External fraud has entered the list of top five operational risks in our latest Top Risk Review, above business continuity and regulatory compliance. AI has been cited as key to driving this increase, as it fuels more sophisticated, harder-to-detect fraud schemes that succeed in bypassing controls.
The top four rankings of Information Security (incl. Cyber), Third Party, Technology and Data Management have remained unchanged since May 2022. All four top risks reflect continuing digital transformation in financial institutions, which is heavily impacting these scores.
Steve Bishop, ORX's Director of Research and Information, explains:
“There appears to be a race to implement artificial intelligence for ‘good’ and ‘bad’. Although the firms we work with do not appear to be suffering major cyber breaches, criminals continue to use AI in an attempt to circumvent security controls. This threat results in increased pressure to have robust prevention and detection measures in place.”
“Now more than ever it is crucial to keep defences robust in light of new and emerging technology.”
The top five ranked risks from the last four Top Risk Review surveys
| Rank | Top Risk Review Nov 2021 | Top Risk Review May 2022 | Top Risk Review Nov 2022 | Top Risk Review June 2023 | Top Risk Review Nov 2023 |
| --- | --- | --- | --- | --- | --- |
| 1st | Information Security (including Cyber) | Information Security (including Cyber) | Information Security (including Cyber) | Information Security (including Cyber) | Information Security (including Cyber) |
| 2nd | Third Party | Third Party | Third Party | Third Party | Third Party |
| 3rd | Technology | Technology | Technology | Technology | Technology |
| 4th | Data Management | Data Management | Data Management | Data Management | Data Management |
| 5th | People | People | Regulatory Compliance | External Fraud | External Fraud |
Information Security (incl. Cyber) continues to dominate first position
Despite Information Security topping the survey for the last four years, indications this year are that it is now being managed more effectively. Regardless, threat levels remain high, with awareness of the potential impact of just one successful attack on an organisation’s operational resilience.
External Fraud risk enters the top five for the first time in two years
External Fraud now enters the top five for the first time since November 2021, replacing Regulatory Compliance. Survey participants consistently called out an increasing frequency of fraud and scam events, in particular those targeting customers, as the key reason for scoring the risk highly. Economic pressures and the growing perception of fraud's increasing profitability were also key factors.
Rapid development of AI is creating both opportunities and threats
According to the survey, the use of AI is lowering the barriers to entry, resulting in fraud methodologies that are increasingly difficult to detect. Banks and insurers expressed concern about upcoming or potential changes to customer reimbursement rules and regulations in some regions and jurisdictions.
The report revealed a sense of urgency in adopting AI, with respondents seeing it as part of both the methodologies of fraudsters and the decision-making and critical business functions of competitors. However, respondents acknowledged that the use of AI comes with a range of associated risks, from compliance challenges to validation of AI models.
Third parties are a potential vulnerability
Reliance on third parties to perform business-critical tasks and processes continues to place significant elements of control environments and risk exposure areas outside the direct control of organisations themselves. Concerns around the robustness of third parties’ risk management practices, combined with a strong regulatory focus on third party-related risks, have reinforced Third Party risk’s position as the second-highest ranked risk, with a growing gap down to third place.
ORX members can read the report for free as part of ORX Membership, while non-members can purchase it for analysis and insights.