
Fotogrammi

2026-06-10 Paola Tagliavini

The impact of non-financial risks: processes for strengthening organizational resilience

The emergence of increasingly interconnected and weakly historicized non-financial risks is reshaping the principal sources of organizational vulnerability. This article examines the evolution of risk assessment with respect to geopolitical, cyber, reputational, and technological risks, emphasizing the limitations of traditional quantitative models. Through a critical review of the literature and the main international frameworks, the article advances a conception of risk assessment as a cognitive and strategic process, integrated in Enterprise Risk Management systems and oriented toward strengthening organizational resilience and fostering sustainable value creation.

In recent years, corporate priorities have been homing in on non-financial risks as major sources of organizational vulnerability. This category includes geopolitical, cyber, business continuity, reputational, technological, and data management risks. Although they may manifest in various ways across sectors and geographical contexts, international risk rankings reveal a clear convergence: most of these risks originate outside companies and lie largely beyond their direct control.

As recent global reports indicate, escalating geopolitical tensions frequently generate interconnected cyber threats; at the same time, corporate reputation is now an integral component of the risk perimeter that must be actively managed. This configuration poses a twofold challenge for management. On the one hand, the external nature of many risks limits the scope for direct mitigation. On the other, endogenous risks, ranging from compliance to data governance, have become more complex to manage, as they often manifest in novel and weakly historicized forms. This makes the application of traditional quantitative models more tenuous and the reliable prediction of impacts more difficult.

Recent developments in risk assessment therefore call for both a cultural and an operational reassessment. Indeed, Enterprise Risk Management (ERM) should no longer be interpreted merely as a collection of formal procedures, but rather as a pervasive cognitive infrastructure capable of supporting a continuous, cross-cutting approach to risk. Evidence from highly regulated sectors, particularly banking and finance, suggests that organizational resilience depends less on exhaustive ex ante controls and more on the ability to detect weak signals in a timely manner and to continuously update analytical models. Recent studies (Jabbour, 2024) confirm that the capacity to anticipate, identify, and integrate emerging risks into strategic decision-making processes represents a key driver of competitiveness and sustainability.

Today, the risk assessment process – conceived in best practices as a continuum between risk identification and risk measurement – faces two interconnected challenges: the difficulty of effectively exposing new risks and the growing uncertainty surrounding how to assess them in quantitative terms. Risks that are not recognized do not enter the management cycle, so if they suddenly materialize, they may catch organizations off guard. Similarly, poorly documented risks are excluded from forecasting tools, undermining effective mitigation actions. From this perspective, advanced risk assessment requires an integrated, cognitive approach that merges analytical tools, organizational culture, and strategic orientation in order to address an intensely interconnected risk ecosystem.

New categories of significant risk

The growing complexity of markets, the globalization of supply chains, and the accelerating pace of technological transformation have shifted the center of gravity of risk toward intangible, interconnected, and highly volatile risk categories. Traditional risk assessment frameworks, largely focused on financial and operational dimensions, are failing to adequately capture the systemic and multidimensional nature of these emerging threats.

The World Economic Forum’s Global Risks Report 2025 flags some of the most serious global risks in the medium term: cyberattacks, geopolitical conflicts, disinformation, technological disruption, and the adverse impacts of artificial intelligence. These phenomena are characterized by high levels of unpredictability as well as contagion dynamics that propagate across sectors and countries. Consistently, the Allianz Risk Barometer 2025 ranks cyber risk as the primary concern for businesses worldwide, followed by operational disruptions, geopolitical tensions, and climate change.

  • Reputational risks, amplified by the immediacy of social media and the growing demand for transparency, which can rapidly influence stakeholder trust and confidence.
  • Cyber risks, consistently topping international rankings, encompassing cyber breaches, ransomware attacks, and manipulation enabled by fake or misleading digital content.
  • Geopolitical risks, linked to global instability, trade conflicts, and vulnerabilities in international value chains.
  • Data governance risks, relating to privacy, data integrity, and information quality in a constantly changing and increasingly stringent regulatory environment.
  • Emerging technological risks, stemming from the widespread adoption of artificial intelligence, the Internet of Things, and cloud technologies, which introduce new ethical, operational, and legal challenges.

