Watch the recording from our recent webinar
Below you will find the presentation and recording from our webinar, From risks to results: Enterprise risk management and internal audit plan considerations for financial services organizations. For more information on the subject, and to learn more about how we can assist your organization with its enterprise risk management (ERM) strategy, refer to our ERM and financial services webpages.
The financial services industry continues to face rapidly evolving risks, making robust oversight and integrated risk management strategies more important than ever. Advancements in artificial intelligence (AI) and machine learning (ML) have increased regulatory scrutiny, and the evolving threat landscape is redefining how financial services organizations approach risk, compliance and internal audit. Aligning these critical functions is essential not only for navigating uncertainty but also for building organizational resilience and delivering long-term value.
As you look ahead, your focus should be on strengthening your ERM practices and proactively aligning your internal audit plans to consider (or evaluate) how these risks and potential mitigation strategies may impact your financial services organization. In December 2025, Baker Tilly financial services and ERM specialists hosted a webinar featuring information on emerging risks they believe will impact internal audit plans in the year (and years) ahead. Below is an article featuring key takeaways and frequently asked questions from that webinar, as well as valuable insights into how leading financial services organizations are transforming their risk management practices to move beyond compliance and become strategic accelerators of performance and growth.
What are some key emerging risks impacting financial services internal audit plans?
The risk environment for financial services organizations continues to shift at a remarkable pace, driven by technological innovation, policy shifts, regulatory developments and the growing sophistication of cyber threats:
- Intensifying regulatory expectations: Regulatory bodies are raising the bar for financial services organizations, expanding the scope and depth of oversight. Regulators now expect organizations to demonstrate robust governance over a wide range of domains, including AI/ML, data governance (including data privacy), anti-money laundering (AML), cybersecurity, environmental, social and governance (ESG) reporting and operational resilience. The regulatory landscape is further complicated by policy shifts, evolving international standards and cross-border compliance requirements. Failure to keep pace with these expectations can result in severe penalties and even reputational damage.
- Escalating cybersecurity threats: Cyber risk remains at the forefront of concerns for financial services organizations. Threat actors are employing increasingly sophisticated tactics, such as ransomware, supply chain attacks and advanced persistent threats. These attacks target not only core banking and financial systems but also critical third-party vendors, expanding the risk perimeter. As the frequency and complexity of cyber incidents rise, financial services organizations and their supporting ecosystem must invest in advanced security technologies, continuous monitoring and comprehensive incident response plans to defend against breaches and mitigate potential losses. Financial services organizations need a robust program to assess the adequacy of vendors and their alignment with the organization’s minimum security standards.
- Growing IT complexity and digital transformation: The adoption of new digital platforms, cloud-based systems and AI is reshaping the operating model almost as quickly as the internet did in the 1990s and early 2000s. While these technologies offer enhanced efficiency and customer experience, they also introduce new risks. Increased information technology (IT) complexity can result in integration challenges, data management issues and greater potential for operational disruptions. Moreover, cloud migration and reliance on external service providers and third-party vendors raise concerns about data security and business continuity, as well as expanding a company’s attack surface.
- Operational disruptions and compliance gaps: As financial services organizations expand their digital footprint, the risk of operational disruption grows. System outages, technology failures and vendor-related issues can have huge impacts on operations and regulatory compliance. Proactively identifying and addressing these vulnerabilities is critical to maintaining resilience and preventing costly compliance gaps. Organizations must strengthen their risk assessment and management frameworks, enhance third-party risk management over resiliency and ensure robust contingency plans are in place throughout their value chain.
How has ERM evolved in recent years?
Traditionally, ERM was viewed as a compliance exercise – a framework of policies and controls designed to satisfy regulators. Organizations focused on documenting processes and avoiding penalties, rather than using risk insights to strengthen performance. However, in a fast-changing, interconnected risk environment, that approach is no longer sufficient. Today, leading organizations, especially those in the financial services industry, view ERM as essential to their strategy and decision-making. Modern ERM is not just about mitigation. It also helps identify opportunities, anticipate disruptions and support data-driven choices about growth, resilience and reputation.
