Cyber risks I expect to matter more in 2026

In previous years I have focused on what other people think will be the top cyber risks for the coming year. This year I decided to draw up my own list, based on professional work in this space, attending seminars, and watching webinars. Much of the forward-looking speculation appears to have a marketing angle, but that doesn’t change the actual risk or make anyone wrong to talk about the issues; it simply gives professionals a greater interest in specific subject matter. Drawing on that experience, my focus here is deliberately narrow, concentrating on two areas I expect to matter more in 2026.

Shadow AI will become a much higher and growing risk

The rapid adoption of AI tools inside businesses will continue to expand a new class of unmanaged risk. Employees are using public and semi-public AI systems to draft documents, analyse data, and make decisions without visibility, guidance, or approval. In many cases, sensitive information, internal context, or intellectual property is being shared with external systems by default. Although the use of Shadow AI is rarely malicious, I expect it to become more widespread while remaining largely invisible to security teams. I also expect the cumulative risk from unsanctioned AI use to exceed that of many Shadow IT problems because of the scale, speed, and lack of transparency.

  • AI tools are already embedded in everyday work – use of AI to draft, summarise, analyse, or make decisions is normal behaviour, not experimentation. This continues to push usage outside of formal approval processes.
  • Security teams cannot keep pace with adoption – AI tools appear faster than policies, reviews, or risk assessments can be written or enforced.
  • Consumer AI tools outperform approved enterprise tools – staff will default to what works best and fastest, regardless of policy or guidance. 
  • Data sharing is implicit, not explicit – AI tools retain prompts, context, or outputs by default and users rarely understand where the data is stored and how it could be used.
  • AI usage is more difficult to detect – Shadow AI does not behave like traditional Shadow IT and it can leave minimal network or endpoint footprint. 
  • Business pressure rewards speed over control – productivity gains from AI will be expected and staff will often bypass any controls that slow down its usage.

Data exfiltration will become more prevalent than ransomware

I expect to see a shift from system-locking ransomware to pure data exfiltration. Encrypting entire environments is inefficient, noisy, and increasingly well-defended against. It is far simpler for attackers to breach a network, quietly extract valuable data, and apply pressure through the threat of public release. This approach will bypass many ransomware controls and directly target reputational damage, regulatory exposure, loss of customer trust, and financial impact. 

  • Network-wide encryption is noisy and slow – it triggers alerts, response plans, backups, and law enforcement involvement. 
  • Backup and recovery capabilities have improved – ransomware encryption alone doesn’t guarantee payment.
  • Exfiltration is harder to detect than encryption – data theft can be gradual, selective, and disguised as normal traffic.
  • Stolen data creates multiple monetisation options – attackers can extort, sell, reuse, or leak data in stages.
  • Reputational damage is harder to recover from than downtime – public exposure of sensitive data causes lasting harm beyond technical recovery.
  • Regulatory penalties amplify attacker leverage – breach notification laws and fines make data exposure more costly than service disruption.
  • Attackers can pressure businesses without destroying systems – this reduces operational risk for criminals, lowers barriers to entry, and opens up a subscription model for cybercrime.
  • Cloud and Software as a Service (SaaS) architectures centralise valuable data – stealing data is easier than encrypting distributed environments.
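The two bullet lists above both say that the risk is hard to see from the network: Shadow AI leaves a small footprint, and data theft can be spread across many small transfers that look like normal traffic. The following Python script is an added example (not part of the original post) showing how a defender might triage web-proxy logs for both patterns at once: uploads to AI services that are not on a sanctioned list, and users whose many small external uploads add up past a threshold even though no single request is large. All hostnames, usernames, thresholds and log lines are constructed assumptions, and the log format ("timestamp user method host bytes_out") is a simplified stand-in for whatever your proxy actually emits.

```python
"""Defensive triage of proxy logs for unsanctioned (shadow) AI uploads and
low-and-slow data exfiltration. Every host, user and line below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "timestamp user method host bytes_out"
SAMPLE_LOG = """\
2026-01-12T09:01:10 alice POST api.approved-assistant.example 18420
2026-01-12T09:03:44 alice POST chat.unsanctioned-ai.example 52100
2026-01-12T09:05:02 bob GET news.example 310
2026-01-12T10:15:30 carol PUT paste.example 4800
2026-01-12T10:45:30 carol PUT paste.example 4900
2026-01-12T11:15:30 carol PUT paste.example 5100
2026-01-12T11:45:30 carol PUT paste.example 4700
2026-01-12T12:15:30 carol PUT paste.example 5300
2026-01-12T12:45:30 carol PUT paste.example 4600
2026-01-12T13:00:00 bob POST chat.unsanctioned-ai.example 900
"""

# Policy inputs (assumed): AI services the business has approved, and AI
# services known to security but not approved. Both lists are placeholders.
SANCTIONED_AI = {"api.approved-assistant.example"}
KNOWN_AI_TOOLS = {"chat.unsanctioned-ai.example", "api.approved-assistant.example"}
INTERNAL_SUFFIX = ".corp.example"   # hosts under this suffix are not "outbound"

UPLOAD_METHODS = {"POST", "PUT"}
PROMPT_UPLOAD_BYTES = 10_000   # one prompt large enough to carry a whole document
SLOW_EXFIL_BYTES = 25_000      # cumulative per-user outbound upload over the window
SLOW_EXFIL_MIN_EVENTS = 5      # many small uploads rather than one big one


def parse_log(text):
    """Yield one dict per well-formed line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, method, host, size = parts
        try:
            yield {"ts": datetime.fromisoformat(ts), "user": user,
                   "method": method, "host": host, "bytes": int(size)}
        except ValueError:
            continue


def shadow_ai_findings(events):
    """Uploads to known AI tools that are not on the sanctioned list, in log order."""
    findings = []
    for e in events:
        if (e["host"] in KNOWN_AI_TOOLS and e["host"] not in SANCTIONED_AI
                and e["method"] in UPLOAD_METHODS):
            severity = "high" if e["bytes"] >= PROMPT_UPLOAD_BYTES else "low"
            findings.append((e["user"], e["host"], e["bytes"], severity))
    return findings


def slow_exfil_findings(events):
    """Users whose small external uploads add up past the byte and count thresholds."""
    per_user = defaultdict(lambda: {"bytes": 0, "events": 0, "hosts": set()})
    for e in events:
        if e["method"] not in UPLOAD_METHODS or e["host"].endswith(INTERNAL_SUFFIX):
            continue
        if e["host"] in SANCTIONED_AI:
            continue   # approved destinations are covered by their own controls
        rec = per_user[e["user"]]
        rec["bytes"] += e["bytes"]
        rec["events"] += 1
        rec["hosts"].add(e["host"])
    return sorted(
        (user, rec["bytes"], rec["events"], sorted(rec["hosts"]))
        for user, rec in per_user.items()
        if rec["bytes"] >= SLOW_EXFIL_BYTES and rec["events"] >= SLOW_EXFIL_MIN_EVENTS
    )


def triage(text):
    """Run both detections over one log extract."""
    events = list(parse_log(text))
    return {"shadow_ai": shadow_ai_findings(events),
            "slow_exfil": slow_exfil_findings(events)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the constructed log, alice's single 52 KB prompt to the unapproved tool is reported as a high-severity Shadow AI finding but not as slow exfiltration (one event, not many), while carol's six pastes of under 6 KB each never trip a per-request size rule yet total 29,400 bytes and are surfaced only by the cumulative check. Real deployments would replace the placeholder lists with a maintained inventory of AI services and tune the thresholds against each user group's normal upload volume.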

Concluding thoughts

These two risks reflect the same underlying shift:

  • Data is the primary asset
  • Speed and invisibility beat disruption
  • Human behaviour matters more than technical exploits

Many other cyber risks will continue to evolve through 2026 and none of them should be ignored. These two represent a significant shift: they are where risk accumulates fastest and with the least visibility. Focusing on them should not mean ignoring or sidelining other risks, but recognising that AI governance, privacy, and human behaviour could matter the most.

Implementing Risk Management

Key Risk Management points include:

  • Identify and manage risk within your business. Encourage your workforce to report threats to your company and maintain the details in one or more risk registers. Audit critical systems and identify compensating control requirements.
  • Evaluate risks in terms of probability and severity. An assessment will allow you to take a risk-based approach to determine the priorities and allocation of financial and human resources to improve your security posture.
  • Decide on the approach to treat identified risks. Reduce the overall risk by reducing the likelihood of an event, reducing the impact, removing the source, or sharing the risk with other parties. If mitigation costs are disproportionate to an event’s consequences, risk acceptance is a viable option for consideration.
  • Mitigate risks with tactical remediation and strategic solutions. Identifying risks and fixing current problems is only part of the solution; it is crucial to have robust systems, policies, and procedures to prevent history from repeating itself during ongoing business as usual activities. Fixing both the problems already present and the processes that would recreate them is essential.
  • Implement governance throughout the business. Establish risk committees in multiple areas of the organisation to discuss the most critical threats, the action plans, stakeholder management, and a robust framework for reporting risks to the directors and board members.

Thoughts on Risk Analysis

There are several ways in which risks can be dealt with, depending on the circumstances and on individual or corporate risk appetite. Whichever is chosen, the analysis starts from two quantities and their product:

  • Severity – the consequences of an event taking place
  • Probability – the likelihood of an event taking place
  • Risk = severity x probability – high probability and high severity equate to a high risk

It is also important to note the difference between Perceived Risk and Actual Risk:

  • Actual risk – quantifiable and based on objective data, for example, according to the Department of Transport, there were 1784 deaths, 25,511 serious injuries and 160,597 casualties of all severities from road traffic accidents in the United Kingdom in 2018. Media coverage was low.
  • Perceived risk – determined by individual perception and influenced by other factors such as news headlines, for example, Dutch aviation consulting firm To70 reported on 534 deaths in 2018 from passenger airline crashes. Almost every aeroplane crash becomes headline news, even in cases where there are no fatalities.

The perceived risk is that it is more dangerous to travel by passenger jet than to travel by car. However, the reverse is true when considering the actual risk. Statistically, it is far more dangerous to travel by car. A similar analysis shows that parachuting is statistically safer than crossing the road, whereas individual perception of the idea of jumping from a plane tells a different story.

The distinction is essential when it comes to managing risk to ensure that actions and investment are proportionate to the risk. Individuals and organisations often need to prioritise risks due to availability of resources, and consequently, investment in a perceived risk over dealing with an actual risk can be catastrophic. The reverse is also true. In cases where perceived risk influences a consumer’s decision to buy, a company can suffer substantial financial losses even if the actual risk is minuscule.

The four options for treating a risk, each covered below, are:

  • Risk Avoidance
  • Risk Mitigation
  • Risk Acceptance
  • Risk Transfer

Risk Avoidance

Risk avoidance is about implementing alternative plans and solutions so that the events which carry the risk cannot occur. With no possibility of the event taking place, it doesn’t matter how severe the consequences are because, in the ‘Severity x Probability’ formula, the risk becomes ZERO. It is, of course, possible that implementing alternatives may introduce different risks which need assessment, but that is another story.

Risk Acceptance

Risk acceptance is about accepting that the event will, at some point, take place, and accepting responsibility for the consequences when it does. The ‘Severity x Probability’ score will help determine the appropriateness of accepting the risk. It is also necessary to consider:

  • Is it legal to accept the risk?
  • Does the person accepting the risk have the authority to do so?
  • Is the cost of risk mitigation proportionate to the risk?
  • Is it sensible to accept the risk?

Businesses accept risks for all sorts of reasons, including:

  • Too expensive compared to the benefit
  • Insufficient finance to mitigate the risk
  • Insufficient human resources or skills to mitigate the risk
  • Mitigating the risk is a lower priority than other risks
  • Plans in place to mitigate risks at a later date

Keeping evidence of risk analysis along with conclusions reached and decisions made is essential.

Risk Mitigation

Risk Mitigation is about:

  • Reducing the probability of an event taking place
  • Reducing the severity of an event when it does take place

The cost of mitigation should be proportionate to the risk of not taking action.

Risk Transfer

Risk Transfer is the reduction of risk by transferring it to someone else or to another company:

  • An insurance policy – taking out an insurance policy essentially transfers some of the risks to the insurance company; how much depends on the insurance policy terms and conditions
  • Project Contractual Terms – engaging with 3rd parties to deliver projects or run services often includes terms and conditions of business which transfer risk from one party to another.

Only consider the transfer of risk if the party taking on the risk has the opportunity or means to reasonably reduce the risk, either on an ongoing basis or through adequate evaluation ahead of transferring risk.

Risk Transfer is essentially about paying someone else to take the risk, so it is crucial to make sure that the 3rd party can accept the risk, and for the 3rd party to receive sufficient reward to justify acceptance of the risk.
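The ‘Severity x Probability’ rule from the Thoughts on Risk Analysis section, together with the four treatments just described, can be turned into a small scoring exercise. The Python below is an added example (not part of the original article) that scores a constructed risk register, then picks for each risk whichever of avoidance, mitigation or transfer leaves the lowest combined cost (treatment cost plus the expected loss that remains), falling back to acceptance when every treatment costs more than the loss it removes. It assumes a one-year horizon, probabilities expressed as a chance per year, and severities and costs in a single currency unit; every risk, probability and cost figure is constructed for illustration.

```python
"""Scoring a risk register with Risk = Severity x Probability and choosing between
avoid, mitigate, transfer and accept. All figures below are constructed examples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    probability: float   # chance the event occurs within one year (0..1)
    severity: float      # cost of the event if it occurs (one currency unit throughout)

    @property
    def expected_loss(self) -> float:
        # Severity x Probability: an event that cannot occur scores zero however severe.
        return self.severity * self.probability


@dataclass
class Treatment:
    kind: str                                     # "avoid", "mitigate" or "transfer"
    cost: float                                   # annual cost of applying the treatment
    residual_probability: Optional[float] = None  # None = probability unchanged
    residual_severity: Optional[float] = None     # None = severity unchanged

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains once this treatment is applied."""
        p = risk.probability if self.residual_probability is None else self.residual_probability
        s = risk.severity if self.residual_severity is None else self.residual_severity
        return Risk(risk.name, p, s)


def choose_treatment(risk: Risk, options: List[Treatment]) -> Tuple[str, float]:
    """Return (kind, annual cost) for the cheapest option, where cost is the treatment
    price plus the expected loss that remains. Acceptance (carrying the full expected
    loss) wins whenever every treatment costs more than the loss it removes, which is
    the 'mitigation cost disproportionate to the consequences' case."""
    best = ("accept", risk.expected_loss)
    for opt in options:
        total = opt.cost + opt.residual(risk).expected_loss
        if total < best[1]:
            best = (opt.kind, total)
    return best


def rank_register(register):
    """Rows of (name, inherent expected loss, chosen treatment, resulting annual cost),
    highest inherent expected loss first, so scarce budget goes to the largest risks."""
    rows = []
    for risk, options in register:
        kind, total = choose_treatment(risk, options)
        rows.append((risk.name, round(risk.expected_loss, 2), kind, round(total, 2)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def sample_register():
    """Constructed register: each entry is a risk and the treatments on offer for it."""
    return [
        (Risk("Laptop with customer data lost", 0.3, 200_000), [
            Treatment("mitigate", 5_000, residual_severity=20_000),   # e.g. disk encryption
            Treatment("transfer", 15_000, residual_severity=50_000),  # e.g. insurance with excess
        ]),
        (Risk("Legacy server compromised", 0.1, 500_000), [
            Treatment("avoid", 40_000, residual_probability=0.0),     # decommission it
            Treatment("mitigate", 30_000, residual_probability=0.05),
        ]),
        (Risk("Third-party SaaS outage", 0.2, 100_000), [
            Treatment("transfer", 2_000, residual_severity=40_000),   # contractual terms
            Treatment("mitigate", 25_000, residual_probability=0.02),
        ]),
        (Risk("Office printer outage", 0.5, 2_000), [
            Treatment("mitigate", 3_000, residual_probability=0.1),   # costs more than it saves
        ]),
    ]


if __name__ == "__main__":
    for row in rank_register(sample_register()):
        print(row)
```

Run as written, the register ranks the lost laptop first (expected loss 60,000) and recommends mitigation at a combined 11,000, chooses avoidance for the legacy server because removing it costs less than carrying or partially reducing the risk, transfers the SaaS outage through contractual terms, and accepts the printer outage because the only mitigation on offer costs more than the 1,000 expected loss it addresses. Keeping the register entries, the options considered and the chosen treatment is exactly the evidence of analysis and decisions that the Risk Acceptance section says should be retained.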