Gone are the days when digitalisation was a competitive edge. Today, it’s the minimum requirement to survive, says Luke Carrivick, executive director, ORX

The financial sector is undergoing a seismic transformation.

Digitalisation, once seen as a threat posed by agile challengers, is now a defining force behind how financial institutions operate, grow, and survive. Yet while the business model has evolved rapidly, the way firms manage operational and non-financial risk is still catching up.


A new vision for operational risk is not just desirable; it’s essential and must add business value.

With constant and increasingly complex threats, a firm’s ability to manage operational risk well can spell the difference between success and failure.

Our Strategic Vision for Operational and Non-financial Risk paper lays out a roadmap for what risk leadership must look like in the coming years. Those who lead with clarity and agility will thrive.

At the heart of this transformation are four fundamental shifts reshaping the risk landscape—and they are happening simultaneously. Firms don’t need to have all the answers today—but they do need to ask better questions. What risks are emerging from our transformation strategy? How resilient is our digital supply chain? Are our risk tools fit for the pace of innovation?

Digitalising the old and introducing the new

Gone are the days when digitalisation was a competitive edge. Today, it’s the minimum requirement to survive.

Banks and insurers are doing it to stay operational, to remain relevant, and to meet rising customer expectations. But operating at digital speed comes with new types of risk: accelerated decision-making, AI-driven processes, and systems that can amplify small failures into systemic ones. Operational risk strategies need to be re-engineered to match this new pace of change.

Financial institutions are also using digital transformation to create entirely new revenue models. But with those new models come new risks as firms enter territory where legacy controls don’t always apply. Risk leaders must now anticipate future risks.

A permeable supply chain in a big, wide world

In a hyper-connected world, few firms have the in-house capabilities to digitise alone. There is now a reliance on a vast ecosystem of partners, platforms, and providers. But this interdependence introduces fourth-party risk—risks inherited from suppliers’ suppliers, often with little visibility or control.

Firms are exposed to vulnerabilities within their digital supply chains and to a permeability not previously seen. Traditional third-party risk management frameworks are not built to handle this level of complexity.

Let’s also not forget the way the world at large is moving. We have a hugely volatile geopolitical environment, a swathe of economic shocks and cyber threats on our doorsteps. The ability to change in this environment is a strategic advantage.

And this is where the opportunity lies, with some key steps risk managers can take on the way to operational risk resilience.

Back to basics

To get operational risk fit for a digital world, you need to go back to basics—but do it better.

Governance, frameworks, culture, tools and skills are the structural beams of a modern operational risk function.

This means that managers must be able to coordinate activity across a growing set of specialist second line of defence risk functions.

The real challenge? Balancing flexibility and consistency. The sweet spot lies in simplicity with strength, where taxonomy, standards, tools and approaches are light enough to be easy to use and understand, but strong enough to stand up to real-world risks.

Unicorns don’t exist

When talking to banks and insurers, two key stumbling blocks for operational risk teams are culture and skills.

Embedding a positive risk culture to enable change partly means instilling a risk mindset into the business, but it also means instilling a business mindset into the risk function. And this means getting risk on the Board agenda – it must be role modelled by the C-suite.

Getting the right skills to match the new world of risk is also tricky, as it needs strengths in both digital and business skills. On the digital side, it’s about digital business models, technology and data architecture. On the business side, we want to see teams that can interpret both weak points and opportunities, and have the confidence to present these judgements to the business.

One way to achieve this is by building multi-disciplinary teams. As one of our members said, “We’re not searching for unicorns; we have to build balanced teams”.

At the digital core

With the right foundations, you can start to build a digital core. Leaders have the opportunity to build risk by design on top of new business operating platforms. We’re aiming for automated, real-time, data-driven risk management offering a single view of risk and controls.

Forward-thinking firms are taking an incremental approach—layering in real-time, data-driven risk tools as part of wider transformation programmes. Done well, we get a single view of risk, tied to process and business objectives.

The operational risk function of the future will drive smarter, more resilient digitalised businesses. But we must build the right foundations, foster the right culture, and empower the right teams.

SR Q2 2025 Edition