Five Actionable Insights From the 2025 Risk in Focus: North America Report

An inability to identify the critical risks facing our organizations is a key strategic risk facing internal audit. If we can’t learn to anticipate the risks emerging beyond the visible horizon, we risk losing credibility and relevance. I’ve written about this potential existential crisis, and improving this capability is a core goal of the Internal Audit Foundation’s (IAF’s) “Vision 2035.” Permacrisis demands we do better. 

Fortunately, the IAF’s 2025 Risk in Focus: North America report, sponsored by AuditBoard, delivers actionable insights that can help internal auditors get a running start on 2025’s risks. This year’s report yielded several unexpected insights; below is my take on the top five. 

1. Emerging Risks Are Influenced by Direct and Indirect Forces

The report introduces the concept of two types of drivers for emerging risks based on how each influences risk levels, priorities, and responses. “Direct pressure” drivers include financial impacts, business opportunities, and specific regulations — influences to which business leaders and boards are naturally attuned. However, “indirect pressure” drivers of public opinion, politics, and social impact also influence risks and can create direct pressure as they impact markets, regulations, and reputations.

This view on risk isn’t all-inclusive. It’s nonetheless useful for guiding discussions about risk drivers. As your organization strives to identify and understand its emerging risks, this approach can support a more holistic perspective encompassing value protection, realization, and creation. For example, how is AI directly impacting your organization in terms of opportunities, regulations (e.g., data privacy, cybersecurity), revenues, assets, and the potential for fraud? Looking outward, what influence could indirect drivers have moving forward? I also recommend the PESTLE model for identifying emerging risks by evaluating the political, economic, social, technological, and environmental factors impacting operations and decision-making. 

2. Digital Disruption Risks, Including AI, Are Surging

Digital disruption risk saw the North America survey’s most dramatic increase, rising to #3 from 2024’s #6 finish. Only cybersecurity and human capital rank higher for 2025, but respondents believe digital disruption will become a “close second” to cybersecurity within three years. 

I suspect that the risks of digital disruption could rise even further, surpassing cybersecurity to become the top-ranked risk. As the report explores, organizations are already challenged to keep pace with AI’s rapid proliferation. As I pointed out earlier this year, there are critical risks that AI presents for organizations that internal auditors can’t afford to ignore. Internal auditors have a vital opportunity to help organizations establish the controls, governance, risk assessments, technology enablement, and collaboration necessary to strengthen risk management in this critical area.

3. Climate Risks Not Seen as Rising in Short Term — But That’s About to Change

North American respondents collectively haven’t seen much change in the severity of climate change risks, ranking it #14 in 2024 and 2025. Such a low rank would typically place it below the threshold of many internal audit departments’ ability to provide audit coverage. Looking ahead three years, however, respondents expect a significant jump to #8 given pending disclosure requirements, potential noncompliance consequences, and ever-increasing climate impacts. 

Notably, however, Canadian internal audit leaders are more clear-eyed about the coming uptick: 30% of Canadian respondents rank climate change as a current top-five risk to their organizations versus 9% of U.S. respondents. 

I’m encouraged to see the expected rise in prominence, but organizations can’t afford to wait. Beyond reinforcing this message, internal auditors should proactively assess and monitor their organizations’ climate reporting data, metrics, controls, and compliance readiness.

4. Geopolitical Uncertainty Is Flat Despite Strife in Europe and the Middle East

No matter how turbulent the geopolitical landscape continues to be, its risks don’t seem to register for many North American organizations. Geopolitical uncertainty ranked #8 in 2024 and #9 for 2025 and the three-year outlook. 

Are our organizations truly so insulated from the unstable global economy and political climate, the conflicts in Europe and the Middle East, extreme weather events, and the attendant downstream impacts (e.g., supply chain, cost-of-living pressures, growing polarization, mis/disinformation)? More likely, are internal auditors simply unable to connect the dots for organizations in this important area? 

Admittedly, geopolitical uncertainty risk is not readily auditable. That doesn’t mean we can ignore it. Rather, assurance should be provided around organizations’ management of the risk: Does the organization recognize its geopolitical risks and have a plan to mitigate them? Equally importantly, we must identify the 2nd to nth order risks that geopolitical uncertainty creates (supply chain disruption, fuel price increases, and broader macroeconomic uncertainty).

5. Internal Audit Is Starting to Recognize How AI Exacerbates and Creates Risks

The 2025 Risk in Focus: North America contains a robust discussion of internal audit’s growing understanding of AI’s threats and opportunities. Respondents increasingly understand how AI interconnects with risks such as cybersecurity, fraud, human capital, communications/reputation, regulatory and market changes, and beyond. While I worry that many underestimate AI’s potential impact on organizational culture, governance, and corporate reporting risks, I’m nonetheless encouraged. AI presents critical risks that internal auditors cannot ignore. 

Luckily, respondents report growing involvement in advisory support on AI governance, risk assessments, and board/management education. Leadership often welcomes internal audit’s help in managing AI implementation and understanding needed controls. Internal auditors who aren’t already involved in such efforts should see this openness not only as an open door, but an urgent opportunity to assist in value protection, realization, and creation. 

As the first half of the 2020s comes to a close, the next half-decade’s key risks are starting to reveal themselves. Though the 2025 Risk in Focus: North America report corroborates internal audit’s continuing struggle to identify what those risks are and what to do about them, it also highlights meaningful opportunities for action. As we look to tomorrow, the IIA’s report is a valuable resource. 

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.