Business resilience is now one of the five highest risk areas for organizations in North America, according to the annual Risk in Focus report published by The Institute of Internal Auditors. Business resilience risk increased 5 percentage points from 2024 to 2025 and now represents the second-highest priority for internal audit activities after cybersecurity. [1] The survey results for Risk in Focus 2026 are based on responses from more than 4,000 internal audit leaders across Asia Pacific, Europe, Latin America, North America, Africa, and the Middle East. In addition, 18 roundtables were conducted with 182 participants, along with 24 in-depth interviews with audit leaders
Business resilience is now one of the five highest risk areas for organizations in North America, according to the annual Risk in Focus report published by The Institute of Internal Auditors
The prominence of business resilience as a critical risk area reflects today’s increasingly complex risk environment, characterized by evolving geopolitical tensions, regulatory change, and technological disruption. These dynamics have intensified the need for organizations to maintain operational continuity and ensure long-term sustainability.
As such, clarifying the meaning of organizational resilience and understanding internal audit’s role in enhancing it—without stepping beyond internal audit’s mandate—have become priorities for boards, senior management, and risk and compliance professionals.
Defining Organizational Resilience
According to the International Organization for Standardization (ISO),[2] organizational resilience is defined as an organization’s ability to effectively absorb and adapt to changes within the organization’s environment. Lack of resilience can disrupt an organization’s ability to deliver its core products and services, fulfil its strategic objectives, maintain financial stability, and retain stakeholder trust.
Organizations face existential threats that may emerge abruptly—for example, natural disasters, cyberattacks, and geopolitical shocks[3]– or may build up gradually over time—for example, resource scarcity, public health crises, technological disruption, and regulatory change. Notably, two of these areas—digital disruption and regulatory change—were among the five fastest-growing risks in North America, according to this year’s Risk in Focus report.
Building and sustaining organizational resilience requires strategic planning across the organization, and encompasses effective governance, robust enterprise risk management, and comprehensive internal control frameworks.
Internal Audit’s Role Across Governance, Risk, and Controls
The internal audit function contributes to organizational resilience by providing assurance and advisory services for the effectiveness and completeness of governance systems, risk management processes, and internal controls related to key resilience vulnerabilities.
Supporting effective governance structures:
Human capital and communication are central components of effective governance in any organization. Internal auditors play a critical role in facilitating consistent dialogue between boards and senior management to ensure that resilience is embedded in long-term planning, annual budgeting, and organizational culture.
To support effective governance for resilience, internal auditors can assess whether several components have been accomplished, and the degree of their maturity within the organization. These are:
- A formal organizational resilience strategy has been established and is updated periodically, including assessing whether the strategy supports the achievement of organizational goals and objectives during disruption.
- The financial resources necessary to support resilience—for example, liquidity, insurance coverage, and contingency funding—are periodically analyzed and communicated to the board.
- Roles and responsibilities are clearly defined and effectively filled across the organization.
- Staff receive periodic training—including scenario-based simulations—on resilience policies and procedures.
- Competencies of team members who fill critical roles in the resilience strategy are regularly reassessed, and a succession plan exists.
Ensuring robust risk management
Internal audit works closely with enterprise risk management teams to evaluate how the organization identifies, monitors, reports, and responds to resilience-related risks. A key component of this work is assessing whether proper procedures exist to monitor resilience risks and promptly respond to those risks that exceed the organization’s defined risk tolerance or that violate regulatory requirements.
Internal audit also evaluates whether accountability structures for risk management are clearly established, including whether a team or individual is designated to routinely monitor and report how resilience-related risks are being managed. Further, internal audit practitioners should assess whether the organization’s risk management strategy is reviewed on a regular basis. The objective of such a review would be to maintain the strategy’s alignment with evolving strategic goals and the external risk environment, and to ensure that the strategy is clearly and effectively communicated across the organization.
Evaluating the strength of internal controls
Internal audit also plays an essential role in evaluating the effectiveness and implementation of internal controls designed to mitigate negative impacts on organizational resilience.
This evaluation includes assessing whether business continuity and disaster recovery plans are not only established but also routinely tested. The results of this testing, and key improvement opportunities that it reveals, are reported regularly to the board and the executive line within the organization.
To further support operational stability, internal auditors are also responsible for assessing whether sufficient policies, processes, and procedures are in place to adapt the working environment during crises—for example, implementing alternative workplace arrangements such as remote work or temporary facilities if needed. During the COVID-19 pandemic, organizations worldwide experienced firsthand the importance of remaining agile and prepared for changes in the working environment[4]—a key aspect of resilience that continues to be critical today.
With respect to human capital, internal audit evaluates whether staff receive adequate training on resilience policies and procedures, so that they’re prepared if and when crises and emergencies occur.
Conclusion
By encouraging cross-functional communication and collaboration and providing strategic guidance on governance frameworks, risk-based strategies, and controls, internal audit is poised to continue playing a critical role in supporting organizational resilience.
Citations
Alonso, César. June 26, 2025. “ISO 22316. Organizational resilience.” GlobalSuite Solutions. https://www.globalsuitesolutions.com/iso-22316-organizational-resilience/.
Institute of Internal Auditors. n.d. “Public consultation draft: Organizational resilience topical requirement” https://www.theiia.org/globalassets/site/standards/topical-requirements/public-comment-period/organizational_resilience_tr_pubcom-draft-english.pdf.
Internal Audit Foundation. September 24, 2025. “Risk in Focus North America 2026” (report). https://www.theiia.org/globalassets/site/foundation/latest-research-and-products/risk-in-focus/2026/2026-na-report-en-riskinfocus.pdf.
Pabilonia, Sabrina Wulff, and Jill Janocha Redmond. October 2024. “The rise in remote work since the pandemic and its impact on productivity.” Beyond the numbers 13, no. 8. U.S. Bureau of Labor Statistics. https://www.bls.gov/opub/btn/volume-13/remote-work-productivity.htm#:~:text=The%20COVID%2D19%20pandemic%20brought,for%20most%20workers%20and%20firms.
[1] Internal Audit Foundation, “Risk in Focus North America 2026” (report), 8, 10, 12.
[2] Alonso, “ISO 22316. Organizational resilience.”
[3] Institute of Internal Auditors, “Public consultation draft: Organizational resilience topical requirement.”
[4] Wulff and Redmond, “The rise in remote work since the pandemic and its impact on productivity,” U.S. Bureau of Labor Statistics.
