Thank you for joining us for the fifth installment of our series, Building Enterprise Resilience Through Transformation. In this session, we explore emerging trends in Risk—and how adopting a modernized risk taxonomy can illuminate the strategic goals driving your transformation journey.
Series: Building Enterprise Resilience Through Transformation
Part 1: Introduction - A Holistic and Forward-Looking Perspective
Part 2: Human Capital
Part 3: Cost Optimization
Part 4: Target Operating Model
Part 4a: Wealth Operating Model - Trends in Building Resilience
Part 5: Enterprise Risk Management (You Are Here)
Part 6: Digital Core Foundation (Forthcoming)
The velocity of shocks is higher; contagion travels across supply, tech, and regulation in weeks, not quarters.
If you’re planning a transformation, you’re also redefining risk—whether you intend to or not. Yesteryear's risk lens no longer maps to today’s reality. Inflation shocks, geopolitical fragmentation, data‑sovereignty regimes, AI, and private‑market opacity have made the old playbook obsolete. Treat this chapter of your transformation as the moment to upgrade your risk worldview—before scope and budgets lock you into yesterday’s assumptions.
In this post, we’ll cite leading thinkers and operators who are reframing risk for the current cycle—and what that implies for budgeting, sequencing, and governance. Practical constructs you can use tomorrow.
For the purposes of this discussion, we will not cover Change Risk, the risk of executing a transformation. This topic will be covered in a future post.
We assume familiarity with a standard Risk Taxonomy. For this discussion, we reference the classic structure for investment management, which distinguishes two primary categories: Investment Risk and Enterprise Risk, or Financial Risk and Non-Financial Risk.
The reader is actively engaged in transformation planning and holds influence over scope decisions.
Risk sophistication and maturity vary widely across asset and wealth managers, driven by firm size, age, and historical exposure to risk events.
Several recommendations outlined below may already be implemented within leading investment managers and other industry participants.
Global firms and financial institutions face multiple converging macro forces: geopolitical volatility and accelerating tech adoption. According to McKinsey, geopolitical risk is driving structural segmentation—localizing operations, tech stacks, legal entities, and capital to reduce exposure and enable in-market decisions—while cyber risk grows as cloud, AI, and digital identity scale faster than security maturity.
For investment managers, these dynamics are not peripheral; they may directly interfere with business operations and indirectly reprice assets through risk premia, earnings volatility, and compliance costs. Leaders should embed scenario planning, upgrade governance, segment operating models, and align technology priorities with robust security capabilities to balance resilience and growth.
Observation:
Traditional risk frameworks used by investment managers typically focus on two pillars: Financial Risk and Enterprise Risk (Financial and Non-Financial).
Recommendation:
To better capture the full spectrum of external volatility and strategic exposure with a forward-looking view, we propose adding a third high-level category: Macro Force Risk.
Why It Matters:
This expanded taxonomy enables leadership teams to surface blind spots, align risk signals with transformation goals, and sharpen decision-making across market cycles. Above all, it institutionalizes a framework for anticipating risks that are not yet manifest but should already be on a firm's radar.
In a 2024 paper by Alex Sidorenko (RISK-ACADEMY’S INHERENT AND RESIDUAL RISK GUIDE), definitions are provided for Inherent Risk, Current Risk, and Residual Risk. For this discussion, we will extend the taxonomy to include Unidentified Risk, Accepted Risk, and Eliminated Risk. Here is the lifecycle as illustrated in flowchart form:
Real-time decision-making
Current risk reflects the true exposure executives must manage today—not just what was planned or modeled.
Dynamic environments
Risks change as markets, regulations, and threats evolve. Current risk captures these shifts.
Control effectiveness
If controls degrade, are bypassed, or new risks emerge, current risk may rise above residual risk—signaling the need for urgent action.
Board and regulator expectations
Stakeholders want to know the organization’s actual risk posture—not just theoretical or historical estimates.
