ORX Scenarios Insights Into Material Risks 2022 Public Report


October 2022
Scenarios

Insights into Material Risks 2022

Managing risk together
orx.org



Executive summary

Building on our 2022 ORX Scenarios Library Highlights report, our Insights into Material Risks report:

• Analyses key trends identified in the library
• Compares those trends to wider ORX studies
• Considers how they might impact scenario portfolios in the future

Analysis of the 2022 ORX Scenarios Library indicates that institutions are continuing to focus on a set of core themes also seen in previous years (e.g., Conduct, Fraud, and Information Security (including Cyber)).

Level 1 ORX risk type                   % of total library
Conduct                                 17%
Information Security (incl. Cyber)      15%
Transaction Processing and Execution    9%
Internal Fraud                          8%
External Fraud                          8%

Table 1: Scenarios in the library by ORX Reference Taxonomy Level 1 risk type

Looking forward we expect to see:

• Storylines evolving and capturing the interconnected nature of the risk landscape
• Increasing numbers of scenarios created or developed that cover geopolitical change, evolving cyber threats, the use of emerging technology, data management/governance and climate change risk (both physical and transition)
• Scenarios drawing increasingly on information from other functions (e.g., resilience) and programmes (e.g., risk appetite) as scenario practitioners look to integrate knowledge, data, and techniques from other areas of the business as the use of scenarios widens

Scenarios

Available through ORX Scenarios, the scenario library provides subscribers with a comprehensive database of anonymised scenarios developed by firms from around the world.

It provides access to live scenarios developed by banks and insurers, enabling users to analyse scenario trends and to benchmark their portfolios against the industry and peers.

To find out how you could benefit from subscribing to ORX Scenarios talk to us today.

Find out more about ORX Scenarios


Conduct continues to be the most wide-ranging material concern

Subscribers across all regions have developed a wide range of conduct-related scenarios covering interrelated themes including technological change, macro-economic challenges, cost of living crises, staff attrition, hybrid working and regulatory change. These interconnected conduct challenges are, and will likely continue to be, reflected in future portfolios, with 2021/2022 storylines evolving to include:

• Staff attrition – challenges in retaining internal knowledge and impact on risk culture
• Evolving workforce models – reduction in staff visibility and changes to control environment
• Global economic downturn – leading to incidents of staff deception for monetary gain
• Regulatory landscape – rapidly changing regulator obligations
• Digitalisation – realisation of product/technological flaws following a period of rushed product and platform design

As has been evidenced in other ORX studies (see Appendix), and as a result of the above challenges, it is expected that Conduct scenarios will continue to remain prominent in the library next year as we enter a period of turbulent and adverse economic conditions.

Library consideration

Due to the challenging external environment, Conduct scenarios may increase in impact, severity and frequency in future iterations of the library.

Conduct: key figures

Median severity (% of GI): 0.43%
Median frequency (yrs): 40

Major impact regions:
1 Western Europe
2 Global
3 Europe

Business Lines Impacted:
• 37% Retail banking
• 12% Global markets
• 10% Corporate finance
• 9% Corporate items
• 32% Other

Scenario impact rank:
• 27% Very high
• 32% High
• 27% Medium
• 14% Low

Event types:
• 40% Improper Business or Market Practices
• 21% Suitability, Disclosure, and Fiduciary
• 14% Product Flaws
• 25% Other

Key risk drivers:
1 Staff training and culture
2 Regulatory environment
3 Number of affected customers

Key direct financial impacts:
1 Customer restitution and compensation
2 Internal costs (excluding legal expenses)
3 Legal costs


Developments in Information Security (incl. Cyber) risk and broader rapid technological changes are in evidence in the library

As demonstrated by other ORX outputs, Information Security (incl. Cyber) risk is rapidly evolving, a trend influenced by, among other factors, geopolitical instability, rapid internal digitalisation projects, third/nth party reliance, and emerging technologies. This dynamic environment is also apparent in the 2022 library, which includes storylines on:

• An evolving cyber threat – increasing nation-state involvement and growing commoditisation of ransomware-as-a-service (RaaS)
• Widening attack surface – legacy systems, digitalisation programmes, increasingly regular remote working and a growing reliance on third and subsequent parties to deliver critical services
• Safeguarding data – data breaches impacting institutions’ reputation and customer/stakeholder confidence

The pace of digital change is likely to intensify in the coming years as institutions consider how the use of AI and, in the longer term, APIs, robotics, quantum computing, open banking and digital currencies (among others) impact their business and customer needs.

These developments will also likely be incorporated into new and current scenarios impacting risk profiles, business continuity plans and 3rd party arrangements.

