Risk in Focus 2026: cybercrime tops rankings, but interconnected risks need new solutions 

Cybersecurity is the most significant risk for chief audit executives (CAEs) across the UK and Europe, according to Risk in Focus 2026. This is the tenth iteration of the annual report conducted jointly by the Chartered IIA, European Confederation of Institutes of Internal Auditing and 14 other European Institutes of Internal Auditing, meaning that CAEs can now compare perceptions and predictions of risk by their peers across the past decade. 

 

The top ranking for cybersecurity risk is not surprising at a time when an attack on Jaguar Land Rover looks set to close the car manufacturer’s factories for the whole of September. Meanwhile, Marks & Spencer is counting the estimated £300m cost of the hack that brought down its online shopping operations in April – when The Co-Op and Harrods were also attacked.

 

This risk led the field by a considerable margin – 81% of the 900 respondents put it in their top five risks. It was followed by human capital, diversity and talent management (48%). CAEs were particularly concerned about AI causing “deskilling” and their ability to attract and retain skills. Digital disruption, new technology and AI risk has risen up the rankings to third place (47%).

 

Despite CAEs highlighting the risk of cybercrime, attacks are becoming more frequent and more powerful. The Chartered IIA is therefore urging boards to harness the power of their internal audit teams to identify cyber control weaknesses and recommend improvements. AI is adding to the power and sophistication of hacks and must also be employed in defences against attacks.

 

“The recent wave of cyberattacks on major UK businesses is a stark reminder that cybersecurity must remain at the top of every board’s agenda,” said Anne Kiem, CEO of the Chartered IIA. She urged readers of the report to communicate and share the value of internal audit in combating cybercrime and the other key risks identified. 

 

“Internal audit is uniquely positioned to provide independent assurance for boards that cyber and digital controls are robust and effective, helping organisations to build resilience and protect their bottom lines,” she said. 

 

Risk shifts and interconnections 

Climate change, biodiversity and environmental sustainability fell from eighth to tenth place in the risk rankings this year. CAE interviewees said they were frustrated by regulatory uncertainty. The number who believed it would be a top-five risk by 2029 fell from 40% last year to just 24% this year. 

 

The disruptive effects of AI and the way AI developments are outpacing strategies and business models are causing CAEs a range of concerns. More key risks are now closely interconnected, meaning that organisations must find new ways to assess and mitigate risk impacts that take account of multiple risks.

 

CAEs should also look closely at areas where respondents say that the time and effort they spend exceeds the importance of the risk – for example, in the case of “organisational governance and corporate reporting”, “fraud, bribery and the criminal exploitation of disruption” and “health, safety and security”. This may help them to target resources more effectively. 

 

The report suggests ways that internal audit can help organisations deal with each of the risk areas identified. These, along with the other findings, can be used to start important conversations with risk managers, audit committees and boards.

 

The full report is available on the Chartered IIA website.