Digital transformation and technology top operational risk scenarios in 2021
- 24 November 2021
Digital transformation and technology rank as the biggest concern for global banks and insurers according to the ORX Scenarios Insights into Material Risks 2021 report.
Digital risks replace conduct
In a year of unprecedented change, digital risks replace conduct as the largest percentage of new uploads to the ORX scenarios library. However, conduct remains the number one concern spanning the nine years that the library has been populated.
Each year, financial institutions that subscribe to ORX Scenarios upload their operational risk scenarios to the ORX Scenarios Library, which provides a global view of which types of extreme, yet plausible, risks financial institutions are focusing on.
In 2021, technology makes up 13% of all scenarios and the greatest proportion of new uploads (16%). 14% of the library relates to a cyber-related scenario category, with malware, phishing and ransomware attacks all included.
Popular scenario narratives this year focus on the extent to which process and control failures in IT lead to severe losses across data management, IT change management and any reliance on IT third parties.
Top 5 2021 scenario uploads
- Technology (16% of uploads)
- Conduct (13% of uploads)
- Financial crime (13% of uploads)
- Transaction processing and execution (12%)
- Physical security and safety (10%)
Key areas of change and focus in 2021
An ORX review of the 2021 scenario library provided the following insights on where financial services organisations are focussing current scenarios and areas where changes may occur:
Rapid digital change is shifting exposures across risk types
The potential impact of failing to safeguard confidential customer information is a significant focus
Over 70% of cyber-related data breach scenarios are considered high or very high impact. Data breaches not only result in regulatory fines but also erode stakeholder trust and confidence.
There was an extension of technology risk to include third parties
Publicly reported data breach/cyber disruption events, such as the malware attack on SolarWinds in December 2020 and the Microsoft Exchange server vulnerability exploited in March 2021, are likely to inform future scenarios. This risk could also be exacerbated as reliance on third-party vendors, including systemic providers (e.g., cloud computing), continues to grow.
The library highlighted the importance of robust IT change management
Typical scenario storylines include descriptions of failed IT changes resulting in business disruption and cyberattack incidents. Pressure to adopt new technology at pace to avoid falling short of competition (e.g., from FinTechs) is mounting.
There is concern over failing to keep abreast of the evolving cyber threat environment
Recent scenarios reference organised cyber-attacks and consistently highlight the growing frequency and degree of sophistication. The industry is increasingly concerned about the potential impact of failing to remain one step ahead of cyber criminals.
“So much of how the financial industry has changed since the pandemic began has centred around being exposed and vulnerable to technology-related risks. In particular, this has been driven by the race to adapt to new ways of working and businesses pivoting to moving operations online. It’s no surprise to see therefore that the digital agenda is driving the 2021 Scenario Library. We very much expect this trend to continue and will be focusing on digitalisation in many of our 2022 ORX activities.” Steve Bishop, Head of Risk Management Programme & Insurance at ORX
Conduct-related scenarios continue to pose the greatest overall material risk
Conduct and financial crime risks continue to feature prominently in the library, particularly with institutions hurrying to adapt to a new working environment brought about by the pandemic. This is not predicted to ease any time soon with firms’ exposure to these risks predicted to increase as hybrid working becomes the new normal for businesses. Key drivers include promoting digital alternatives to customers and shorter product design phases at short notice (e.g., business interruption loan schemes).
Operational resilience and business continuity a key industry focus
Recent turbulent events linked to the pandemic and natural disasters have cemented the importance of responding effectively to sudden business disruption. This theme cuts across several scenario types, including: incidents of earthquakes threatening physical safety, serious cyber-attacks at third parties taking critical services offline, and pandemic scenarios that force sudden changes to operating models.
Discussions within the ORX Scenarios community highlighted how the development of business continuity-related scenarios would benefit from an organisational focus on operational resilience. Considering key operational resilience inputs, such as the identification of critical services and associated interdependencies, in the scenario process can enhance the way scenarios are built and assessed.
Download the summary report for more information
If you'd like to know more about the report and get exclusive insights and information, you can download our summary report for free. Our members and ORX Scenario subscribers can read the full analysis and more on our member-only website.