Austria
Belgium
Denmark
Estonia
Finland
France
Germany
Greece
Iceland
Ireland
Italy
Liechtenstein
Netherland
Norway
Poland
Portugal
Spain
Sweden
Switzerland
Turkey
United Kingdom
Australia
Hong Kong
New Zealand
India
Indonesia
Japan
Malaysia
Philippines
Singapore
Thailand
Brazil
Chile
Colombia
Mexico
Peru
USA
Bahrain
Israel
Morocco
Oman
UAE
Saudi Arabia
Tanzania
Top and Emerging Risks for Banks - based on ORX Insights
Published
Written by
Read time
Overview - ORX Top Risk Review H1 2025
The ORX Top Risk Review H1 2025 provides a snapshot of the most material risks currently impacting financial institutions. Based on input from over 200 respondents across 86 organisations, the report highlights a risk landscape that is stable in structure but rising in intensity, with nearly all risk scores increasing since the last review.
Firms are responding with stronger governance, resilience planning, and investment in data and tech capabilities. However, the pace of change, especially around AI and regulation, is outpacing many institutions’ ability to adapt.
The top five material risks for financial institutions:
- Information Security (Cyber) - AI-driven threats, third-party vulnerabilities, and geopolitical cyberattacks.
- Third Party Risk – Supply chain complexity, vendor lock-in, and limited oversight.
- Technology – Legacy systems, rapid adoption of new tech, and governance gaps.
- Data Management – Fragmented systems, poor data quality, and regulatory pressure.
- Regulatory Compliance – Increasing volume and divergence of global regulations.
Overview - ORX Operational Risk Horizon 2025
The ORX Operational Risk Horizon 2025 report provides a forward-looking view of the most pressing and emerging risks facing the global banking sector over the next 12-36 months. Based on insights from 47 leading financial institutions, the findings highlight a risk landscape that is increasingly interconnected, digitally driven, and shaped by geopolitical and regulatory volatility.
For banks, these risks are not only operational concerns – they have direct implications for insurability, coverage adequacy, and risk transfer strategies.
The top five emerging risks identified are:
- Advancing Cybercrime: Fuelled by AI, ransomware-as-a-service, and third-party vulnerabilities.
- Technology & Digital Strategy: Legacy systems, cloud migration, and governance gaps.
- Business Service Disruption: Driven by geopolitical instability, climate events, and IT failures.
- Supply Chain Risk: Increasing reliance on the third parties and ESG-related scrutiny.
- Data Risk: Poor governance, AI model bias, and regulatory pressure.
Key Themes Shaping the Risk Landscape
- Digital Acceleration: Banks are moving quickly to adopt AI, cloud services, and automation – but this shift is bringing new challenges. Outdated systems, complex integrations, and growing reliance on external tech providers are making it harder to manage risk effectively.
- Geopolitical Volatility: Global tensions – from cyberwarfare to trade disputes – are creating a more unpredictable environment. These pressures are affecting everything from cybersecurity and supply chains to regulatory coordination across borders.
- Regulatory Complexity: The volume and pace of new regulations, especially around AI, ESG and data privacy, are stretching compliance teams. With rules varying widely across jurisdictions, staying compliant is becoming more resource-intensive and harder to manage.
- Operational Resilience: Keeping critical services running is getting tougher. Cyberattacks, climate-related disruptions, and third-party failures are testing firms’ resilience. Regulators and clients are raising expectations, making reliability a top priority.
Insurance Implications
As these risks evolve, insurance programmes need to keep pace.
This means reviewing coverage, understanding where gaps may exist, and ensuring policies reflect the realities of today’s risk environment.
Top 5 Emerging Risk Categories and Implications for Insurance
The top emerging risks for 2025 reflect a landscape shaped by digital transformation, geopolitical instability, and growing operational complexity.
Rank | Risk Category | Key Drivers | Concerns | Actions to take |
|---|---|---|---|---|
| 1 | Advancing Cybercrime | AI-enabled attacks, ransomware-as-a-service, state-sponsored threat, and third-party vulnerabilities. | Business disruption, data breaches, financial loss, and reputational damage. | Cyber simulations, AI-driven detection, red/blue team testing and enhanced cyber insurance. Consider insurance coverage: Cyber Crime policy. |
| 2 | Technology & Digital Strategy | Rapid AI adoption, legacy systems, technical debt, and reliance on niche tech providers. | Operational efficiencies, data loss, regulatory breaches, and loss of competitive edge. | AI governance, cloud migration, legacy remediation, and staff upskilling. Consider insurance coverage: Cyber policy. |
| 3 | Business Service Disruption (Business Interruption) | Cyberattacks, climate events, IT failures, and third-party outages. | Service downtime, regulatory fines, customer dissatisfaction, and revenue loss. | End-to-end process mapping, resilience testing, diversification of operations, and backup centres. Consider insurance coverage: Cyber policy. |
| 4 | Supply Chain Risk (incl. Third Parties) | Lack of visibility, supplier concentration, geopolitical instability, and ESG scrutiny. | Service outages, compliance failures, reputational damage, and systemic risk. | Enhanced supplier monitoring, exit strategies, contract centralisation, and nth-party mapping. Consider insurance coverage: Civil liability. |
| 5 | Data Risk | Poor data quality, fragmented systems, AI model bias, and regulatory pressure. | Breaches, flawed decision-making, reporting failures, and customer trust erosion. | Enterprise data strategies, secure storage, AI-use governance, and cryptographic protections. Consider insurance coverage: Civil liability and Cyber. |
As threats from AI-driven cyberattacks, operational disruptions, and supply chain vulnerabilities increase, firms are advised to assess insurance coverage afforded and limits purchased are sufficient to cover losses and expenses, mitigation costs associated with breaches and business disruption incidents.
Reference:
For more information, contact us:
Robert Bilney
James McPherson