Top Risk Drivers for 2025: Key Trends and How to Manage Them

As we start 2025, risk teams across the globe will be looking to identify potential gaps in their risk registers and capture any new or emerging risks. But which risk areas will be driving risk management programs in 2025 and beyond?

In this blog, we share the key risk factors and trends that will be shaping risk management programs in 2025 and explain some of the ways that organizations can manage and address those risks to safeguard their businesses. Our Principal Consultant Brad Smith recently caught up with David Butters from the RMIA on a webinar to discuss the ‘Risk Drivers to Remember in 2025’ and we’ll be sharing some insights from the discussion between these two industry experts.

What were the top 5 global risks in 2024?

The duo started the webinar by looking back on the top 5 risk areas globally in 2024 by sharing results from the World Economic Forum’s Global Risks Report 2024.

The top risk concern was extreme weather. Technology risks such as AI-driven misinformation and cyber threats also featured highly, which will make cyber and IT risk management a top priority for 2025. Unsurprisingly, the cost-of-living crisis was also in the top five, with many organizations feeling financial pressures.

Brad and David also shared the results from a recent survey run by Camms’ parent company Riskonnect, which surveyed more than 200 risk professionals about the top risk drivers in 2024. Cyber security risk came out on top, closely followed by economic risk and talent risk. Cyber risk was also the top risk driver for those who completed a poll we ran on the live webinar.

Brad and David also highlighted that risk drivers can differ by sector and shared results from a survey of risk drivers in Australian local government, where the top five were:

  1. Financial stability
  2. Cyber security
  3. Assets & infrastructure
  4. Climate change
  5. Disaster & catastrophe

Top Risk Drivers for 2025

Based on multiple survey results and their own experience working with a variety of businesses, David & Brad then went on to share what they think will be the top risk drivers in 2025.

  1. Cybersecurity

With many businesses adopting a digital-first operating model, cybersecurity is likely to be one of the top risk drivers in 2025. Brad highlighted that ‘phishing, ransomware, compromised credentials, hacking, and malware’ are some of the key risks that must be mitigated and controlled, with instances ‘increasing and becoming more sophisticated’. Brad referred to the OAIC Notifiable Data Breaches report, noting that there had been 527 notifiable data breaches in Australia between January and June 2024 (9% up on the previous six months). 67% were caused by malicious or criminal attacks, 30% by human error and a mere 3% by a system fault. The sectors reporting those breaches included Healthcare 19%, Government 12%, Financial Services 11%, Education 8%, and Retail 6%.

Brad highlighted that cybersecurity ‘is an area that’s been thoroughly worked over in recent years’. He added ‘There’s a whole bunch of regulations and government oversight, federal government point of view around cybersecurity and obligations of organizations under this in relation to some of the acts or regulations that are being put out’.

Brad hinted that there will likely be ‘a continuation of the zero trust security measures’, including privileged access management, continuous verification, and IoT security, where devices linked to your network could introduce a vulnerability and so must be secured and kept current with firmware updates and patching.

Firms should also look to address cyber security risks associated with third parties and suppliers through formalized assessment and onboarding processes, regular audits, and cybersecurity training.

Brad touched on some of the controls firms can implement to reduce cyber risk, such as ‘phishing simulations and incident response drills’. David also highlighted the need to have a ‘clear line of responsibility’ for cyber risk. He shared that some CROs are ‘technologically savvy but are still driven by the expectations of their Chief Information Officer or their Chief Information Security Officer and that technological issues are often handled by the technology team and the risk team are seen as the overall risk function’. He added that ‘some CROs have upskilled their digital capability, but the political clout that the Chief Information Officer has sometimes still means that the final decision happens on the technology side, not in the risk world’.

  2. Artificial Intelligence (AI)

Artificial Intelligence is now widely used globally, and there is certainly scope to use AI in a business context. The Australian Responsible AI Index, published in September 2024, reported that 81% of businesses currently use AI either broadly or in a limited part of the business, with the main barriers to adoption being the ‘need for further training and risk management of their data’.

On the topic of AI, David shared that ‘The better, more successful CROs have taken AI to hand and used it personally to utilize their own careers most successfully. They’ve all got software that they sound check, sense check absolutely everything across, and I’ve seen the output of what they’re using with their own technology to be phenomenal with the use of machine learning’.

Brad added that when using AI it is important to have a strategy behind it, and that firms should be ‘looking at some sort of cost benefit analysis in association with it’. They also highlighted that firms need the right staff with the ‘ability to run it, to analyze, and make decisions based on it’, because human oversight and sense checks are important when using AI.

Brad added that firms must also consider ‘the data quality they have to work with. Do they have the necessary data infrastructure in place to manage that data security?’ The duo also suggested that firms implement ‘policies and guidelines’ around the use of AI.

  3. Regulatory Compliance

Regulatory compliance is set to be another huge risk driver in 2025, with many new regulations coming into play across a variety of sectors. Organizations in critical infrastructure must manage the requirements of the SOCI Act. Financial institutions must contend with CPS 230. The new Aged Care Act impacts the aged care sector. If your business does work in the EU that involves personal data transfer, new standards and contractual clauses governing international data transfer are coming into force, alongside EU cyber security and AI data protection requirements.

Another one coming into play for some organizations from 1 January 2025 is annual sustainability reporting administered by ASIC, involving environmental reporting as part of an ESG approach. It is administered under the Corporations Act, so it applies to Australian businesses across the board, and it has a three-year ramp-up starting with larger firms in 2025.

