Chief risk officers (CROs) are navigating a risk landscape that’s more volatile, fragmented, and tech-driven than ever. Society even had to invent horrid new words like “permacrisis” to describe today’s reality. CROs are being buffeted by geopolitical instability, regulatory whiplash, and the ESG winter, driving a need for a different type of risk program and risk culture. This disruption has shaken them.

Yet many CROs still rely on advice from risk consulting services providers that are stuck in the audit compliance cottage industry of yesteryear, gently stirring into action. My new report — An Anatomy Of Risk Consulting Services (Forrester Clients only) — launches a new coverage area for Forrester, helping risk professionals select their risk consulting providers. In the report, we define the risk consulting market, outline the major disruptive trends, and highlight where firms and clients in the industry see things evolving. This all sets the stage for the evaluation I will run on this market in 2026 and early 2027 with a Forrester Landscape and Wave™.

CROs Need Providers Who Can Help Them Automate Craft-based Manual Work

CROs are looking for providers that can help them disrupt both the culture and practice of how they manage enterprise risk. In response, risk consulting firms are reinventing their delivery models, with most already utilizing AI to automate much of the drudgery of controls testing and assurance work that’s been their bread and butter. Risk consulting firms are fundamentally transforming many of their services through automation — one of the most significant changes I’ve witnessed.

This aligns perfectly with CROs’ visions of more automated risk analysis, freeing up time to position the risk function as a strategic advisor on risk. Today, risk practitioners still manually chase audit evidence, review documents, perform risk analysis, and manage risk registers and compliance workflows. One global bank I found in a recent research interview has over 2,500 people performing manual risk and control assessments as their main job function. Expect a future where risk professionals shift their focus from doing this manual work to exercising more acute professional judgement. CROs will choose risk consulting services partners with different skills, training, and development needs, as well as partners who challenge the status quo rather than conform to it.

Interviewed firms consistently emphasized that their time should be spent forming professional judgments rather than performing routine tasks. As supporting risk technologies like GRC evolve — and automation and generative and agentic AI become more embedded in core organizational risk management workflows — we’ll see a seismic shift over the next 5 years in how risk consulting firms shape their services. Some firms will even start to offer technology-driven managed risk services — a trend I’ll be tracking.

Forrester clients can read my latest report here to dive further into the trends, provider strategies, and recommendations for CROs when selecting a provider.