Is it time to reimagine risk management?

AI is demonstrating dramatic efficiency gains throughout risk management, including controls. But the real opportunity may be rethinking how the entire risk management model works.

By Isobel Markham

Consider a generative AI-powered solution that reduces the time required to test a control from 20 hours to just five. For risk management functions, such as internal audit, SOX reporting, and compliance, that perform thousands of control tests annually, the math is staggering, and the implications extend far beyond simple efficiency gains.

“Think about the potential impact from a continuous monitoring perspective within the first line,” says Geoffrey Kovesdy, a principal with Deloitte & Touche LLP. “Many of the continuous monitoring capabilities today monitor risk, which is very important, but they don’t actually test controls. Imagine if management had true continuous controls monitoring, including evaluating sign-offs and other audit evidence. What opportunity would that create for the risk and internal audit functions to drive more strategic engagement?”

It’s a question that cuts to the heart of how organisations structure their approach to risk management. And according to Kovesdy, it demands more than incremental adjustments.

“Risk management and internal audit — I truly believe that this profession is about to change in a very significant way,” he says.

The opportunity isn’t just about adopting new tools. It’s about whether organisations should fundamentally redesign how they approach risk management from the ground up.

Backing New Capabilities Into Old Models

Risk management functions have spent decades retrofitting new capabilities into the three lines model. Continuous controls monitoring, dynamic risk assessments, automation: all have been backed into existing structures. However, AI is creating an inflection point that demands a different question: if we started with a clean sheet of paper today, would we design the function the same way? For many organisations, the answer is no.

The result, Kovesdy posits, is a missed opportunity for more transformational change.

“Every time we innovate through risk and internal controls, we tend to back that innovation into our legacy ways of working across the three lines,” he says. “What we have not done as a profession is sat down with a clean sheet of paper and said, ‘knowing everything we now know, how would we evolve the three lines model?’”

Kovesdy says the answer to whether the model should be reimagined is “a resounding yes”.

That carries weight in part because of the convergence of several forces, such as regulatory complexity, expanding risk domains, and resource constraints, but primarily because AI is pushing organisations to confront risk management from two distinct angles simultaneously.

The Dual Transformation

When considering risk management and internal controls for AI, organisations should use two lenses: governance of AI itself, and how to use AI to drive risk and controls mandates, services, and capabilities.

As businesses introduce AI into their operations, it is important for risk functions to assess governance and identify the full spectrum of risks, including financial, operational, regulatory, and cyber. For many organisations, this adds a new and complex domain to already stretched risk management resources.

But Kovesdy points to something often overlooked in discussions of AI governance: its role in value creation, not just value protection.

“Many companies have been able to implement several use cases,” he says. “The difference between dabbling with a few use cases versus deploying AI at scale comes down to governance. Having the right governance in place, including a continuous process for identifying, prioritising, designing, and deploying use cases, can unlock value at scale.”

The second lens is where the transformation potential becomes clear. Using AI to drive the risk and controls mandate and services can result in dramatic efficiency gains. It is also where reimagining the function becomes not just possible, but necessary.

Three Principles for Moving Forward

Kovesdy outlines three crucial shifts in thinking for organisations approaching this transformation.

It’s not about maturity — it’s about fit. The language of “maturity models” dominates discussions of technology adoption in risk management, but in Kovesdy’s view, this isn’t the right framework.

“The reality is, organisations all have different sizes, different structures, and the risk professionals within them have different remits,” he says. For example, some internal audit departments own enterprise risk management; others don’t. Some handle SOX compliance; others focus elsewhere. Rather than measuring against a generic maturity model, it may help teams to focus on understanding and aligning with the management team and the board on the desired capabilities, and then on what is required to make the shift.

Risk functions require their own AI resourcing strategy. Many organisations are establishing enterprise AI centres of excellence, and risk management teams often expect resources and support from these central functions. While that can be valuable, it is often insufficient.

“More often than not, when AI resources are deployed from the centre to various business units, risk management departments are deprioritised,” Kovesdy explains. “While we know risk management is generally considered one of the most important responsibilities and capabilities in a business, it can be overshadowed within the business based on certain traditional enterprise-wide value drivers and metrics.”

Instead, it can benefit risk management leaders to develop an independent point of view on how their teams plan to leverage, drive, and resource AI.

People matter more than technology. While it’s tempting to frame AI transformation as primarily a technology challenge concerned with gaining access to the right tools and data, Kovesdy sees it differently.

“Data and technology will get figured out. It’s the risk professional in the business unit who has to use new tools and capabilities, and sometimes do their work differently,” Kovesdy says, adding that the investment in change management and capability building is crucial. “Many times, when these transformations hit a pause, it’s because those in the business are not using the tools and capabilities that the risk teams have provided to them.”

More than ever, Kovesdy calls “purple people” indispensable, riffing on the concept first introduced in 2010. Those purple people, in this case, are risk professionals who combine business process expertise with data and technology capabilities.

“Our future workforce needs to know how to work with technology,” he says, emphasising that this doesn’t mean every risk professional must become a technologist, but they do need to be technology-enabled.

A reimagining of the risk function can be a transformational opportunity that will likely require the rigour of program management to drive broader change, while demonstrating wins along the way. This requires C-suite executives to coalesce around an enterprise-wide vision for managing risk in the age of AI. At a moment when risk domains are expanding and regulatory expectations are evolving, companies can drive value creation through risk management.

Isobel Markham is senior writer, Executive Perspectives in The Wall Street Journal, Deloitte Services LP.

As published in the 30 April 2026 edition of the WSJ CFO Journal.

Disclaimer

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. Please see www.deloitte.com/au to learn more.

Copyright © 2025 Deloitte Development LLC. All rights reserved.