In today’s rapidly evolving risk landscape, regulators like the FCA are sharpening their focus on operational resilience. Their message is clear: firms must prepare for a wide range of severe yet plausible scenarios, ones that could cause intolerable harm to customers, disrupt market integrity, or threaten the firm’s survival.
While scenario planning isn’t new to financial institutions, the expectations are shifting. At WTW, we’ve been exploring the intersection between operational resilience scenarios (as defined by regulators) and operational risk scenarios (used in ICAAP/ICARA). We also draw on other valuable sources, like historical incidents and emerging risk surveys, to build a more complete picture.
What the scenario data reveals
Over the past decade, WTW has supported Banks, Asset Managers, FinTech’s, and other financial institutions in navigating scenario-based risk frameworks. From this work, we’ve developed a robust scenario database focused on operational resilience threats.
Risk themes and scenarios
| Risk Theme | Scenario description | Subcategories | |
|---|---|---|---|
| 1 | Cybersecurity | Unauthorised access, attacks, or damage to information systems and data. | Cyber Attack (DoS) |
| Data Breaches | |||
| 2 | Natural Disasters & Public Health | Disruptions from environmental events and natural phenomena. | Natural Disasters |
| Public Health Crises | |||
| 3 | Physical Safety & Security | Acts of violence, unrest, or threats to physical assets or individuals. | Civil Disturbances |
| Terrorist Attacks | |||
| 4 | Technology | Failures in hardware/software impacting key systems. | Application Errors and System Malfunctions |
| Network Outages | |||
| 5 | Critical National Infrastructure | Failures in essential national systems and services. | Localised Loss of Power |
| National Power Outage | |||
| 6 | Third Party, Outsourcing & Supply Chain | Failures with external providers supporting critical operations. | Third-party and Outsourcing Failures |
| Supply Chain Disruptions | |||
| 7 | Key Personnel | Loss or unavailability of key staff. | Staff Absenteeism and Turnover |
Here’s what we’re seeing:
- Existing scenario data is a valuable asset: On average, around 25% of the operational risk scenarios identified, assessed, and mitigated by financial institutions are related to operational resilience. This makes them an excellent foundation for a focused operational resilience strategy.
- Technology Risks Dominate: Non-malicious tech failures, like application errors, system outages, and network disruptions, make up about 33% of all scenarios. Many involve cloud infrastructure, such as connectivity issues between cloud environments and data centers, or compliance breaches tied to cloud data storage.
- Severity Matters: One major advantage of using operational risk data is the inclusion of estimated financial impacts. For example, a cyberattack on payment infrastructure could cost a firm billions. In our database, tech-related failures have reached losses exceeding £500 million, with average losses of around £28 million. This level of detail is often missing from operational resilience scenarios.
Emerging risks: Elevating horizon scanning
Our recent Emerging & Interconnected Risks Survey revealed a striking trend: organizations now view nearly everything as an emerging risk. While climate change often tops industry reports, technology is currently dominating the agenda.
