Global Risk Management Benchmarks: How India's CROs Compare to Their Peers in Singapore, London and New York

When the Basel Committee on Banking Supervision finalises a new standard — whether on credit risk capital requirements, operational risk, or climate risk disclosures — the ripple effects reach Mumbai, Chennai, and Bengaluru with increasing speed. India's adoption of Basel III norms, under the RBI's careful sequencing, has brought India's banking system closer to global risk management standards than at any point in its history. But adoption of a framework and mastery of its philosophy are different things — and the gap between India's current risk management practice and the most sophisticated global benchmarks reveals both the distance still to be travelled and the genuine strengths that India's CROs bring to the table.

India's financial sector is benchmarked in this piece against three global risk management centres: Singapore, which has positioned itself as Asia's most rigorous risk governance hub and whose Monetary Authority (MAS) has published some of the world's most detailed technology risk and cyber risk guidelines; London, home to global banks with highly sophisticated risk functions and the Prudential Regulation Authority (PRA) which operates one of the most demanding supervisory regimes globally; and New York, where US money-centre banks have invested decades and billions of dollars in quantitative risk infrastructure.

The Credit Risk Benchmark

In credit risk — the assessment, pricing, and management of lending exposures — India's top-tier private sector banks have made remarkable progress in the past decade. HDFC Bank, ICICI Bank, and Kotak Mahindra Bank have built credit risk infrastructure — statistical models, portfolio monitoring systems, early warning indicators — that is genuinely comparable to global benchmarks at the retail and MSME lending level.

The gap is most evident in corporate and institutional credit risk. Sophisticated credit risk management at the large corporate level requires capabilities that Indian banks are still developing: complex structured finance assessment, multi-jurisdiction credit analysis for cross-border lending, and the real-time monitoring systems that allow a CRO to identify credit deterioration before it becomes a problem visible in published financials. The credit risk modelling capability at major US and European banks — using machine learning on large datasets of corporate credit histories — is significantly more advanced than anything currently deployed in India's banking system.

Public sector banks, which account for a majority of India's banking assets, face a more fundamental challenge. The credit decision-making culture in Indian PSBs has historically been characterised by committee-based processes, bureaucratic risk aversion on legitimate commercial transactions, and political pressure on large corporate lending decisions. The RBI's Prompt Corrective Action framework and the banking sector resolution infrastructure created under the Insolvency and Bankruptcy Code have improved discipline significantly, but the cultural transformation required to build genuine credit risk culture in PSBs is a multi-decade project.

Technology Risk: The MAS Benchmark

The Monetary Authority of Singapore's Technology Risk Management Guidelines represent arguably the most comprehensive and operationally detailed technology risk framework published by any financial regulator globally. MAS's requirements cover IT governance structure, cyber resilience, data management, cloud computing governance, and third-party technology risk — with specific and measurable expectations that go well beyond the principle-based guidance typical of earlier risk frameworks.

India's RBI has been moving in the same direction, but with a meaningful lag. The Master Direction on IT Governance, RBI's IT Risk and Cyber Risk Guidelines, and the recently issued Cybersecurity Framework represent progressive steps toward MAS-level specificity — but Indian banks are generally further from compliance with these guidelines than Singaporean banks are with MAS's equivalents.

The gap is particularly evident in third-party technology risk management. Indian banks have historically had limited visibility into the technology risk practices of their IT service providers — a significant exposure given that the Indian banking system is heavily dependent on a small number of large technology vendors (Infosys Finacle, TCS BaNCS, Oracle FLEXCUBE) and an even larger number of fintech and SaaS providers integrated through APIs. The MAS framework requires banks to perform detailed due diligence on all material third-party technology providers, including on-site assessments, contractual risk controls, and ongoing monitoring. Most Indian banks are far from this standard.

Model Risk: The New York Benchmark

US money-centre banks — JPMorgan Chase, Citibank, Goldman Sachs, Bank of America — have invested decades in model risk management: the governance of the quantitative models that drive credit decisions, market risk capital calculations, and operational risk assessments. The Federal Reserve's SR 11-7 guidance on model risk management, issued in 2011, established the global benchmark for model governance, requiring banks to validate all quantitative models independently of the teams that build them.

Model risk management in India is at an early stage of development. The concept — that models can be wrong, that model errors can cause systematic risk mispricing, and that independent validation of models is a regulatory requirement — is understood in principle by India's most sophisticated risk organisations. SBI, HDFC Bank, and ICICI Bank have model risk management functions. But the depth of independent model validation capability, the documentation standards, and the governance culture around model risk are materially below the US benchmark.

This gap matters because India's financial sector is rapidly deploying machine learning models in credit decisioning, fraud detection, and regulatory capital calculation. ML models introduce model risk dynamics that are qualitatively different from traditional statistical models — their non-linearity makes them harder to validate, their dependence on training data makes them sensitive to distributional shifts, and their opacity makes regulatory review more challenging. The model risk management frameworks that Indian banks have built for traditional statistical models are not adequate for the ML era.

What India Does Better: Relationship Intelligence and Contextual Judgment

The comparative analysis above identifies areas where India's risk management practice lags the global frontier. It would be incomplete without acknowledging areas where India's risk professionals have genuine competitive advantages that their London or New York peers would benefit from studying.

India's CROs have developed exceptional capability in relationship-based credit intelligence — the informal networks of knowledge about borrower behaviour, management quality, and business fundamentals that are captured through long-standing banking relationships and local market presence. This capability is genuinely difficult to codify in a model or a framework, and global banks operating in India have consistently found that their quantitative credit models significantly underperform the relationship-intelligence-based credit judgements of experienced Indian bankers in the domestic corporate market.

"My counterpart in Singapore runs a more sophisticated risk function in terms of tools and technology. But when it comes to understanding a mid-sized Indian manufacturing company's true credit quality, I would back my team's judgment every time." — Executive Director and CRO, a mid-sized Indian private sector bank.

India's CROs have also developed significant capability in managing risk under conditions of regulatory ambiguity — the ability to make sound commercial and risk decisions when the regulatory framework is evolving and the compliance requirements are unclear. This is a skill that is less valued in highly codified regulatory environments like Singapore or the UK, but is extremely valuable in the many emerging market contexts where India's financial institutions are expanding.

The Convergence Trajectory

The direction of travel is clear: India's risk management standards are converging toward global benchmarks, driven by RBI and SEBI's increasing adoption of global frameworks, the internationalisation of India's financial institutions, and the growing presence of global banks and investors who import their home-country risk culture to their India operations.

For India's CROs, the practical implication is that the benchmarking process is no longer optional. Boards, audit committees, and increasingly institutional investors want to understand how the institution's risk management practice compares to global standards — and they want CROs who can answer that question with specificity, not just with reassurances. The CROs who can lead this benchmarking conversation credibly — who understand what the MAS guidelines require, what the Fed's SR 11-7 expects, and how India's current practice compares — will be significantly more effective in gaining board confidence and driving the investment in risk infrastructure that convergence requires.