Steve Bishop, research and information director at ORX, says firms must embed operational and non-financial risk into core strategy and use industry data to stay ahead of emerging threats.
When it comes to operational and non-financial risk (ONFR), banking and insurance organisations are facing elevated threats from all angles.
ORX’s latest Top Risk Review Benchmark report looked at the ONFR challenges faced by finance firms, revealing a sharp rise in risk materiality scores across operational risk, driven by ongoing geopolitical instability, exposure to third-party ecosystems and emerging AI-related vulnerabilities.
Data Management saw the highest year-on-year increase of the industry’s 16 major risks. And, interestingly, for the first time since we launched the Top Risk Review, insurance firms are reporting faster-rising concerns than banks when it comes to material risks, with an 8.8% increase compared to 4.8% in the banking sector.
This could potentially be due to the generally volatile and uncertain external environment, which is driving up all scores across industries. Undoubtedly, the risk management landscape across all sectors, not just finance, has entered a period of unprecedented complexity.
The cause of complexity
Unsurprisingly, geopolitical instability is a primary driver of increased risk across the globe. The geopolitical threat landscape changes day-to-day, with a sense that risks can materialise very suddenly, leaving organisations with little to no control.
Geopolitical threats have a transversal nature, with risks that overlap and cascade, such as cyber attacks on third parties, which have a ripple effect on their partners. Although essential for operations, third-party relationships create channels for potential risks.
According to the survey, these third-party and ecosystem risks are intensifying and, therefore, are also a primary driver of risk. Concerns over the adequacy of third-party cyber security, combined with a lack of direct oversight and supply chain complexity, are the major causes of concern.
AI adoption by organisations is undoubtedly a significant opportunity, but it also fuels fear around third-party cyber security. AI creates challenges thanks to poor data management, conduct, and model risk. Its capabilities have been, and will continue to be, leveraged by cyber criminals to develop ever more sophisticated forms of attack, e.g. deepfakes, data breaches, data privacy concerns, leakage, and circumvention of controls.
So what does all this mean for organisations, in the finance sector and beyond?
ONFR needs to be at the forefront of business strategy
Where it might once have been thought of as a secondary concern to financial risk within the sector, ONFR needs to be a primary consideration for organisations when they set business strategy.
As key risks are increasingly connected, they cannot be managed in silos and so risk management demands a holistic, integrated approach across the business. Or at least this is required of those resilient organisations that care to protect their people, customers, assets, and reputation.
A major advantage of incorporating holistic risk management into overall business strategy is that it enhances compliance, increases resilience on a forward-looking basis, and encourages a proactive approach to managing risks.
Embedding ONFR management into strategy is crucial for resilience, helping firms to provide visibility and oversight of third parties, manage cyber threats and ensure continuity of critical services.
Secondly, when ONFR is embedded within the mindset and infrastructure of an organisation, it can stay innovative and nimble, which is crucial for adapting to the pace of digital change, with all its associated benefits and risks. It ensures businesses are forward-focused, anticipating and adapting to emerging threats, rather than reacting to incidents after the fact. Firms remain competitive while staying safe.
Just as risks are interconnected, so too are the benefits of ONFR. Compliance and proactive risk planning reduce losses, protect people, assets and customers, and avoid fines and sanctions, ultimately protecting a firm’s reputation and positively impacting commercial success.
How data can be the risk manager’s shield of protection
Truly embedding ONFR into business strategy means continuous risk profile reassessment. Traditional risk management approaches no longer provide adequate protection against today’s dynamic environment. They tend to focus on historical risks, isolate risk types rather than look at them holistically, and are not designed to keep pace with the speed of new risk types.
Instead, ONFR managers can utilise the data they have available to take a more up-to-date, dynamic approach that is better suited to today’s landscape.
Looking externally is crucial to validate internal perspectives, and risk managers should utilise industry data, such as the ORX Top Risk Review, as a diagnostic tool to assess existing operations and tech stacks.
Just as traditional risk frameworks are not adequate, internal perspectives can be limited by organisational blind spots and historical biases. Organisations can put their risk profiles within industry context while identifying areas where their mitigation strategies fall behind best practices.
Any coverage gaps unearthed during benchmarking exercises should be discussed at Board level, as should, subsequently, your organisation’s risk appetite and mitigation priorities.
Risk management for today
For risk managers looking to strengthen the resilience of their organisation, there is much to consider. As a starting point, those who wish to better anticipate, prepare for, and respond to complex risk scenarios should look to implement:
- Unified and simplified frameworks: Put in place frameworks that are robust and easy to use, that are flexible and allow for change.
- A holistic, single view of risk: Recognise the interconnectedness of risk and break down silos. Develop mitigations that recognise this, and that ‘connect the dots,’ to create a consolidated, enterprise-wide view of risk that supports better decision making.
- Ownership within the front line: Risk management needs to be embedded and owned at the first line of defence (1LOD), with business units actively identifying and managing risks.
- Scenario analysis: A vital risk management tool that can be executed at pace, compelling firms to shift their focus towards anticipating and preparing for future events, rather than looking back and relying on historical data.
- Automation and digital tools: To keep pace with the speed and scale of the business, as well as the morphing threat landscape, risk identification, assessment, monitoring and controls all need to be automated and digitised, leveraging the capabilities of AI.
In conclusion, although technology and globalisation bring many opportunities, they are driving up both the scale and interconnectedness of risk. As threats become increasingly nimble, dynamic and intelligent, so too must our defences.
Strategic benchmarking should be the first port of call to help financial firms navigate the heightened risk landscape of today and build a shield against it.