WTW looks to historic loss data to close risk perception gap

Willis Towers Watson (WTW) has released a new report exploring the potential for historic loss data to help financial institutions narrow gaps between perceived and actual operational risks.

Part of the firm’s “Bridging the Gap” series, the report investigates how evolving operational threats are reshaping risk management priorities.

WTW's recent survey gathered insights from over 100 directors at financial institutions globally, capturing their concerns about a range of risks – from cyber threats to regulatory breaches, health and safety issues, and internal control lapses.

Interestingly, directors placed these top risks in close order of importance. However, WTW raises a key question: Are these high-level concerns fully aligned with the priorities risk management teams face daily?

Priorities of directors and officers

According to the report, many of the risks that directors prioritise are severe in potential impact but lower in probability. For instance, cyber risk ranked highest among concerns for financial institutions in WTW’s 2024 Global Directors’ and Officers’ Survey Report.

While cyber threats have resulted in a threefold increase in disruption scenarios over the past five years, the financial exposure remains lower than other, more frequent operational issues.

Risk managers, meanwhile, often focus on the cumulative financial effects of smaller, recurring issues, which can add up over time.

Execution risk, for example, has been a leading operational concern in recent years, making up around 25% of key risk scenarios and 15% of loss events among financial institutions. This kind of ongoing risk requires close monitoring to prevent a slow accumulation of financial impact, described by WTW as “death by a thousand cuts.”

Historical data could help evaluate evolving risks

The growing cyber threat has led directors to examine how historical data might help in evaluating evolving risks.

WTW noted, however, that historical data can be challenging to interpret without detailed breakdowns of specific incidents.

For example, knowing that a wealth manager incurred a $210 million loss from a data breach offers limited insight without understanding that the costs involved included 34% for settlement, 25% for fines, 16% for credit monitoring, and the remainder for notification, legal defence, and other expenses. Such breakdowns offer more actionable insights for decision-makers seeking to strengthen risk frameworks.

Key factors for effective operational risk management

To improve resilience and balance information needs, WTW identified three key strategies for a robust risk management framework:

1. Use subject matter experts: Subject matter experts bring valuable insights into emerging risks and provide a proactive approach, often identifying issues beyond current controls.
2. Leverage internal data: Even limited internal data is essential for a realistic risk profile. Including it in risk measurement allows organisations to align perceived and actual risks more closely.
3. Consider broader industry insights: Incorporating third-party claims data and broader industry experience adds depth to scenario planning, supporting a comprehensive view of potential costs and challenges.

WTW’s findings highlighted the importance of integrating detailed loss data into risk management practices.