Role of external content in operational risk assessments