Crisis response
In a crisis, current risk is the metric that drives response, escalation, and resource allocation.
Digital transformations today are likely to have an AI component, so it's critical to elevate AI as its own risk category rather than bucketing it under technology or cyber risk. While AI risk taxonomies are rapidly evolving, one notable model—the IBM AI Risk Atlas, released July 10, 2025—offers a structured view of AI-related risks which we found to be relevant to investment management. It emphasizes critical domains such as privacy, intellectual property, accuracy, misuse, and legal compliance, among others. While multiple frameworks exist, this model provides a practical lens as a starting point for assessing and managing AI risk in high-stakes financial environments. Let us set the table in their own words:
Curating the AI Risk Atlas is just the first step in providing a reference framework for researchers and practitioners navigating the rapidly evolving AI landscape. By positioning our risk taxonomy in relation to existing definitions and taxonomies, we aim to encourage the community to map new risk definitions, datasets, benchmarks, research papers, and crucially mitigation and detection strategies into a structured framework. This approach will enhance accessibility and facilitate the operationalization of AI governance processes.
Now, let's dive further into their example and consider the five categories and representative risks (non‑exhaustive) detailed in their risk framework:
Training‑data risks: data bias, unrepresentative data, uncertain provenance, contamination/poisoning, reidentification, personal/confidential information in data, usage/acquisition/transfer rights restrictions, and lack of data transparency. These affect model behavior at the source and carry legal/compliance exposure.
Inference risks: prompt‑based attacks (injection, priming, context overload, specialized tokens, encoded interactions, direct/indirect instructions), model extraction/membership/attribute inference attacks, jailbreaking, and poor model accuracy. These compromise runtime integrity and confidentiality.
Output risks: hallucination, incomplete advice, harmful/toxic/dangerous content, output bias, disinformation, nonconsensual use (deepfakes), exposing confidential or personal information, copyright infringement, unexplainable output, inaccessible training data and unreliable source attribution, and improper usage. These drive user harm, reputational risk, and downstream propagation.
Non‑technical risks: legal accountability/ownership, model/system/data transparency gaps, governance/process issues, lack of testing diversity, environmental impact, human exploitation, education impacts, cultural homogenization, model usage rights restrictions, and incomplete usage definition. These are critical for assurance, auditability, and policy adherence.
Agentic‑AI risks (newly emphasized): misaligned actions, unauthorized use, function‑calling hallucination, exploit‑trust‑mismatch across tools/APIs, sharing IP/PI with users/tools, incomplete agent evaluation, unexplainable/untraceable actions, redundant actions & reproducibility gaps, agentic impact on jobs/human dignity/environment, and over/under‑reliance on agents. These arise when AI systems can plan and act, not just predict.
The paper acknowledges other risk taxonomies which can be found below:
A modern risk framework that is continuously updated will help build a stronger business justification for enterprise risk monitoring. Ahead of a transformation, it can influence vendor selection, the operating model, and the solution architecture with a forward-looking view that aligns with the firm's growth strategy and alpha creation process.
According to Graham Capital in the paper TAILRISK AS A STRUCTURAL FEATURE OF MODERN MARKETS, since 2020, tail risk events have shifted from episodic anomalies to structural features of modern markets. Graham Capital’s research highlights three drivers:
Traditional risk frameworks—centered on Financial and Enterprise Risk—fail to capture these systemic shifts. Firms relying solely on historical models and static assumptions risk underestimating exposure to extreme downside scenarios. Here is a sample use case of applying a macro force risk to a firm's justification for increased investment risk surveillance.
We trust this piece offered meaningful perspective on modernizing your risk taxonomy. If you're looking to establish, refine or build use cases for your framework, TorreBlanc is ready to partner with you—bringing clarity, structure, and strategic alignment to your risk architecture.
Stay tuned for our next Resilience post, where we’ll unpack the foundations of a firm’s Digital Core—and why it’s central to transformation readiness.