
Internal audit is under increasing pressure as the risk environment grows more complex and interconnected. Risk management has risen over 50 percent in importance among CEOs in the past year, reflecting the urgency for organizations to adapt.
During the keynote address to Assurance leaders at the Gartner Enterprise Risk, Audit & Compliance Conference last year, we advised that the traditional model of risk management is collapsing under the weight of increased risk velocity, complexity, and cross-functional boundaries. This pressure creates an opportunity for internal audit to enable business process, risk, and control owners to be more proactive and coordinated in their risk identification and response.
Internal audit should help create a culture where the business’s risk ownership becomes second nature, or what Gartner calls a “risk reflex.” In practice, that means helping the business spot issues earlier, escalate concerns faster, and act with greater confidence when the path forward is not entirely clear.
Bridging the Risk Confidence Gap
While 88 percent of business risk owners are highly motivated to manage risk, only 35 percent feel confident in their ability to do so, according to Gartner research. This confidence gap represents a critical vulnerability. When risk owners hesitate or treat risk management as a separate activity, organizations lose the ability to respond quickly and cohesively to emerging threats.
Internal audit leaders must step in as coaches who guide business leaders to recognize, respond to, and internalize risk responsibilities until these behaviors become instinctive. This transformation requires a deliberate approach that combines better design, better conversations, and the right reinforcement, supported where appropriate by technology and AI-enabled tools.
Three foundations that audit leaders should focus on to build stronger risk reflexes are:
1. Engineer Systems That Make Risk Ownership Unavoidable
Focus oversight on identifying processes and tools where risk management tasks can be integrated into daily workflows and cannot be easily bypassed.
Small, deliberate changes, such as embedding risk checkpoints in contract renewals, project milestones, or approval workflows, make risk actions more prominent, more expected, and more socially reinforced. For internal audit, the opportunity is to assess whether key controls and risk responsibilities are truly built into the way work gets done, rather than sitting alongside the business as separate exercises.
For example, a contract management system that doubles as a third-party risk platform can ensure due diligence is completed before renewals, making compliance a more seamless part of the process. The same principle can apply in transformation work, issue management, and operational decision-making: if the right behavior is easy to find and hard to avoid, organizations are more likely to do the right thing at the right time.
2. Provoke Deeper Engagement
Create intentional stimuli that prompt business leaders to think critically, respond thoughtfully, and act decisively. If audit wants quicker action or more insightful responses from the business, then audit must first deliver greater insights or ask more insightful questions.
For example, move beyond surface-level risk assessments by asking more specific, thought-provoking questions, such as: “What would cause us to miss our objectives?” or “How open is management to hearing bad news?” Internal audit can strengthen the quality of insight it receives by designing questions or conversations that challenge business partners’ conventional thinking and encourage candid responses.
This also means designing the audit plan or scoping audit engagements to intentionally deliver more provocative, actionable insights. For example, design project audits to assess not only governance, but also the project environment, including incentives, information flows, and stakeholder alignment. When assurance leaders provoke better thinking, they get better results or actions in return. In fact, when audit provides insights on the project environment and enables the root cause of project failure to be addressed, 95 percent of projects achieve all their success targets.
3. Recognize and Reinforce Good Risk Behaviors
Reinforce positive risk behaviors through visible recognition and practical reward systems.
Highlight and celebrate proactive risk management, transparency and continuous improvement rather than perfect outcomes. Use dashboards, leadership communications, and recognition platforms to showcase exemplary behaviors and share success stories across teams, motivating others to emulate best practices.
For internal audit, this can be as simple as calling out teams that escalate issues early, collaborate well on remediation, or surface risks before they become findings. Recognition helps normalize the idea that strong risk ownership is not only expected but valued.
Building a Culture of Risk Ownership
Identify opportunities to engineer systems so risk ownership is unavoidable: Integrate risk management into existing workflows and make it difficult to overlook or bypass.
Provoke deeper engagement: Use intentional questions and insights to challenge risk owners and drive thoughtful, proactive action.
Recognize and reinforce good risk behaviors: Publicly celebrate effective risk management to foster a culture of continuous improvement.
Especially in today’s environment of rapid change and interconnected risks, internal audit cannot rely on its centralized assessment of risk and controls alone. Success depends on building a culture where business risk ownership is reflexive and supported by systems, interactions, and recognition that make the right behaviors more automatic.
By closing the risk confidence gap, assurance leaders can enhance not only risk management processes but also the speed, resilience, and decision quality of the entire organization. The time to strengthen your organization’s risk reflexes is now.
Tegan Gebert is Vice President, Advisory, at Gartner. Chris Audet is Vice President and Chief of Research at Gartner. And Doug Eckstein is Distinguished Vice President, Research at Gartner.

