
Reactive Is Not a Strategy: What Risk Management Maturity Means for Your Bottom Line

Sponsored by HUB International

Most organizations lack mature risk management strategies, leaving them exposed to accelerating costs, cyber threats and regulatory pressure. CFOs who treat risk maturity as a strategic capability — not a compliance obligation — protect profitability and personal accountability.

Take the Risk Maturity Assessment: Are You Protected or Exposed? 

When a regional bank in the southeastern U.S. weathered a major hurricane — power out, communications severed, competitors scrambling — it became the first financial institution in the region to reopen. The difference was not capital reserves or market position; it was a mature enterprise risk management (ERM) framework and a tested business continuity plan executed under pressure. While competitors absorbed the full cost of extended downtime, lost customer trust and emergency recovery spending, this bank had converted a potential crisis into a competitive advantage.

That outcome is not typical. According to the HUB International 2026 Profitability & Resiliency Executive Survey, one-third of organizations are operating without a mature, organization-wide risk management strategy. The question worth asking is not whether that describes your competitors. It is whether it describes you.

The cost of risk is rising on every front 

The survey identifies three risks that finance leaders expect will most directly threaten profitability heading into 2026: rising operating and labor costs, technology and cybersecurity risks, and regulatory and legal challenges. What matters is not just the ranking — it is the acceleration. Technology and cybersecurity concern jumped 16 points year-over-year to 60% of respondents, with U.S. leaders driving a 25-point surge to 65%. Regulatory and legal challenges showed the largest single-year increase of any tracked risk, climbing 21 points to 50%, as seen in the chart below. 

[Chart 1: Evolving Risk Landscape]

For CFOs, the financial translation is direct. Rising revenues can mask rising input costs from tariffs, energy prices, raw materials and supply chain volatility — making revenue-based risk metrics unreliable precisely when accuracy matters most. Organizations without tested contingency plans face uninsured losses, prolonged operational downtime and cascading second- and third-order cost impacts across supply chains. And regulatory complexity spanning cybersecurity, artificial intelligence (AI) governance, data privacy and corporate governance is compounding directors & officers (D&O), employment practices liability insurance (EPL) and liability exposure in ways that many organizations have not yet fully priced into their risk calculations. As the “Technology and Cybersecurity Risk” chart below illustrates, the surge in concern is most pronounced among U.S. leaders. 

[Chart 2: Technology and Cybersecurity Risk]

These risks do not operate in isolation. A single regulatory shift can ripple across supply chain, technology and geopolitical exposures simultaneously. Organizations managing these categories separately — rather than through an integrated enterprise risk management lens — are exposed to the compounding effects they are least prepared to absorb. 

The gap is wider than most organizations realize 

The survey measured risk readiness across 14 defined practices, from foundational compliance protocols to advanced AI-enabled risk management. The results are sobering: 73% of organizations exhibit only two or fewer of the four most basic risk readiness characteristics. Those basics include a business continuity plan, an incident response plan, employee safety protocols and mitigation aligned with laws and regulations. Three-quarters of organizations cannot clear that bar, as shown in the “Basic Risk Management Maturity” chart below. 

[Chart 3: Basic Risk Management Maturity]

Across the full maturity spectrum, 30% of organizations operate at a basic level focused narrowly on compliance, while only 5% demonstrate characteristics consistent with advanced maturity — where risk quantification is organization-wide, decision-making is informed by past, current and future risks, and mitigation is tied directly to performance. The 65% majority sits in intermediate territory, meaning most organizations have a compliance posture without operational resilience. The “State of Risk Maturity Across Organizations” chart below shows how thin that advanced 5% is.

[Chart 4: State of Risk Maturity Across Organizations]

The cost of that gap shows up in concrete ways. Nearly half of organizations (48%) risk prolonged downtime after a major property loss because they lack formal, detailed business continuity plans — and among those that do have plans, fewer than half conduct quarterly stress tests to verify they still work. Prolonged downtime is not an operational inconvenience; it is a direct hit to revenue, a trigger for customer attrition and, in some industries, a regulatory event in its own right. The bank in the opening story did not avoid those costs by accident. The 48% who have no plan will discover their exposure at the worst possible moment. 

ERM frameworks show similar structural weaknesses. Despite 61% of organizations reporting a formal ERM system, only 26% say their framework incorporates past, current and future risks into actual decision-making. Only 43% maintain incident response plans. A formal ERM system that is not actively informing strategy is, in practical terms, a compliance document — not a risk management capability, as shown in the “Gaps in Enterprise Risk Management Approaches” chart below. 