This evolution makes risk leaders strategic partners, aligning risk appetite with business objectives so risk insights directly support both defensive and offensive moves.
How are ERM and internal audit related and why is their partnership so beneficial?
When considering the relationship between ERM and internal audit, it is essential to recognize that these functions play distinct yet complementary roles that together strengthen the integrity of corporate governance.
- ERM coordinates the organization’s risk strategy. It aligns risk-taking activities with strategic objectives and a defined risk appetite, develops risk frameworks and methodologies and monitors aggregate exposures to ensure that decisions reflect consistent risk awareness across the enterprise.
- Internal audit independently ensures that risk management, controls and governance are functioning as intended. It tests controls, validates risk management (including ERM), identifies emerging risks and gaps and reports conclusions to the audit committee.
Risk appetite is the link between these functions. It bridges the gap between what the organization intends to do and what it actually does. ERM defines and communicates risk appetite. Internal audit verifies whether decisions, behaviors and controls remain within established boundaries.
When ERM and internal audit collaborate, while maintaining independence, they create a virtuous cycle. ERM sets expectations through frameworks and appetite statements. Internal audit validates execution against those expectations. Together, they identify and help resolve gaps between strategy, appetite and performance.
This alignment does more than protect value; it enhances it. ERM and internal audit together provide clearer risk visibility, enable faster, better decisions and build competitive advantage through strong risk intelligence and governance credibility.
Why is technology risk management such an important component of ERM?
Technology is at the core of most organizational processes, driving innovation, efficiency and competitive advantage. However, this reliance on technology introduces a spectrum of risks ranging from cyber threats to disruptions caused by digital transformation. For financial services organizations, managing these risks is critical not only for regulatory compliance but also for safeguarding reputation and ensuring operational resilience. Integrating technology risk management into ERM is essential for achieving a holistic, proactive approach to risk oversight.
Information technology (IT) is embedded in every mission-critical process: core banking platforms, claims adjudication, underwriting engines, payment processing and customer portals. A successful ERM program recognizes technology risk as a fundamental element, requiring deliberate alignment of methodology, involvement of specialized talent, continuous attention to emerging risks and a feedback loop for considering the impact of identified issues and emerging risks.
- Aligned methodology: Effective integration starts with harmonizing risk management methodologies across the organization. This ensures consistent risk identification, assessment, scoring and mitigation processes, whether the risks are financial, operational or technological. Aligning methodologies eliminates silos and enables a unified view of risk throughout the organization, which is essential for informed decision-making and prioritization.
- Involve specialized talent: Technology risk management demands specialized expertise. Engaging professionals with deep knowledge and experience in cybersecurity, IT infrastructure, IT operations, change management and digital innovation ensures that IT risk assessments are accurate and mitigation strategies are robust. These specialists play a vital role in interpreting technical risks in business terms, facilitating better communication between IT and executive leadership.
- Address emerging risks: The risk landscape is continuously changing, with new threats such as ransomware, data breaches and vulnerabilities arising from digital transformation initiatives. Keeping pace requires ongoing horizon scanning, scenario analysis and adaptive risk assessment techniques. Financial services organizations must remain vigilant, updating their risk profiles as technology evolves and new threats emerge.
- Feedback loop: In addition to tracking risks propagating outside the organization, whether they surface at similar firms in the market, in other industries or in other geographies, successful organizations also have feedback mechanisms through which to assess the impact of identified issues and risks. The results of audits, assessments, examinations, reviews, tests and similar activities (collectively, “assessments”) should be considered when assessing risks, both to determine whether inherent and residual risk ratings are appropriate and to determine whether those results indicate the existence or emergence of larger, more significant risks.
What are some key ERM challenges that insurance organizations are facing?
