those decisions at the speed the process allows. Everything that happens in between is exposure.

Closing the gap between those two timelines has two standard solutions, both of which carry costs that financial institutions systematically underestimate.

Two Bad Choices

The first is to slow the business. In well-governed institutions, the risk function holds genuine authority to gate product launches and delay partnerships until the work is done properly. The risk work gets done, but the costs appear elsewhere: in missed market windows, in competitors who moved faster, in product teams that learn to route around the second line rather than through it.

That last consequence is the most dangerous. When risk is experienced as the function that causes delays rather than the function that makes the business safer, it loses organizational credibility. And a risk function that has lost organizational credibility is worse than ineffective. It is a governance liability. Decisions get made without risk input. The second line gets excluded from conversations it should be shaping. The exposure grows invisibly until an examination makes it visible.

The second approach to closing the gap is to compress the work. This is the more common choice, particularly in high-growth environments and at institutions facing competitive pressure. Assessments that should take months are completed in weeks. Scope narrows. Assumptions get made that should be tested. Senior review gets abbreviated. Documentation thins.

The compressed assessment does not look obviously wrong. It has the right structure, the right headings, the right sign-offs. But it is doing materially less analytical work than the situation requires. And the gap between what it documents and what an examiner will expect is quietly widening.

The OCC, the Fed, the FDIC, and the CFPB have all signaled sustained scrutiny of second-line governance practices in examination cycles. Consent orders issued in the past three years consistently cite the same underlying failure: risk frameworks that exist on paper but are not operationally embedded in how the institution actually makes decisions. The compressed assessment produces exactly that kind of framework. Thorough-looking documentation. Thin underlying analysis. A regulator walking through the door will find the gap.

The Human Cost

There is a dimension of this problem that receives less attention than it deserves, and it is one that should concern every risk leader thinking about talent.

The best risk professionals in financial services are not the ones who have found a comfortable equilibrium between speed and quality. They are the ones who refuse to accept tradeoffs as inevitable. They know exactly how the work should be done. They understand what a defensible process looks like. They understand what an examiner will be looking for. And they are operating in environments where doing it right is structurally impossible at the pace the business requires.

The result is a talent problem that most institutions misdiagnose as a compensation or culture issue. Senior risk professionals leave high-growth environments not primarily because of workload, though that issue is real. They leave because they are being asked to sign assessments they do not fully stand behind. They are being asked to put their professional judgment, and in some cases their personal regulatory exposure, on work they know is inadequate.

Institutions that solve the velocity problem do not just get faster risk decisions. They create conditions where the people committed to doing the work right can actually do it.

What AI Changes, and What It Does Not

The emergence of AI capable of handling complex, structured analytical work has begun to shift the calculus here. But the shift requires careful framing, because the most common misapplication of AI in financial services risk management makes the underlying problem worse, not better.

The goal is not to automate the judgment out of risk work. Regulatory judgment, contextual interpretation, and accountability for decisions cannot and should not be delegated to a model. Any technology that positions itself as a replacement for experienced risk professionals is selling something that regulated institutions should not be buying.

The goal is to address the specific bottlenecks that make thorough risk work slow, without touching the parts that require human judgment.

Consider what actually consumes time in a comprehensive risk assessment. Data assembly: pulling information from core systems, transaction monitoring platforms, third-party databases, and regulatory sources that were never designed to communicate with each other. A skilled analyst can spend weeks assembling inputs before analysis begins. Framework application: translating regulatory guidance and institutional policy into a structured evaluation of the specific product or partnership under review. Documentation: producing auditable records that demonstrate not just the conclusion but the process, the reviewers, the data sources, and the reasoning.

Each of these is time-consuming. None of them inherently requires a senior risk professional's judgment. They require rigor and consistency, which is precisely what well-governed AI can provide. When those layers are handled by an AI system operating within defined parameters and under appropriate human oversight, the senior risk professional's time is freed for the work that actually requires their expertise: interpreting edge cases, exercising contextual judgment, and standing behind the conclusions with their professional credibility.

Don't miss tomorrow's conversation on the next era of fintech and the future of finance.

Tomorrow, May 20, fintech takes center stage as the Financial Technology Association and Semafor host Banking on the Future,  a half-day forum exploring the ideas, policies, and technologies shaping the next era of financial services.

Join us in person or tune in via livestream for conversations featuring Comptroller Jonathan Gould, HFSC Chairman French Hill, Ranking Member Maxine Waters, Rep. Bryan Steil, House Majority Whip Tom Emmer, Sen. Tina Smith, and leaders from Betterment, Revolut, Wise, and Zip.

Tune in tomorrow!

What This Means for Examiners

Some risk leaders have raised the concern that AI-assisted risk work will be viewed skeptically by examiners: that a process involving automation will be seen as less rigorous than one done entirely by human analysts. That concern deserves a serious answer.

Examiners care about three things: whether the analysis was thorough, whether the documentation is auditable, and whether the conclusions were reached through a defensible process with appropriate oversight. A risk assessment completed in three weeks by an AI-assisted team that can demonstrate each of those elements is more defensible, not less, than an eight-month assessment where documentation was thinned to meet a deadline and senior review was abbreviated because the team was running three other assessments simultaneously.

AI, properly governed, makes that demonstration easier, not harder.

The Competitive Dimension

For business leaders at regulated financial institutions, the framing above may feel like a risk management argument. It is critical to realize that it is also a competitive one.

Every week a product launch is delayed pending risk review has a cost. Every market window that closes while an assessment is in progress has a cost. Every business leader who internalizes that risk is the function that slows things down, and starts finding workarounds, has a cost that compounds over time in ways that are difficult to quantify until a regulator quantifies it for you.

The institutions that close the velocity gap will have a durable advantage over those that do not. They will launch faster. They will partner more confidently. They will enter new products and markets more decisively. And when the examiner arrives, they will be in a position to demonstrate exactly what was done and why.

The ones that do not close the gap will continue managing the tension between risk speed and business speed until that tension resolves itself in the form of an enforcement action.

The clock problem in financial services risk management has a solution. It does not require slowing the business. It does not require accepting inferior risk work. It requires building the infrastructure that risk governance should have had a decade ago, and that is now, finally, within reach.

The window to address this proactively is always narrower than it looks.

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.

Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.

If an idea matters, you’ll find it here. If you find an idea here, it matters. 

Interested in contributing to Open Banker? Send us an email at [email protected].

OPEN BANKER SALON - JUNE 5, 2026

We started Open Banker to raise the quality of financial policy debate. Now, we are bringing the newsletter to life with our first ever event: Open Banker Salon. This isn't a typical conference. No 40-minute talking-head panels. No bland keynotes. The Salon is designed for real intellectual engagement with in-depth debate-style discussions.

Location: The Aspen Institute, Washington, DC

Standard pricing ends on Thursday. Pay just $795. Register here today!