The human factor in cybersecurity in 2026

Why FINMA expects evidence, not awareness programmes


The FINMA Risk Monitor 2025 places cyber risk, operational resilience and data integrity among the key supervisory priorities for the coming year. While much of the discussion focuses on systems and outsourcing, an underlying theme runs through the document and the related audit programmes: risk is amplified when human behaviour does not align with control design.

In 2026, institutions should expect FINMA and audit firms to assess human risk through observable evidence, not through attendance records.

From training to accountability

FINMA Circular 2023/1 embeds operational risk and resilience within governance, requiring defined responsibilities and effective control frameworks. The cyber risk audit programme for fund management companies and managers of collective assets translates this into testable requirements around access management, incident handling and control effectiveness.

The supervisory question has evolved. It is no longer sufficient to demonstrate that staff completed annual awareness training. Auditors will examine whether behaviour aligns with risk classification, access rights and escalation procedures.

The Risk Monitor’s emphasis on data integrity and interconnected systems reinforces this shift. A single lapse in judgement can propagate quickly across automated processes and outsourced environments. Human risk is therefore treated as part of operational resilience, not as a separate soft control.

What evidence means in practice

Evidence of human risk management tends to fall into three areas.

  1. Alignment between roles and access. Audit programmes require testing of need-to-know principles, segregation of duties and privileged access controls. This implicitly tests whether institutions understand which individuals carry elevated risk exposure.
  2. Documented review and follow-up. Where access anomalies or policy breaches occur, institutions must demonstrate response and remediation. Sample-based testing by auditors means that isolated oversights may be selected for examination.
  3. Escalation discipline. FINMA’s guidance on incident reporting, referenced in the cyber risk audit programme, assumes that staff recognise and escalate incidents promptly. Evidence must show that reporting lines function in practice.
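The first two evidence areas above, role-to-access alignment and documented review, are what an auditor samples when testing need-to-know, segregation of duties and privileged access. The following script is an added illustration of how an institution can produce that evidence mechanically rather than from memory; it is not code from the article, from FINMA or from any audit programme. The role model, the segregation-of-duties rule, the privileged entitlements and the user assignments are all constructed sample data, and the function names are the author's own assumptions.

```python
"""Access-review reconciliation that yields auditable findings.

Added example (not from the original article or any FINMA programme).
Every role, entitlement and user below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed role model: the entitlements each role is permitted to hold.
ROLE_MODEL = {
    "portfolio_manager": {"pm_read", "trade_entry"},
    "trade_settlement": {"settlement_approve", "pm_read"},
    "it_admin": {"ad_domain_admin", "vpn_full"},
    "compliance": {"pm_read", "audit_log_read"},
}

# Constructed segregation-of-duties rule: these pairs must never sit on one person.
SOD_CONFLICTS = {frozenset({"trade_entry", "settlement_approve"})}

# Constructed set of entitlements treated as privileged and subject to named review.
PRIVILEGED = {"ad_domain_admin", "settlement_approve"}

# Constructed snapshot of what the IAM system actually granted.
SAMPLE_ASSIGNMENTS = {
    "alice": {"roles": {"portfolio_manager"},
              "entitlements": {"pm_read", "trade_entry"}},
    "bob": {"roles": {"portfolio_manager", "trade_settlement"},
            "entitlements": {"pm_read", "trade_entry", "settlement_approve"}},
    "carol": {"roles": {"compliance"},
              "entitlements": {"pm_read", "audit_log_read", "vpn_full"}},
    "dave": {"roles": {"it_admin"},
             "entitlements": {"ad_domain_admin", "vpn_full"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "out_of_role", "sod_conflict" or "privileged"
    detail: str  # what a reviewer must either remediate or sign off


def review_access(assignments, role_model=ROLE_MODEL,
                  sod=SOD_CONFLICTS, privileged=PRIVILEGED):
    """Reconcile granted entitlements against the role model.

    Returns one Finding per item an access reviewer has to act on, in a
    stable order so two runs of the same snapshot produce the same record.
    """
    findings = []
    for user, granted in sorted(assignments.items()):
        roles = granted["roles"]
        ents = granted["entitlements"]
        # Need-to-know: an entitlement is justified only by an assigned role.
        permitted = set().union(*(role_model.get(r, set()) for r in roles))
        for ent in sorted(ents - permitted):
            findings.append(Finding(
                user, "out_of_role",
                f"{ent} is not justified by roles {sorted(roles)}"))
        # Segregation of duties: flag any forbidden combination held together.
        for pair in sod:
            if pair <= ents:
                findings.append(Finding(
                    user, "sod_conflict", " + ".join(sorted(pair))))
        # Privileged access: always surfaced, even when in role, so the
        # review record shows that someone looked at it and who holds it.
        for ent in sorted(ents & privileged):
            findings.append(Finding(user, "privileged", ent))
    return findings


def summarise(findings):
    """Counts by finding kind, suitable for tracking improvement over time."""
    return dict(Counter(f.kind for f in findings))


def run_review():
    """Run the review over the constructed snapshot."""
    return review_access(SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.user:6} {f.kind:13} {f.detail}")
    print(summarise(results))
```

Run repeatedly (for example quarterly), the dated output of `run_review()` plus the reviewer's disposition of each finding is the kind of traceable record that survives sample-based testing; the `summarise()` counts across runs are what answers the question of demonstrated improvement over time. On the constructed data it flags bob's trade-entry plus settlement-approval combination, carol's VPN entitlement that no role justifies, and the two privileged grants that need a named reviewer.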

Distinguishing expectations by institution type

Supervisory depth differs according to size and complexity, yet expectations of effectiveness remain consistent.

Large banks and private banks

Expect scrutiny of formal governance structures. Boards are expected to oversee operational and ICT risk, including behavioural exposure. Evidence may include structured access reviews, internal audit assessments and documented remediation of control breaches.

Smaller banks

Proportionality applies, but simplicity does not replace accountability. FINMA will look for clarity in role definitions, documented access reviews and clear incident escalation paths. Informal knowledge within small teams is difficult to evidence under audit sampling.

Fund management companies and independent wealth managers

Supervised under FinIA and assessed through the dedicated cyber risk audit programme, these institutions often rely heavily on external IT providers. Supervisory focus will include oversight of outsourced security functions and assurance that management understands residual behavioural risk.

For smaller managers, human risk often concentrates around a limited number of key individuals with broad access. This concentration is itself a supervisory consideration.

Beyond awareness

Awareness programmes remain relevant. They are, however, a baseline rather than a defence. FINMA’s supervisory direction, reflected in the Risk Monitor and the 2025 audit programmes, places emphasis on operational effectiveness, traceable documentation and governance accountability.

In 2026, auditors are likely to ask:

  • How do you identify roles with elevated behavioural risk?
  • How are privileged users monitored and reviewed?
  • How do you know staff escalate incidents correctly?
  • What evidence demonstrates improvement over time?

The difference is subtle but significant. Human risk is no longer framed as a training topic. It is treated as a measurable component of operational risk management.

Institutions that align behaviour, access and governance will find audits predictable. Those that rely on attendance lists may discover that awareness alone does not satisfy supervisory scrutiny.

Mohammad Hammoudeh

Information Security Specialist

Mohammad is one of Penta's main Information Security Specialists. It is his role to keep our clients secure from cyber threats. He works closely with customers to assess their current security set-up, establish a thorough risk management system and ensure that risk treatment plans are implemented correctly. Along with his team, he constantly monitors threat levels and ensures that our clients are fully protected.
