Why ERM maturity still lags behind in 2025, and what it means for 2026

Organisations in 2025 have faced an extraordinary combination of pressures: geopolitical instability, accelerated digital transformation, rising cyber threats, supply chain fragility and regulatory expansion. Yet despite this heightened risk landscape, ERM maturity across most industries remains stubbornly low.

In what has been a year marked by volatility and rapid innovation, traditional ERM operating models are struggling to keep pace. As we look ahead to 2026, risk leaders face a pivotal moment. The organisations that modernise their risk functions now will gain a strategic advantage, while those that delay will find themselves continually ‘fighting fires’ rather than shaping outcomes.

 

2025 review: what the data tells us about ERM maturity

Although global risk awareness is higher than ever, industry surveys published during 2025 point to several consistent themes:

 

1. Legacy tools still dominate

A significant proportion of organisations still rely on spreadsheets or other manual tools for risk assessment, tracking and reporting.

Despite the wide availability of integrated risk platforms and automation technology, adoption has lagged because of cost concerns, a lack of executive sponsorship and organisational inertia.

 

2. Limited use of advanced analytics or AI

Only a minority of ERM teams used artificial intelligence, predictive models or automated risk detection in 2025.

AI adoption is happening in pockets, such as cyber risk and fraud analytics, but integration across the enterprise risk portfolio as a whole remains in its infancy.

 

3. Inconsistent risk ownership

Risk accountability is still scattered. Many risk owners lack the training, time or capability to maintain risk registers or develop robust mitigation plans, so risk functions spend more time chasing updates than enabling strategic decisions.

 

4. Strategy and ERM remain poorly connected

Although risk is increasingly discussed at board level, it is often not embedded in strategic planning, investment decisions or transformation initiatives, so ERM teams still struggle to influence the moments that matter.

 

5. Fragmentation across risk types

Operational risk, cyber risk, compliance risk, ESG risk and third-party risk often operate in silos.

This fragmentation makes it difficult to establish a unified view of exposure, which becomes a critical requirement as risks grow more interconnected: a third-party outage, for example, is at once a supply chain, cyber, operational and compliance event.

 

 

Why ERM maturity isn’t improving quickly enough

Several factors explain why, despite elevated risk and regulatory pressure, ERM maturity in 2025 remains largely static:

  • Risk is often perceived as a reporting function rather than a strategic enabler.
  • Technology investment is focused on front-office transformation, leaving back-office functions like risk underfunded.
  • Risk culture remains inconsistent, with many business units treating risk as paperwork rather than part of operational discipline.
  • ERM teams are overstretched, often supporting crisis response, compliance tasks, and audits with limited headcount.

 

Organisations recognise the importance of ERM but have struggled to convert that recognition into structural change.

 

What “Good” looks like going into 2026

As organisations reassess their ERM capabilities at the close of 2025, a new benchmark for maturity is emerging. Leading risk functions are characterised by:

 

1. Integrated Risk Technology

A shift away from spreadsheets toward unified systems that connect risk registers, incidents, controls, audits, KPIs, and KRIs.

2. Real-Time Intelligence

Continuous monitoring, automated data ingestion, and early-warning indicators powered by analytics.

3. Strong Risk Ownership

Business units with clearly defined accountability, supported by training, coaching, and transparent performance metrics.

4. Embedded Strategic Influence

Risk teams that play an active role in investment decisions, M&A, transformation projects, and product launches — not just year-end reporting cycles.

5. Cross-Risk Collaboration

Cyber, operational, ESG, resilience, and third-party risk functions working under a unified framework, sharing data and methodologies.

 

2026: the year for ERM transformation?

If 2025 was the year risk management felt the pressure, 2026 should be the year ERM finally starts to evolve. Several trends are set to drive rapid maturity gains:

 

1. ERM will become data-driven by default

The gap between static risk registers and real-time risk intelligence will become too large to ignore.

In 2026, expect to see:

  • Broader adoption of predictive analytics
  • Automated risk scoring models
  • Unified data lakes feeding ERM dashboards
  • Real-time alerts replacing annual assessments

 

As organisations increasingly operate in volatile conditions, risk functions will shift from hindsight to foresight.

 

2. AI will move from experimentation to embedded capability

AI in 2025 was experimental for most organisations.

By mid-2026, AI-enhanced ERM will become mainstream:

  • Natural language models scanning contracts, policies, and news for emerging risks
  • Machine-learning-based identification of anomalies and exceptions
  • AI assistants drafting risk reports or mitigation plans
  • Automated aggregation of risk data across functions

The same tools bring new exposure, however: validating these models, monitoring their outputs and controlling what data they can access will become a central responsibility for ERM teams.

 

3. Regulators will push for higher ERM standards

Across industries - especially financial services, defence, energy and tech - regulators in 2026 will increase expectations around:

  • Operational resilience
  • ESG and sustainability disclosures
  • Third-party and supply chain oversight
  • AI governance and model risk management

This regulatory pressure will accelerate ERM investment at board level.

 

4. Risk ownership will mature rapidly

Organisations are realising that poor risk ownership is one of the biggest blockers to ERM maturity.

In 2026, risk leaders will introduce:

  • Formal risk owner training programmes
  • Performance incentives linked to risk metrics
  • Playbooks and templates to support consistency
  • Risk committees embedded within business units

This shift will lighten the administrative burden on ERM teams and improve the quality of risk reporting.

 

5. ERM will finally integrate with strategy

As geopolitical, technological and financial uncertainties intensify, boards will demand ERM insights earlier in the decision-making process.

2026 will see:

  • ERM embedded into project design phases
  • Risk-adjusted investment decisions
  • Scenario analysis influencing organisational strategy
  • Greater collaboration between risk, strategy, and finance teams

This integration will help organisations become more resilient and adaptive.

 

The opportunity for 2026: a breakthrough year for ERM

While 2025 highlighted the shortcomings of current ERM practices, it also created momentum for change.

Boards are more engaged. Executives are more attuned to uncertainty. Technology is more accessible. And risk teams are increasingly seen as critical business partners.

 

The organisations that embrace this shift in early 2026 will:

  • Improve risk visibility
  • Respond more quickly to emerging threats
  • Build stronger resilience to disruption
  • Make better strategic decisions
  • Free ERM teams from administrative tasks to focus on value creation

 

In short, 2026 will be the year that ERM moves from compliance to competitive advantage for those organisations that are willing to modernise.

If you would like further advice on hiring in ERM, please get in touch with Adam Bond.