Library considerations

Currently, the median frequency for Information Security (incl. Cyber) scenarios is 1 in 40 years, but this frequency may increase in the future given the potential for RaaS attacks to become more common.

Forty-two per cent of Information Security (incl. Cyber) scenarios were given an impact rank of ‘very high’, with a further 27% ranked as ‘high’ – the highest overall impact of all risk types.

Information Security (incl. Cyber): key figures

Median severity (% of GI): 0.73%
Median frequency (yrs): 40

Major impact regions:
1 Western Europe
2 North America
3 Global

Business Lines Impacted:
• 34% Retail banking
• 30% Corporate Items
• 7% Commercial banking
• 6% Private Banking
• 23% Other

Scenario impact rank:
• 42% Very high
• 27% High
• 17% Medium
• 14% Low

Event types:
• 39% System Security External - Wilful Damage
• 29% External Theft and Fraud
• 5% Improper Business or Market Practices
• 27% Other

Key risk drivers:
1 Number of affected customers
2 Duration of the event
3 Number of records affected

Key direct financial impacts:
1 Internal costs (excluding legal expenses)
2 Customer restitution and compensation
3 Legal costs


Scenario storylines are increasingly reflecting signs of an interconnected and volatile risk landscape

As evidenced in the ORX Operational Risk Horizon 2022 report, the social, geopolitical, and economic turbulence seen over the past 36 months has highlighted the need for active, regular monitoring of the risk landscape via both scenario analysis and other risk programmes to ensure the composition of institutions’ scenario portfolios reflects the dynamic macro and operating environment.

With over 25% of submitted scenarios now including 3 or more risk drivers, the interconnected landscape in which institutions are operating is reflected in ORX’s Scenario Library, and this trend is expected to intensify in the coming years. Furthermore, within the library, visible risks such as Fraud and Transaction Processing (page 6) are both drivers of, and are driven by, other prominent risks such as Information Security (incl. Cyber) and Conduct.

This interconnectivity is also in evidence in a range of common storyline themes impacting and driving the five most prevalent risks in the library (see table on page 6).

Library consideration

Institutions’ preparedness for fraud attempts is emphasised in the library, with 55% of Fraud scenarios categorised as having a low or medium impact and median severity being the joint lowest of the risk types analysed.

Fraud (Internal and External): key figures

Median severity (% of GI): 0.24%
Median frequency (yrs): 25

Major impact regions:
1 Global
2 Western Europe
3 Africa

Business Lines Impacted:
• 29% Retail banking
• 16% Commercial banking
• 15% Corporate Items
• 10% Global banking
• 30% Other

Scenario impact rank:
• 23% Very high
• 22% High
• 23% Medium
• 32% Low

Event types:
• 35% External Theft and Fraud
• 34% Internal Theft and Fraud
• 16% Unauthorized Activity
• 15% Other

Key risk drivers:
1 Value of fraud or assets affected
2 Transaction values
3 Number of affected customers

Key direct financial impacts:
1 Internal costs (excluding legal expenses)
2 Customer restitution and compensation
3 Legal costs


Table: Broad cross-cutting storyline themes, prominent sub-themes and risk types impacted

Risk types impacted:
• Conduct
• Information Security (incl. Cyber)
• Fraud (Internal and External)
• Transaction Processing

Broad cross-cutting storyline theme: Changing internal operating environment
Prominent sub-themes:
• Reduction in internal knowledge
• Changing risk culture
• Hybrid working environment
• Increasing staff turnover
• Resource capability
• Inadequate control environments

Broad cross-cutting storyline theme: Dynamic external environment
Prominent sub-themes:
• Global economic downturn
• Increasing cost of living
• Geopolitical landscape
• Regulatory change
• Third party reliance

Broad cross-cutting storyline theme: Evolving cyber threat
Prominent sub-themes:
• Cyber-criminal sophistication
• Lowering barriers to entry
• Widening attack surface

Broad cross-cutting storyline theme: Technological change
Prominent sub-themes:
• Institutional digitalisation
• Inappropriate/untimely adoption of technology
• Failed project/change management
• Skills shortages to implement technological change

In our June 2022 Top Risk Review, Data Management Risk and People Risk entered the Top 5 (for a full table, see Appendix). Both risks are intrinsically linked to, and impacted by, the interconnected themes highlighted above. Both Data Management Risk and People Risk are likely to become more visible in upcoming library cycles, whether in the form of standalone scenarios, risk drivers or embedded factors within storylines.

Library consideration

Only 17% of Transaction Processing and Execution scenarios were given a very high impact rank. However, the prominence of this risk type in the library is indicative of the level of consideration given to its potentially significant consequences.

