Risk management: Lessons from 2025 and looking ahead to 2026

Looking back, 2025 was a year where uncertainty became the dominant risk. While the specifics from last year’s article may not have played out exactly as expected, the direction of travel feels broadly right.

Foreign exchange volatility resurfaced in 2025. Periods of US dollar strength against the Vietnamese dong affected import costs and cash-flow assumptions, while moves in regional currencies complicated cross-border planning. At the same time, heightened uncertainty supported appreciation in gold and silver, reinforcing how quickly market sentiment can shift and how exposed unhedged positions can become.

For corporates in Vietnam, tariff uncertainty emerged as a particularly challenging feature of the operating environment. The Vietnamese economy grew by an impressive 8% in 2025, but this was not an easy feat. Shifts in policy direction were often accompanied by unclear timelines and outcomes, making it difficult to plan around pricing, demand, and supply chains with confidence. In many cases, the uncertainty itself proved as disruptive as any eventual tariff, underscoring how policy unpredictability can become a material risk even before concrete measures are implemented.

The central lesson from 2025 remained less about prediction and more about preparedness: how organisations identify risk, build effective frameworks and governance, and test assumptions. This becomes especially important when decisions must be made quickly with incomplete or evolving data. 

The risks highlighted last year are not going away. Events in March 2026 have highlighted that events on the other side of the world can have immediate impacts here in Vietnam. Headlines have been focused on oil prices, which rapidly fed through to increases at the petrol pumps. We will see multiple knock-on impacts across multiple sectors. Airlines and shipping are warning of the need to raise prices. The Middle East is a key supplier of fertiliser inputs, and reports suggest that the price of urea rose shaply in the first week of March. Aluminium prices jumped 7% in a week, and reached USD3.5k/t, the highest in 4 years. Lawmakers in Korea highlighted that reliance of helium supplies from the Middle East may impact semiconductor manufacturing.

Last year I highlighted the importance of governance and systematic checklists to ensure a comprehensive assessment when challenges arise.It is important not to assume this alone is sufficient. Critical thinking also plays a vital role. Governance and checklists provide a consistent framework for comprehensive assessment. These frameworks ensure a consistent approach to address the majority of risks. But in practice, it is individual expertise that identifies the final blind spots those frameworks miss and helps organisations prepare for what comes next. 

An example was last year’s flooding.  Business continuity planning provided a consistent approach across multiple areas.  However, it was our teams on the ground in Danang and Hanoi that were able to address new problems as they came up, and provide insights to shape how we respond next time.

As we look at the developing situation this year, it will again be a combination of checklists and systems, along with the expertise of your team to adapt to changing events, that will be key to maintaining resilience.

The value of a “personal board of directors”

As I look ahead to 2026, I find myself developing this concept of critical thinking further and returning to a concept I have discussed often with my team: the idea of a personal board of directors.

The premise is simple. Regardless of formal titles or experience, no individual has a monopoly on good judgement—particularly in complex and fast-moving environments. Actively seeking perspectives from trusted external advisers, peers, or mentors almost always improves the quality of decisions. I value challenge, as it often exposes important blind spots.

From a risk management perspective, this matters. Many failures do not stem from an absence of frameworks or policies, but from overconfidence, groupthink, or an overly narrow lens shaped by past success. Diverse viewpoints—particularly from people with different professional backgrounds, institutional constraints, or experiences—can materially improve how risks are assessed and prioritised.

Learning from peers: broadening the lens

With this in mind, and to avoid relying solely on my own perspective, I asked a couple of fellow Chief Risk Officers to share their reflections on the lessons from 2025 that may help us in the year ahead.

Tong Tran Hieu, Head of the Integrated Risk Management Department, Vietcombank, said in 2025, he became increasingly aware of both the opportunities and risks associated with cybersecurity and artificial intelligence, and he believes we should all actively upskill ourselves in these areas.

Vietnam’s rapid digitalisation—supported by high internet penetration and smartphone usage—creates significant opportunities for growth. At the same time, it expands the number of entry points for cyberattacks. We may not hear about every ransomware incident, as organisations often choose not to publicise them, but attacks are becoming more sophisticated and can result in serious financial and reputational damage.

“Organisations need to think ahead: establish strong information and cybersecurity policies, enhance monitoring, invest in secure infrastructure with layered defences, and ensure a clear incident-response plan is in place. While we hope it is never tested, the plan should be regularly updated, and key executives should retain offline access”, said Tong Tran Hieu.

AI also presents clear opportunities to improve customer experience. At Vietcombank, for example, it has implemented chatbots to support customer enquiries. However, as adoption increases, it is critical to maintain a robust and adaptable AI governance framework. Particular caution is needed when using AI for key decisions, given the ‘black box’ nature of many models. Organisations should guard against bias, unintended discrimination, and data errors, and in many cases retain a ‘human in the loop’ until confidence in outcomes is well established.

“I remain very positive about developing technologies. With the right guardrails, digitalisation and AI can continue to drive innovation and operational efficiency”, emphasized Tong Tran Hieu.

Tran Phuong, Senior Executive, Vice President, BIDV, said there are two key lessons stand out. First, early-warning indicator systems are only valuable if they are linked to action. In many cases, risks—particularly credit risks—were identified early, yet losses still materialised because responses lagged behind warning signals. For both banks and corporates, early-warning systems must be clearly connected to predefined interventions, such as adjusting exposure to a counterparty or addressing system weaknesses before customers are impacted. Management boards play a critical role in establishing accountability and authority for timely action.

Second, organisations need to step back and consider correlations between risks. In banking, for example, periods of stress rarely come from breaches of single ratios. Basel III provide important ratios such as LCR and NSFR. However, these should not be treated solely as compliance metrics. While regulatory metrics support safety, sustainable profitability requires looking beyond compliance to the pace and composition of growth.  This provides medium and long term resilience instead of maximimising short-term accounting profitability.”

My tips for 2026

Reflecting on these perspectives, with thanks to colleagues in other banks, three additional themes stand out as organisations look ahead.

First, make deliberate time to stay on top of emerging trends. In a crowded agenda, it is tempting to focus exclusively on known risks and immediate pressures. Yet many of the most disruptive developments begin at the margins. Continuous scanning and curiosity are essential disciplines. Given increased geopolitical volatility, we may see reshaping and diversification of supply chains, bringing new challenges and opportunities.

Second, prioritise action and connectivity. Risk identification has limited value without execution. Clear ownership, timely escalation, and cross-functional collaboration matter as much as analytical depth in building resilience. Risks should be assessed as part of a system, not in isolation.

Third, strengthen governance and risk management through diversity of thought and actively encouraging critical thinking. Robust risk cultures are characterised by questioning, challenge, and openness to alternative views. Who challenges your assumptions? Who brings a different lens shaped by different experiences? How do you ensure that views from frontline colleagues are encouraged and acted upon? How effectively do you read across when issues are identified in your organisation or elsewhere in the market? While risk managers often play a central role in this process, effective challenge should not sit with them alone. Equally, risk managers benefit from insights across the organisation, helping them support sustainable growth rather than being seen solely as a function that says no.

Getting ready for the rest of 2026

This year, I look forward to hearing more about how organisations ensure resilience for the future. For leaders, the question is not whether new disruptions will emerge, but whether decision-making processes are resilient enough to absorb them and adjust when assumptions fail. Perspective, connectivity, and action will increasingly differentiate those organisations that merely cope with uncertainty from those that navigate it with confidence.