Operational Risk Horizon 2026 : Navigating Uncertainty And Interconnectivity

T

As per one of the study, it identified and ranked eleven emerging risk categories. The following five represent the most significant threats to operational resilience:

1. Advancing Cybercrime

   Remains the top-ranked concern with a rapidly evolving threat landscape and high interconnectivity with other risk areas. AI-enabled attacks, ransomware-as-a-service, and quantum computing threats dominate this category.

   
   

2. Technology and Digital Strategy

   High in the ranking with AI and quantum computing accelerating concerns. Legacy system modernization and agentic AI capabilities present significant governance challenges.

   
   

3. Supply Chain (incl. Third Parties)

   Concentration risk and operational resilience threats from third-party vulnerabilities continue to escalate as supply chains become more complex.

   
   

4. Business Service Disruption

   Operational resilience threats from geopolitical, climate, and cyber sources require robust contingency and diversification strategies.

   
   

5. Data

   An asset to protect and a valuable resource for strategic decision-making. Data quality, governance, and post-quantum protection are critical priorities.

Critical Threat Landscape

1. Artificial Intelligence as a Double-Edged Sword

AI is accelerating both internal governance challenges and external threats.

The malicious use of AI for faster, more sophisticated fraud, including Deepfakes and AI-powered wearables keeps cyber and fraud risks at the top of the ranking. Simultaneously, firms must manage AI-related skills shortages and governance gaps.

2. Geopolitical Tensions and Hybrid Warfare

Geopolitical factors remain prominent across emerging risk categories. Nation-state cyberattacks, trade conflicts, and sanctions create unpredictable operating environments. The top five geopolitical concerns include cyber warfare, trade conflict, global sanctions, interstate political conflict, and energy security threats.

3. Quantum Computing's Looming Threat

Quantum computing has emerged as a medium-term concern, ranking second among technological threats. The "harvest now, decrypt later" strategy represents a present-day vulnerability, prompting firms to urgently implement Post-Quantum Cryptography (PQC) aligned with NIST standards.

4. Skills and Wellbeing Crisis

The industry faces a critical skills shortage, particularly in cybersecurity (68%), data management (55%), and technology (53%). Combined with AI-driven job displacement concerns and prolonged exposure to uncertainty, staff wellbeing and institutional knowledge retention represent emerging risks with long-term implications.

Deep Dive: Key Emerging Threats

1. Advancing Cybercrime: Multi-Layered Extortion Tactics

The cybercrime threat extends beyond traditional ransomware. Organizations now face:

• Multi-layered extortion: Double, triple, or quadruple extortion combining data encryption, theft, DDoS attacks, and reputational damage

  
  

• Third-party vulnerabilities: Cloud services, open-source software, and supply chain partners create expanded attack surfaces

  
  

• Commoditized cyberattacks: Cyberattack-as-a-service (CaaS) and ransomware-as-a-service (RaaS) lower barriers to entry for threat actors

  
  

• Ideological motivation: Beyond financial drivers, activism-driven attacks related to ESG behaviors are increasing

2. Fraud Developments: AI-Enabled Sophistication

Fraud methods are becoming increasingly sophisticated through AI and emerging technologies:

• Deepfake technology: Real-time impersonations of executives for payment authorization and access to sensitive information

  
  

• AI wearables: Smart glasses, watches, and hidden recording devices for internal fraud and information theft

  
  

• Identity theft: AI-forged documents (driving licenses, invoices, bank statements) bypassing authentication controls

  
  

• Ideologically motivated fraud: Activism-driven data breaches from employees with social justice or environmental concerns

• 
  

3. Data Management: Protection, Quality, and Governance

Data challenges span four interconnected themes:

Protection

• Data leakage via AI, unauthorized third-party access, cloud integrity issues, and post-quantum threats

  
  

  Maintenance

• Stressed cloud capacity, remote data center exposure to climate and geopolitical risks

  
  

  Quality & Strategy

• Data quality issues, skills shortages, siloed data usage across global operations

  
  

  Reputation

• Water depletion from cooling and energy grid stress from data center expansion

4. Regulatory Fragmentation and Burden

56.6 is the score for volume of new regulation—the highest regulatory concern. Additional challenges include:

• Cross-jurisdictional divergence requiring complex compliance strategies

  
  

• Shifting regulatory goalposts

  
  

• AI regulatory frameworks coming into force in 2026-2027 without sufficient flexibility for innovation

  
  

• Increased regulatory scrutiny of third parties and Software Bills of Materials (SBOM)

Risk Interconnectivity: The Hidden Amplifier

56% of respondents report on risk interconnectivity in their material and/or emerging risk reporting. However, this is identified as a maturing area for the industry.

The highest-scored emerging risks are highly interconnected around operational resilience, creating a web of dependencies:

Central Hub: Operational Resilience is impacted by five interconnected themes: Technological developments, Data threats and management, Supply chain vulnerabilities, Cyber threats, and Regulatory environment

Key insight: A disruption in one area (e.g., a cyber attack on a cloud provider) can cascade across data security, technology systems, supply chains, and regulatory compliance simultaneously.

The risk function is no longer a back-office compliance function but a strategic business partner essential to navigating uncertainty and supporting resilient growth. Organizations that embrace this transformation will emerge stronger; those that resist will face escalating operational, financial, and reputational risks.