Expert views: 4 key insights into the future of operational risk

Roland Kennett, Head of Membership and Services Development at ORX Association, provides insights into the top risks in 2018 and beyond. ORX aims to develop operational risk as a discipline, with members from over 90 institutions from around the world.

Learning from the knowledge and experiences of others to enhance operational risk management makes sense from both an efficiency and effectiveness perspective and is actively encouraged within regulatory frameworks.

It is standard practice for financial institutions to evaluate significant external operational events, to better understand their own exposure and to help identify control deficiencies (for example, those reported by ORX News).

This diversified view, built on the wisdom of crowds, is also particularly suited to emergent operational risks.

To support this, ORX operates an annual benchmark of top risks (current risks that are being faced now) and emerging risks (risks that are expected in the next 18-36 months). The findings below are based on the most recent 2017 exercise, which used more than 600 individual assessments submitted by 44 global financial institutions.


The top risks for 2018


1. Conduct is the top operational risk

Not surprisingly given the large number of extreme events reported across the world in the last few years, risks associated with misconduct are the most significant current industry concern (75% of participants identify at least one misconduct issue in their top ten operational risks).

Conduct was closely followed by information security and cyber risk (84% included an IT security risk in their top ten). These risks are elevated by two trends – the complexity of the digital landscape, and financial services firms' increasing dependence on systems and data.

Theft and fraud remained the third most highly ranked category, while IT infrastructure and regulatory compliance took fourth and fifth place, respectively.


2. New technology dominates emerging risks

Considering the future, digital disruption ranked as the highest emerging risk. This can be described as the operational risk which arises because of the changes driven by emerging digital technologies and digital business models.

Information security and cyber risk came second on both the current and emerging risk lists, showing that risks from hacking, data breaches and other cyber threats are expected to remain high.

Global uncertainty is also believed to pose a significant challenge. Chief concerns include the policy direction in the US and the uncertain consequences of Brexit, as well as ongoing tensions across Asia and the Middle East.


3. Overall risk profile set to increase

The study concluded that almost every risk category is expected to increase in the next three years. Persistent regulatory attention is set to increase as is technological change, with risks associated with digital disruption expected to increase the most. On a positive note, risk managers should be able to take advantage of many of the technological advances to improve risk management.

Interestingly, despite conduct being the highest ranked current operational risk, only half of participants judged that conduct risks are expected to increase over the next three years. There is, however, some regional variation, with conduct considered stable or declining in Europe but growing in the US following the Wells Fargo event and a focus on employee misconduct (for example, the ‘me too’ movements).

Another key observation is that as internally driven risks, such as misconduct, IT infrastructure and internal fraud, appear to decrease, the external threat increases. As well as cyber, digital disruption and geopolitical risks, third party risks, typically outside of the internal control environment, are set to increase.


4. Operational risk taxonomies need to evolve at the same pace

Alongside the list of current and emerging threats lies a more basic risk management issue: being able to compare apples with apples. It is essential that operational risk frameworks support management effort to focus on the most important areas of risk. Central to any framework is the operational risk taxonomy, which underpins a wide range of risk measurement and management processes, including risk control self-assessments, reporting, event management, scenario analysis, benchmarking and key risk indicators.

The event-driven taxonomies, initially developed as part of Basel II, do not necessarily align well with either the language of the business or more contemporary risk areas. For some, a solution to this has been a fundamental re-orientation of internal risk taxonomies to better support risk management.

A recent ORX study, which assessed these operational risk taxonomies across the industry, showed that many are starting to contain some of the emerging risks listed above. As the threat evolves, the frameworks follow. Some of the more emergent themes seen in the taxonomies are listed below.

Third party

  • Supplier, vendor, outsourcing
  • Selection, contracting, onboarding, management and termination of suppliers
  • Failures of suppliers to meet contractual obligations (including onward outsourcing)

Information security (including cyber)

  • Unauthorised access, change, destruction
  • Loss, theft or misuse of information
  • Cyber-attack affecting privacy/confidentiality, availability, integrity of information (link to Fraud where cyber-attack leads to theft of money)

Financial reporting and tax

  • Losses in the form of additional tax costs and penalties
  • Failure to comply with tax law timely, transparently and effectively
  • Internal and external financial or regulatory reporting
  • Inaccurate, incomplete or untimely reporting

Data management

  • Failing to effectively and efficiently govern data, or manage data quality or data knowledge
  • Throughout data life cycle, including when data is acquired or created, processed, used, shared, accessed, retained and disposed

  • Error in the model design, implementation, usage, coding, input or data errors
  • Misuse of models

Although at a fundamental level many of the operational risks remain the same, the threat vectors are constantly evolving. This means that, to best manage them, frameworks, controls and mitigations need to remain relevant.