Simona Covaliu, Chief Risk Officer at PayU GPO, explores how risk management must evolve to tackle the new world of emerging risks

The world of risk has changed.

What we once labelled as ‘highly unlikely’ in our risk assessments is now a common occurrence. Traditional risk management frameworks – built for an idealistic world of predictable patterns and clear boundaries – are colliding with a reality that has neither.


In an evolving landscape, vulnerabilities continue to multiply. Third-party dependency risk is higher than ever, with single points of failure capable of bringing entire systems to a halt. The pace of technological development is outstripping our ability to govern it. And we’ve barely scratched the surface of managing environmental, social and governance (ESG) risks.

It’s a given that organisations will claim to have sophisticated risk controls, detailed policies and robust frameworks. Yet as 2025 gathers pace, complex obstacles – including changes of leadership, technological disruption and climate change – demand urgent action.

Risk practitioners are all facing the same critical challenge: how do we adapt to risks at a rate faster than our ability to manage them?

The answer isn’t in creating more complex frameworks or adding layers of controls. It’s about changing how we think about risk. Risk avoidance is, in most situations, a luxury we cannot afford in this sector.

It’s really a matter of when a risk event will happen, rather than if it will happen.

AI: solution, or source of risk?

Artificial intelligence (AI) is indispensable.

In the UK, three quarters of financial services firms are using AI, with another 10% joining them over the next three years. In emerging markets, such as Latin America and Africa, the technology is driving financial inclusion and transforming the banking landscape beyond recognition.

Let’s be clear: the inflection point has been passed. But despite its numerous benefits, AI can increase the attack surface for cyber threats, and related risks are now a new chapter in one’s risk management framework.

These systems are vulnerable to manipulation, hacking, and data breaches. And the consequences? Financial losses, privacy breaches, and reputational damage that can cripple an organisation overnight.

Implementing robust cybersecurity measures, such as encryption, regular security audits, and AI-specific threat detection systems, is an imperative in 2025.

Equally, regulatory and ethical challenges must be addressed. The use of AI in financial services raises questions about accountability, especially when AI-driven decisions have significant impacts on the lives of customers.

While innovation continues to outpace regulation, creating uncertainty for businesses, change is coming. The EU’s AI Act will place stricter constraints on AI’s role in business decision-making and consumer protection, limiting the use of creditworthiness evaluations and increasing transparency requirements.

Organisations will need to completely rethink how they integrate AI risks into their frameworks, and there's no shortcut to doing this responsibly and transparently.

Beyond frameworks: building resilient organisations 

Even without the advancement of AI, traditional risk management approaches simply won’t cut it anymore.

Heightened requirements around digital resilience, supply chain stability, and cybersecurity will lead to a boom in compliance obligations. The cost to businesses would become insurmountable if we stuck to old methods.

To navigate a changing landscape effectively, organisations will need to know their business inside out – their people, their technology, their processes, their geographical footprint, and critically, their third-party ecosystem.

This knowledge isn’t just about ticking boxes, but informing the business on what lies ahead, creating risk scenarios that speak directly to business leaders, and building ‘safe routes’ that enable resilience.

Like artificial intelligence, ESG isn’t a regulatory burden, either. While shifts in US leadership will influence global appetite for ESG regulation, its importance continues to grow, reshaping how organisations approach long-term planning and investment frameworks in many markets.

Companies must embed ESG considerations into their risk management processes, moving beyond compliance to address broader societal expectations. These scenarios demand vigorous identification, assessment, and mitigation strategies.

I always say that a weak risk culture will eat any fancy risk management framework for breakfast. People remain at the core of managing risks – doing the right thing when nobody’s watching, taking accountability when things go wrong, and managing risks day in and day out at a tactical level.

Integrating these values across an organisation means more than having policies and procedures in place. It’s about testing that they’re pragmatic, make sense, and are easy to access and apply. Crucially, without the right behaviours, they will fail.

Risk is no longer about predicting every possible threat or building perfect frameworks.

Both help but won’t suffice. We now need organisations that can respond effectively when risks materialise. Ultimately, while technology evolves and regulations shift, one truth remains constant: only a strong risk culture will determine who thrives in this new era.