GBS Insider ClubField Guide Free
Emerging Risk June 2026

Pillar 9 · Cluster 3

Emerging risks in GBS operations

Shadow IT, ESG reporting, ethical AI governance, and social engineering threats represent the evolving risk landscape that GBS organizations must address proactively.

40%Of enterprise applications are Shadow IT
ESGReporting becoming mandatory in EU from 2024
91%Of cyberattacks begin with a phishing email
Emerging risk radar — AI governance, cybersecurity, geopolitical disruption, business continuity

Emerging risk radar — from immediate threats to horizon risks

AI Governance Bias and oversight Responsible automation Cyber Risk Phishing / Shadow IT Human firewall ESG Sustainability Measure GBS impact
Emerging Risk Landscape

Topic 01 · Technology Risk

Shadow IT — risks and management strategies

TL;DR

Shadow IT is unapproved tooling doing real work — invisible to security, backups, and audits. It grows from good intentions. The model is in THE FIX.

The team’s real tracker
lives in an app IT has never heard of.

2 min read · full theory in the expandable
The Problem
K
Klaudia
Senior associate · Year 3 · Krakow

Klaudia discovers the team’s actual workload tracker: a free online board, set up by a helpful colleague, holding customer names.

No approval, no backup, no access control, no idea who else can see it.
It runs the team’s day — and exists nowhere officially.

"Our most important tool was invisible to everyone protecting us."

She feels alarmed — mostly at how normal it had become.

The Trap

You adopt helpful tools quietly and build critical work on ungoverned ground.

The Fix

Shadow IT is handled by daylight, not punishment.

INVENTORYSurface the tools honestly. Amnesty framing: what do we actually use?
RISK-SORTData sensitivity decides urgency. Customer data in a free app is the fire; a meme channel is not.
LEGALIZE OR REPLACERoute the need through IT. The need was real — meet it with a governed tool.

The board’s content moves to an approved tool in a week. The need survives; the exposure does not.

Shadow IT in depthTHEORY · 4 MIN

When GBS teams adopt tools, automations, and cloud services without IT approval, they create ungoverned data flows, security gaps, and compliance blind spots.

Shadow IT emerges when official IT processes are too slow, too rigid, or too disconnected from operational needs.

  • A finance analyst signs up for a cloud-based reconciliation tool because the approved system is clunky.
  • A team lead builds Power Automate flows that move sensitive data between systems without security review.
  • An HR team stores employee data in a personal Google Drive.

Each instance creates risk:

  • Data leakage
  • Non-compliance
  • Unsupported systems
  • Undocumented processes
Shadow IT management approach
  • Discover — inventory all tools and applications in use, not just the ones IT approved
  • Assess — evaluate each shadow tool for security risk, data privacy compliance, and operational dependency
  • Decide — for each tool: adopt (bring under IT governance), replace (migrate to approved alternative), or retire (remove and migrate data)
  • Enable — create fast-track approval processes so teams can get legitimate tools approved in days, not months
  • Monitor — continuous discovery of new unsanctioned tools through network monitoring and procurement controls
BUSINESS CONTINUITY PLAN IDENTIFYCritical processesWhat breaks first? PLANBackup proceduresManual workarounds TESTSimulate disruptionAnnual drill minimum RECOVERReturn to normalLessons learned KNOW YOUR BCP BEFORE THE CRISIS HITS

Business continuity — crisis comms, DR, alternate site, data backup

Monday Move

List every unofficial tool your team touches. Circle the ones holding real data.

Some new risks arrive as tools. Some arrive as reporting lines.

Topic 02 · Sustainability

ESG — measuring GBS sustainability impact

TL;DR

ESG reporting now runs through GBS — emissions data, supplier checks, workforce metrics flow through your processes and need audit-grade quality. The model is in THE FIX.

Sustainability was a poster.
Now it is a data request on your desk.

2 min read · full theory in the expandable
The Problem
P
Peter
Team lead · Year 2 · Budapest

A request lands with Peter: energy data, travel records, supplier certificates — for the group’s ESG report. Deadline attached.

He assumed sustainability lived in a corporate function far away.
Then he reads the request footer: this data feeds a regulated disclosure. Audit-grade quality expected.

"ESG stopped being a poster the day it became a data request."

He feels alerted — a new reporting stream just found his team.

The Trap

You treat ESG requests as soft asks while regulators treat the output as hard disclosure.

The Fix

ESG lands in GBS as a data supply chain.

THE FLOWSWhat routes through you. Emissions inputs, supplier data, workforce metrics, travel and energy records.
THE STANDARDAudit-grade, not best-effort. Source, method, and evidence — same discipline as financial data.
THE ANGLEEarly skill, scarce skill. ESG data literacy is new enough that owning it gets noticed.