[Chart 5: Gaps in Enterprise Risk Management Approaches]

The most underpriced risk on most balance sheets 

Of all the gaps the survey surfaces, one deserves a harder look than it typically receives: only 31% of organizations factor reputational risk into their Total Cost of Risk (TCOR) calculations. That means nearly 70% of organizations are carrying an unquantified exposure on a risk category that can move faster and cause more lasting damage than almost any other on the list. 

Reputational risk does not arrive as a standalone event. It is the downstream consequence of how an organization handles a data breach, a workplace incident, a product failure, a leadership decision or a supply chain disruption. The organizations that calculated their TCOR without reputational exposure are not managing that risk — they are simply not seeing it. For a CFO audience that routinely stress-tests financial assumptions, the absence of reputational risk from the model is a material blind spot. And as regulatory scrutiny and social media velocity continue to accelerate, the cost of that blind spot is increasing. 

Closing the gap between your risk profile and your coverage 

One of the more actionable findings in the survey is also one of the most straightforward: 44% of organizations meet with their insurance broker only on a semi-annual or annual basis. In a risk environment where material exposures can emerge from a single regulatory announcement, a technology deployment or a geopolitical development, annual coverage reviews are structurally too slow. 

Organizations that integrate broker and risk advisor input into quarterly strategic reviews — rather than limiting engagement to annual renewals — close the gap between their evolving risk profile and their actual coverage before an incident forces the issue. The survey bears this out: approximately 72% of companies engaging in monthly or quarterly conversations with their insurance providers reported making changes to their insurance or risk programs within the past three months. The more important implication is what that engagement enables: identifying emerging exposures before they become uninsured losses, and adjusting coverage while there is still optionality to do so. 

It is worth acknowledging the counterargument directly. Advancing risk maturity requires investment — in advisory relationships, in technology and data infrastructure, in training and in the organizational bandwidth to run stress tests and maintain living continuity plans. Not every investment in risk maturity produces a measurable near-term return, and finance leaders are right to ask for evidence before committing resources. The honest answer is that the return is asymmetric: the cost of building maturity is predictable and controllable; the cost of an unplanned disruption — uninsured losses, regulatory penalties, recovery spend, customer attrition — is not. Finance leaders who have stress-tested that asymmetry tend to invest in maturity before the event, not after it. 

Advancing the maturity curve: the finance leader's starting point 

For CFOs looking to close the gap, the survey points to several consistent differentiators among more risk-mature organizations. They maintain ERM frameworks that are actively used in decision-making, not filed and forgotten. They stress test supply chains, financial exposures and continuity plans on a regular basis. They have expanded their TCOR calculations to include reputational and regulatory exposure alongside traditional insurance limits. And critically, they have built accountability for risk across the organization rather than siloing it in a single function — the survey found that only 15% of organizations recognize risk management as a shared responsibility across all employees, creating accountability gaps that surface most visibly in cybersecurity and compliance incidents. 

The maturity curve is accelerating. Organizations at the compliance-focused basic level are not standing still — they are falling further behind as the risk environment grows more complex and interconnected. The 5% operating at advanced maturity are not there because risk management is easier for them. They are there because they treated it as a strategic capability rather than an operational obligation. 

Where does your organization stand? 

The bank that reopened first after the hurricane did not start building its ERM framework the day the storm hit. The organizations best positioned for what comes next in 2026 are the ones making that investment now — before the incident that makes the gap visible. 

For CFOs specifically, the stakes extend beyond the organization's balance sheet. When a disruption occurs and risk gaps become visible, audit committees ask why they were not identified earlier, boards examine whether fiduciary oversight was adequate, and the CFO's posture on risk management becomes part of the record. Risk maturity is not only an organizational protection — it is a personal defensibility position. 

Understanding where your organization sits on the risk maturity curve is the prerequisite for closing the gap. HUB International's Risk Maturity Assessment provides a structured starting point — helping finance and risk leaders identify specific gaps, benchmark readiness against peers and define what meaningful advancement looks like for their organization. 


Source: HUB International 2026 Profitability & Resiliency Executive Survey. Survey represents business leaders across the U.S. and Canada, spanning 10 industries, with the majority reporting revenues between $150 million and $1 billion.