Top 5 Risks Unchanged but Risk Exposures Are Rising Says Latest Benchmark Report by ORX

  • Risk Management
  • 18.07.2024 02:35 pm

Information Security (incl. Cyber), Third Party, Technology, Data Management, and External Fraud remain the Top 5 ranked risks, with a continued increase in materiality scores over the last six months. The findings were published in the Top Risk Review report from ORX, the world’s largest operational risk association, which works with over 125 banks and insurers globally.

Steve Bishop, ORX's Director of Research and Information explains:

“It’s no surprise that Information Security, driven by cybersecurity, remains the number one top risk. Despite firms reporting that they manage cybersecurity effectively, we know they play a constant game of cat and mouse with criminals who are using ever more sophisticated attack methods, including AI.”

“We’ve also seen recent high profile attacks and data theft at industry suppliers such as MOVEit and EquiLend which reinforce the perceived threat posed by vulnerabilities and cybersecurity failures at third parties.”

Top Six Risks Increase in Materiality

[Figure 1: bar chart of % change in materiality scores by risk category]

Figure 1: % change in materiality scores since the last review

According to the Top Risk Review report, of the top five risks, External Fraud has seen the greatest percentage rise in materiality (5.6%) since the last review, with continued concerns around the frequency and sophistication of fraud attempts. This is closely followed by Regulatory Compliance (5.3%) and Information Security (incl. Cyber) (5.1%).

Regulatory Compliance sees the greatest upward movement as key deadlines approach

As key regulatory deadlines approach, notably Basel III, the Digital Operational Resilience Act (DORA) and CPS 230, Regulatory Compliance moves up the rankings from eighth to sixth place overall (ranked 5th by the ORX insurance community).

With the pressure of the regulatory burden and other ongoing concerns such as jurisdictional divergences and lack of clarity from regulators, firms are putting significant time and investment into developing new and enhanced frameworks.

Steve Bishop adds:

"Firms face the dual challenge of tight deadlines and limited resources to implement these complex changes, all while dealing with heightened regulatory scrutiny and potential penalties. Many firms are naturally working towards DORA compliance in the EU as implementation is set for January 2025. DORA requirements cut across risk types, not only touching on firms’ digital operational resilience, but on their information and cyber security and their management of third-party relationships as well.”

Only half of firms reassured that third-party risk is being managed effectively

With cyber incidents and data breaches remaining the most prominent challenges firms face regarding their third-party relationships, only half (50%) of financial firms believe this risk is being managed effectively or highly effectively.

Particular concerns arise from third parties acting as a gateway to the corporate and customer data held for clients, and into the clients’ systems. The lack of visibility and oversight that firms have over third-party control environments leads to fear that those environments are not sufficiently robust to meet regulatory requirements.
