Operational Risk Benchmarking
Op risk benchmarking
Welcome to Op Risk Benchmarking, a new research service scrutinising op risk practices at a range of financial institutions. Each quarter, we’ll share some of the findings from one of four cohorts – G-Sibs, other banks, asset managers and insurers, and FMIs.
Participants get to see all the data – message us for details: ORMBenchmarking@risk.net

FMIs create culture club for op risk
Exchanges and clearing houses seek to build risk resilience among front-line business, amid concerns of overreliance on second line of defence

Taking the sting out: exchanges and CCPs bolster scenario toolkits
As cyber threats ramp up, the world’s largest exchanges re-assume the worst

Technology is a double-edged sword for FMIs
Exchanges and clearing houses rely on third-party vendors for vital systems, but outsourcing can also lead to duplication and waste

Op Risk Benchmarking 2025: the FMIs
Exchanges and CCPs respond to regulatory scrutiny and evolving threats with tighter vendor management and scenario refreshes

Vendor oversight splinters across FMIs
Op Risk Benchmarking: firms grapple with “chaos” of third-party rule changes, amid growing recognition of cyber and resilience threats

Op Risk Benchmarking: The G-Sibs
Using data submitted by 11 G-Sibs, our new Benchmarking series explores how the world’s largest banks are managing their biggest operational risks. Team sizes and setups, modelling practices, internal reporting, GRC vendors – take a look here.
Big Figure
Safety in numbers?
FMIs demonstrate broad variability in the size of the second-line teams tasked with overseeing infosec – but that’s starting from a relatively low base: many have teams comprising of just one specialist, while the mean average is slightly more than five.

Op Risk Benchmarking: Banks
Our second Op Risk Benchmarking series focuses on op risk frameworks at large domestic and regional banks, taking a deep dive into each of their top five risks: information security; IT disruption; change management; execution & process errors; and regulatory compliance risk.