Navigating the Future: Key Risks and Strategies for Internal Auditors in 2025

  • Publication
  • December 09, 2024

The "Risk in Focus 2025" report by the European Confederation of Institutes of Internal Auditing (ECIIA) provides a comprehensive analysis of the key risks that organisations and internal auditors should prioritise in the upcoming year. The report is based on insights from 985 Chief Audit Executives (CAEs) across 20 European countries, supplemented by roundtable discussions and interviews.

Key risks identified

The rapid advancement of AI and other digital technologies is reshaping the business landscape. AI and digital disruption are expected to become the second most significant risk by 2028. Organisations are urged to develop mature AI strategies and governance processes to harness the benefits of these technologies while managing associated risks, such as data privacy and ethical concerns.

Cybersecurity continues to be the foremost concern for internal auditors, with 83% of CAEs identifying it as a top risk. The increasing sophistication of cyber threats necessitates robust defences and proactive measures to protect organisational data and systems. The report emphasises the importance of continuous monitoring and updating of cybersecurity protocols to mitigate these risks effectively.

Managing human capital, including diversity, talent acquisition, and retention, is another critical area. With 52% of CAEs ranking it as a top five risk, the report highlights the challenges of balancing demographic shifts, skills shortages, and budget constraints. Effective talent management strategies are essential to ensure that organisations have the necessary skills to navigate the evolving risk landscape.

Economic instability and geopolitical tensions remain significant concerns, though they have dropped to the fifth position in the 2025 risk rankings. The report discusses the impact of global economic fluctuations and geopolitical events on business operations. Organisations need to develop flexible strategies to adapt to these uncertainties and ensure resilience.

Climate change and environmental sustainability are increasingly important, with expectations that these risks will rise to the fourth position by 2028. The report underscores the need for organisations to integrate environmental, social, and governance (ESG) considerations into their risk management frameworks. This includes addressing regulatory requirements and stakeholder expectations related to sustainability.

Strategic recommendations

To manage the risks associated with AI and digital disruption, organisations need to establish comprehensive governance frameworks. This includes setting clear ethical guidelines, ensuring data privacy, and developing strategies for talent acquisition and retention in the AI domain.

Organisations should invest in advanced cybersecurity technologies and continuously update their defences to counter evolving threats. Internal auditors play a crucial role in assessing the effectiveness of these measures and ensuring compliance with cybersecurity standards.

Effective human capital management requires a focus on diversity, equity, and inclusion (DEI) initiatives. Organisations should implement strategies to attract and retain diverse talent, provide continuous learning opportunities, and address skills gaps through targeted training programmes.

Organisations should adopt flexible and adaptive strategies to navigate economic and geopolitical uncertainties. This includes scenario planning, stress testing, and developing contingency plans to ensure business continuity in the face of disruptions.

Incorporating ESG considerations into risk management frameworks is essential for long-term sustainability. Organisations should engage with stakeholders to understand their expectations, comply with regulatory requirements, and implement sustainable practices across their operations.

How can we help?

Internal auditors are positioned to play a pivotal role in helping organisations navigate these complex risks. The report highlights several key areas where internal auditors can add value:

  1. Assess how well the organisation’s AI and digitalisation strategy is supported by a credible business transformation or change-management plan.

  2. Provide assurance on the security culture around cyber-risk, including whether training is regular and relevant and whether the results of testing are well communicated.

  3. Provide assurance that workforce planning is effective in both recruitment and retention and is aligned with strategic objectives.

  4. Provide assurance that processes for identifying and mitigating risks that potentially impact multiple parts of the business are properly integrated throughout the enterprise.

  5. Provide assurance that the business is on track to elevate the detail and quality of controls around climate-related data and integrate it into core systems applications.

This article was written by Raquel Micallef, Senior Associate in Risk and Regulation.

 

Contact us

Bonavent Gauci

Advisory Partner, PwC Malta

Tel: +356 2564 7090

Vyas Isnoo

Senior Manager, Advisory, PwC Malta

Tel: +356 7975 6979
