Information Security (including Cyber), has topped a league table of operational risk concerns for global banks and insurers. Followed by Third Party risk and Technology, all three top risks reflect continuing digital transformation in financial institutions, which is heavily impacting these scores. Information security has topped the survey for the last four years, but this year indications are that it is now being managed more effectively.
Rise of AI has potential to adversely impact wide range of risk types
We published our findings in the ORX Top Risk Review June 2023 report. We found that Information Security risk, driven by cyber threats, continues to challenge the industry. Events have shown that it only takes one successful attempt to potentially disrupt an entire organisation and cause widespread financial and reputational damage. However, the good news is that 87% of those who took part in the review said their organisation is managing the risk effectively and are continuously investing in cybersecurity controls and capabilities.
The results in this year’s report also reflect the explosive rise of generative AI, bringing artificial intelligence to the forefront of agendas. Opportunities include improved decision-making and process optimisation but conversely, AI and generative AI have the potential to adversely impact a wide range of risk types, notably Information Security (incl. Cyber), Data Management, Technology, Model, Transaction Processing & Execution, Regulatory Compliance and Conduct risk.
Luke Carrivick, ORX's Executive Director explains:
“I’m not surprised that information security remains the top concern for our members, as digitalisation permeates all areas of operational functions. What is encouraging is the increased confidence in managing and mitigating these risks as they arise and reflects the industry’s improving handle on tackling cyber and other digital threats. Stability is also reflected by 60% of respondents expecting their scores to stay the same in the next six months.
"The prevalence of AI is definitely one to watch and we’ll be spotlighting this in the coming months in our cyber-specific service as a key area of focus for operational risk.”
Third Party risk ranks in second place as oversight challenges continue. With third party arrangements becoming increasingly instrumental in critical business services, supplier risk management is a priority and if not monitored or managed effectively, could lead to significant vulnerabilities.
The top five ranked risks from the last four Top Risk Review surveys
Top Risk Review Nov 2021 | Top Risk Review May 2022 | Top Risk Review Nov 2022 | Top Risk Review June 2023 | |
1st | Information Security (including Cyber) | Information Security (including Cyber) | Information Security (including Cyber) | Information Security (including Cyber) |
2nd | Technology | Third Party | Third Party | Third Party |
3rd | Third Party | Technology | Technology | Technology |
4th | Regulatory Compliance | Data Management | Data Management | Data Management |
5th | External Fraud | People | People | Regulatory Compliance |
Responses also suggest that skills shortages and retention challenges persist, but with a sharp drop from 5th to 11th position, people risk concerns may be starting to ease. Moving from 11th to 6th position since the last review, External Fraud has seen the greatest upward movement of all 16 risks. While availability of advanced technology may be acting as a common enabler, difficult economic conditions were listed as a key driver.
Luke Carrivick adds:
“Benchmarking is an area that our members have been asking for as part of their risk measurement initiatives, and so for the first time since launching the Top Risk Review, participants will receive a personal benchmark highlighting how their responses compare to the industry’s. We can now include average vs individual scores and insights on how their scores compared to the rest of the participant group.”
ORX members can read the report for free as part of ORX Membership, while non-members can purchase it for analysis and insights.