12 top enterprise risk management trends in 2025

Trends reshaping risk management include use of GRC platforms, risk maturity models, risk appetite statements and AI tools, plus the need to manage AI risks.

Enterprise risk management has taken center stage in many organizations as they grapple with the lingering effects of the economic uncertainties sparked first by the COVID-19 pandemic and then the wars in Ukraine and Gaza, as well as the rapid pace of technology change and other potential business risks.

Forward-looking corporate executives recognize that stronger risk management programs are required to remain competitive in today's business world. For example, one aspect of the current enterprise risk management (ERM) landscape that companies must contend with is the connectivity of risks between different organizations.

Businesses are increasingly interconnected with partners, vendors and suppliers across global markets, which complicates the various types of risk they face, explained Alla Valente, an analyst at Forrester Research.

"We find that when there is significantly more risk in one of those categories it can have a ripple effect that impacts other categories," she said. The business impact of a local natural disaster, wars, higher interest rates or other developments can cascade across an entire supply chain worldwide. Along with other factors, that makes effective risk management a prerequisite for continued business success.

But there's a lot for risk managers to keep up with. Here are 12 risk management trends that are reshaping the ERM process and influencing business continuity planning and risk mitigation efforts.

1. Risk maturity models consolidate workflows

More enterprises are considering a risk maturity model as a way to manage the growing interconnectedness of risk vulnerabilities, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Adopting a risk maturity model requires addressing risk management processes and technologies that can support them.

On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish ERM policies and procedures, and implement the proper controls. Risk managers also need to establish processes for consolidating ERM workflows across disparate entities.

The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.

2. ERM technology stacks expand into GRC

Enterprise risk management has expanded beyond financial issues to also reach into cybersecurity; IT; third-party relationships; and governance, risk and compliance (GRC) procedures. A comprehensive GRC platform can be a critical integration tier for all types of risk management activities. An organization can use one to create and manage policies, conduct risk assessments, understand its risk posture, identify gaps in regulatory compliance, manage and respond to incidents, and automate the internal audit process.

CIOs need to confirm that their risk management technology stack is adequate for each task and used proactively, not just reactively, Valente said. Consider integrating the following functions into a more comprehensive technology stack:

  • Risk intelligence tools to analyze geopolitical risks, natural disasters and other incidents.
  • Third-party risk assessment tools to track sanctions, security incidents and financial health in other organizations.
  • Cybersecurity systems to assess the potential impact of cyber-risks, such as security vulnerabilities, data breaches and cyberattacks.
  • Social media monitoring capabilities to identify sudden changes in brand reputation.

3. ERM seen as a competitive advantage

Organizations now often view risk management as a way to increase their competitive advantage instead of simply a risk avoidance exercise, a trend that became especially noticeable after the emergence of COVID-19.

"Although many companies suffered economic losses during the pandemic," Valente noted, "we also saw many companies pivoting to new opportunities that did not exist before."

Valente's research team has described the differences between traditional chief risk officers who are laser-focused on minimizing risk and what Forrester calls transformational CROs. The latter see risk management as a competitive differentiator that can prevent risks from interfering with business strategy and limiting revenue streams.

"Companies with a transformational approach to risk can mobilize their teams and business leaders quickly to jump on a new gap in the market," Valente explained. When, for example, Ikea's store traffic plummeted during the initial pandemic lockdown, the furniture retailer quickly implemented a new contactless pickup system that let customers securely pick up their purchases, according to Valente.

4. Wider use of risk appetite statements

Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. For example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still lets them turn a profit.

Risk appetite statements have now also gained popularity in other industries to replace rudimentary "check the box" exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president and analyst team manager for the risk and corporate strategy practice at Gartner. There's a caveat, though.

"It is difficult to do," Matlock warned, but "the payoff for organizations that do it is extremely high."

He explained that companies face numerous challenges in creating an effective risk appetite statement. Some executives believe it could limit their ability to pursue new business opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.

5. Subject matter experts expedite risk assessment and response

Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using their GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues spanning multiple departments emerge, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly assess the risk and take required actions.

Risk assessment at the beginning of a new project is table stakes now. Devising the best plan and creating a process that supports a timely risk response yields the best results. "It is the maintenance of risk and the timely response to risk throughout a project's lifespan that has the biggest impact on success," Matlock said.

6. Risk mitigation and measurement tools multiply

Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, a principal at Deloitte who is the professional services firm's advisory leader on strategic risk and resilience in the U.S. Among the improvements are internal and external risk-sensing tools that help generate the risk intelligence needed to detect trending and emerging risks.

In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:

Scenario planning and assumption testing capabilities are on the rise as well, Calagna said. Companies are also using simulations, war games, tabletop exercises and other interactive workshops to promote more cross-functional thinking about risk management and help assess the likely impact of future events on corporate business plans and strategies.

7. GRC meets ESG

Another enterprise risk management trend is connecting the dots between business risk and environmental, social and governance (ESG) agendas.

