Gartner tells risk, audit, and compliance leaders to create “reflexive risk ownership,” a way of doing things that prepares businesses for the future by having leaders automatically and regularly identify, deal with, and manage risks as part of their daily decisions. This is because risks now happen more quickly, interact in complicated ways, and don’t fit neatly into categories.
Reflexive Risk Ownership
Gartner, Inc., a research and consultancy group specialising in business and technology insights, recommends that risk, audit, and compliance executives create “reflexive risk ownership.”
This approach describes a future state in which business leaders consistently and automatically identify, address, and manage risks.

Speaking at the opening keynote of the Gartner Enterprise Risk, Audit & Compliance Conference, the firm’s analysts noted that organisations are now encountering risks that appear rapidly, interact with one another in complex ways, and are increasingly difficult to categorise.
Gartner emphasised that these conditions make a shift in risk management practices especially important.
“Risk management is now one of CEOs’ most critical priorities; its importance has increased by over 50% since last year,” added Chris Audet, Chief of Research in the Gartner Assurance Practice. “This has created a unique moment for assurance leaders.”
“88% of risk owners are highly motivated to meet expectations for risk management,” stated Tegan Gebert, Vice President in the Gartner Assurance Practice. “However, just 35% are convinced they know how to do so. They need assurance leaders who can teach them how.”
Gartner defines “reflexive risk ownership” as a practical capability agenda for assurance leaders. This includes making daily routines easier and clearer, designing interactions that challenge assumptions and reveal actionable insight, and making desired behaviours visible and rewarded so they become habits. With CEOs paying more attention and risk owners being more motivated than knowledgeable, the top priority right now is coaching and enabling—turning strategy into small, repeatable changes that boost confidence and consistency throughout the business.
Chris Audet, Chief of Research, and Tegan Gebert, Vice President in Gartner’s Assurance practice, emphasised this point at the opening keynote of the Gartner Enterprise Risk, Audit, and Compliance Conference in Grapevine, Texas.
Gartner analysts said that, much as a sports coach establishes procedures and processes to bring out the best in athletes, assurance executives must support risk owners in creating a stronger reflex for risk management. This approach, they said, entails creating targeted, incremental changes that contribute to a greater organisational competency.
“Assurance leaders need to be the coaches their risk owners need: leveraging tools, insights and influence to get them to practise, to improve and to persist,” he said.
“An organisational risk reflex will be enabled by a set of acts that are learnt or practised until they occur so naturally that they look reflexive. Assurance executives must develop a bigger framework that supports and reinforces appropriate risk ownership behaviours.”
Gartner experts recommend that assurance executives focus on three important pillars to ensure that risk management functions as effortlessly as a learnt reflex.
The first pillar is creating procedures that make proper risk behaviours simple to understand and difficult to ignore.
“Small, purposeful adjustments in environment and method may result in significant gains in results. Assurance executives are already reducing instructions, consolidating paperwork, and incorporating risk concerns into daily activities,” Audet said.
“However, making things easy is insufficient; systems must also be designed such that compliance is visible, anticipated, and socially encouraged. This entails making risky acts difficult to overlook, justify avoiding, and conceal.”
Gartner offered an example of contract management solutions that may also work as third-party risk management platforms. Such technologies would enable risk owners to renew contracts or choose from pre-approved providers without doing lengthy due diligence, making compliance both natural and mandatory.
The second pillar is purposeful provocation: creating conditions that encourage risk owners to think critically and react effectively.
“Assurance leaders must design interactions—risk assessments, workshops, and feedback sessions, for example—that challenge conventional thinking, encourage candid discussions, and share novel, actionable insights,” says Gebert.
Practical techniques include asking more hard questions in risk surveys and performing audits that examine the whole project environment rather than just governance structures.
The third pillar is making desired actions apparent and rewarded.
Building skills and coaching models
According to Gartner, the way to “reflexive risk ownership” is to set up simple, repeatable routines, make them stronger with clear systems, and practise and get feedback to build muscle memory. The goal is to make good risk behaviours second nature, so that spotting, responding to, and escalating risks happen just like any other daily task.
Three pillars in action
The first step in turning the keynote into action is to engineer ease and visibility. This means making guidance easier to understand, documents easier to read, and risk prompts part of daily work so that compliance is hard to miss and easy to follow. Next, design interactions that create useful tension, like assessments and workshops that question assumptions and bring out clear, actionable insights. Finally, show people that the actions you want them to take are important by giving them public recognition that rewards effort, openness, and ongoing improvement.

Practical enablers are often found in existing toolchains. For instance, adding pre-approved supplier pathways to contract lifecycle platforms can make renewal and sourcing easier while also tightening compliance. When risk owners encounter controls at the moment they have to make a decision, following them becomes the default instead of an afterthought.
Measurement should match intent: keep an eye on traditional loss metrics as well as leading indicators of reflex formation, like the time it takes to respond to a risk signal, how well people follow embedded controls, and how well they participate in provocational forums. Publishing these indicators at the team level encourages healthy peer comparison and keeps things moving without relying only on top-down oversight.
“Positive reinforcement—through visible, public acknowledgment—helps develop and strengthen the brain circuits that convert favourable risk behaviours into routines.” Audet said that recognition should be based on effort, transparency, and constant development, rather than flawless achievements. “Assurance leaders are uniquely positioned to define and elevate such behaviours.”
Examples include rewarding proactive risk management, promoting team triumphs, and highlighting best practices via dashboards or recognition systems.
