The top 10 op risks, reloaded

Survey to be expanded as part of benchmarking exercise

You can plan a pretty picnic but you can’t predict the weather, as the song has it.

It’s an often-heard frustration among operational risk managers that trying to anticipate when and how large losses will occur is extremely difficult.

In recent years, the industry has been encouraged to consider esoteric risks that might previously have been assigned a low or near-zero probability as part of routine stress testing, including regulator-set exams – in other words, knowing what your exposures are and thinking about what losses would occur if there were significant changes to your operating environment (or packing an umbrella, or scoping out a nearby café, to torture the picnic metaphor in ways that Outkast’s André 3000 and Antwan never imagined).

Of course, whether firms choose to act on the outputs these exercises throw up, and update control environments accordingly – like the bank that built a stress scenario for a global pandemic two years before Covid-19 struck, before tearing it up, dismissing it as unrealistic – is another matter.

For more than a decade, has tried to help guide op risk managers pool their collective insights as a list of shared concerns over broad categories of risk in the form of the Top 10 Op Risks.

The analysis that results is consistently the most popular piece of content produces all year: many of the world’s largest banks spend time debating the survey as part of so-called external perspectives exercises, puzzling over the ranking of a particular category, asking whether they’re paying enough attention to it and have enough internal expertise to respond appropriately if threats are realised.

As was the case with Covid, however, Russia’s invasion of Ukraine – while not wholly unexpected – has also exposed the inherent limitations of the Top 10 as a static, point-in-time exercise. So the survey needs to evolve, too.

Later this year, we’ll be getting in touch with respondents and asking for your input. How regularly should we run the survey: a semi-annual poll, to see how broad areas of concern to managers have evolved over the course of the year? Or a free-form exercise designed to identify emerging risks? What time horizon should we be thinking along?

The outcome might be a more regular, more granular survey offering a breakdown of the hierarchy of perceived threats, and accompanying detail on how some op risk chiefs are responding. But we don’t have a fixed vision yet, so if there’s something you’d like to see, please get in touch: tom.osborn [at]
