This blog highlights key findings from the 2025 Operational Risk Horizon report, offering insights into the most pressing emerging risks, macroenvironmental factors and industry trends shaping financial firms.
47
firms surveyed
11
emerging risk categories
3
topics in focus
An interconnected risk landscape is changing risk management
The increasing interconnectivity of the risk landscape is changing how risks are viewed and assessed.
Risks can no longer be assessed in isolation, making management and assessment more difficult. Looking at the top five emerging risk categories, it is clear that the boundaries between individual risks are becoming harder to define.
An interconnected top five dominated by the digital and geopolitical factors
Against a backdrop of geopolitical instability and economic pressures, a digital throughline emerges among the top five risks. New technologies such as AI are increasing the sophistication of cyberattacks, leading to operational disruption. Concerns around business service disruptions are spurred on by the reliance on a complex web of third party providers, with a significant concentration in cloud suppliers, posing potential systemic risk to the industry.
Firms recognise the ongoing importance of operational resilience as they navigate the cybersecurity challenges of the interconnected landscape
Driving concerns about resilience is the growing complexity of third-party ecosystems that firms rely on for product and service provision. The interconnection between third parties and cybersecurity is a key concern, as it could lead to security breaches, data privacy risks and service outages. With a high regulatory focus on operational resilience, visibility and oversight of third-party relationships remain a top priority.
Trade-offs of digitalisation
The pace of digital change is forcing institutions to balance the risks of legacy systems and new technologies and fast change against the risk of being left behind. As outlined in our strategic vision for ONFR, this digital transformation is built from a digital core, with data at its centre.
This shift has cascading impacts on legal, cyber, conduct, and resilience risks. Digital transformation is expanding institutions’ risk exposure in ways that are difficult to predict and assess.
A rapidly evolving external environment
Geopolitics
Considering the uncertain and rapidly evolving global geopolitical situation, this remains a key driver across the risk profile, driving cybercrime, business disruption and supply chain challenges, as well as regulatory uncertainty.
Climate
Climate risk has fallen in ranking this year as firms actively manage this risk while regulatory uncertainty has reduced. However, climate remains a driver of other risk categories, notably business service disruption, supply chain challenges and conduct risks. Considering recent and potentially upcoming global geopolitical changes and associated impacts on the regulatory landscape, the uncertainties of climate transition risk could resurge in the future.
Technology
Advancing cybercrime and Technology and Digital Strategy remain the top emerging risk categories, with AI and quantum computing accelerating concerns. The proliferation and accessibility of AI-enabled tools is lowering the barrier to entry for cybercriminals, while the shortage of cybersecurity and technology skills continues to be a challenge.
Regulation
Although regulatory factors ranked lower than expected, they continue to impact the entire risk landscape. The complexity and volume of current and upcoming regulations are growing, with increasing scrutiny in areas such as cybersecurity, AI, ESG, and third-party risk management. The lack of global regulatory alignment presents challenges for firms operating across multiple jurisdictions, while potential deregulation adds further uncertainty.
For more observations on the regulatory landscape, please see our blog, Regulatory Compliance: Navigating Increasing Burden and Divergence.
Risk management actions being taken
- Engagement with regulators, government bodies, and industry working groups to stay informed of localised developments, align expectations and share best practices
- Increased consideration given to macroenvironmental factors during scenario identification and development, particularly in the context of the increasing use of scenarios for non-capital purposes
- Intelligence monitoring of e.g. threat trends and regulatory and geopolitical developments
- Adequate insurance coverage for geopolitical, climate and cyber threats
- Regular staff training e.g. risk awareness campaigns or digital upskilling
- Increased financial hardship support for customers and staff
- Investment in control automation and enhancement, especially for more vulnerable/higher-risk assets, staff or customers. Read more about control automation in our award-winning Reference Control Library
- Increased collaboration and alignment with other frameworks such as risk management and operational resilience. Get in touch to find out how ORX Scenarios can support you with your scenarios library
- De-concentration activities, supplier diversification and further development of contingency plans
- End-to-end process mapping of product lifecycles. Read more about end-to-end process management in our Reference Process and Service Library
- A focus on people: targeted recruitment as well as an effective deployment of internal skills and knowledge – ‘the right people and skills in the right place’
- Continuation of hybrid/flexible working arrangements
Listen to our latest podcast
Find out about Highlights from the ORX Operational Risk Horizon and Cyber Horizon studies from our ORX Operational Risk Podcast.