David added that in 2025, ‘particularly from a financial services perspective, people feel like it’s a regulatory tsunami and it’s just unprecedented’. As companies try to achieve compliance, ‘personal protection’ is becoming a big focus: in the event of a compliance failure, organizations want to be able to provide sufficient evidence that they were doing all they could to protect themselves. Brad added that ‘when we look at GDPR, when we look at CPS 230 there’s obviously quite a big element of data protection and individual protection in these sort of reforms’. Others, such as the sustainability reporting and SOCI requirements, focus on climate and environmental protection.

The duo highlighted that when implementing processes to comply with regulations, organizations should involve a variety of stakeholders and teams, including risk, compliance, HR, and finance. He added that ‘the executive team and board need to have governance oversight over these things’ too. Clear policies, training, and governance processes are essential for regulatory compliance, along with a comprehensive regulatory change management process linked to business processes and policies. Assigning accountability for each aspect of a regulation is also key to ensuring ownership.

  4. Third-party and Nth Party Risk

The risks associated with third parties, external vendors, suppliers, service providers and the extended supply chain are certainly going to remain a particular focus throughout 2025. On the webinar, Brad explained that some of the main risk focus areas relating to third parties include:

  • Cybersecurity risks: Data breaches, malware attacks, and other cyber threats.
  • Operational Risks: Service disruptions, performance issues, and supply chain disruptions.
  • Financial Risks: Payment defaults, financial instability, and fraud.
  • Reputational Risks: Negative publicity, brand damage, and loss of customer trust.
  • Legal and Regulatory Risks: Non-compliance with laws & regulations, fines, and penalties.

Brad highlighted that to address some of these potential risks, firms should be vetting vendors ‘around their security practices, and their financial sustainability’. He added that it is also worth considering whether they have ‘business continuity plans in place and looking at contractual agreements’. Good third-party risk management also involves ensuring that contracts contain clear security and compliance requirements and SLAs, so that you can monitor and assess vendor performance. It is also important to check that your vendors have incident response plans in place.

They added that vendor risk software can support organizations to manage these requirements by automating key areas like ‘due diligence, risk assessment and onboarding’. Contractor management can also be managed in these solutions along with monitoring performance against SLAs, incident management, and business continuity & resilience planning.

  5. Talent Management

One risk that cannot be ignored is the ‘human factor’ of hiring a professional workforce with the right talent and retaining it, meaning talent risk management will be a key focus for risk professionals in 2025.

Key talent risks for 2025 include:

  • Skill Shortages: For skills and qualifications in areas like healthcare, technology, engineering, education, construction, data management, and AI.
  • Flexible Working: Employers are having to adapt recruitment and retention strategies to cater for remote and hybrid working models and other flexible working arrangements.
  • Employee Expectations: Firms must manage employee expectations in relation to meaningful work, competitive compensation, work-life balance and opportunities for growth and development.
  • Economic Uncertainty: Leading to reduced attraction and retention budgets and increased job security.
  • Competition for Talent: Demand in roles has increased, so employers need to focus on differentiating themselves and what they can offer prospective employees.

David added that ‘flexible working has really jumped out as a key challenge for 2025’, with many employees feeling that ‘my output is just as strong if I’m physically sitting in your company offices as I am working from my children’s bedroom’ and pushing employers for more flexible hybrid working options. He also touched on the fact that firms need to ‘upskill for digital knowledge’ and ‘that AI and cyber security have been at the forefront of all Chief Risk Officers’ and most risk professionals’ dashboards’.

David added that to address talent risk, ‘wellbeing initiatives are much more important to organizations’, along with benefits programs.

How can GRC software help firms to manage these risk areas in 2025?

To manage these five key risk areas in 2025, firms can use GRC software platforms like Camms. Businesses can use the solution to build a digital risk register and automate the risk assessment process using online forms. They can establish Key Risk Indicators, monitor risk levels, implement controls, and perform control checks and testing to reduce risk levels. Automated workflows handle risk escalations, approvals and remediating actions. Employees can view personalized dashboards to understand their outstanding tasks and actions and view key metrics for their area. The system can also automate risk reporting using a variety of outputs, including heatmaps, bow-tie analysis, and Monte Carlo analysis, for effective business risk analysis.

In terms of managing cybersecurity, GRC software can enable firms to establish a cyber risk register and implement effective cyber controls and policies to reduce risk. These systems also offer out-of-the-box compliance frameworks to help firms align their operations with regulations and standards such as GDPR, ISO 27001, and NIST. They offer best-practice cyber incident management processes that link to your existing ticketing process, enabling you to resolve cyber incidents quickly and link them back to the originating risks, and they also offer cyber asset management capabilities.

GRC platforms can also support organizations in managing third-party risk effectively. Organizations can set up a vendor register capturing critical details and contract data for each third party. They can automate the vendor risk assessment process by rolling out online forms via an external vendor portal. They can link to third-party risk intelligence providers for deeper insight into each vendor. They can formalize onboarding and offboarding and monitor performance against SLAs and KPIs. These systems also offer a wealth of reporting outputs for understanding vendor risk exposure.

A GRC system like Camms offers strategy planning and project management capabilities, making it easy for businesses to plan out strategies for AI, cyber security, and talent retention. The workflows in these GRC platforms can also be used for contractor management to help with talent-related risks. Teams can use the software to plan out the projects, tasks, and actions that will help them achieve their strategies, track progress, and manage any strategic risks or incidents.

GRC systems can also help with compliance. Firms can build an ‘obligations register’ containing the regulatory and legislative documents and the obligations beneath them, and document all their compliance checks. They can use out-of-the-box frameworks, templates and forms for a wide variety of commonly used regulations and standards. These tools also provide best-practice processes that enable firms to align their internal processes with compliance requirements such as COSO, ISO standards, CPS 230, and business continuity and resilience requirements.

For information about how the Camms platform can help your organization to manage risk in 2025, request a demo.

Jason Were

Vice President APAC
