Key insights

  • Organizations face an increasingly complex and interconnected risk landscape, driving a shift from a reactive approach to proactive risk mitigation strategies.
  • Leaders who prioritize business continuity and rehearse incident response plans are better equipped to respond to disruption.
  • Risk management has gained strategic relevance across industries as business leaders respond to a polycrisis risk environment.
  • Risk managers are becoming more involved in board-level decisions, helping organizations navigate uncertainty with confidence.

In a world defined by polycrisis — overlapping, interconnected and increasingly unpredictable disruptions — an ongoing challenge for businesses is building more proactive risk management.

The Gallagher Business Risk Evolution Survey reveals that two-thirds of business leaders believe their organizations are operating in a significantly more volatile environment. The challenge then is not merely anticipating the next shock but building the capacity to be agile enough to thrive in the new normal.

Markets shift and risks evolve. What's different today is the pace, the interconnectedness and the intangibility of those shifts.

Before the pandemic hit in 2020, companies' registers of top risks were dominated by familiar physical threats: fire, flood, theft and local operational disruption. COVID-19 reshaped that understanding, revealing how intangible systemic risks — such as cyberattacks and supply chain breakdowns, or abrupt regulatory changes and extreme weather events — can cascade rapidly and globally.

Adjusting to an evolving risk landscape

One of the most pressing boardroom concerns emerging from this evolved risk landscape is business continuity.

The pandemic exposed the fragility of lean, globally distributed supply chains, for example. In response, many organizations have taken deliberate steps to build a more robust supply chain — from maintaining stock reserves to diversifying and onshoring or nearshoring their supplier networks.

At the same time, the onset of pandemic lockdowns prompted a shift to a more hybrid work environment. Consequently, businesses had to rethink how to best enable and support their people, while balancing productivity and business security. Many invested in secure remote-working infrastructure, strengthened internal communications and accelerated the move toward digital customer engagement.

Resilient businesses often paired these operational changes with visible leadership, offering flexible work hours and enhanced health and mental wellbeing benefits.

The pandemic also underscored the need for agility and adaptability, prompting many organizations to explore risk transfer as a means to manage risk. Risk financing, insurance and risk advisors have now gone from being behind-the-scenes cost controllers to becoming more strategic C-suite partners.

"We've seen an uptick in companies hiring dedicated risk managers or business continuity professionals," confirms Tom Russell, vice president, Global Business Resiliency and Enterprise Risk leader at Gallagher. "These roles may not have existed in some organizations before the pandemic, but it has become clear that having someone to steer the ship and provide insights during crises is essential."

The next frontier of enterprise risk will involve increased focus on digital transformation and sustainability.

Cyber resilience: From IT problem to boardroom priority

In recent years, rapid technological transformations have ushered in an era of opportunities — but also more challenging risks. These challenges have been heightened as operations become more distributed via cloud storage, global data centers and outsourcing, giving rise to third-party vulnerabilities.

The rise of generative AI and the broadening influence of social media have amplified this shift, enabling information to spread — and threats to scale — at speed, making it difficult for regulators to keep up with cybercriminals who are quick to leverage these technologies.

"For businesses, cyber has become a bigger issue as employees became remote," notes Daniel Smith, regional director of Strategic Growth at Gallagher. "Employees moved from the office, where devices and networks were centrally managed, to personal networks that lacked the robust cybersecurity of a large corporate infrastructure."

Company data could now potentially be accessed via unsecured networks. As a result, cyber and AI-related risks now sit at the top of the risk management priority list for one in four businesses surveyed.

Even so, many organizations have continued to adopt — and adapt to — technologies and their risks. To counter remote vulnerabilities, most businesses surveyed invested in tools such as virtual private networks (VPNs) to enhance cyber resilience. Businesses have also amped up their training programs and data access control. Today, 96% of respondents feel confident in their controls — reflecting both increased investment and a shift in governance mindset.

"Businesses are increasingly investing in people (cyber-awareness training), processes (tested response plans) and technology (multi-factor authentication, endpoint detection) to become cyber resilient," says Sam Cheshire, head of Cyber (UK) at Gallagher.

However, underinvestment or investments misaligned with actual exposure are an emerging reality in the cybersphere. The cost of such gaps in today's interconnected digital landscape extends to more than just financial losses.

"If you experience a cyber incident, you are more likely to face another within three months. Attackers interpret prior breaches as signs of vulnerability," highlights Georgia Price-Hunt, global head of Sales, Cyber Risk Management at Gallagher. "The organizations that recover faster are those willing to learn from their mistakes and truly understand the risks."

Trusted risk advisors, including brokers, are now playing a crucial role to bridge these gaps by helping organizations benchmark their controls, assess their exposures and strengthen preparedness.

"Our cyber specialists now routinely audit clients' security posture, assist with control implementation and coach executives on incident response," says Price-Hunt. "They also negotiate policy wording to cover extortion payments, forensic costs and business interruption. The result is a more mature, more relevant cyber-risk coverage."