ERM plays a critical role in the insurance industry, where organizations must continuously navigate a complex landscape of regulatory requirements, evolving customer expectations, technological advancements and emerging risks. During our Dec. 2025 ERM webinar, the majority of attendees cited AI/automation embedded in core processes as the insurance risk they believe is most quickly outgrowing their organization’s internal audit coverage.
There are several ERM challenges that are unique to insurers, which underscores the need for robust frameworks, strong governance and effective collaboration between risk management and internal audit functions.
Property and casualty (P&C) risks: Internal audit must adapt its approach to address the escalating risks in the P&C sector, from claims volatility to technological limitations:
- P&C insurers are facing increased volatility from severe weather events and climate change, and the unpredictability of these risks demands sophisticated modeling, scenario testing and capital management strategies.
- Automation through AI and digital platforms is transforming claims management by increasing efficiency and reducing manual errors. However, automation introduces new risks, such as algorithmic bias, cyber threats and operational failures.
- Many insurers continue to rely on aging core systems for policy administration, claims and billing. Modernizing these platforms is essential for competitiveness, but the transition involves significant operational, financial and cyber risks.
Life insurance risks: Given the evolving landscape in the life insurance sector, internal audit must strategically adapt its focus to ensure robust oversight of emerging and complex risks:
- Life insurers are continuously innovating to meet changing customer needs and regulatory requirements. ERM must be integrated into the product development lifecycle, from ideation through launch, to identify and mitigate potential risks before products reach the market.
- The distribution of life insurance products involves multiple channels, including agents, brokers and digital platforms. Each channel presents unique risks related to sales practices and suitability. ERM should establish controls and monitoring processes to ensure compliance, prevent misconduct and safeguard the organization’s reputation.
- The ongoing assessment of product performance, claims experience and emerging risks is vital after product launch. ERM frameworks should facilitate regular reviews, stress testing and feedback loops to ensure that products remain aligned with the organization’s risk appetite and regulatory expectations.
What are the essential components of a financial institution’s strong ERM framework?
ERM has become a cornerstone of modern banking, serving as a comprehensive approach to identifying, assessing and mitigating risks across all facets of a financial institution. Effective ERM frameworks in the banking industry must address several core risk categories to achieve holistic risk coverage:
- Credit risk governance: Credit risk remains one of the most significant exposures for banks. A sound ERM framework establishes clear guidelines for loan origination, underwriting standards, portfolio diversification and ongoing monitoring. Governance structures must ensure that credit decisions align with the institution’s risk appetite and regulatory requirements, with oversight provided by dedicated credit committees and risk officers.
- Liquidity and capital adequacy: Liquidity risk management is essential for maintaining daily operational stability and meeting obligations under stressed conditions. ERM frameworks integrate liquidity monitoring tools, stress testing scenarios and contingency funding plans. Capital adequacy requires banks to maintain sufficient capital buffers to absorb losses and support growth. These elements are tightly interwoven within ERM to ensure solvency and operational continuity.
- Operational resilience: Operational resilience focuses on the ability of banks to withstand and recover from disruptions, whether caused by cyberattacks or system failures. ERM frameworks incorporate business continuity planning, incident response protocols and regular scenario analyses. This proactive stance enables financial institutions to minimize the impact of adverse events and maintain trust with stakeholders.
Implementing proactive and coordinated risk management approaches
Given the dynamic nature of the risk landscape, financial services organizations must adopt proactive, coordinated approaches to risk management and oversight. This entails fostering a risk-aware culture among stakeholders, integrating risk considerations into strategic decision-making and leveraging data analytics for real-time risk monitoring. Collaboration across departments and business units such as risk, compliance and IT is essential to identify emerging threats, allocate resources effectively and ensure regulatory alignment.
Our team of financial services risk advisory specialists has decades of experience combating these challenges and helping organizations implement strong, resilient and effective ERM programs. Reach out to one of our ERM specialists to leverage industry-leading practices and emerging technology to develop a strong ERM program tailored to your organization’s needs.