Top Operational Risks 2024

28 February 2024

by Elena Pykhova

This year’s view of the risk landscape comes from the Best Practice Operational Risk Forum, whose members ranked the top Operational risks in order of significance:

  1. Cyber: With successful attacks occurring every 0.65 seconds (*1) in the US alone, cyber risk has been topping the risk charts for several years. And it is not going away in the next decade – Protiviti predicts cyber risk will occupy the top position in 2034 (*2), and the World Economic Forum places it in eighth place over the same time horizon (*3).
  2. Change and Execution: Arises against the backdrop of a testing environment, in which demands continue to increase while budgets and resources (at best) remain at the same level. There is change fatigue, due to an increasing number of programs with limited resources being stretched between innovation and regulatory-driven initiatives. Recognising potential weaknesses, the Basel Committee purposefully strengthened the requirements in its latest sound practices, demanding that senior management ensures that the ‘change management process is comprehensive, appropriately resourced and adequately articulated between the relevant lines of defence’ (*4).
  3. Third (and nth) party risk: Over the past decade, firms’ dependency on third parties has grown significantly, especially as core information technology services are now often outsourced to external cloud providers; and the sub-outsourcing chains have become ever more complex. Since 2022, third-party risk has appeared prominently in the top 5 Operational risks for the financial services sector, as assessed by the Best Practice Forum. There is also a close connection to cyber risk, as a firm’s cyber defence strategy must extend to its service providers.
  4. Data mis-management: The risk has increased since last year, moving from 7th to 4th place in 2024. The amount of data continues to rise, and so do data breaches and mis-management. Considering risk data alone, the Basel Committee’s 2023 progress report yet again notes the delay in achieving compliance, ‘seven years after the expected date of compliance’ (*5). Organisations are progressing data management and remediation programs to upgrade their processes and tools.
  5. Financial Crime: This is a broad inherent risk, which is expected to firmly remain in the risk chart. ORX continues to cite multiple financial crime-related losses in their monthly Top 5 Losses reports, whether related to committed crimes or fines issued due to an inadequate control environment.
  6. Legacy technology failures: Protiviti notes the risk of ‘existing operations and legacy IT infrastructure unable to meet performance expectations as well as ‘born digital’ competitors’, ranking it at number 7. System downtime, inadequate use of new technologies or poor change and integration could result in potential customer and market detriment.
  7. People risk: skill set, succession & well-being. Multiple external sources cite people risk, such as talent shortages according to Forbes (*6) and the ability to attract, develop and retain top talent (Protiviti). Best Practice Forum members discussed the importance of focussing on people risk, including the well-being component, and ensuring the topic is firmly on the Board’s agenda. More remains to be done to ensure employee well-being.
  8. Inability to comply with E, S and G requirements: Without doubt, environmental, social and governance considerations are becoming increasingly important for organisations and, according to McKinsey, the three-letter acronym has risen to prominence with a ‘fivefold growth in internet searches for ESG since 2019’ (*7). Increasing regulatory and societal pressures reflect the risk of inability to keep pace and comply with requirements.
  9. AI: A new entrant this year, AI can be considered a driver of other risks materialising; it has appeared in its own right due to growing concerns. To name a few: the exploitation of generative AI by malicious actors to create sophisticated scams and attacks is a worry for 99% of business and IT professionals according to ISACA (*8); and misinformation and disinformation is a new risk that shot straight into the number one risk position in the Global Risks Report 2024, which acknowledges the ease of access to AI which has “already enabled an explosion in falsified information”.

Displaying agility, leadership and situational awareness, Operational risk professionals can embrace the evolving risk landscape and serve as vital connectors, reaching across the silos and bringing different areas together, to achieve effective risk management. To this end, one of the top risks in 2024 noted by Forbes is ‘inability to connect with others’, as social skills may be reducing with the ever-increasing amount of time being spent by individuals on their personal technological devices. The connection aspect therefore is even more important, and per Charles Eames, American architect and filmmaker,

“Eventually everything connects – people, ideas, objects. The quality of the connections is the key to quality per se.”

(*1) Comparitech (2024), 300+ Terrifying Cybercrime and Cybersecurity Statistics (2024 EDITION), https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends/

(*2) Protiviti (2023), Executive Perspectives on Top Risks for 2024 and 2034, https://www.protiviti.com/uk-en/survey/executive-perspectives-top-risks

(*3) World Economic Forum (2024), The Global Risks Report 2024, https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf

(*4) Basel Committee on Banking Supervision (2021), Revisions to the Principles for the Sound Management of Operational Risk, https://www.bis.org/bcbs/publ/d515.pdf

(*5) Basel Committee on Banking Supervision (2023), Progress in Adopting the Principles for Effective Risk Data Aggregation and Risk Reporting, https://www.bis.org/bcbs/publ/d559.pdf

(*6) Segal, E. (2023), Forbes, The 9 Biggest Risks And Threats That Companies Will Face In 2024, https://www.forbes.com/sites/edwardsegal/2023/12/03/the-8-biggest-risks-and-threats-that-companies-will-face-in-2024/

(*7) McKinsey (2022), Does ESG really matter – and why?, https://www.mckinsey.com/capabilities/sustainability/our-insights/does-esg-really-matter-and-why

(*8) Information Systems Audit and Control Association (ISACA) (2023), New Study: Business and IT professionals are worried about the exploitation of generative AI by bad actors, https://www.isaca.org/about-us/newsroom/press-releases/2023/new-study-business-and-it-professionals-are-worried-about-the-exploitation-of-generative-ai


