On 27 April, nearly 30 participants from around 20 asset management firms came together for our Asset Management Forum. The day was marked by open sharing of experiences and collaborative discussion. Read on for our key takeaways, including how the risks are becoming more interconnected than ever before, the importance of data-driven risk management and the impact of change.
High engagement and positive feedback
The forum received a 4.8/5 overall rating, with one participant saying:
“A great initiative - extremely useful, well organised and invaluable.”
Strong interconnection of risks
A dominant theme throughout the forum was the increasing interconnectedness of risks, particularly across operational, cyber, third-party, geopolitics and technology risk domains.
It's now impossible to talk about cyber without mentioning third party or geopolitics. This then requires a less siloed approach to how risk is reported and managed. Participants agreed that assessing risks in siloes doesn’t reflect today’s complex operating environment and can't accurately capture the true risk profile of firms.
Cyber and third party risks are closely linked. Third parties often operate with fewer resources, creating weaker cyber controls and increasing vulnerability across the value chain. Therefore, governance, prioritisation and decision making should reflect these interconnections, not treat categories separately.
Despite the challenges, some positive observations also emerged:
- Investments in cyber seem to reduce losses so far, but continuous improvement is vital as threats evolve
- Greater transparency on incentives and stronger regulatory engagement have contributed to fewer conduct incidents
Moving toward integrated, data‑driven risk management
In response to increasingly interconnected risks, we saw progress toward more integrated and data-driven approaches to risk management. Examples included:
- Experimentation with data lakes to aggregate risk signals across functions
- Using sensitivity analysis to understand how different risk drivers interact and amplify one another
Our attendees highlighted both the importance of context and change awareness when interpreting risk data, and the need to translate insights into clear business language that supports effective decision making.
The evolving role of the risk function in change management
The forum highlighted the growing role of the operational risk function in change and transformation initiatives, with timing and proportionality being a particular focus. Although everyone agreed that operational risk must be aware of all significant change programmes from the start, when to actively get involved was the subject of much discussion.
The appropriate level and timing of risk involvement in change initiatives depends heavily on the nature and scale of the change itself. In general, earlier engagement is preferable. But, excessively early involvement can be inefficient, for example if a pilot initiative fails to progress. Conversely, late engagement limits the ability of risk functions to identify and address issues promptly.
Ideally, risk would be aware of all change initiatives and decide when to get involved. This may be after a pilot phase, once initial outcomes are visible and risk teams can provide more informed, relevant and constructive challenge. Alternatively, it may be at the inception of a project. Engagement should be proportionate to the criticality of the project, which some argued was linked to financial expenditure.
Practices discussed included tiered engagement models, such as:
- Risk opinions for large/high-profile projects: documenting key risks, control considerations, alignment with risk appetite and recommended actions
- Scoped risk assessments for medium projects: more focused and flexible than full RCSAs
- Surveys for small projects: used to identify potential risks, build awareness, and determine whether deeper involvement is required
Cultural challenges were also acknowledged. To ensure value, risk should be embedded in existing processes, rather than introduced through additional committees. The concept of 'risk champions' was discussed but not universally accepted. Some delegates felt that risk champions can unintentionally create disengagement, reinforcing the perception that risk is someone else’s responsibility. As a potential alternative, they discussed stronger alignment between risk objectives and remuneration to encourage broader ownership of the risk landscape.
AI: early adoption, high expectations
Although still in the early stages, firms are exploring practical ways to use AI and enthusiasm and expectations are high. Examples shared by participants included:
-
Replacing GRCs or enhancing reporting out of an existing GRC
- Capturing and analysing risk events by reviewing large volumes of unstructured qualitative information (e.g. email threads) to understand causes, decisions and actions
- Supporting regulatory reporting by feeding regulatory templates into AI tools (e.g. DORA templates)
- AI-driven RCSAs, proposing likelihood and severity assessments using inputs such as business descriptions, processes, prior RCSA results and internal/external loss data
- Incident chatbots to collate information and route it to operational risk teams
It was widely acknowledged that the quality of AI outputs depends heavily on prompt design and data quality, and that AI hallucinations remain a concern. Participants shared techniques – such as instructing AI to clearly signal uncertainty and to challenge potential human bias – that can help mitigate this.
Attendees also highlighted two broader points:
-
People will need to evolve alongside AI, with risk professionals needing to develop new capabilities, such as prompt design and output review.
-
While AI won't transform operational models immediately, future transformation could be significant, potentially reducing reliance on traditional GRC tools as firms increasingly build tailored solutions.
Third party and intragroup arrangements
Third party risk remains a significant concern for the asset management sector. Our discussions focused on intragroup arrangements and the challenges they can present, especially where regulators in certain jurisdictions expect the same standards to be applied as for external third‑party arrangements. These arrangements may not adhere to the same level of formalised documentation as external third parties.
In practice, however, intragroup outsourcing can facilitate faster and easier access to information due to closer organisational ties. While the underlying requirements remain consistent – namely, that intragroup providers should be assessed to the same standards as external providers – the approach to meeting these requirements may differ. Intragroup arrangements typically benefit from greater transparency, smoother information flows and improved visibility over fourth‑party dependencies.
The forum showed a sector navigating complex, interconnected risks against a backdrop of AI adoption and rapid business change. Participants agreed on the need for:
- Integrated, data‑driven risk management
- Clear ownership and stronger risk culture
- Governance frameworks that support business without slowing progress
Next steps
Future events
We're looking at holding a similar event in the US later in the year. Please get in touch if you'd like more information or are interested in attending.
Supporting the asset management sector
Our participants highlighted the value of collective knowledge sharing with their peers, with many expressing an interest in continuing this collaborative dialogue. So, we're exploring how we can continue to support the asset management sector. Whether you're an ORX member or not, if you'd like to be involved, please contact us.