Thriving in the digital business landscape: Gallagher's top tips

Embrace customer-centricity: Technology investments should enhance the overall experience of customers, colleagues and partners. Solely focusing on cost cutting or internal efficiencies is ill advised.
Value the human element: Understand that digital tools can facilitate complex risk management processes but can never replace the power of human relationships.
Prioritize integration: Recognize that new technologies must seamlessly integrate with existing legacy systems. Invest in dedicated teams and strategies.
Strengthen data governance: Establish robust corporate and divisional data teams to ensure data quality, consistency and compliance. These teams are foundational for any digital initiative.
Balance innovation with caution: While exploring emerging technologies such as AI and the Internet of Things (IoT), it's imperative to maintain regulatory compliance and ensure appropriate use cases.

Extreme weather events: An evergreen risk priority

The past few years have seen extreme weather events becoming a defining challenge for organizations, especially in regions not traditionally considered high risk. From wildfires and floods to severe convective storms, such events are increasing in both frequency and severity.

From an economic and insurance loss perspective, while tropical cyclones or earthquakes continue to drive the highest individual losses from natural catastrophes, the impact of secondary perils, such as wildfires, floods and severe convective storms, is becoming more significant. Moreover, today's climate events can also be more challenging for insurance carriers to model and anticipate.

"At Gallagher, we prioritize tracking and modeling historical scenarios and current events to educate our clients on the locations most at risk during any type of crisis," says Kaitlin Simoneaux, vice president of Strategic Growth at Gallagher US, Southeast region. "When we are expecting a hurricane on the coast, we have the ability to track our clients' locations that are in the path of the storm to better prepare our client and their employees."

"We're also supporting regions facing extreme flooding and unpredictable wind events," adds Shannon Gunderman, managing director of Public Sector and K-12 Education, Gallagher. "These catastrophes are happening more frequently and are causing greater loss."

As natural catastrophes increase in frequency and unpredictability, more organizations are turning to risk managers to shift from a reactive to a proactive risk mitigation approach, such as reinforcing building codes and strengthening nature-based solutions.

However, the unpredictability of natural catastrophes makes it difficult for businesses to actively understand — and prepare for — the direct and indirect impact of climate risks.

"Even if a property owner is not directly impacted by a catastrophe, the ripple effects of these events — through shared risk, rising costs and changing risk models — contribute to higher property insurance rates for everyone," says Simoneaux. "At Gallagher, we have the appropriate resources to improve our clients' risk profile to better tell their story to our carrier partners."

Timely, data-driven proactive risk assessment and support have become essential for businesses to navigate these increasingly complex climate risks. Risk advisors, data analytics and predictive tools like Gallagher Forecast help clients turn past climate events into forward-looking, actionable decisions.

"When the property market shifted, it became really challenging during those first few years," Simoneaux continues. "I saw several companies that were significantly impacted, especially those exposed to hurricanes, particularly where they hadn't implemented the appropriate measures. The level of due diligence around risk controls stepped up significantly. Alongside that, we were discussing alternative solutions and educating our clients or potential clients."

"One example is the parametric product," she explains. "This product has become more popular over time because it focuses on a specific risk and provides quicker financial support to help reduce disruptions and losses."

Learning from the past for a better tomorrow

Five questions to ask the board

  1. How do we embed resilience in our governance structures?
  2. Are we treating risk management and insurance as strategic enablers?
  3. How do we leverage risk insights within our strategic planning?
  4. What systems do we have to learn from disruptions and near misses?
  5. How does our risk management approach support our growth ambitions?

What began as sometimes temporary pandemic-driven initiatives have become permanent.

There's also a growing appreciation for proactive risk management itself, with most businesses amping up their insurance uptake, as well as integrating risk management and business continuity teams into their workforce.

"Before COVID, organizations often dismissed worst-case scenario planning," notes Gallagher's Russell. "Now, leadership wants to plan low-probability, high-impact events."

Consequently, risk managers have become a part of boardroom strategy, thanks to their capability to have a bird's-eye view of the various risk factors across the business operations, as well as the experience to navigate such risks holistically.

"Senior leadership is realizing the value that risk management and risk managers bring to the table," explains Lisanne Sison, managing director of Enterprise Risk Management at Gallagher, about this shift in perspective. "They're also learning that having insurance alone is not enough to manage risks."

Yet, challenges remain. On one hand, businesses are learning to adapt to macro-operational challenges such as supply chain and cyber threats.

On the other hand, however, employee mental wellbeing, talent retention and skill gaps emerge as key challenges that businesses are actively racing to address with better employee value propositions.

However, while resilience requires ongoing investment, the returns are tangible.

The pandemic demonstrated this starkly. Organizations that had already embedded crisis response, continuity planning and adaptive decision-making didn't just survive disruption — many outperformed. They protected their people, stabilized operations faster and gained ground while competitors were still regrouping.

Resilience, then, is more than contingency planning. It's a strategic foundation for long-term success, built over time through repeated, deliberate choices. And in a world where volatility is structural rather than exceptional, the organizations that treat resilience as a capability — not a reaction — are the ones that are positioned to succeed.

Published January 2026