As we can see, alongside traditionally recognized risk dimensions, non-financial risks are taking on growing relevance, including those relating to ESG, operational digital resilience, digital identity, and dependence on third parties. As highlighted by the OECD (2024), many of these risks fall into the category of unknown unknowns, namely unprecedented events that can only be revealed and pre-emptively managed with horizon scanning and scenario-based foresight tools. Episodes such as data breaches, disinformation campaigns, social engineering practices, or the misuse of AI-generated content reveal an increasingly hybrid risk landscape, in which geopolitical, technological, and social factors interact to generate systemic effects that are complicated to isolate and contend with using conventional approaches.

Risk assessment and the limitations of traditional models

From the discussion above, risk is clearly assuming a structural and integrated dimension, which calls for a profound rethinking of traditional assessment processes. Risk assessment lies at the core of any risk management system, as it enables managers to uncover, analyze, and understand threats that may undermine business continuity and organizational resilience. The literature typically distinguishes between two fundamental phases of risk assessment, as mentioned above: risk identification and risk measurement.

The identification phase is the most critical, as a risk that is not recognized at the outset is obviously excluded from subsequent analysis and mitigation efforts. This phase is predominantly qualitative in nature, which means the organization must have an in-depth understanding of the strategic context, along with internal and external interdependencies, and the ability to detect weak signals. Identification is followed by assessment, when relevant risks are evaluated in terms of their likelihood of occurrence and potential impact. However, the more novel or inchoate a risk is, the less reliable the available data and historical evidence on which predictive models would be built. Uncertainty therefore necessitates striking a balance between quantitative analysis and expert judgment; in such cases, interdisciplinary and interpretative approaches work best.

In this context, risk assessment can no longer be conceived as a purely technical modeling exercise. In fact, firms nowadays operate in ecosystems characterized by interconnected, systemic, and pervasive risks, which demand flexible tools and a risk culture that permeates the entire organization. When traditional tools, such as risk matrices and checklists, are applied in isolation, they fail to capture the speed and complexity of contemporary risk phenomena. Moreover, when risk assessment is the exclusive purview of a small group of specialists, the result is often a fragmented perspective, whereas a participatory approach that involves top management, middle managers, and operational functions promotes a shared interpretation of risks and supports more timely and effective responses.

From a predictive to a cognitive mindset

Traditional risk assessment models, grounded in quantitative metrics and rigid taxonomies, implicitly assumed that operating contexts were stable and that past patterns would continue into the future. But major systemic crises – most notably the global financial crisis of 2007–2008 – have exposed the limitations of these assumptions. In particular, the lack of a “big picture” perspective, excessive reliance on historical data, and slow information flows have frequently led to delayed, reactive decision-making.

As emphasized by the OECD (2024), the contemporary risk landscape calls for methodologies based not on retrospective projection but on a forward-looking, foresight-oriented approach. This paradigm combines quantitative analysis with a systemic interpretation of trends and the use of simulations and predictive tools, while fostering continuous learning and cross-functional collaboration.

In recent years, risk assessment has therefore undergone a cognitive shift, moving from merely measuring risk to interpreting underlying phenomena. Beyond the technical accuracy of models, capabilities such as relationship building, detecting weak signals, and interpreting emerging correlations are now critical. Risk is no longer conceived simply as a factor to be estimated, but as a process to be collectively understood and shared. From this perspective, risk assessment is evolving from a purely analytical activity into a strategic sensemaking process, closely connected to managerial decision-making and organizational resilience. This evolution has contributed to the emergence of a new generation of Enterprise Risk Management (ERM) systems, designed to overcome functional fragmentation, merge cultural and technological dimensions, and translate risk-related knowledge into strategic action and continuous organizational learning.

