Pillar 9 · Cluster 3
Emerging risks in GBS operations
Shadow IT, ESG reporting, ethical AI governance, and social engineering threats represent the evolving risk landscape that GBS organizations must address proactively.
Emerging risk radar — from immediate threats to horizon risks
Sound familiar?
Topic 01 · Technology Risk
Shadow IT — risks and management strategies
Shadow IT is unapproved tooling doing real work — invisible to security, backups, and audits. It grows from good intentions. The model is in THE FIX.
The team’s real tracker
lives in an app IT has never heard of.
KKlaudia discovers the team’s actual workload tracker: a free online board, set up by a helpful colleague, holding customer names.
No approval, no backup, no access control, no idea who else can see it.
It runs the team’s day — and exists nowhere officially.
"Our most important tool was invisible to everyone protecting us."
She feels alarmed — mostly at how normal it had become.
You adopt helpful tools quietly and build critical work on ungoverned ground.
Shadow IT is handled by daylight, not punishment.
The board’s content moves to an approved tool in a week. The need survives; the exposure does not.
Shadow IT in depth
When GBS teams adopt tools, automations, and cloud services without IT approval, they create ungoverned data flows, security gaps, and compliance blind spots.
Shadow IT emerges when official IT processes are too slow, too rigid, or too disconnected from operational needs.
- A finance analyst signs up for a cloud-based reconciliation tool because the approved system is clunky.
- A team lead builds Power Automate flows that move sensitive data between systems without security review.
- An HR team stores employee data in a personal Google Drive.
Each instance creates risk:
- Data leakage
- Non-compliance
- Unsupported systems
- Undocumented processes
- Discover — inventory all tools and applications in use, not just the ones IT approved
- Assess — evaluate each shadow tool for security risk, data privacy compliance, and operational dependency
- Decide — for each tool: adopt (bring under IT governance), replace (migrate to approved alternative), or retire (remove and migrate data)
- Enable — create fast-track approval processes so teams can get legitimate tools approved in days, not months
- Monitor — continuous discovery of new unsanctioned tools through network monitoring and procurement controls
Business continuity — crisis comms, DR, alternate site, data backup
List every unofficial tool your team touches. Circle the ones holding real data.
Some new risks arrive as tools. Some arrive as reporting lines.
Topic 02 · Sustainability
ESG — measuring GBS sustainability impact
ESG reporting now runs through GBS — emissions data, supplier checks, workforce metrics flow through your processes and need audit-grade quality. The model is in THE FIX.
Sustainability was a poster.
Now it is a data request on your desk.
PA request lands with Peter: energy data, travel records, supplier certificates — for the group’s ESG report. Deadline attached.
He assumed sustainability lived in a corporate function far away.
Then he reads the request footer: this data feeds a regulated disclosure. Audit-grade quality expected.
"ESG stopped being a poster the day it became a data request."
He feels alerted — a new reporting stream just found his team.
You treat ESG requests as soft asks while regulators treat the output as hard disclosure.
ESG lands in GBS as a data supply chain.
He handles the request with financial-reporting discipline. Next cycle, the ESG team asks for him by name.
ESG for GBS in depth
Environmental, Social, and Governance reporting is becoming mandatory. GBS organizations contribute to ESG outcomes through energy consumption, workforce practices, and governance standards.
- Environmental — energy consumption of office facilities and data centers, business travel carbon footprint, paper and waste reduction
- Social — workforce diversity metrics, employee wellbeing programs, community impact, labor practices across geographies
- Governance — internal controls effectiveness, anti-corruption compliance, data privacy adherence, ethical AI governance
- Reporting — GBS teams increasingly required to collect, validate, and report ESG data as part of corporate sustainability disclosures
The GBS advantage — concentration risk vs faster response capability
Ask which ESG data flows through your process area. The answer may surprise you.
New reporting risk, meet new decision risk. The model is deciding things now.
Topic 03 · AI Governance
Ethical AI — governance of automated decisions
When AI makes or shapes decisions, someone must answer for them. Ethical AI in GBS means oversight, explainability, and a named human owner. The model is in THE FIX.
The model rejected the invoice.
Who signs for that?