Transaction Processing: key figures

Median severity (% of GI): 0.24%
Median frequency (yrs): 25

Major impact regions:
1 Europe
2 Africa
3 Western Europe

Business Lines Impacted:
• 31% Retail banking
• 18% Commercial banking
• 7% Fund management
• 6% Corporate finance
• 38% Other

Scenario impact rank:
• 17% Very high
• 28% High
• 31% Medium
• 24% Low

Event types:
• 70% Transaction Capture, Execution, and Maintenance
• 10% Improper Business or Market Practices
• 20% Other

Key risk drivers:
1 Transaction values
2 Number of transactions
3 System or process type

Key direct financial impacts:
1 Customer restitution and compensation
2 Internal costs (excluding legal expenses)
3 External costs (excluding legal expenses)


Elements of operational resilience related scenarios are found throughout the library

Within the Scenario Library there are a number of scenarios covering severe disruptions (e.g., pandemic, natural disasters) which, when combined, account for 6% of the total library.

Operational resilience challenges are also embedded in some cyber and vendor failure scenarios with storylines detailing the impact of unprecedented disruption from malicious actors on critical infrastructure.

It is not expected that operational resilience scenarios will become significantly more prominent in the library due to:

• The current structure and focus of the Scenario Library
• The inherent differences in purpose between operational resilience and operational risk scenarios

However, we expect that submitted scenarios will continue to address resilience-like events (e.g., earthquakes, pandemics, attacks on critical services).

In addition, as institutions further their operational resilience initiatives and the use of traditional operational risk scenarios widens, there is likely to be opportunity for both functions to collaborate on scenario developments leading to more multi-layered scenarios as part of an increasingly efficient and streamlined scenario process.

Climate-related scenarios are expected to grow in prominence in the coming years

In 2022, ORX developed two new climate change scenario categories:

• Climate Change Related Transition Risk Event
• Climate Change Related Physical Risk Event

No scenarios were submitted under either category in this cycle but as climate risk management matures we expect to see these categories populated.

Physical climate change is included in the library by subscribers using the Natural Disaster scenario category or within Physical Security and Safety, Technology and Third Party scenarios, where climate impacts are detailed in storylines. However, climate is rarely explicitly labelled as a risk driver in current scenarios within the library. Climate-related scenarios (both physical and transition) are expected to become more prominent, and categorised as such, in the library from 2023 as data becomes more readily available.

More from ORX

Operational Resilience: Practical Development and Implementation
This study from ORX explores how financial organisations are overcoming some of the practical hurdles associated with developing and implementing operational resilience frameworks.
ORX members can view the report here

ORX Scenarios: Climate change in scenario analysis
Based on discussions with the ORX Scenarios Working Group, this paper explores climate change in scenario analysis.
ORX Scenarios subscribers can download the paper

ORX Scenarios: Greenwashing Scenario Development Handbook
Arriving in 2023, this handbook will provide practical guidance on preparation, assessment and governance for greenwashing scenarios.


Appendix: Comparison of the Scenario Library with other ORX research

Scenario Library 2022
1st Conduct
2nd Information Security (including Cyber)
3rd Transaction Processing and Execution
4th Internal Fraud
5th External Fraud

Top Risk Review (November 2021)
1st Information Security (including Cyber)
2nd Technology
3rd Third Party
4th Regulatory Compliance
5th External Fraud

Top Risk Review (June 2022)
1st Information Security (including Cyber)
2nd Third Party
3rd Technology
4th Data Management
5th People

ORX News (July 21 - July 22)
1st Conduct
2nd Information Security (including Cyber)
3rd External Fraud
4th Internal Fraud
5th Financial Crime


Managing risk together

ORX believes many heads are better than one. We’re here to bring the best minds of the international operational risk community together.

By pooling our resources, sharing ideas, information and experiences, we can learn how best to manage, understand and measure operational risk and become less vulnerable to losses.

We work closely with over 100 member firms to develop a deeper understanding of the discipline and practical tools. We set the agenda, maintain industry standards, and garner fresh insights.

ORX is owned and controlled on an equal basis by its members.

Find out more about us at www.orx.org

Advance your operational risk scenario practice with ORX Scenarios

Subscribe to ORX Scenarios for access to:

• The ORX Scenarios Library
• Handbooks and resources
• Benchmarking
• A global community of scenario practitioners
• And much more...

Find out more about ORX Scenarios

Contact
Roland Kennett
[email protected]

Visit
www.orx.org

Follow
@ORX_association
@ORX_Association

Disclaimer: ORX has prepared this document with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this document. ORX shall not be liable for any loss, expense, damage or claim arising from this document. The content of this document does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this document except as expressly agreed in writing. ©ORX 2022