He handles the request with financial-reporting discipline. Next cycle, the ESG team asks for him by name.

ESG for GBS in depthTHEORY · 4 MIN

Environmental, Social, and Governance reporting is becoming mandatory. GBS organizations contribute to ESG outcomes through energy consumption, workforce practices, and governance standards.

GBS contribution to ESG metrics
  • Environmental — energy consumption of office facilities and data centers, business travel carbon footprint, paper and waste reduction
  • Social — workforce diversity metrics, employee wellbeing programs, community impact, labor practices across geographies
  • Governance — internal controls effectiveness, anti-corruption compliance, data privacy adherence, ethical AI governance
  • Reporting — GBS teams increasingly required to collect, validate, and report ESG data as part of corporate sustainability disclosures
GBS RISK ADVANTAGE STANDARDIZATIONConsistent controls globally CONCENTRATIONExpertise in fewer locations VISIBILITYCentralized monitoring GBS REDUCES RISK BY DESIGN · USE IT AS A SELLING POINT

The GBS advantage — concentration risk vs faster response capability

Monday Move

Ask which ESG data flows through your process area. The answer may surprise you.

New reporting risk, meet new decision risk. The model is deciding things now.

Topic 03 · AI Governance

Ethical AI — governance of automated decisions

TL;DR

When AI makes or shapes decisions, someone must answer for them. Ethical AI in GBS means oversight, explainability, and a named human owner. The model is in THE FIX.

The model rejected the invoice.
Who signs for that?

2 min read · full theory in the expandable
The Problem
P
Priya
Process SME · Migration + BAU · Bangalore

Priya’s new workflow auto-flags supplier invoices by risk score. One long-standing supplier keeps getting blocked.

Nobody can say why. The vendor asks. The model does not explain; it scores.
She asks the question the project never answered:

"Who checks the model — and who answers when it is wrong?"

She feels responsible — for a decision she did not make but must defend.

The Trap

You inherit the model’s decisions without inheriting the means to explain them.

The Fix

Ethical AI in operations is three named things.

OWNERA human answers for the model. Named, reachable, and able to override.
EXPLAINABILITYReasons, not just scores. If a decision affects someone, "the model said so" is not an answer.
DRIFT WATCHModels age. Regular checks that yesterday’s accuracy still holds on today’s data.

The supplier case gets a human review lane and the model gets an owner. Automation stays — accountability arrives.

Ethical AI in depthTHEORY · 4 MIN

When AI makes or influences decisions in GBS — invoice approval routing, hiring screening, performance analytics — the organization needs governance to ensure those decisions are fair, transparent, and auditable.

AI governance principles for GBS
  • Transparency — users affected by AI-driven decisions should know that AI is involved and understand the general logic
  • Fairness — AI models must be tested for bias across protected characteristics (gender, ethnicity, age, nationality)
  • Accountability — every AI-driven decision must have a human owner who is accountable for the outcome
  • Auditability — AI decision logic, training data, and outcomes must be documented and reviewable
  • Human oversight — critical decisions (hiring, performance ratings, financial approvals) require human review, not full automation
Transparency Users know AI is involved Fairness Test for bias, all groups Accountability Human owner per decision Auditability Decisions documented Human Oversight Review critical decisions
AI governance requires human oversight always.
AI & EMERGING RISK DATA PRIVACYPII in AI training data BIAS & ACCURACYAI outputs need validation GOVERNANCE GAPPolicies lag behind tech AI AMPLIFIES BOTH EFFICIENCY AND RISK · HUMAN OVERSIGHT REMAINS ESSENTIAL

AI risk framework — bias, explainability, privacy, oversight, accountability

Monday Move

For one automated decision in your process: name who can override it. Nobody? Escalate that.

Machines can be governed. Attackers target the humans instead.

? CHALLENGE YOURSELF click to expand
  • How would your team operate if your primary system went down for 48 hours? Do you have manual workarounds documented and tested?
  • Can you identify a shadow IT risk in your area — tools or systems being used without IT approval or security review?
  • How is your organization approaching ethical AI? Do you know the guidelines for using AI tools in your work?

Topic 04 · Cybersecurity

Social engineering and phishing awareness

TL;DR

GBS teams are prime phishing targets — payment authority plus process discipline equals exploitable trust. Verification beats vigilance. The model is in THE FIX.

The email knew your vendor.
And your payment day.

