Navigating the operational risk landscape is becoming more challenging for banks and insurers. The ecosystem in which firms operate is becoming more complex and interconnected and regulatory expectations are increasing.
Robust quantification of risks as a means of understanding and managing those risks is essential. Furthermore, a credible and dependable methodology that can achieve business buy-in may yield further benefits across the wider risk management function.
We explored this topic with our Analytics Working Group (AWG), the participants of which represent firms with some of the most advanced quantification approaches in the industry. Participants shared their risk categorisation and quantification methodologies and also assessed their maturity in four quantification areas: cyber risk, third party risk, climate risk and risks associated with AI. The findings are described in our 2024 Risk Quantification Practices Paper.
Firms are at varying degrees of maturity with respect to quantifying risks, with firms considering themselves more mature in cyber risk quantification, followed by third party and climate risk. Firms reported achieving less in the AI-associated risk quantification space.
Progress being made in cyber risk quantification
Modelling and analytics functions are confident in their ability to quantify cyber risk. A range of mature approaches are in play across the industry.
It is important to note that the benefits of adopting such advanced approaches must be carefully weighed against the costs, with significant overheads needing to be absorbed initially. However, it is clear that significant headway has been made, with the industry implementing comprehensive categorisation programmes and appropriately responding to the perceived materiality of this risk type within firms.
No silver bullet for third party risk quantification
The July 2024 CrowdStrike outages and other high profile events such as the MoveIT file transfer data breach underline the vulnerabilities that may be introduced via working with third parties. For financial firms, proper categorisation of related risks and understanding third party risk exposures is paramount to addressing these concerns. The industry collectively considers this risk type to be material and categorisation efforts are well underway. There are however few cases where firms are confident in their quantification approaches, with best practices not yet being identified and adopted more widely.
Climate risk categorisation efforts being made, but challenges persist with quantification
In previous years, conversations with various groups such as the CCAR Community surfaced difficulties around categorisation of climate risk. The industry reported facing a common set of challenges with regards to gathering the right data on physical and transition risk losses across the business and making it available for analysis. Our 2024 study paints a different picture and suggests progress has been made in the space, in particular in the realm of climate risk categorisation and reporting.
Nevertheless, challenges in the quantification space persist and present significant roadblocks for the industry. These include issues relating to data availability and a reliance on proprietary vendor models that are difficult to internally validate.
Questions remain around how to quantify AI-associated risks
As per ORX’s Risk management considerations for generative AI study, over 75% of firms surveyed are already deploying generative AI solutions within their organisations and this trend is likely to continue. Whilst adoption of AI tools delivers distinct advantages across the business, this also introduces associated challenges, such as navigating incoming regulations on AI and increased risk correlations resulting from AI usage.
Despite this, little progress has been made in quantifying – or indeed categorising – risks associated with AI in the industry.
It is clear that the industry will need to step up efforts in the near future. There is an opportunity for the industry to move quickly and take steps now to build the foundations for good AI-associated risk quantification practices.
Resources to assist your risk quantification programme
ORX is available to support you in your quantification journey. As part of the 2024 report, you can learn more about how ORX’s loss data services, research programme and our premium services (ORX Cyber, ORX News, ORX Scenarios) can all help provide data and industry insights to contribute to the success of your firm’s risk quantification programme.
The ORX website also contains a catalogue of our risk measurement research that explores other relevant themes – you can find this on the Risk Measurement Resource Explorer page.
