Effective planning in permacrisis requires unified, collaborative risk leadership

Planning in the era of permacrisis is an exercise in humility. According to a poll I conducted on LinkedIn, nearly 60% of internal auditors were forced to revisit or reconsider their audit plans during the first quarter of 2025.

Internal auditors aren’t the only ones scrambling. Today’s risk management and compliance teams often face even bigger planning challenges.

The first half of 2025 has been a relentless parade of turbulence and disruption. Tariff wars, geopolitical and economic instability, a volatile regulatory and policy landscape, ongoing technological change, and other disruptions are making effective planning more challenging — and more essential. Businesses are set for a wild ride in the second half of 2025.

At 2025’s midpoint, internal audit, risk management, and compliance teams face different but interconnected planning challenges. Putting some of these challenges under the spotlight helps illuminate an important truth of permacrisis: Organizations have a better chance of navigating and taking advantage of risk-induced disruption when its key risk players share insights and work together.

The connected risk imperative

I’ll date myself with this reference, but it feels apt: In 2025, we are all on Mr. Toad’s Wild Ride. The classic Disneyland dark ride is characterized by abrupt turns, near-collisions, sudden explosions, and hazards around every corner. Barrelling through the dark, it’s never clear what comes next.

Charting a course through chaos and obscurity requires risk and assurance teams to combine forces, enhancing their organizations’ ability to anticipate emerging risks, mitigate threats, and capitalize on opportunities. That’s why my most recent book, Connected Risk: Conquering the Perilous Risk Exposure Gap, is a call to action for improving collaboration. Connected risk — a cross-functional, technology-enabled approach to managing enterprise risk — empowers new ways of working across traditional lines. This is vital not only for effective planning amid uncertainty, but for the value creation, protection, and enhancement essential for resilience.

Collaboration is most effective, however, when parties understand each other’s perspectives. What looms largest on their radar? Where are they focusing planning, and where are efforts falling short? What insights or resources can one team provide that the other lacks?

Below are some current representative challenges in compliance, risk management, and internal audit as I understand them. The point is that my understanding as an internal auditor will be stronger if my risk and compliance colleagues share their perspectives. I hope this article encourages more teams to do exactly that.

Key compliance challenges

• Navigating a complex, uncertain regulatory landscape. The Trump administration has an aggressive deregulatory agenda, but new requirements are kicking in (e.g., state laws/regulations on privacy, cybersecurity, and AI; EU AI Act) just as others are being rolled back. A heightened focus on fraud from tariff/trade uncertainties comes alongside proposals to dissolve fraud watchdogs like the Public Company Accounting Oversight Board (PCAOB). A KPMG report finds compliance teams rethinking roles and skills needs, using automation and analytics to improve monitoring and compliance effectiveness assessments, and collaborating across the business to gauge impacts.
• Responding to rising regulatory scrutiny around cybersecurity, operational resilience, and incident response/reporting. KPMG’s report suggests teams are looking to enhance board/executive oversight and third-party risk assessments, improve contingency and recovery plans, and mitigate exposures to align with risk tolerance and regulatory postures. Responding effectively may require targeted upskilling.

Key risk management challenges

• Managing tariff risk by rethinking supply chain risk management. Impacts may include cost increases, reduced supply options, and competitors accessing suppliers your business can’t. Risk Management recommends integrating risk assessments into supply chain, pricing, and procurement strategies; heightening due diligence around impact to existing/potential suppliers; managing contracts to mitigate impact; and using risk-based contingency planning to identify and manage potential impacts.
• Managing deepening cybersecurity threats. With the rise of AI-enabled and state-sponsored cybercrime threatening critical infrastructure, cybersecurity risk has become a strategic, enterprise-level threat. The cybersecurity rule also changed the game, mandating rapid public-company disclosure of material incidents. Risk managers seek to empower front-line management, enhance assessments, improve incident response plans, and develop capabilities for continuously monitoring and quantifying cybersecurity threats.
• Balancing AI implementation and governance. Governance isn’t keeping pace. Risk teams are working to understand, categorize, and manage AI use and risks, including key risks around security, explainability, transparency, and accountability; establish AI governance teams; use frameworks; identify gaps and recommendations; and leverage governance for competitive advantage.

Key internal audit challenges

• Identifying emerging risks before they crystallize. Developing our capacity for foresight is essential for identifying and managing emerging risks related to tariffs, trade wars, geopolitical conflicts, deregulation, disruptive technologies, labor availability, cybersecurity, and other risks. Internal auditors are looking to enhance stakeholder dialogue, use scenario-based audit planning, and integrate real-time risk monitoring to track internal and external data, analytics, and other geopolitical, economic, industry, and regulatory indicators to detect warning signs earlier.
• Auditing organizational resilience. With business continuity a top-five risk, teams need to audit resilience. How quickly can the company respond to disruptions? Are crisis response plans in-place and tested? Over half of U.S. organizations have not integrated risk and resilience capabilities.

Band together for more effective risk leadership and planning

These examples have remarkable crossover. If teams don’t share insights and coordinate efforts in these and other areas, we’re passing up vital opportunities to improve planning and provide our organizations with more effective risk leadership.

In many ways, Connected Risk: Conquering the Perilous Risk Exposure Gap is a roadmap for navigating 2025. As the first half of the year has borne out, permacrisis is alive and well, and risk-induced disruption is our new normal. I explored these themes — including how siloed risk management creates its own risks — in the book’s first half. The latter half looks toward solutions, explaining why and how greater cross-functional collaboration is core to reimagining risk management in permacrisis.

Are your organization’s risk and assurance teams collaborating as effectively as they could be? The future belongs to the organizations whose leaders are willing to rethink planning, adapt, and band together to face the challenges to come. Nobody knows what’s around the next corner, but effective collaboration will give us a far better chance of being prepared.

About the authors

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.