A holistic approach to risk management

May 29, 2025
David Stewart, Managing Director of Taynuilt Resilience Services and a trainer in Risk and Crisis Management for the Institute of Risk Management (IRM), discusses how organisations can proactively manage risk.

How has the perception of risk evolved over the last decade – and where do you see it heading next?

Historically, many people and organisations saw risk as merely being a stand-alone process which, although linked to business planning, seemed static in nature and siloed.

In more recent times, Enterprise Risk Management (ERM) has been recognised for being more interconnected and proactive and its importance to a comprehensive perspective of organisational resilience is now understood.

The Covid-19 pandemic also highlighted that events far outside of the control of individual entities (or even countries) can have a massive impact and the importance of horizon scanning and anticipating future threats, hazards and risks has gained greater significance.

Organisations and governments are increasingly using scenario planning, AI-supported risk assessments and stress-testing models to anticipate challenges before they materialize.

There is also a growing awareness that risk management is only one of the critical functions that help to make organisations more resilient.

Looking ahead, resilience and adaptability will be critical to the future of risk management.

What are the most pressing emerging risks organisations should be preparing for today?

As we move through 2025 and beyond, organisations face a rapidly shifting landscape shaped by accelerating technological advancements, the global transition to renewable energy, geopolitical tensions and tightening regulations on sustainability and governance.

At the same time, longstanding risks, including climate change, cyber-threats, economic instability, conflict and public health vulnerabilities continue to evolve, demanding a proactive and strategic response.

The next decade is expected to be defined by a more fragmented geopolitical order, bringing both risks and opportunities to the forefront.

In this environment, ERM is not just a safeguard, but a strategic enabler, equipping organisations to anticipate disruption, build resilience and uncover competitive advantages.

Risk professionals, particularly those with formal qualifications and training, will play a pivotal role in this transformation.

Their expertise helps organisations move beyond risk mitigation to harness uncertainty as a driver of long-term value.

The IRM 2025 Risk Trends Report identified five ‘key shifts’ driven by the explosion of technological advancements and increasing global uncertainties that risk practitioners need to prepare themselves (and their organisations) for in 2025:

  1. Strategic integration of risk management
  2. Addressing technology-driven risks
  3. Building resilience in an uncertain world
  4. Emphasising environmental, social and governance (ESG) and stakeholder trust
  5. Fostering agile risk governance

The report suggests that risk practitioners do this by:

  • Investing in continuous learning
  • Leveraging technology
  • Enhancing collaboration
  • Embedding sustainability into risk practices
  • Focusing on risk culture

What’s the most overlooked risk area in 2025?

Depending on who you speak to, you will get many different answers to this, so this is merely my perspective with my background and experience.

I think that there are three specific risk areas that need to be given greater priority.

Firstly, people. That could be the traditional ‘insider threat’ – someone within an organisation acting with malicious intent, whether simply out of spite or for financial gain or competitor advantage.

This is definitely an area where the crossover between risk management and security management is critical.

Proper vetting of individuals, along with strong internal policies and procedures and appropriate management and supervision of staff, is essential.

Secondly, I would highlight supply chain risks.

Covid-19 brought many examples of the impact that a failure of supply chain can have on organisations.

However, we also read far too often of adverse incidents stemming from a failing brought about by a vendor.

Many people use the US-based retailer Target as an example of vendor technology security vulnerabilities but incredibly, although that breach occurred in 2013, barely a year has gone by since where there hasn’t been another similar example.

As recently as 2024, we saw a breach of Ministry of Defence data that was blamed on a hacking attack on an ‘external contractor’ and, while these examples both relate to technology vulnerabilities, organisations need to think more comprehensively about the risks they can potentially be exposed to via their supply chain partners.

Finally, it would be neglectful not to mention, in 2025, the risks that misinformation can bring.

The challenge has only become more real with the advancement of AI tools and deepfake videos.

The World Economic Forum 2025 Global Risk Report listed misinformation and disinformation as its fourth most significant global risk and its top technological risk.

What key skills should every risk professional be developing right now?

I would say that risk professionals should be pursuing training in emerging areas such as AI ethics, ESG risk management and cyber-risks, as well as staying informed about global trends, regulatory changes and technological advancements through industry groups, thought leadership and professional networks.

They should also be considering using (or at least becoming familiar with) advanced risk management tools to enhance decision making and understanding how blockchain and other emerging technologies can assist in ensuring transparency and security in processes such as supply chain management.

Another thing that’s becoming more important is the building of partnerships with external stakeholders, including regulators, industry peers and technology providers, to share insights and develop industry standards.

This should include collaboration across functions within the organisation to create a unified risk approach to both risk and wider organisational resilience.

How important is cross-discipline knowledge for modern risk professionals?

Risk management is no longer siloed and modern professionals must move beyond traditional risk silos and develop a holistic understanding of interconnected risks and functions – from finance and technology to geopolitics and sustainability, as well as related activities in the fields of identity threat detection and response (ITDR), business continuity and crisis management.

One specific area that I think adds real value for risk professionals is their engagement and active involvement in testing and exercising.

If we think of overall ‘resilience’ as a combination of anticipation/assessment (risk management), prevention/preparation (development of ITDR/business continuity and crisis and risk management plans) and response/recovery (plans being executed) then, if a risk manager thinks that their role ends after their core activities, they are missing the point.

The reality in any emergency/crisis/business continuity management event is that it has already been identified somewhere in the risk register.

Perhaps not the top risk and potentially more likely to be one with low probability, but high impact.

In any event, risk managers becoming involved in the development and running of plans being tested and exercised allows them to see and appreciate that full ‘resilience cycle’ in action and be a true part of the overall organisational learning experience.

How can organisations balance short-term risk mitigation with long-term resilience?

Further to my comments above, it is key that organisations move away from reactive approaches to adverse events and become far more proactive in their approach.

Risk management plays a significant role in supporting this shifting of emphasis.

Implementing real-time risk monitoring, whether through AI-driven analytics, scenario modelling or other methods, will help in the development of the identification of emerging threats.

Short-term risk mitigation and long-term resilience aren’t opposing forces – they must work together.

The best organizations operate with strategic foresight, invest in adaptive capabilities and integrate risk thinking into every business decision.

The future demands agility, collaboration and a forward-thinking mindset, ensuring that risk management continues to serve as a cornerstone of organisational resilience and success.

This article was originally published in the May edition of Security Journal UK.
