On June 3, 2025, the Federal Reserve removed Wells Fargo’s $1.95 trillion asset cap after a seven-year restriction imposed in February 2018. The cap traced to the absence of a documented governance and risk-management program.
Wells Fargo spent seven years rebuilding what a Risk Intelligent Organisation already has in place: a Board-approved framework, named accountabilities, KRI dashboards, and an audit-committee paper that survives regulator scrutiny.
| Key Takeaways |
|---|
| A 2026 Risk Intelligent Organisation runs on six pillars: risk awareness, risk assessment, a documented risk-intelligence framework, a risk-intelligent culture, technology and analytics, and continuous monitoring with audit. Each pillar has named owners, KRI thresholds, and a quarterly audit-committee paper. |
| The Federal Reserve removed Wells Fargo’s $1.95 trillion asset cap on June 3, 2025 after seven years. The cap originated in February 2018 because the bank lacked a documented governance and risk-management program. The lift required a Board-approved program demonstrably implemented across the bank, the textbook definition of becoming a Risk Intelligent Organisation under regulatory pressure. |
| IBM’s 2024 Cost of a Data Breach Report put the global average breach cost at $4.88 million, a 10% YoY increase and the largest jump since the pandemic. 70% of breached organizations reported significant disruption. Organizations with mature risk-intelligence programs absorb breach events more cheaply because the controls and recovery muscle are already in place. |
| Deloitte’s Risk Intelligent Enterprise framework aligns with ISO 31000:2018 principles and COSO ERM 2017 components. The hybrid approach is now the default for US Fortune-500 programs: ISO 31000 supplies the operating-principles backbone, COSO ERM supplies the governance and SOX-aligned overlay, and Deloitte’s Risk Intelligent posture provides the maturity language. |
| 83% of S&P 500 firms now disclose AI as a material risk in their 10-K, up from 12% in 2023. Reputation, cybersecurity, and regulatory uncertainty are the top three concerns. A Risk Intelligent Organisation in 2026 has AI inventory, AI policy coverage, AI incidents reportable, and shadow-AI scans on the standing audit-committee paper. |
| Standards: ISO 31000:2018, COSO ERM 2017, COSO Internal Control – Integrated Framework (2013), ISO 22301:2019 BCM, ISO 27001:2022 ISMS, ISO/IEC 42001:2023 AI management, NIST CSF 2.0, the DOJ Evaluation of Corporate Compliance Programs (Sept 2024 refresh), and the OCC Heightened Standards anchor a US Risk Intelligent Organisation. |
| Most US Fortune-500 chief risk officers run a Risk Intelligent Organisation maturity self-assessment annually against a five-level ladder (Initial, Repeatable, Defined, Managed, Risk Intelligent). Levels 4 and 5 are where audit committees, rating agencies, and DOJ ECCP reviews increasingly expect US public companies to operate by 2027. |
This guide rebuilds the Risk Intelligent Organisation blueprint for a 2026 chief risk officer, audit-committee chair, or general counsel. The original Deloitte framing pairs cleanly with ISO 31000:2018 risk management principles and COSO ERM 2017 governance components.
The IBM 2024 Cost of a Data Breach Report puts the global average at $4.88 million, the largest YoY jump since the pandemic. The cost of not being risk intelligent compounds quarterly.
The DOJ’s September 2024 refresh of the Evaluation of Corporate Compliance Programs raised the bar on documented framework adoption.
Prosecutors now ask whether the company tracks risk-management metrics with documented thresholds, owners, and remediation aging. The Risk Intelligent Organisation answers yes; programs that still run on policy text alone do not.
Six pillars anchor the dashboard below: risk awareness, risk assessment, a documented risk-intelligence framework, a risk-intelligent culture, technology and analytics, and continuous monitoring with audit. Each pillar has named owners, KRI thresholds, and a quarterly audit-committee paper that integrates into one Risk Intelligent Organisation scorecard.

Figure 1. Six pillars that anchor a 2026 Risk Intelligent Organisation.
What Makes a Risk Intelligent Organisation in 2026
A Risk Intelligent Organisation identifies, assesses, and prioritizes risks proactively across the enterprise rather than reactively after a loss event. The discipline integrates risk management into culture, strategy, operations, and capital allocation.
The board sees one consolidated picture; first-line owners run their KRIs; second-line risk and compliance functions challenge the data; third-line internal audit validates the integrity of the program.
Deloitte’s Risk Intelligent Enterprise framework defined the language: a Risk Intelligent Organisation balances risk-taking and risk control rather than minimizing risk for its own sake. Wells Fargo’s seven-year recovery priced the cost.
So did Boeing’s 2024 strike, the 737 MAX 9 door-plug incident, and the Change Healthcare ransomware breach. None of those events surprised a Risk Intelligent Organisation; they surprised programs running on legacy controls.
Useful Key Risk Indicators (KRIs) inside a Risk Intelligent Organisation share four traits. They are measurable, owned by one named officer, calibrated to a green / amber / red threshold, and they move ahead of the loss event rather than after it. Without those four traits, the program is a policy library, not a Risk Intelligent Organisation.
How a Risk Intelligent Organisation Differs From a Traditional Risk Program
| Attribute | Traditional risk program | Risk Intelligent Organisation |
|---|---|---|
| Posture | Reactive, compliance-driven, focused on loss avoidance | Proactive, integrated with strategy, balances risk-taking and risk control |
| Ownership | Risk function in a silo; first-line treats risk as compliance overhead | First-line owns KRIs; second-line challenges; third-line audits; board owns appetite |
| Cadence | Annual risk register refresh; quarterly audit-committee paper | Continuous KRI dashboards; monthly risk committee; quarterly board with appetite review |
| Reporting | Heat maps and policy text; narrative-heavy | Quantitative KRIs with thresholds; trend, breach history, owner, remediation aging |
| Reference | ISO 31000 lite, COSO IC-IF, sector regulator | ISO 31000:2018 + COSO ERM 2017 + Deloitte Risk Intelligent + ISO 22301 + ISO 27001 + NIST CSF 2.0 |
| Culture | Risk awareness driven by training calendar | Risk-intelligent culture: named, measured, behavior-tested, leader-modeled |
Pillar 1: Risk Awareness Inside a Risk Intelligent Organisation
Risk awareness is the first pillar of a Risk Intelligent Organisation. It runs deeper than annual training.
Employees at every level recognize the loss exposures their decisions create, escalate them through documented channels, and earn promotion in part on the quality of risk judgment they show.
Wells Fargo’s fake-accounts scandal showed what happens when the comp plan rewards behavior that risk awareness should have flagged.
Operationally, risk awareness lives in three places. First, the risk-management policy and the risk appetite statement, both signed by the CEO and approved by the audit committee. Second, the role-based training cadence aligned to the DOJ ECCP test of design and resourcing.
Third, the comp plan and performance review, where risk-management behavior shows up alongside revenue and operational targets. Each of the three feeds the next.
US Fortune-500 programs measure risk awareness through hotline tip volume, training completion, conflicts-of-interest disclosure rate, conduct-event frequency, and engagement-survey questions on whether employees feel safe raising risk concerns.
Zero hotline tips in a quarter is a red flag, not a green one. The ACFE 2024 Report to the Nations found tips drive 43% of fraud detection.
Pillar 2: Risk Assessment Inside a Risk Intelligent Organisation
Risk assessment is the discipline by which a Risk Intelligent Organisation translates threat scenarios into ranked exposures. The standard process runs scope-context-criteria, identification, analysis, evaluation, and treatment per ISO 31000:2018 clause 6.
The output is a risk register or risk-assessment paper with named owners, residual risk scores, and remediation timelines.
US Fortune-500 programs typically run an annual enterprise risk assessment with quarterly delta refreshes, supplemented by targeted assessments on material events: M&A, new product launches, regulatory changes, AI deployments, supplier failures.
Cybersecurity and privacy assessments often run on a six-month cycle in regulated industries because the threat surface changes faster than the broader register does. Refresh cost is lower than initial scoping because the framework is in place.
A guide to risk assessment methodology walks through both qualitative and quantitative options.
Most Risk Intelligent Organisations run a hybrid: qualitative across the broad universe, quantitative on the top-10 risks where leadership needs dollar exposure for capital allocation, insurance program design, or 10-K disclosure decisions.
Pillar 3: The Risk-Intelligence Framework Inside a Risk Intelligent Organisation
The framework is the third pillar of a Risk Intelligent Organisation. It defines how the program runs day to day. The 2026 default is a hybrid: ISO 31000:2018 supplies the operating principles and process; COSO ERM 2017 supplies the governance, strategy, and SOX-aligned internal-control overlay; ISO 22301:2019 covers business continuity; ISO 27001:2022 covers information security; NIST CSF 2.0 covers cybersecurity.
Building the Framework Inside a Risk Intelligent Organisation
Implementing the risk-intelligence framework runs in five stages. Assess current capability through a formal gap analysis. Document policies, procedures, and guidelines aligned to the chosen frameworks.
Establish governance: a Chief Risk Officer or equivalent, an audit-and-risk committee charter, and named owners for each domain.
Deploy enabling technology: GRC tool, risk register, KRI dashboard, and continuous-monitoring rules. Build a measurement and reporting cadence that the audit committee actually uses.
The framework reaches across strategic, operational, financial, legal, regulatory, and reputational risks, with explicit hooks into AI risk, climate risk, third-party risk, and privacy.
The DOJ ECCP September 2024 refresh expects evidence-based metrics for each. Programs that still describe the framework in narrative text without underlying KRIs and remediation logs fail the new ECCP test.
Pillar 4: Cultivating a Risk-Intelligent Culture in a Risk Intelligent Organisation
A risk-intelligent culture is what separates a Risk Intelligent Organisation from a program that owns binders of policies.
Culture lives in the comp plan, the promotion path, the way leaders react when bad news arrives, and the daily decisions employees make when no auditor is watching. Wells Fargo’s seven-year cap showed how heavily the absence of such a culture is priced into equity value.
Promoting Awareness Across a Risk Intelligent Organisation
Awareness inside a Risk Intelligent Organisation runs on three tracks. The first is communication: leaders speak about risk in earnings calls, town halls, and operating reviews.
The second is training, role-based and tied to the DOJ ECCP design / resourcing / access test. The third is leadership behavior: when senior leaders accept a risk deal-block from compliance, the rest of the organization sees it.
Communication should run continuously and explicitly tie risk decisions to strategy. The NACD 2026 Director’s Handbook on Cyber-Risk Oversight expects boards to see risk and strategy on the same agenda.
Most US Fortune-500 boards now run a quarterly enterprise-risk paper alongside the strategy progress report rather than at the year-end compliance meeting alone.
Training and Development Inside a Risk Intelligent Organisation
Training inside a Risk Intelligent Organisation is role-based and measurable. Risk-management staff receive deep training on ISO 31000, COSO ERM, NIST CSF 2.0, and AI risk standards (NIST AI RMF, ISO/IEC 42001:2023).
Line employees receive shorter training on identifying and escalating risks in daily work. Senior leaders receive training on appetite, scenario thinking, and the regulatory expectations that come with the role.
Development opportunities matter as much as training. Job rotations through the risk function, cross-functional projects with risk components, and risk-program participation in M&A or new-market entry decisions all build risk judgment that classroom training never will.
Most US Fortune-500 CROs sponsor a high-potential rotation program through the risk function for the same reason CFOs sponsor finance rotations.

Figure 2. US risk-intelligence data points 2024-2025 driving the Risk Intelligent Organisation agenda.
Pillar 5: Technology and Analytics in a Risk Intelligent Organisation
Technology and analytics are the fifth pillar of a Risk Intelligent Organisation. Modern programs run on a GRC tool (Archer, ServiceNow IRM, Workiva, MetricStream, OneTrust, Riskonnect), a continuous-monitoring rule engine, a KRI dashboard, and increasingly an AI-assisted analytics layer that surfaces anomalies across the risk register, vendor data, and incident logs.
GRC and Analytics Inside a Risk Intelligent Organisation
GRC tools centralize risk identification, assessment, monitoring, and reporting. The audit-committee paper, the risk register, the KRI dashboard, and the management-action tracker live in one place.
Real-time risk information replaces the quarterly status update; the audit committee can drill from a heat-map color into the underlying KRI and remediation history without going through a slide deck.
Analytics layers improve risk intelligence by surfacing patterns that human review misses. Predictive analytics on supplier-quality data, journal entries, claim volumes, sanctions screens, and AI tool inventories now sit on most US Fortune-500 audit-committee papers.
Real-time monitoring on critical KRIs pushes alerts to the responsible officer when a threshold breaches rather than waiting for the next monthly report.
Pillar 6: Monitoring and Audit Inside a Risk Intelligent Organisation
Continuous monitoring and independent audit are the sixth pillar of a Risk Intelligent Organisation.
The IIA’s Global Internal Audit Standards became effective January 9, 2025, sharpening the audit-committee expectation of conformance. Internal audit assesses both the risk-management program and the risk-management framework, while external audit (Big 4 plus QAR teams) validates the integrity of the work.
Regular Audit Inside a Risk Intelligent Organisation
Regular audit means an independent review of the program at least annually, with a deeper external Quality Assessment Review (QAR) every five years per IIA conformance requirements.
The audit assesses policies, procedures, controls, KRI integrity, appetite alignment, and remediation aging. Recommendations feed the next year’s program plan and the audit-committee paper.
Continuous Improvement Inside a Risk Intelligent Organisation
Continuous improvement is data-driven inside a Risk Intelligent Organisation. The CRO and audit committee review YoY trends on KRIs, retained losses, premium ratios, regulator findings, and breach event frequency.
The risk appetite statement gets refreshed annually against external benchmarks (RIMS Benchmark Survey, Protiviti / NC State Top Risks survey, sector peers). Stakeholder feedback (employees, customers, auditors) feeds the program-design backlog.

Figure 3. The five-level Risk Intelligent Organisation maturity ladder.
Common Pitfalls When Building a Risk Intelligent Organisation
Implementation failures around the Risk Intelligent Organisation blueprint repeat at every revenue scale. The traps below show up in audit-committee post-mortems, regulator findings, IIA QAR reports, and DOJ ECCP presentations after a material event.
Each one represents a pattern that turns Risk Intelligent Organisation language into shelf-ware.
| Pitfall | Root cause | Remedy |
|---|---|---|
| Framework as policy text | Adopted on paper without documented operational rollout or named owners | Map each component to a named owner; track rollout against ISO 31000 process steps and COSO ERM principles in the audit-committee paper |
| Risk function in a silo | First-line treats risk as compliance overhead; second-line owns the register alone | Move ownership to first-line; second-line challenges; third-line audits; rotate high-potential staff through the risk function |
| Vanity heat maps | Beautiful charts no committee acts on | Tie each amber / red KRI band to a triggered action; track action closure as a meta-KRI; remove KRIs that never breach |
| AI risk missing | Framework predates COSO + Deloitte 2023 AI guidance and ISO/IEC 42001:2023 | Add AI inventory, AI policy coverage, AI incidents reportable, and shadow-AI scan as standing KRIs |
| Hotline silence as good news | Quarter with zero tips celebrated rather than investigated | Set the green threshold at >= 3 tips per quarter; investigate any quarter with zero (awareness or retaliation problem) |
| Static appetite | Risk appetite statement set at framework launch and never recalibrated | Refresh appetite annually against external benchmarks and after material strategic events; tie appetite to KRI thresholds explicitly |
| No reassessment cadence | Assessment run once, then not refreshed for three years | Set an annual cadence with material-event triggers (acquisition, system change, regulator inquiry, AI deployment) |
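The four KRI traits described under Pillar 1 (measurable, one named owner, green / amber / red thresholds, leading the loss event) and the pitfalls-table remedies (tie every amber / red band to an action, track action closure as a meta-KRI, treat hotline silence as a breach) can be run as a small scorecard evaluator. The code below is an added illustration, not the article's or any GRC tool's code; the KRI names, owners, thresholds and readings are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class KRI:
    """One Key Risk Indicator with the four traits the text names: a measurable
    value, one named owner, green/amber/red thresholds, and a lead (pre-loss) reading."""
    name: str
    owner: str
    amber: float                  # first threshold crossed on the way out of green
    red: float                    # second threshold
    higher_is_worse: bool = True  # False for indicators such as hotline tips
    history: list = field(default_factory=list)   # prior readings: [(period, value), ...]
    action_opened: Optional[date] = None          # open remediation action, if any


def band(kri: KRI, value: float) -> str:
    """Map a reading to green / amber / red against the KRI's thresholds."""
    if kri.higher_is_worse:
        return "red" if value >= kri.red else "amber" if value >= kri.amber else "green"
    # Lower-is-worse indicators: silence is the breach (zero hotline tips is red, not green).
    return "red" if value <= kri.red else "amber" if value <= kri.amber else "green"


def trend(kri: KRI, value: float) -> str:
    """Direction of the latest reading relative to the prior period."""
    if not kri.history:
        return "n/a"
    prior = kri.history[-1][1]
    if value == prior:
        return "flat"
    worse = value > prior if kri.higher_is_worse else value < prior
    return "worsening" if worse else "improving"


def evaluate(kris, readings, as_of: date):
    """Scorecard rows: band, trend, breach history, owner and remediation aging."""
    rows = []
    for kri in kris:
        value = readings[kri.name]
        current = band(kri, value)
        rows.append({
            "kri": kri.name,
            "owner": kri.owner,
            "value": value,
            "band": current,
            "trend": trend(kri, value),
            "prior_breaches": sum(1 for _, v in kri.history if band(kri, v) != "green"),
            "action_required": current != "green",   # every amber/red band triggers an action
            "remediation_age_days": (as_of - kri.action_opened).days if kri.action_opened else 0,
        })
    return rows


def overdue_actions(rows, max_age_days: int = 90):
    """Meta-KRI from the pitfalls table: open actions on amber/red KRIs older than the limit."""
    return [r["kri"] for r in rows
            if r["action_required"] and r["remediation_age_days"] > max_age_days]


# Constructed sample data (hypothetical, not drawn from the article).
SAMPLE_KRIS = [
    KRI("hotline_tips_per_quarter", "Chief Compliance Officer", amber=2, red=0,
        higher_is_worse=False, history=[("2025Q1", 4), ("2025Q2", 1), ("2025Q3", 0)]),
    KRI("regulator_findings_open_over_90d", "Chief Risk Officer", amber=3, red=6,
        history=[("2025Q1", 1), ("2025Q2", 2), ("2025Q3", 3)], action_opened=date(2025, 8, 1)),
    KRI("shadow_ai_tools_detected", "CISO", amber=5, red=15, history=[("2025Q3", 2)]),
]
SAMPLE_READINGS = {"hotline_tips_per_quarter": 0,
                   "regulator_findings_open_over_90d": 4,
                   "shadow_ai_tools_detected": 3}


def sample_scorecard():
    """Scorecard for the constructed sample as of a fixed review date."""
    return evaluate(SAMPLE_KRIS, SAMPLE_READINGS, date(2026, 1, 15))


if __name__ == "__main__":
    for row in sample_scorecard():
        print(row)
    print("overdue actions:", overdue_actions(sample_scorecard()))
```

With this sample the hotline KRI lands red at zero tips (two prior quarters already off green), the regulator-findings KRI lands amber with a 167-day-old open action, and only that action shows up on the overdue meta-KRI.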
Frequently Asked Questions About a Risk Intelligent Organisation
What is a Risk Intelligent Organisation in 2026?
A Risk Intelligent Organisation in 2026 identifies, assesses, and prioritizes risks proactively across the enterprise rather than reactively after a loss event.
The program runs on six pillars (awareness, assessment, framework, culture, technology, monitoring), uses a hybrid ISO 31000 + COSO ERM framework, and reports through a quarterly audit-committee paper integrated with strategy.
Risk-taking and risk control balance against documented appetite rather than minimizing risk for its own sake.
How does a Risk Intelligent Organisation differ from a traditional risk program?
A traditional risk program is reactive, compliance-driven, and siloed in a risk function. A Risk Intelligent Organisation embeds risk in strategy, capital allocation, and culture, with first-line ownership of KRIs and second-line challenge.
The metrics differ: traditional programs report heat maps and policy compliance; a Risk Intelligent Organisation reports quantitative KRIs with thresholds, trends, owners, and remediation aging on every audit-committee paper.
Which standards govern a Risk Intelligent Organisation?
The dominant references are ISO 31000:2018, COSO ERM 2017, COSO Internal Control – Integrated Framework (2013), Deloitte’s Risk Intelligent Enterprise framework, ISO 22301:2019 BCM, ISO 27001:2022 ISMS, ISO/IEC 42001:2023 AI management, NIST CSF 2.0, the DOJ Evaluation of Corporate Compliance Programs (Sept 2024), and the OCC Heightened Standards. Most US Fortune-500 programs run a hybrid that integrates all of them under one audit-committee paper.
What lessons does Wells Fargo offer for a Risk Intelligent Organisation?
Wells Fargo’s seven-year asset cap (February 2018 to June 3, 2025) showed what happens when culture, framework, and appetite stay below the regulator’s bar. Sales-quota incentives drove behavior that risk awareness, hotline tips, and product-control reviews should have caught.
The cap removal was conditional on a Board-approved governance and risk-management program demonstrably implemented across the bank, the textbook definition of operating as a Risk Intelligent Organisation.
How does AI risk fit inside a Risk Intelligent Organisation?
AI sits inside the framework via NIST AI RMF, ISO/IEC 42001:2023, and COSO + Deloitte December 2023 AI guidance.
A Risk Intelligent Organisation tracks AI tool inventory, policy coverage, incidents reportable to the board, biometric processing without consent, and shadow-AI usage volume on quarterly papers.
The Colorado AI Act takes effect February 2026; the EU AI Act enforces high-risk obligations through 2027. Both raise the bar.
How often should a Risk Intelligent Organisation refresh its program?
Annually as a minimum, with targeted refreshes at material events: M&A, system changes, regulator inquiries, AI deployments at scale, market shifts.
The full enterprise risk assessment runs once a year; quarterly delta refreshes update the top-10 risks.
The risk appetite statement gets refreshed annually against external benchmarks and after any material strategic event. The framework mapping gets refreshed at each ISO surveillance audit and SOX 404 walkthrough.
How does a Risk Intelligent Organisation measure ROI?
Use the Total Cost of Risk (TCOR) framework: track program spend against retained losses, insurance premium ratios, regulator fines, and incident-related costs YoY.
A Risk Intelligent Organisation typically pulls TCOR down through the cycle as control investment displaces loss-event spend. RIMS benchmark data places top performers below the peer median; the audit committee tracks the gap and the trajectory at each quarterly review.
Can a small business run a Risk Intelligent Organisation program?
Yes, with calibration. A small or mid-sized business can run the same six pillars but should narrow scope to 15 to 20 KRIs that match the actual risk surface.
The framework choice is usually ISO 31000:2018 alone (rather than ISO + COSO hybrid) because COSO ERM is heavier than typical mid-market governance can sustain without listing pressure. Discipline and ownership are the binding constraints, not headcount or GRC-tool spend.
Looking Ahead: The Risk Intelligent Organisation in 2026 and 2027
Regulatory pressure on the Risk Intelligent Organisation increases through 2026. The DOJ ECCP September 2024 refresh and SEC FY2024 record $8.2 billion in financial remedies set the new expectation baseline.
Audit committees, OCC examiners, and rating agencies expect documented framework adoption, named owners, KRI dashboards, and remediation logs that survive an examination.
AI integration accelerates inside the Risk Intelligent Organisation. NIST CSF 2.0 Govern function, ISO/IEC 42001:2023, and the Colorado AI Act (effective February 2026) push AI inventory, AI policy coverage, and AI incident reporting to the standing audit-committee paper. By 2027, AI-assisted risk analytics that surface anomalies across KRIs, vendor data, and journal entries become the table-stakes capability rather than the differentiator.
Climate, ESG, and supply chain risk widen the scope. California SB 253 first-disclosure deadline lands August 10, 2026; the EU CSDDD takes phased effect through 2027 and 2028 and reaches US suppliers via in-scope EU buyers.
The Risk Intelligent Organisation handles all three on a single audit-committee paper with shared KRIs, integrated framework language, and one set of named owners.
A live KRI dashboard with quarterly recalibration and a clear integrated risk management approach is what holds up under audit-committee, OCC, FRB, SEC, and rating-agency scrutiny. Without it, the Risk Intelligent Organisation language becomes marketing rather than operating reality, and the next regulator inquiry prices in losses the program could have prevented.
Ready to Build a Risk Intelligent Organisation?
At riskpublishing.com we help US chief risk officers, audit-committee chairs, and general counsel build a Risk Intelligent Organisation that holds up under audit-committee review, OCC and FRB examination, DOJ ECCP review, customer security audits, and rating-agency surveillance. We start with the maturity self-assessment, gap analysis, and the six-pillar build sequence anchored to the client’s regulatory tier.
The work usually includes a documented framework mapping (ISO 31000:2018 + COSO ERM 2017 + ISO 22301:2019 + ISO 27001:2022 + ISO/IEC 42001:2023 + NIST CSF 2.0), a risk register design, a KRI dashboard, an updated risk appetite statement, a quarterly audit-committee paper template, and a maturity progression plan tied to the DOJ ECCP and SEC disclosure expectations.
Explore our risk advisory services, or contact us to scope a Risk Intelligent Organisation maturity review tailored to the regulatory tier, segment mix, and 2026-2027 audit-committee agenda. We benchmark each pillar against US Fortune-500 peer programs and align the program to the next 10-K risk-factor cycle.
Related reading on riskpublishing.com (KRI library): Key Risk Indicators examples, how to use Key Risk Indicators, Key Risk Indicators dashboard, Key Risk Indicators in Enterprise Risk Management, and Key Risk Indicators developing risk appetite.
Related reading (frameworks and ERM): enterprise risk management framework, ISO 31000 vs COSO ERM Framework, integrated risk management approach, importance of enterprise risk management, and implement COSO Enterprise Risk Management.
Related reading (assessment, audit, mitigation): how to conduct a risk assessment, a guide to risk assessment methodology, the risk-based internal audit guide, risk appetite statements examples, and how to mitigate risk.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.