PPriya’s new workflow auto-flags supplier invoices by risk score. One long-standing supplier keeps getting blocked.
Nobody can say why. The vendor asks. The model does not explain; it scores.
She asks the question the project never answered:
"Who checks the model — and who answers when it is wrong?"
She feels responsible — for a decision she did not make but must defend.
You inherit the model’s decisions without inheriting the means to explain them.
Ethical AI in operations is three named things.
The supplier case gets a human review lane and the model gets an owner. Automation stays — accountability arrives.
Ethical AI in depth
When AI makes or influences decisions in GBS — invoice approval routing, hiring screening, performance analytics — the organization needs governance to ensure those decisions are fair, transparent, and auditable.
- Transparency — users affected by AI-driven decisions should know that AI is involved and understand the general logic
- Fairness — AI models must be tested for bias across protected characteristics (gender, ethnicity, age, nationality)
- Accountability — every AI-driven decision must have a human owner who is accountable for the outcome
- Auditability — AI decision logic, training data, and outcomes must be documented and reviewable
- Human oversight — critical decisions (hiring, performance ratings, financial approvals) require human review, not full automation
AI risk framework — bias, explainability, privacy, oversight, accountability
For one automated decision in your process: name who can override it. Nobody? Escalate that.
Machines can be governed. Attackers target the humans instead.
Topic 04 · Cybersecurity
Social engineering and phishing awareness
GBS teams are prime phishing targets — payment authority plus process discipline equals exploitable trust. Verification beats vigilance. The model is in THE FIX.
The email knew your vendor.
And your payment day.
RAn email reaches Ravi: known supplier, correct logo, familiar tone. "Urgent: our bank account changed — update before Friday’s run."
One detail off: the reply-to domain, one letter different.
He almost missed it. The request matched his real calendar too well.
"It did not look like a scam. It looked like my Tuesday."
He feels shaken — by how close a click came.
You scan for bad grammar while modern attacks arrive fluent, timed, and researched.
Defense is a verification rule, not sharper eyes.
The callback exposes the fraud in two minutes. The report protects four other teams targeted the same week.
Phishing awareness in depth — GBS attack patterns
The most sophisticated security architecture is defeated by one employee clicking a malicious link. Social engineering exploits people, not systems.
- Urgency pressure — "Your account will be suspended in 24 hours" is designed to bypass rational judgment
- Impersonation — emails appearing to come from executives, IT support, or HR requesting credentials, wire transfers, or sensitive data
- Domain spoofing — email addresses that look legitimate but use subtle misspellings (rn instead of m, l instead of I)
- Unusual requests — any request to bypass normal processes, share passwords, or transfer funds through non-standard channels
- Attachment risk — unexpected attachments, particularly .exe, .zip, or macro-enabled Office documents from unknown senders
- Do not click, do not reply, do not forward to colleagues
- Report to IT security through the designated channel (phishing button, security email)
- If you already clicked — disconnect from the network immediately and contact IT security
- If financial fraud is suspected — contact the finance controls team and freeze the affected transaction
- Verify through a separate channel — if the request seems legitimate, call the sender directly using a known phone number
Agree the out-of-band rule with your team: bank changes get a callback, no exceptions.
Pillar 9 complete. Risks guarded — Pillar 10: now move whole processes safely.
- AI is not going to replace GBS professionals — but GBS professionals who use AI will replace those who do not. The routine, rule-based work is automating fast. The judgment calls, the stakeholder management, the exception handling — that is where your value moves. Start building those skills now.
- The risk most GBS leaders are not talking about: concentration risk. When you centralize processes into fewer hubs, you gain efficiency but increase exposure to local disruptions — political instability, infrastructure failures, talent market shifts. BCP is not a compliance exercise; it is an operational necessity.
Reference
Glossary
Full glossary at the GBS Insider Club Field Guide.
- Gartner — Managing Shadow IT in the Enterprise, 2025
- EU — Corporate Sustainability Reporting Directive (CSRD), 2022
- NIST — AI Risk Management Framework, 2023
- Verizon — Data Breach Investigations Report, 2025
- FBI IC3 — Internet Crime Report, 2024
Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.
The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.
Explore the Career Playbooks → Back to Compliance and Risk