In May 2025, the Cross Market Operational Resilience Group (CMORG) published a refresh of the Strategic Risk Register (SRR), a list of the key operational risks facing the financial services sector.

The SRR is organised into short, medium and long term risks, reflecting the evolving threat landscape. 

Collaboratively developed by industry experts, regulators, and infrastructure providers, the SRR has been refreshed to incorporate the risks most important to Chief Operating and Risk Officers of systemically important firms, the latest threats and risks determined by the sector’s Heads of Operational Resilience, and inputs from Government and the regulatory authorities. More specifically, the following have been used as inputs to the SRR:

• CMORG board member views on the most significant threats to the sector. As the C-suite/SMF24 representatives from the UK’s most systemically important firms across retail, wholesale, FMI and insurance subsectors, CMORG members provide a deep insight into the risks facing the UK’s Financial Sector;
• The threat monitoring framework, developed by the Operational Resilience Collaboration Group (ORCG), is a collective industry view of key incoming threats;
• The Dynamic Scenario Library (DSL) is the industry guide of severe but plausible scenarios that firms are testing under the operational resilience framework;
• The National Risk Register (NRR) examines the significant risks facing the UK. The SRR includes the risks from the NRR that are deemed to be most relevant to financial services;
• Cross-authorities’ recommendations which provided views on the key risks posed to the sector.

How to use the SRR

Firms can use the SRR to benchmark against their own risk registers to inform their severe but plausible scenarios for their Important Business Services. The SRR can be used to inform scenario testing plans, allowing firms to align their strategic priorities for building resilience against emerging risks like quantum cryptography requirements.  

The SRR does not look to quantify likelihood and impact, as it assumes all risks are severe but plausible, with firms needing to make their own assessment based on their business and operations.

Key themes in the 2025 SRR

This latest edition of the SRR includes a number of additional risks, as well as several changes to horizon postures.

Notably, geopolitical volatility drove changes to cyber threats, and there was a leap in the increasing complexity of third parties and emerging technologies such as Artificial Intelligence. Six new threats were added to the register, with eight existing risks re-prioritised as an increased risk. 

The 2025 priority risks that require sector-wide attention:

• Cyber and technology risk: As threat actors become more sophisticated, the potential for systemic impact through disruption to financial services and payment infrastructure is increasing. The SRR calls for a continued focus on exercising, information sharing and scenario planning.
• Third party concentration: With the UK’s Critical Third Party (CTP) regulatory regime progressing, the SRR recognises the growing dependency on a small number of technology and data providers. It emphasises the need for sector coordination on exit planning and testing.
• Geopolitical disruption: Heightened geopolitical tensions and the risk of targeted attacks on both financial services infrastructure and critical national infrastructure (CNI) are reshaping threat intelligence and contingency planning. The SRR supports increased scenario testing and public-private engagement to improve readiness.
• Emerging technology risk: Generative AI and quantum computing introduce a new area of risk. The SRR highlights the need to closely monitor these developments and assess their potential to amplify other risks.

Collective action

The SRR provides a refreshed view of the threat landscape, acting as a roadmap for firms to prioritise their resilience efforts. It is designed to inform resilience discussions, guide sector-wide action, and help to promote the importance of operational resilience in the financial services. 

Reviewing the SRR regularly will ensure that it remains a relevant and useful tool for firms to inform their resilience efforts. With the purpose of the SRR to be a dynamic, collective view of the risk landscape, the sector is better positioned to anticipate and respond to risks.

To access the Strategic Risk Register, please sign up to the CMORG website: Create new account | Cross Market Operational Resilience Group

The link to the SRR is here: CMORG Strategic Risk Register 

To find out more about CMORG’s work please visit: Welcome to CMORG | Cross Market Operational Resilience Group