From new risk assessment to strategic ERM

Enterprise Risk Management (ERM) now represents the structural response to the advances in risk assessment and the limitations of traditional models. From a technical and fragmented activity, risk management has evolved into a strategic governance platform, capable of overcoming organizational silos and engaging all business functions. As underscored in the international literature, true innovation lies not so much in developing new top-down models, but rather in disseminating a corporate risk culture, understood as a shared, continuous learning process in which risk turns into a lever for organizational development.

Thanks to the methodological evolution of risk assessment, from a predominantly analytical tool to a cognitive and strategic process, it can now be fully embedded into ERM frameworks, which today constitute the primary infrastructure through which firms link risk management to strategic planning. In the most advanced models, such as COSO ERM (2017) and the latest OECD guidelines (2024), risk assessment occupies a central operational role, blending risk analysis, risk appetite, and performance monitoring. As summarized in Table 1, this approach abandons silo-based logic in favor of an integrated portfolio perspective, capable of aggregating strategic, operational, financial, compliance, and ESG risks within a coordinated and transparent framework.

ERM is therefore no longer conceived as a mere collection of rules and procedures, but as a sophisticated governance approach that permeates the entire organization and directly connects risk management to the creation of sustainable value. In this context, the role of the risk manager undergoes a profound transformation: from specialized technician to strategic facilitator, capable of providing governance bodies with a comprehensive view of risks and opportunities. The most mature companies have already institutionalized this vision through integrated planning cycles, in which risk analysis is systematically embedded in the definition of industrial and strategic objectives.

In this new scenario, the processes of risk identification, assessment, and reporting serve as tools for organizational learning, ensuring that risk is not treated as a residual variable, but as an intrinsic component of value creation. Thanks to the informational architecture of ERM, based on top-down and bottom-up flows between the Board of Directors, risk owners, and operational functions, organizations can achieve greater transparency and cross-functional coordination. In doing so, they extend risk management into the cultural dimension of the organization.

As highlighted by Huber (2025), by merging the Balanced Scorecard (BSC) and ERM, we are taking a decisive step on this path. By linking performance metrics and risk factors, in fact, organizations can translate risk-related knowledge into strategic decisions, redefining management control as a continuous learning system. As a result, ERM – initially complementary to the BSC – gradually assumes a central role, transforming the scorecard into a fully integrated governance tool.

From this perspective, risk assessment in a mature ERM framework is no longer a simple control mechanism, but rather a dynamic process of organizational sensemaking, consisting of learning from data, generating strategic feedback, and contributing to the long-term resilience of the firm. That means that risk management is transitioning from being a reactive function, based on ex post measurement, to taking a proactive, anticipatory approach oriented towards performance and sustainability. Strategic ERM now constitutes an effective bridge for managing emerging risks and unknown unknowns, merging knowledge, technology, and culture into a governance system capable of learning and adapting to complexity.

Risk assessment in the literature: New guidelines

Recent academic literature confirms that risk assessment is evolving toward a cognitive and strategic approach, increasingly embedded in corporate governance mechanisms. Huber (2025) illustrates how the combination of Enterprise Risk Management (ERM) and the Balanced Scorecard (BSC) enhances the strategic coherence of risk assessment processes. Using a case study of a large energy company, the author shows that mapping strategic risks in the BSC perspective facilitates the translation of risk into measurable objectives and supports managerial empowerment. In this process, ERM – initially conceived as a support function – progressively becomes a driver of scorecard transformation, strengthening the link between control systems and strategic direction.

Jabbour (2024) adopts an institutional perspective, arguing that the diffusion of ERM practices results from institutional work involving a broad set of actors, not risk managers alone. From this viewpoint, risk is no longer treated as a purely technical element to be quantified, but as a collective phenomenon that is interpreted and constructed through collaboration, shared meaning, and organizational trust.

