Digital transformation and technology rank as the biggest concern for global banks and insurers in the 2021 operational risk scenarios report published by ORX, the world’s largest operational risk association.
In a year of unprecedented change, digital risks replace conduct as the largest percentage of new uploads to the ORX scenarios library. However, conduct remains the number one concern spanning the nine years that the library has been populated.
Each year, financial institutions that subscribe to ORX Scenarios upload their operational risk scenarios to the scenarios library, which provides a global view of which type of extreme, yet plausible, risks financial institutions are focusing on.
In 2021, technology makes up 13% of all scenarios and the greatest proportion of new uploads (16%). Fourteen percent of the library involves a cyber-related scenario, with malware, phishing and ransomware attacks all included.
Popular scenario narratives this year focus on the extent to which process and control failures in IT lead to severe losses across data management, IT change management and any reliance on IT third parties.
Rapid digital change is shifting exposures across risk types
The potential impact of failing to safeguard confidential customer information is a significant focus. Over 70% of cyber-related data breach scenarios are considered high or very high impact. Data breaches not only result in regulatory fines but also erode stakeholder trust and confidence.
There was also an extension of technology risk to include third parties. Publicly reported data breach/cyber disruption events, such as the malware attack on SolarWinds in December 2020 and the Microsoft Exchange server vulnerability exploited in March 2021, are likely to inform future scenarios. This risk could also be exacerbated as reliance on third-party vendors, including systemic providers (e.g., cloud computing), continues to grow.
Further, the library highlighted the importance of robust IT change management. Typical scenario storylines include descriptions of failed IT changes resulting in business disruption and cyber attack incidents. Pressure to adopt new technology at pace to avoid falling short of competition (e.g., from fintech) is mounting.
Conduct-related scenarios pose greatest material risk
Conduct and financial crime risks continue to feature prominently in the library, particularly with institutions hurrying to adapt to a new working environment brought about by the pandemic. This is not predicted to ease any time soon, with firms’ exposure to these risks predicted to increase as hybrid working becomes the new normal for businesses. Drivers include promoting digital alternatives to customers and shorter product design phases at short notice (e.g., business interruption loan schemes).
Operational resilience and business continuity
Recent turbulent events linked to the pandemic and natural disasters have cemented the importance of responding effectively to sudden business disruption. This theme cuts across several scenario types, including incidents of earthquakes threatening physical safety, serious cyber attacks at third parties taking critical services offline and pandemic scenarios that force sudden changes to operating models. A