Uncertainty and fast‑evolving threats are driving insurance groups to prioritise operational risks over a much shorter time horizon, according to ORX’s 2026 Operational Risk Horizon Report.
The latest survey, based on responses from 47 global banks, insurers and asset managers, found that firms are concentrating increasingly on the next six to 12 months rather than longer‑term scenarios, as cyber, technology and third‑party exposures develop more rapidly and with greater interdependence than before.
Advancing cybercrime is ranked as the top category of emerging operational risk for 2026. Technology and digital strategy holds second place for the third consecutive year, while supply chain and third parties have moved into third, reflecting growing reliance on external providers, cloud platforms and digital ecosystems across the financial sector, including insurance.
The emphasis on cyber and technology mirrors trends seen in both underwriting and internal risk management at insurance groups. Carriers have been grappling with cyber accumulation risk and ransomware in their books, while also facing their own exposure to system outages, data breaches and IT transformation issues in policy administration, claims and distribution.
The ORX findings suggest those concerns are now firmly embedded at the top of operational risk agendas. Institutions surveyed cited AI‑enabled attacks, geopolitical volatility, regulatory change and supply chain fragility as the main drivers reshaping their threat profiles.
“ORX’s 2026 Horizon Report reflects a significant shift in the operational risk landscape. Uncertainty now dominates, driven by accelerating AI developments, geopolitical volatility and increasingly complex supply chains. The speed of risk evolution means the horizon is moving ever closer, with firms concentrating risk management efforts on shorter‑term threats,” said Steve Bishop, research and information director at ORX.
He added that risk teams “must be agile, resilience‑centred and deeply connected to the business – understanding where vulnerabilities lie, improving the structure and hygiene of data, and strengthening scenario analysis. They must develop clear views of risk interconnectivity, to ‘connect the dots’ before they converge into something more severe.”
According to the report, 56% of firms now capture risk interconnectivity in their material and/or emerging risk reporting. Current techniques include thematic scenarios, mapping emerging drivers to traditional risk types, thematic issue analysis, clustering related risk functions and, in some cases, using AI tools to identify linkages.
Within insurance organisations, this is translating into attempts to join up cyber, IT change, data quality, outsourcing, conduct and regulatory risks that can combine to produce large operational losses or prolonged disruption.
ORX noted, however, that many participants still find it difficult to present these relationships in ways that are genuinely holistic and actionable for senior management.
As attention shifts towards short‑term disruption, longer‑horizon concerns are slipping down the industry’s priority list.
People and skills and conduct now rank close to the bottom of the emerging risk categories identified by respondents, only just above climate risk and health and wellbeing. Climate risk has dropped particularly sharply, moving from fourth place in 2023 to 10th in 2026.
Bishop cautioned against allowing medium‑ and long‑term threats to be crowded out.
“Firms need to also balance medium and longer term threats against short term pressures. Quantum computing, demographic shifts and future skills shortages may seem distant compared to today’s focus, such as AI‑enabled fraud or cyber crime, but addressing them early is essential to building lasting resilience,” he said.
That warning is notable for the insurance sector given continued regulatory attention on culture, conduct and climate‑related financial risks. The lower ranking of these themes in operational risk planning may indicate a gap between formal expectations and day‑to‑day prioritisation.
Alongside the focus on interconnectivity, the report points to data governance, technology readiness and workforce capability as key areas for investment. Improving data structure, hygiene and governance, and upskilling teams in AI, cyber, data and resilience are cited as priorities.
“This year’s findings show that firms are responding – expanding resilience capability, collaborating more and investing in future skills. But the challenges ahead require continued focus. In a world defined by uncertainty, the organisations that thrive will be those able to anticipate change, act decisively and empower risk functions to support strategic decision‑making at pace,” Bishop said.
The ORX conclusions reinforce the need to link operational risk closely with underwriting, reinsurance, IT and third‑party management, and to ensure that cyber, technology and supplier exposures are treated as interconnected issues rather than siloed risks, even as shorter‑term pressures dominate the 2026 horizon.