Finally, Adhillah (2025), based on a systematic review of the international literature, underscores the urgency of moving beyond compliance-oriented models toward value-driven, technology-enabled approaches capable of blending sustainability, digital transformation, and business resilience.

Taken together, these contributions delineate a clear trajectory of change: risk assessment is no longer a narrowly defined measurement activity, but a managerial and strategic tool that bridges risk analysis and value creation. Risk management is now an integral component of strategic design, supporting organizational learning, anticipatory thinking, and a broader collective awareness of uncertainty and opportunity.

Forward-looking models: The new centrality of risk management

The proliferation of risks that are difficult to predict within corporate risk taxonomies calls for a profound rethinking of management models. The most advanced organizations have begun to adopt a forward-looking approach that blends scenario analysis, what-if simulations, crisis planning, and effective early warning systems. From this perspective, organizational resilience is built on the ability to anticipate crises that cannot be fully mapped ex ante and to interpret weak signals emerging from heterogeneous data sources.

As these trends reveal, a clear shift is underway: from retrospective analysis toward a predictive logic that combines quantitative data with contextual intelligence. Traditional, static approaches based primarily on historical data are progressively giving way to data-driven models and predictive algorithms capable of linking probabilities, impacts, and alternative future scenarios. In this transition, risk management ceases to be a purely reactive function and instead transforms into a continuous learning process.

According to AIFIRM (2025), the Italian banking sector represents an advanced testing ground for this transformation. In fact, banks are increasingly complementing scenario analysis with geopolitical, reputational, and energy-related perspectives, often leveraging AI-based tools to develop genuinely adaptive governance ecosystems. These agile ERM models do not replace existing regulatory frameworks; rather, they complement them. While supervision continues to serve as a safeguard of stability, it is frequently accompanied by rapid-response capabilities that support business continuity in highly uncertain environments.

The PwC Risk Management 2025 and Beyond report equates this evolution with the emergence of truly predictive risk management. This is not merely a matter of algorithms or big data, but of an ongoing dialogue between artificial intelligence and human judgment. While technological tools generate signals and patterns, managers can interpret them thanks to their experience, incorporating qualitative dimensions – such as geopolitical, reputational, and behavioral factors – that are inherently difficult to model. This “anticipatory” logic rests on three key levers:

  1. The integration of historical and forward-looking data to transform measurement into predictive intelligence.
  2. The adoption of dynamic metrics capable of adapting to the speed and volatility of emerging phenomena.
  3. The dissemination of a risk culture that assigns responsibility and reporting capabilities across all organizational levels.

The outcome is a form of risk management that assumes a renewed centrality in corporate governance. No longer confined to a defensive role, it is now a strategic driver capable of guiding decision-making, supporting business model innovation, and transforming uncertainty into opportunities for sustainable growth.

Organizational capabilities and new governance paradigms

The ability to adopt a forward-looking perspective depends not only on technological capabilities, but also – crucially – on organizational culture. As highlighted by KPMG (2025), truly resilient organizations share three distinctive characteristics: information agility, cross-functional collaboration, and the capacity to learn from weak signals.

Dynamic risk assessment emerges from permeable processes and effective cross-functional communication. The speed with which an organization can detect deviations from expected trends or operational anomalies is critical for anticipating emerging risks. In this framework, tools such as whistleblowing mechanisms and incident reporting systems are no longer merely instruments of control, but rather channels for collective learning, through which information is aggregated and disseminated to amplify the organizational response.

The cultural transformation of risk management can be articulated along three main lines of development:

  1. The infusion of risk-based thinking into decision-making processes, so that risk assessment is an integral component of strategic and innovation-related choices.
  2. The diffusion of accountability, assigning each organizational level an active role in identifying and communicating risks.
  3. The use of risk metrics as performance levers, including from an ESG and reputational perspective, whereby resilience is an indicator of long-term sustainability.

