For risk professionals, leading through 2025’s volatility has been like living in an “Alice in Wonderland” unreality. Risk teams have never been more important as a function to guide their businesses through challenges such as geopolitical risk events, trade disruption, economic volatility, and regulatory disruption. Hopefully, this work doesn’t resemble the chasing of Lewis Carroll’s famous White Rabbit. Our latest report, The State Of Enterprise Risk Management, 2025, showcases a variety of data insights and graphics on industrywide and programmatic shifts impacting enterprise risk management (ERM) programs and how risk decision-makers are responding to them. Our data reveals that:
- Cyberattacks and tech dependency bring enterprise resilience to the fore. The UnitedHealth Group breach and the global disruption triggered by the CrowdStrike software update were good reminders about the critical role that technology plays across our society. It’s thus unsurprising that 40% of local and 38% of multinational ERM leaders cited cyberattack velocity as a top risk driver. In addition, 36% of multinationals and 28% of local firms flagged overreliance on tech as a major risk. Risk leaders must map their software supply chains and ensure that their resilience simulations cater to a range of tech failures — not just cyberbreaches.
- AI and third-party risks remain heightened. While financial, trade, and geopolitical risks are dominating boardroom conversations, the real shift is happening under the radar. Tech vendors are embedding generative AI into core systems and ERM teams are struggling to get involved early enough in the process to build appropriate guardrails in from the beginning. Third-party risks are not receiving as much attention as they require despite increasing cyberattacks and systems failures linked to third-party suppliers, such as the recent spate of cyberattacks in the UK retail sector. Risk pros must prioritize communicating the ROI and value of investing in and maturing both AI risk and third-party risk management programs.
- Critical risk events are more likely when ERM is not a boardroom concern. Nearly 75% of enterprises experienced at least one critical risk event in the past year, and cyberattacks and IT failures account for most critical events globally. Firms without board-level ERM visibility were 20% more likely to suffer six or more critical events. Risk pros need to focus on both getting ERM taken seriously by the board but also getting the board to help drive the right risk culture across the organization.
- Risk management budgets are increasing — but are not meeting the moment that we are in. Most ERM budgets are only increasing by 1–4%, barely keeping up with inflation. Only 4% of firms expect a greater than 10% increase. Many ERM programs still struggle to prove ROI or align with business goals, leaving many to question the value beyond ticking regulatory compliance requirements. Chief risk officers need to show how ERM drives business value — not just compliance — to get the funding required to make better-quality risk management decisions.
- Identifying emerging risks sets ERM programs apart. Forrester clients have been telling us consistently that they want their risk function to implement the right guardrails to allow the business to confidently and quickly take on risks. Organizations remember being caught out by ChatGPT and other emerging technologies and want to transform the engagement and perception of their teams. From our data, only 37% of risk decision-makers reported identifying emerging risks as their primary measure of success.
Forrester clients wanting to discuss further can book a guidance session or inquiry to discuss the research further with any of the authors.