2 min read · full theory in the expandable
The Problem
R
Ravi
AP analyst · Month 8 · Pune

An email reaches Ravi: known supplier, correct logo, familiar tone. "Urgent: our bank account changed — update before Friday’s run."

One detail off: the reply-to domain, one letter different.
He almost missed it. The request matched his real calendar too well.

"It did not look like a scam. It looked like my Tuesday."

He feels shaken — by how close a click came.

The Trap

You scan for bad grammar while modern attacks arrive fluent, timed, and researched.

The Fix

Defense is a verification rule, not sharper eyes.

OUT-OF-BANDBank changes verified by known phone number. Never through the requesting email’s channel.
NO URGENCY OVERRIDEPressure is the tell. Real vendors survive a one-day verification delay.
REPORT FASTNear-misses go to security. Your almost-click protects the colleague who would have clicked.

The callback exposes the fraud in two minutes. The report protects four other teams targeted the same week.

Phishing awareness in depth — GBS attack patternsTHEORY · 4 MIN

The most sophisticated security architecture is defeated by one employee clicking a malicious link. Social engineering exploits people, not systems.

Phishing red flags every GBS professional must know
  • Urgency pressure — "Your account will be suspended in 24 hours" is designed to bypass rational judgment
  • Impersonation — emails appearing to come from executives, IT support, or HR requesting credentials, wire transfers, or sensitive data
  • Domain spoofing — email addresses that look legitimate but use subtle misspellings (rn instead of m, l instead of I)
  • Unusual requests — any request to bypass normal processes, share passwords, or transfer funds through non-standard channels
  • Attachment risk — unexpected attachments, particularly .exe, .zip, or macro-enabled Office documents from unknown senders
Response protocol
  • Do not click, do not reply, do not forward to colleagues
  • Report to IT security through the designated channel (phishing button, security email)
  • If you already clicked — disconnect from the network immediately and contact IT security
  • If financial fraud is suspected — contact the finance controls team and freeze the affected transaction
  • Verify through a separate channel — if the request seems legitimate, call the sender directly using a known phone number
Monday Move

Agree the out-of-band rule with your team: bank changes get a callback, no exceptions.

Pillar 9 complete. Risks guarded — Pillar 10: now move whole processes safely.

JT
JULIAN'S PERSPECTIVE
  • AI is not going to replace GBS professionals — but GBS professionals who use AI will replace those who do not. The routine, rule-based work is automating fast. The judgment calls, the stakeholder management, the exception handling — that is where your value moves. Start building those skills now.
  • The risk most GBS leaders are not talking about: concentration risk. When you centralize processes into fewer hubs, you gain efficiency but increase exposure to local disruptions — political instability, infrastructure failures, talent market shifts. BCP is not a compliance exercise; it is an operational necessity.
? CAREER CHECK click to expand
  • Emerging risks like AI, ESG, and cybersecurity are reshaping GBS. How are you staying current on these topics?
  • BCP ownership is increasingly a line-management responsibility, not just a compliance function. Are you prepared to own it for your area?
  • The professionals who understand both operational risk and emerging risk become the advisors leadership trusts. Which dimension needs more of your attention?
GBS Insider Club learning paths offer structured career frameworks, practical templates, and guided exercises tailored to your GBS role — from entry-level to leadership.

Reference

Glossary

Full glossary at the GBS Insider Club Field Guide.

Shadow ITTechnology tools, applications, and cloud services adopted by business teams without formal IT department approval or governance.
ESGEnvironmental, Social, and Governance — the three pillars of sustainability reporting. Increasingly mandated by regulation and expected by investors.
CSRDCorporate Sustainability Reporting Directive — EU regulation requiring companies to disclose detailed ESG information. Effective from 2024 for large companies.
AI biasSystematic errors in AI model outputs that result in unfair treatment of individuals based on protected characteristics. Can emerge from biased training data, model design, or deployment context.
PhishingA social engineering attack using deceptive emails, messages, or websites to trick individuals into revealing credentials, clicking malicious links, or transferring funds.
BECBusiness Email Compromise — a sophisticated phishing attack where criminals impersonate executives or trusted partners to authorize fraudulent wire transfers or data disclosures.
Sources and further reading
  1. Gartner — Managing Shadow IT in the Enterprise, 2025
  2. EU — Corporate Sustainability Reporting Directive (CSRD), 2022
  3. NIST — AI Risk Management Framework, 2023
  4. Verizon — Data Breach Investigations Report, 2025
  5. FBI IC3 — Internet Crime Report, 2024
Theory done. Now make it count.

Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.

The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.

Explore the Career Playbooks → Back to Compliance and Risk
Leave a comment
← Previous Regulatory and Internal Controls Next → Transition Strategy