Rhizome has been taking stock of the risk landscape for the Australian financial sector. Global volatility, AI and regulatory enforcement are nothing new, but the contours of these risks have shifted as they have become increasingly interconnected and self-reinforcing. In our view, risk management this year is all about recognising how different risks amplify one another and building the organisational resilience to withstand the compounded impact.

At a global level, the risk list almost feels too long to itemise. The critical point is that new threats, including armed conflict and major power instability, haven’t replaced earlier concerns; they’ve compounded them. The geopolitical environment has now become so volatile that the European Central Bank is planning a geopolitical reverse stress test – requiring some supervised banks to model a geopolitical event that results in a 3% decline in capital. It’s a warning signal that local organisations shouldn’t ignore.

Despite rapid improvements and rabid investment (or perhaps because of them), no one has quite grasped AI: both its potential and its potential risks. But as businesses move from experimentation to embedding AI, key risks are emerging.

First, at the organisational level, pressure for return on investment is driving risky deployments. With greater reliance on AI – and higher expectations of its performance – comes the need for stronger governance, especially as agents are rolled out. Keeping a human in the loop on decisioning will become increasingly difficult, and unintended consequences will follow.

Second, we see a medium-term risk to credit portfolios as businesses face the dual challenge of AI disrupting business models amid a slowing economy. This is a potential structural shift that is not getting the attention it deserves, and we’ll write more on this in an upcoming piece.

Third, the much-discussed AI-fuelled bubble/not bubble and ‘caSaaStrophe’, with its hyperactive debt issuance (see, for example, Alphabet’s 100-year bond), will have wide-reaching fallout should the bubble in fact burst, or even deflate at speed. Financial difficulties in a large tech provider will not just affect market stability but also create an enormous third-party supplier risk. Let’s not forget how a highly socially-connected network influenced a run scenario in the case of Silicon Valley Bank.

AI has materially enhanced the sophistication, scale and coordination of scams, fraud and cyber‑enabled attacks. Generative AI tools are now capable of producing highly convincing identity documents, financial statements, loan applications and supporting artefacts that can evade traditional controls and human review. This marks a shift from opportunistic or manual fraud to systematic, automated deception embedded within legitimate‑appearing processes. AI is also lowering barriers for social engineering, phishing and account compromise by enabling more targeted, personalised and credible attack vectors. The Australian Financial Review recently reported on the Commonwealth Bank identifying large‑scale suspected fraud involving AI‑generated lending documentation, which highlights that this threat is no longer theoretical but an emerging feature of the operating environment.

Among the global uncertainty, with slowing growth and increasing inflation here in Australia, the demand for productivity gains will continue – and this might manifest in pressure for regulators to ease up on the sector. While that may be the case, it is more likely to look like a slowdown of reform, reduced push for upgrades or another round of red tape reduction. The better outcome would be a genuine return on the data management and capability investments regulators have made – driving more efficient supervision for both sides – rather than any retreat from the major enforcement action both regulators remain committed to pursuing.

Super still in the spotlight

Appointing Chief Enforcer Sarah Court as ASIC Chair sends a clear signal: whatever is happening globally, the appetite for decisive action against poor conduct in our financial sector remains strong. To this end, we expect the superannuation reckoning to continue, particularly as the fallout from First Guardian and Shield persists. While super fund risk management is arguably in better shape than it was a few years ago, structures remain fragmented and complex, controls are manual, and legacy systems and incomplete mergers remain sources of member risk. The dissatisfaction with member experience, together with the ‘silver tsunami’, is also showing up in consumer behaviour, as funds flow from larger super funds to managed platforms. At the same time, opaque and under-prioritised investment management, as revealed by Shield and First Guardian, harbours additional risk, and risk of regulatory action. This is connected with the increased investment in, and scrutiny over, private credit and the potential for contagion from the failure of major service providers.

Executives will be accountable

Regulators will likely have been breathing a sigh of relief that Shayne Elliott withdrew his case against ANZ, with the risk it held of undermining executive accountability. Although not tested in court, the fact that the remuneration consequence will go forward, and that Elliott does face consequences of ANZ’s poor conduct, is a win for executive accountability and a warning to other executives. We expect the regulators to continue to push for individual accountability, especially of the remuneration kind, and to continue to wield the FAR as a tool for forcing improvement from institutions.

Risk isn’t just growing – it’s compounding. The only certainty in 2026 is that uncertainty will remain, and predicting what the world – let alone the financial sector – will look like in 12 months’ time is anyone’s guess.

So many of these risks fall into areas beyond the control of any organisation. While catastrophic risks might remain low likelihood, the way risks are intersecting means that events in one domain can quickly spread. The key will be to understand the pressure points and connections – where geopolitical events cross over with enhanced regulator scrutiny, such as in super fund governance; where top-of-cycle credit practices collide with AI-induced displacement and market restructuring; where vendor and third-party concentration interact with US volatility… 2026 is the year where risk identification, management and analysis really need to break out of their silos. As is emphasised by CPS230 requirements, avoidance is out and resilience is in.

To succeed in the current environment, organisations need to cultivate a level of durability that can withstand multi-level, multi-part risks. Organisations that are ahead of the curve understand where the connections lie and how the risks perpetuate or reinforce one another by mapping connections and conducting frequent, cross-cutting scenario testing that creates pathways for a managed response to compounded risks. They are already building the resilience to withstand events that are largely beyond the realm of controls by testing assumptions and recalibrating often. Their Boards and Executives aren’t distracted by avoidable, manageable risks. Their governance structures recognise and account for intersecting risks, and they are ready to respond. Not all organisations are there yet, but those who manage to do this well will stand out, and stand firm.


This publication is provided for information only and is not intended as a recommendation or an offer or solicitation for the purchase or sale of any security or financial instrument. The opinions, estimates, strategies and views expressed in this publication constitute our views as of the date of this publication and are subject to change without notice. The information contained herein is as of the date of this publication and Rhizome Advisory Group does not undertake any obligation to update such information. Any market prices, data or other information contained herein are not warranted as to completeness or accuracy and are subject to change without notice. This document does not purport to contain all of the information that an interested party may desire and provides only a limited view of a particular market, product and/or service. This document does not constitute advice by or on behalf of Rhizome Advisory Group and nothing in this document should be construed as legal, regulatory, tax, accounting, investment or other advice. No reliance should be placed on the information herein. The recipient must make an independent assessment of any legal, credit, tax, regulatory and accounting issues and determine with its own professional advisors any suitability or appropriateness implications and consequences of any transaction in the context of its particular circumstances. Rhizome Advisory Group assumes no responsibility or liability whatsoever to any person in respect of such matters. Transactions involving securities and financial instruments mentioned herein may not be suitable for all investors.