Risk Management Blog | Pirani

Risk-Management Milestones in the US 2025

Written by Maria Elisa Rojas Merino | November 10, 2025

The U.S. regulatory landscape in 2025 is changing faster than ever, redefining what it means to manage operational risk effectively. From rethinking the concept of reputational risk to revising climate-risk oversight, regulators are forcing organizations to move from reactive compliance to adaptive governance.

For ORM teams, these shifts mean more than keeping up with regulations—they require a new capacity to interpret change, evaluate operational impact, and demonstrate readiness. Let’s explore the key milestones that are reshaping how risk management operates across U.S. financial institutions this year.

The OCC retires “reputational risk” as a supervisory category

One of the most discussed developments came on October 7, 2025, when the Office of the Comptroller of the Currency (OCC) announced that it would no longer classify “reputational risk” as a distinct supervisory category for banks.

According to the OCC, reputation should be treated as an outcome of how other risks are managed, not a risk type in itself. For operational-risk teams, this marks a conceptual shift: the focus now moves to measuring root causes (controls, processes, vendor reliability, incident transparency) rather than trying to quantify reputation abstractly.

What it means for ORM:

  • Reputation management becomes a cross-cutting control domain.
  • ORM functions must ensure visibility across communication, service continuity, and third-party incidents, which all feed reputational outcomes.
  • Documentation and traceability—core strengths of ORM platforms like Pirani—become critical to demonstrating that governance integrity drives reputation, not PR management.

Climate-risk principles withdrawn: resilience takes center stage

A week later, on October 16, 2025, U.S. regulators, including the Federal Reserve, FDIC, and OCC, jointly announced the withdrawal of the Interagency Principles for Climate-Related Financial Risk Management for Large Financial Institutions.

This decision reflects a broader pivot: rather than mandating climate-specific risk frameworks, agencies now emphasize integrating environmental events and disruptions into operational resilience planning.

Implications for ORM:

  • Climate and environmental events are reframed as operational continuity risks, not separate risk categories.
  • ORM programs should capture dependencies—supply chains, data centers, logistics—and test them under severe-weather scenarios.
  • Regulators still expect evidence of impact tolerance and recovery testing, aligning with OCC’s broader resilience agenda.

In short, the message is clear: focus less on labeling new risks, and more on proving continuity under changing conditions.

KPMG highlights 2025 as the year of regulatory acceleration

Complementing these regulatory moves, KPMG’s Ten Key Regulatory Challenges of 2025 report underscores that financial institutions face an unprecedented pace of change across cybersecurity, AI governance, and third-party risk.

For risk managers, this acceleration translates into a heavier burden of coordination.

ORM leaders are being asked to interpret overlapping frameworks, anticipate reporting obligations, and ensure data integrity across multiple jurisdictions—all while budgets remain static.

Key takeaway:

  • Regulatory change itself is becoming a material operational risk.
  • Organizations need structured processes to track, assess, and document regulatory impacts as part of their risk registers.
  • Automation and audit trails—core functionalities in systems like Pirani—help teams stay aligned with evolving expectations.

A broader pattern: from classification to capability

Looking across these milestones, a clear pattern emerges: regulators are moving away from adding more categories of risk, and instead focusing on an organization’s capability to adapt.

Whether it’s retiring “reputational risk,” reframing climate risk, or accelerating regulatory cycles, the trend points to a maturity model of risk governance—where what matters is not how risks are labeled, but how resiliently they are managed.

This evolution blurs the lines between operational risk, compliance, and strategy.

ORM professionals must now demonstrate that their frameworks support not just loss prevention, but business continuity, transparency, and resilience under pressure.

How ORM technology enables adaptation

Modern risk-management platforms are no longer just repositories for risk registers—they are dynamic systems of record for resilience.

With Pirani, organizations can:

  • Map regulatory obligations to specific processes and controls.
  • Assess operational impact whenever regulations change.
  • Track incidents and evidence to prove regulatory readiness.
  • Automate version control and traceability for audit reviews.

By embedding regulatory monitoring within ORM, teams can turn uncertainty into advantage: every change becomes a chance to strengthen operational discipline.

2025 has made one thing clear: change itself is the most persistent operational risk.

As regulatory priorities evolve, ORM functions must mature from compliance gatekeepers to enablers of resilience and agility. With robust frameworks and technology, organizations can anticipate disruption, document adaptation, and demonstrate control—all of which are now core to regulatory confidence.

Navigating regulatory change no longer depends on manual updates and fragmented spreadsheets. With Pirani, your organization can integrate every new requirement into a living operational risk framework—complete with traceability, accountability, and real-time reporting.

Discover how Pirani helps ORM teams stay ahead of evolving regulations and strengthen their resilience.

Schedule a demo today and see how Pirani can become your most trusted ally in managing regulatory change.

FAQ 

  • What are the main regulatory changes affecting risk management in the U.S. in 2025?
    In 2025, the OCC removed “reputational risk” as a supervisory category, federal regulators withdrew the Interagency Climate-Risk Principles, and new regulatory-change challenges were highlighted by KPMG. Together, these signal a shift toward measuring organizational adaptability and operational resilience rather than adding new risk categories.

  • Why did the OCC retire reputational risk as a standalone category?
    The OCC stated that reputation is an outcome of how effectively an organization manages its other risks—particularly operational, compliance, and third-party risks—so it should not be assessed in isolation.

  • How does the withdrawal of climate-risk principles affect ORM teams?
    It redirects attention from climate-specific frameworks to broader operational-resilience testing. ORM functions must now evaluate how climate events and environmental disruptions impact continuity, recovery, and third-party dependencies.

  • What does KPMG mean by “regulatory acceleration” in 2025?
    KPMG identifies a rapid increase in regulatory updates related to cybersecurity, AI governance, and third-party oversight. For ORM teams, this means managing regulatory change itself as a core operational risk and using technology to maintain traceability and readiness.

  • How can technology like Pirani help manage regulatory change?
    Pirani enables organizations to map new regulations to processes and controls, track updates, document evidence, and monitor compliance in real time—helping ORM teams turn regulatory change into a continuous-improvement process.
