This article draws on client insights, in-depth conversations with colleagues and experts, and feedback discussions during Autumn 2025. We cover a broad spectrum of topics, including resilience, supplier risk management, sustainability, risk and governance, cyber, AI, change and transformation, data and analytics, and technology.
It is time for a mindset change in resilience, from focusing on regulatory requirements to exploring how resilient the business is. We leave behind the regulatory deadlines in 2025, as firms look for value from focusing on embedding. Inevitably, evidence of progress will be required ahead of the next board self-assessment (due in March 2026), but organisations will want to see more than just addressing commercial vulnerabilities.
It is also time for organisations to review their operating models to ensure that resilience activities transition from a project environment into business as usual. Related disciplines like business continuity (BC) and supplier risk management must also be shown to work together.
Maintaining resilience requires the ongoing identification of vulnerabilities and their remediation. This is where enhancing the quality of the stress testing, not just scenarios, becomes fundamental. We see more companies moving from tabletop exercises, focused on ‘tell me’ approaches, to more sophisticated exercises that require a ‘show me’ demonstration of their response.
2026 is the year of Supplier Risk Management (SRM). Long neglected, its time has come now that the operational resilience deadline has passed. SRM is emerging as the next big operational issue.
Most organisations have an SRM framework, but these frameworks are not currently adding value or providing effective assurance due to poor integration. A cross-functional approach is needed to better integrate with risk management and resilience frameworks. Too much focus on due diligence is getting in the way of effective oversight.
At the same time, pressures from cyber, technology, resilience and sustainability are leading to an increased focus on SRM. This is inevitable in a complex and interconnected economy. It means reconsidering procurement’s role as a driver of resilience and value and ensuring that SRM is understood and properly managed.
This is a complex space with both divergence and convergence. Some countries have halted new sustainability requirements (US), others scaled back (EU), while others, such as the UK, Canada, Switzerland and Australia, continue to strengthen requirements. International organisations continue to seek to navigate this complex environment.
There is a shift from voluntary disclosures to mandatory disclosures and an increased focus on assurance of sustainability reporting. This requires more robust policies, process documentation and governance.
Meeting assurance expectations will require coordination, future-ready operating models and tools to support stronger governance. These trends challenge companies’ ability to integrate sustainability into decision-making, particularly around product innovation, risk selection and pricing.
In 2025, the UK government’s growth-oriented focus recalibrated regulatory risk for financial services through the Mansion House speech. In 2026, we expect to see this translated into specific regulatory changes.
With several key regulations, such as Consumer Duty, operational resilience and Solvency UK, now implemented, the focus moves to monitoring. A different mindset is required that refocuses the risk function on deep dives across the business. This should also help CEOs and CROs to internally reposition risk management as a growth enabler.
It is time for risk functions to focus on efficiency. They should review the value-add of their activities and consider stopping, automating, and outsourcing lower-value risk activities, freeing up resources for new challenges.
A key initiative in 2026 will be the implementation of the FCA’s non-financial misconduct rule, which is part of its diversity and inclusion drive. This has now been refocused on misconduct using the established regulatory risk playbook – governance, processes and management information (MI). Effective implementation will require an alignment with diversity and inclusion, even if it is not mandated.
Recent high-profile breaches via suppliers highlight the need for stronger third-party risk management, including adequate incident response preparation. This represents a wake-up call for all sectors.
Financial services remain a particular target, with AI enabling advanced social engineering as a precursor to ransomware. Training and awareness of the latest threats alongside robust layering of controls remain essential to identify and slow or stop attacks as quickly as possible.
Cyber will stay as a regulatory priority, beyond IT, given the regulators’ focus on resilience and security. The UK Cyber Security & Resilience Bill (2026) will emphasise SRM and incident response capabilities, shaping good practice for financial services.
AI’s capability to transform businesses remains relatively untapped. At the same time, AI continues to develop, acting as a catalyst for reimagining the future and accelerating transformation opportunities for operating models.
Capturing this opportunity will require careful investments, evidence of value and governance guardrails to stay ahead of evolving regulatory expectations. This will include processes to use AI responsibly.
At the same time, wider change and transformation activities continue, evolving from episodic initiatives to continuous and enterprise-wide initiatives. Achieving this shift requires alignment with strategic goals, workforce capabilities and cultural readiness, along with stronger governance and BAU transition plans.
The hype around AI and large language models is fading, replaced by sensible use cases like fraud detection and data cleansing. These may not be glamorous, but they add value to business and are often low risk. Firms may train small language models on their own risk framework and policies and create a ‘chatbot’ for first-line use.
It is important that the limits of AI are well understood and that AI should not replace human thinking and communication. The importance of human edge preservation should be recognised by:
Data and analytics extend beyond AI. Value lies in integrating data sources, including untapped data from social media insights (for example) and managing model risk to ensure that predictive models remain robust and interpretable. Progressive firms are exploring enhancing data collection through smart sensors to provide a continuous stream of data to improve risk assessment and customer engagement.
Ethical use of data will become a decision factor for some and impact how data is used, particularly when it relates to how consumer data is used. Data ethics considerations will begin with data sourcing and include how it is managed and how it is accessed.
Chief Information Officers (CIOs) will continue managing the multi-year implications of the transition to the cloud. As this progress matures, priorities are shifting to fulfilling the potential of the cloud, delivering business value, by redesigning functional operating models and handling legacy systems.
The UK takes a principles-based approach to AI regulation, using existing laws and regulators while tightening expectations around safety, transparency, fairness, accountability, and contestability. CIOs need to evolve technology governance, including business cases, to ensure that these regulatory expectations are adequately covered.
The perspective of technology resilience is also changing. This has been traditionally characterised by threat identification and prevention. Cloud reliance, dependencies on third parties and applications mean that resilience is shaped by the ability to recover, which requires testing and developing effective playbooks.
Overall, three headline messages emerge for 2026.
At Crowe, we understand that navigating the evolving landscape of 2026, marked by shifting regulatory priorities, technological transformation, and heightened expectations around resilience and sustainability, requires more than just compliance. It demands a holistic, integrated approach that aligns risk management, supplier oversight, and innovation with your unique business model.
Drawing on our experience supporting organisations across sectors, we focus on what works in practice, not just what is expected on paper. Whether you’re looking to strengthen your supplier risk management, embed resilience, or harness the potential of AI and data, we offer practical support tailored to your needs.
If you would like to discuss how these themes might apply to your organisation, we would be happy to explore how we can support you.