As noted by EY (2025), these practices signal a transition from formal, compliance-oriented management toward a transformative risk culture, in which awareness and collaboration are embedded in the organization’s DNA. This shift gives rise to a new governance paradigm: the risk function is no longer confined to a group of specialists, but extends across the entire organization, supported by continuous training, agile decision-making processes, and a shared understanding of value creation through the effective management of uncertainty.

Conclusions

The trajectory mapped out in this work – from the global risk landscape to cognitive–strategic risk assessment, and from integrated ERM frameworks to predictive and agile models – demonstrates how risk management is transforming into an intelligent governance function, capable of combining analytical rigor with strategic relevance. Indeed, risk management can no longer be understood merely as a cautious discipline. Rather, it is gradually taking the form of an infrastructure of knowledge and decision-making, in which data, human judgment, and organizational culture converge to support the creation of sustainable value. Risk is no longer viewed solely as a threat to be mitigated, but more and more as a frontier for interpretation and growth: resilient organizations do not simply react to uncertainty; they actively reconfigure themselves through uncertainty.

From this perspective, risk assessment assumes the role of a strategic governance tool and a platform for building connections between quantitative models, organizational culture, and managerial vision. Risk management proves to be a dynamic system of continuous learning, in which methodology, analysis, and collective intelligence all serve to attain a shared objective: transforming uncertainty into value and complexity into knowledge.


References

  • Adhillah, M.N. (2025). “Systematic literature review: The development of enterprise risk management.” Journal of Accounting, Management and Business Environment.
  • Agarwal, R., Ansell, J. (2024). Strategic change in enterprise risk management: Cognitive and learning perspectives. University of Edinburgh Research Series.
  • AIFIRM (2025). Le banche governano tutte le sfumature del rischio: Modelli forward looking e framework adattivi.
  • Allianz Group (2025). Allianz Risk Barometer 2025: Cyber incidents top global business risks. Munich: Allianz Group.
  • Aon (2024). Managing non-financial risks to build organizational resilience.
  • Crawford, J., Stein, V. (2024). “The relationship between ERM and distributed sensemaking.” International Journal of Management Reviews.
  • EY (2025). Risk management’s strategic opportunity in a time of change: EY Global Risk Outlook 2025.
  • Huber, C. (2025). “Integrating the balanced scorecard and enterprise risk management.” Journal of Accounting and Organizational Change.
  • Huber, C. (2025). “Integrating the balanced scorecard and enterprise risk management: A case study of a large energy company.” Computers & Industrial Engineering, 186.
  • Jabbour, M. (2024). “Enterprise risk management: An institutional work perspective.” Accounting, Auditing & Accountability Journal.
  • Jabbour, M., Crawford, J. (2024). Enterprise risk management: Technical, cognitive, and social perspectives. London: Routledge.
  • Jidda, D.J. (2025). “Value of enterprise risk management integration and firm resilience: Evidence from global supply chains.” SAGE Open, 15(1).
  • KPMG (2025). Top geopolitical risks 2025.
  • OECD (2024). Managing emerging critical risks: Implementing the framework on management of emerging critical risks. Paris: OECD Publishing.
  • ORX (2025). Geopolitical uncertainty is accelerating cybercrime as top risk.
  • PwC (2025). Risk management 2025 and beyond: PwC Global Risk Study 2025. PwC Deutschland & PwC Global Financial Services.
  • The IIA Research Foundation (2025). Enhanced enterprise risk management and strategic decision-making.
  • The Institute of Internal Auditors (IIA) (2024). Risk in focus 2025: Internal audit priorities for the year ahead. ECIIA – IIA Europe.
  • World Economic Forum (2025). The global risks report 2025 (20th ed.). Geneva: World Economic Forum.
  • WTW (2025). Global reputational risk readiness survey 2024/25.

Photo iStock / Tanatpon Chaweewat