The Next Phase of Risk Management in Finland

The maturity of risk management in Finland has developed steadily in recent years. At the same time, the operating environment has become increasingly dynamic. Geopolitical tensions, cyber threats, rising stakeholder expectations and regulation related to artificial intelligence are placing new demands on risk management. Identifying risks alone is no longer sufficient. What matters is how risk management is embedded in everyday operations, decision making and the use of information.

These themes were explored in Granite’s recent webinar, which examined the findings of the State of Risk Management Finland 2026 study and the underlying developments shaping the results. The discussion featured Granite’s Chief Executive Officer Teppo Kattilakoski and GRC Consultant Jukka Mäkitalo.

Finnish Organisations Are Monitoring Risks More Actively

The findings show that risk management activity in Finnish organisations has increased. Risk identification and monitoring are conducted more frequently than before, and the annual review cycle is no longer the dominant model. Quarterly and monthly monitoring have become more common, and in certain risk areas even weekly and daily reviews are emerging.

This development reflects a broader shift in risk thinking. Risks are no longer viewed as static phenomena but as evolving factors whose effects can materialise rapidly. Jukka Mäkitalo captured this well when he noted that unpredictability has increased, as situations may change from one day to the next.

However, increasing the frequency of assessments alone does not guarantee effectiveness. The value of monitoring becomes evident when risk information genuinely supports decision making. Infrequent reviews inevitably lead to a disconnect between risk observations and executive decisions. In such cases, risk information fails to intersect meaningfully with strategic choices.

[Figure: Maturity level of risk management 2026]

Effective Risk Management Is Embedded in Daily Operations

One of the most significant analytical findings of the study concerns operational integration. This refers to the extent to which risk management is embedded in daily activities, processes and leadership practices.

Mäkitalo described the importance of integration in the following way:

Operational integration of risk management explains how an organisation is able to utilise technology, manage risks and respond to observations in practice.

According to the findings, organisations with higher maturity levels have integrated risk management into normal daily work. Risk identification, monitoring and mitigation measures are clearly linked to responsibility structures and decision making. In organisations with lower maturity, risk management tends to remain a separate exercise, where information is scattered, manual effort is significant and risk management is not part of everyday practice.

Integration is also visible in participation. The study indicates that risk management is most effective when the board, executive management, middle management and employees are all engaged in their respective roles. If participation is concentrated at only one level, the overall approach remains incomplete.

Risk Management Is Challenging Without Robust Information Governance

A new theme examined in the study is risk information management. Although most organisations use some form of risk management system, leveraging risk information holistically remains challenging.

The results indicate that risk data is often siloed. Information resides in multiple systems, and the connections between them are not always utilised. This limits the ability to form an up-to-date overall view of risks and their interdependencies. Decision making becomes more difficult when a coherent situational picture is hard to construct and communicate.

Importantly, all respondents considered the ability to combine risk information and examine connections essential. The need has been recognised, yet practical implementation often falls short due to limited time and resources.

Kattilakoski summarised the role of information governance clearly:

All activity ultimately rests on information management. Without it, it is difficult to build sensible and effective risk management.

Artificial Intelligence as an Enabler, Not a Starting Point

Artificial intelligence generates considerable interest in the field of risk management, yet practical adoption remains cautious. Most organisations see artificial intelligence as a significant or moderately significant factor for the future, but only a minority have implemented it in concrete use cases.

The study shows that the primary applications relate to reporting, situational awareness, foresight and trend identification. At the same time, challenges arise in relation to data quality, reliability and competence.

A key observation is that artificial intelligence does not resolve the fundamental challenges of risk management. It can enhance efficiency and support analysis only when operational integration and risk information governance are sufficiently mature. Without these foundations, artificial intelligence is at risk of remaining an isolated experiment.

What Finnish Organisations Can Learn

The State of Risk Management Finland 2026 study presents a picture of risk management that has advanced in many respects but is still at a crossroads in terms of structural choices. The most significant development areas do not concern individual threats but the way risk management is embedded in organisational practice.

The study highlights three central conclusions:

  • The effectiveness of risk management stems from operational integration rather than individual tools.

  • Up-to-date and combinable risk information is a prerequisite for maintaining a comprehensive view.

  • Technology and artificial intelligence provide meaningful support when fundamental structures are in place.

Developing risk management is primarily an organisational challenge. It concerns how information flows, who participates and how insights are linked to decision making. Finnish organisations are well positioned to move forward, yet the next phase of development requires deliberate structural choices and sustained leadership commitment.