In today’s rapidly evolving risk landscape, regulators like the FCA are sharpening their focus on operational resilience. Their message is clear: firms must prepare for a wide range of severe yet plausible scenarios, ones that could cause intolerable harm to customers, disrupt market integrity, or threaten the firm’s survival.
While scenario planning isn’t new to financial institutions, the expectations are shifting. At WTW, we’ve been exploring the intersection between operational resilience scenarios (as defined by regulators) and operational risk scenarios (used in ICAAP/ICARA). We also draw on other valuable sources, like historical incidents and emerging risk surveys, to build a more complete picture.
Over the past decade, WTW has supported Banks, Asset Managers, FinTech’s, and other financial institutions in navigating scenario-based risk frameworks. From this work, we’ve developed a robust scenario database focused on operational resilience threats.
| Risk Theme | Scenario description | Subcategories | |
|---|---|---|---|
| 1 | Cybersecurity | Unauthorised access, attacks, or damage to information systems and data. | Cyber Attack (DoS) |
| Data Breaches | |||
| 2 | Natural Disasters & Public Health | Disruptions from environmental events and natural phenomena. | Natural Disasters |
| Public Health Crises | |||
| 3 | Physical Safety & Security | Acts of violence, unrest, or threats to physical assets or individuals. | Civil Disturbances |
| Terrorist Attacks | |||
| 4 | Technology | Failures in hardware/software impacting key systems. | Application Errors and System Malfunctions |
| Network Outages | |||
| 5 | Critical National Infrastructure | Failures in essential national systems and services. | Localised Loss of Power |
| National Power Outage | |||
| 6 | Third Party, Outsourcing & Supply Chain | Failures with external providers supporting critical operations. | Third-party and Outsourcing Failures |
| Supply Chain Disruptions | |||
| 7 | Key Personnel | Loss or unavailability of key staff. | Staff Absenteeism and Turnover |
Here’s what we’re seeing:
Our recent Emerging & Interconnected Risks Survey revealed a striking trend: organizations now view nearly everything as an emerging risk. While climate change often tops industry reports, technology is currently dominating the agenda.
Artificial intelligence, cyber threats, and the future of tech occupy three of the top four emerging risk categories. That doesn’t mean other risks are fading – economic uncertainty, geopolitical tensions, and climate transition risks remain highly interconnected and influential.
Industry-wide and firm-specific historical data reveal real and significant vulnerabilities. At WTW, we leverage anonymised insurance claims data to generate actionable risk insights. Our analysis highlights a high frequency of technology-related risks, most notably, severe incidents stemming from third-party software failures during updates and sophisticated data breaches.
Scenario data has long been a cornerstone of risk management. But as operational resilience becomes a regulatory priority, firms must go beyond internal data. Relying solely on your own scenarios may leave blind spots. Incorporating external data, like peer scenarios, emerging risk trends, and anonymized insurance claims, ensures a more comprehensive and forward-looking approach.
What internal data are you using to inform your operational resilience strategy? Where are you sourcing insights on emerging risks and how are you integrating them into your planning?
At WTW, we bring deep experience and a rich dataset to help you clarify your risk landscape. Whether it’s peer scenario data, emerging risk insights, or historical incident analysis, we’re here to support your journey toward greater resilience.
