AWS re:Invent 2025 - Building a Cloud-Native Risk Decisioning Platform for Resilience (AIM273)

Building a Cloud-Native Risk Decisioning Platform for Resilience

Overview

• Capital One, a leading financial institution, has built a cloud-native Integrated Risk Management (IRM) platform to transform their approach to risk management.
• The platform aims to provide real-time, intelligent risk management capabilities that help anticipate and proactively manage risks, rather than just reacting to events.
• The decision to build the platform in-house, rather than adopting a vendor solution, was driven by the need for flexibility, control, and the ability to continuously customize the platform to meet evolving business and regulatory requirements.

Driving a Software-Centric Approach to Risk Management

• Capital One views itself as a "software company that happens to be a bank," which has shaped its approach to governance, risk, and compliance (GRC).
• The engineering team has embedded security and compliance practices into the development lifecycle, treating security as an engineering discipline.
• This includes using developer tools to ensure secure coding practices from the start, leveraging cloud-native security features, and maintaining a high velocity of secure code deployment.

Building a Flexible, Cloud-Native IRM Platform

• Capital One's IRM platform is designed around a flexible object model that represents risks, controls, issues, and events, allowing for dynamic relationships and interactions between these elements.
• This object-oriented approach, combined with a cloud-native architecture, enables the platform to scale, adapt, and integrate new capabilities as the business and regulatory landscape evolves.
• The platform has been designed to provide a world-class user experience, with a focus on driving user adoption and demand across the organization, not just within the risk management function.

Integrating Acquisitions and Regulatory Oversight

• When Capital One acquired Discover, the integration of the IRM platform was a key consideration, as it allowed Discover to inherit Capital One's risk management practices and policies.
• The regulators have been involved in the platform's development, providing feedback and oversight, which has helped ensure the platform meets regulatory expectations and can be easily integrated into the regulatory reporting process.

Leveraging AI and Machine Learning for Risk Management

• Capital One is exploring the convergence of AI, compliance, and risk management, recognizing the potential for AI to enhance real-time risk monitoring, regulatory reporting automation, and proactive risk identification.
• The cloud-native architecture of the IRM platform allows for the seamless integration of new AI and machine learning capabilities as they become available, ensuring the platform remains future-ready.

Key Takeaways

• Capital One's decision to build a custom, cloud-native IRM platform was driven by the need for flexibility, control, and the ability to continuously evolve the platform to meet changing business and regulatory requirements.
• The platform's object-oriented design and cloud-native architecture have enabled scalability, adaptability, and the integration of new capabilities, including AI and machine learning.
• Embedding security and compliance practices into the development lifecycle, treating security as an engineering discipline, has been a critical aspect of the platform's design.
• The platform's focus on user experience and adoption has been a key differentiator, driving demand across the organization and aligning with Capital One's vision of being a software-centric financial institution.
• The close involvement of regulators in the platform's development has helped ensure it meets regulatory expectations and can be easily integrated into the reporting process.