"As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine," cautioned Cliff Huntington, general manager of software vendor OneTrust's GRC products. Organizations need to demonstrate that they aren't just greenwashing and are instead making measurable progress as part of their ESG strategies and programs, according to Huntington.

"Business leaders," he said, "are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives."

8. Extreme weather risks grow in importance

With hurricanes, wildfires and other extreme weather events growing in both impact and frequency, CEOs and boards of directors are being called on to implement risk management strategies that help to mitigate the consequences for employees and business operations.

In 2023, there were a record 28 billion-dollar weather and climate disasters in the U.S. that caused a combined total of $95.1 billion in damages, according to the National Oceanic and Atmospheric Administration (NOAA). In the first 10 months of 2024, NOAA confirmed 24 such events with combined damages of $61.6 billion. With climate change helping to make high counts of weather-related crises the norm, organizations must put risk mitigation measures in place to protect their assets and avoid business disruptions.

9. Integrating risk management with digital transformation

As business operations go digital and IT environments become more and more complex, enterprises are increasingly adopting an integrated GRC, or IGRC, program to simplify their risk management activities, said Elizabeth McNichol, a principal at PwC and enterprise technology leader in its U.S. cyber, risk and regulatory consulting practice.

"Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized or even if it may be noncompliant with the law," she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal and grounded in a risk-based approach, McNichol added.

IT plays a critical role as both a driver and enabler of IGRC. CIOs and other IT leaders must work with business managers to identify, assess and mitigate risks in accordance with a company's risk appetite. An integrated governance model can help by coordinating strategy, people, process and technology objectives across the enterprise. These steps are crucial for ensuring the risk management component is successfully integrated into broader digital transformation plans.

10. Enhanced and contextualized risk monitoring

Kumar Avijit, vice president and head of the cloud and infrastructure practice at technology research firm Everest Group, is seeing increased demand for risk management monitoring tools tailored for various roles and personas, such as CIOs, CISOs and business managers. This is because various executives and business users are defining new risk management priorities and mandates. These tools enhance traditional risk analysis with drill-down views that provide the right level of granularity.

Examples of some of the growing risk priorities for different roles include the following:

  • CEOs want to drive secure business transformation.
  • CFOs want to reduce business risks and the cost of data breaches.
  • COOs want to run resilient business operations.
  • CIOs want to make security a foundational element of IT strategy.
  • CISOs want to quantify cybersecurity risks to aid in decision-making.

11. AI augments risk management initiatives

AI will play a growing role in risk management initiatives. For example, AI tools are being deployed to support risk management and mitigation efforts for use cases such as fraud detection, threat intelligence and classification of sensitive data. The following are some other common manifestations of this trend:

  • AI-driven risk identification and prediction. Machine learning is beginning to be used to identify risks more accurately and faster than humans can. That's especially the case in dynamic risk management processes for cybersecurity, in which heuristic- or rule-based approaches can become outdated because adversaries are using AI themselves to mount novel attacks. AI and machine learning tools can also monitor risks and predict how they might develop in the future, enabling mitigation strategies to become more proactive.
  • Use of chatbots. They can answer risk management questions from employees, customers, business partners and other parties that would otherwise need to be addressed by risk managers. Chatbots can also navigate internal knowledge bases to surface risk-related scenarios and incidents that were previously encountered in an organization, thus saving time and preventing redundant investments in resolving issues.
  • AI in legal and model risk management. AI tools are being used to ensure legal compliance and mitigate related risks. They can also be used for model risk management and stress testing of quantitative and qualitative models to meet regulatory requirements in financial services, insurance and other industries.

12. AI introduces new risks that need to be managed

On the flip side, the surge in interest in AI, driven partly by the emergence of generative AI (GenAI) technologies, creates various new risks that enterprises haven't had to widely consider before now. Examples include bias in AI algorithms and models, the AI hallucinations often produced by GenAI tools, ethical issues related to AI use and a lack of explainability for the results of AI applications.

Organizations can adopt the following measures to help manage those and other AI risks:

  • AI risk management frameworks. If new AI risk management frameworks, such as one developed by NIST, are effective, that would remove a big impediment for organizations in getting started on managing AI risks.
  • Responsible AI programs. A cohesive responsible AI strategy will be an important component of AI risk management. But some companies likely will struggle to balance idealistic commitments to responsible AI principles with the level of resources required to support and sustain a program. Organizations will need to think seriously about how to achieve that balance.
  • AI governance policies. This involves establishing guidelines that align the governance of AI systems with an organization's values and objectives. Without such alignment, the implementation of an AI governance policy could fail due to internal friction, resulting in limited adoption and an inability to effectively manage AI risks across the organization.
  • Management of third-party AI risks. Organizations also must address risks that stem from the use of externally developed AI tools. Incorporating these third-party AI risks into existing risk management strategies will separate companies that are successful in their approaches from those that aren't.

Editor's note: Informa TechTarget editors updated this article in January 2025 for timeliness and to add new information.

George Lawton is a journalist based in London. Over the last 30 years he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.
