To thrive in today’s rapidly evolving risk environment, risk, audit and compliance leaders must develop “reflexive risk ownership” – a future state where business leaders instinctively and automatically recognize, respond to, and manage risks, according to Gartner.
“Risk management is now one of CEOs’ most critical priorities; its importance has increased by over 50% since last year,” says Chris Audet, chief of research in the Gartner Assurance Practice. “This has created a unique moment for assurance leaders.”
Developing an organisation’s risk reflex will require a mix of coaching risk owners and leveraging advancements in enterprise technology, particularly AI.
“Eighty-eight percent of risk owners are highly motivated to meet expectations around managing risks,” says Tegan Gebert, vice-president in the Gartner Assurance Practice. “Yet only 35% feel confident they know how to do so. They need assurance leaders to show them how.”
Much like a sports coach is responsible for creating the systems, stimuli, and structures that foster great athletes, assurance leaders must coach their risk owners to develop a risk reflex. Coaching an organisation towards a risk reflex will involve deliberate, marginal steps towards a larger goal.
“Assurance leaders need to be the coaches their risk owners need: leveraging tools, insights and influence to get them to practice, to improve, and to persist,” says Gebert. “An organisational risk reflex will be enabled by a series of actions that are learned or practiced until they happen so automatically that they appear reflexive. Assurance leaders must create the larger system that both encourages and reinforces the right risk ownership behaviors.”
To transform risk management into something as natural as a learned reflex, Gartner experts recommend assurance leaders focus their efforts on three building blocks.
The three foundations of an organisational risk reflex are:
Engineer
The first foundation is engineering systems that make the right risk behaviors both easy to perform and difficult to ignore.
“Small, deliberate changes in environment and process can drive large improvements in outcomes. Assurance leaders are already simplifying guidance, streamlining documentation, and integrating risk considerations into everyday workflows,” says Audet.
“However, making things easier is not enough—systems must also be engineered so that compliance is prominent, expected, and socially reinforced. This means making risk actions hard to miss, hard to justify avoiding, and hard to hide.”
For example, Gartner experts foresee an environment where vendors offer contract management systems that double as a third-party risk management platform. This would enable a risk owner to renew a contract or choose from a pre-approved list of suppliers, without long due diligence checks. Compliance would be hard to avoid, and it would improve risk management.
Provoke
The second foundation is intentional provocation: creating stimuli that prompt risk owners to think deeply and act decisively.
“Assurance leaders must design interactions – risk assessments, workshops, and feedback sessions, for example – that challenge conventional thinking, encourage candid discussions, and share novel, actionable insights,” says Gebert.
Examples include asking more thought-provoking questions in risk surveys, or planning audits to be focused on what is novel or insightful – auditing the underlying project environment, for example, rather than just project governance.
Recognise
The third foundation reinforces the right risk behaviors by putting processes in place to make them visible and rewarding.
“Positive reinforcement – through visible, public acknowledgment – helps create and strengthen the neural pathways that turn good risk behaviors into habits. Recognition should focus on effort, transparency, and continuous improvement, not just perfect outcomes,” says Audet. “Assurance leaders are uniquely positioned to define and elevate such behaviours.”
Examples include celebrating proactive risk management, sharing successes across teams, and using dashboards and recognition platforms to highlight exemplary behaviors.