For much of the last two decades, systemic risk was treated as a financial markets problem.
It belonged to capital adequacy, liquidity, clearing houses and contagion across balance sheets. The lesson of the global financial crisis was that failures inside financial plumbing could destabilise the entire system.
That framing is no longer sufficient.
Systemic risk has returned, but it is no longer confined to financial markets, nor does it originate solely from financial institutions. In 2026, systemic risk is emerging from interconnected non-financial risks that propagate across digital infrastructure, critical third parties, behavioural dynamics, social platforms and geopolitical stress.
This is not simply a question of new risks.
It is a question of how risks now interact and whether governance structures can see those interactions before instability takes hold.
Systemic risk has moved beyond markets
What made systemic risk dangerous was never its source.
It was its ability to spread.
In the past, that spread was driven by leverage, interbank exposure and confidence shocks. Today, the transmission mechanisms look very different.
Systemic exposure now increasingly flows through:
- Shared digital infrastructure, where disruption to a small number of providers can affect hundreds of organisations simultaneously
- Concentrated third-party ecosystems, rather than bilateral counterparty relationships
- Information and sentiment dynamics, where narratives move faster than formal escalation processes
- Technology platforms, whose scale and integration create common points of dependency across sectors
The implication is subtle but important:
Risk no longer needs to originate in finance to become systemic. It only needs to propagate through shared systems.
Digital concentration is creating hidden single points of failure
One of the clearest sources of emerging systemic exposure is digital concentration.
Cloud services, AI foundation models, payments infrastructure, data platforms and identity services have consolidated rapidly. Across many sectors, resilience now depends on a remarkably small number of providers.
Supervisory bodies are starting to reflect this reality. In Europe, authorities have moved toward identifying certain technology providers as critical third parties, recognising that disruption could have cross-market and cross-sector effects.
At the same time, independent international work on AI safety has highlighted how the widespread deployment of general-purpose AI models into critical systems creates correlated failure risks, particularly where the same models underpin decision-making across multiple organisations and sectors.
Yet within most firms, these exposures are still governed as vendor risks – assessed contract by contract, service by service – rather than as potential system-wide dependencies.
That disconnect matters.
Systemic risk does not arise from one contract failing.
It arises when many organisations depend on the same thing.
Behaviour now amplifies risk faster than governance can respond
Another underappreciated transmission channel is behaviour.
Digital platforms and social media have fundamentally altered the speed at which risk perceptions form and spread. Confidence, trust and sentiment now move faster than verification, investigation or formal escalation.
This matters because behaviour itself can become systemic.
Runs on platforms, sudden customer withdrawals, employee reactions, political pressure and regulatory scrutiny can now be triggered by narrative cascades, not balance-sheet deterioration.
Policymakers are increasingly concerned that algorithmic decision-making and AI-driven systems may further amplify these effects by reinforcing similar responses across organisations at the same time. UK parliamentary and regulatory commentary in 2025 highlighted the risk of herd-like behaviour emerging from shared AI tools and automated decision systems, particularly during periods of stress.
These dynamics do not sit neatly within market risk, conduct risk or operational risk. But their effects can be systemic and governance structures are rarely designed to own them end-to-end.
Supply chains and technology dependencies are becoming macro-level risks
Systemic risk is also becoming more structural.
Concentration in semiconductor manufacturing, data centre capacity, specialist software, network infrastructure and energy supply has created dependencies that extend well beyond individual firms.
Supervisory assessments increasingly recognise that reliance on common third-party services introduces correlated vulnerabilities across financial services and the wider economy. The European Banking Authority’s 2025 risk assessment explicitly links third-party dependency, operational disruption and systemic stability concerns.
This reframes supply chain and technology risk.
They are no longer just questions of efficiency or resilience.
They are questions of system-wide stability.
Yet governance responses remain fragmented, often contractual, reactive and focused on compliance rather than systemic exposure.
Why existing risk frameworks struggle to see what’s forming
Most enterprise risk frameworks still rest on a core assumption:
Risks can be identified, assessed and controlled within discrete categories.
That assumption breaks down when risk propagates across categories faster than governance can coordinate.
In practice, today’s risk events increasingly look like this:
- A cyber incident at a shared service provider triggers operational disruption, customer behaviour changes, reputational pressure and regulatory attention simultaneously
- AI-driven tools deployed at scale behave in correlated ways, amplifying errors or reinforcing the same flawed signals
- Cultural and behavioural weaknesses magnify operational failures rather than containing them
Regulators themselves now acknowledge the interconnected nature of cyber risk, third-party dependency and operational resilience, yet supervisory frameworks still tend to treat these as separate domains.
The result is predictable.
Risk functions see fragments.
Executives see symptoms.
Boards see consequences.
Very few governance structures are designed to see interaction effects as they form.
Regulators are circling the problem, but governance still lags
Supervisory attention is clearly shifting.
Across jurisdictions, regulators are:
- Expanding oversight of critical third parties
- Strengthening expectations around operational resilience
- Exploring systemic implications of general-purpose AI models and platform concentration
The EU’s AI Act and its emerging Code of Practice for general-purpose AI explicitly recognise that some AI systems pose systemic risk and therefore warrant heightened governance, transparency and incident reporting obligations.
At the same time, supervisory bodies are re-examining how third-party dependencies are governed.
The EBA’s December 2025 Risk Assessment Report and associated draft guidance now position third-party risk management as a broader systemic concern, extending beyond ICT services to all arrangements that underpin critical functions across the financial system.
Despite this progress, regulatory frameworks still tend to operate by risk type, even as risk itself does not.
The real challenge is not anticipation, it’s integration
Most organisations are not blind to these risks.
They can list them.
What they struggle to do is connect them in practice.
Systemic risk in this environment does not arise because individual risks are unmanaged. It arises because interactions are unmanaged.
Effective governance now requires:
- Linking cyber, technology, behavioural, third-party and operational risk oversight
- Monitoring how stress in one domain amplifies vulnerability in another
- Moving beyond static taxonomies toward systems-based risk thinking
This is not a tooling problem or a data problem.
It is a governance design problem.
Systemic risk has become a board-level governance test
Systemic risk is no longer something that can be delegated to market risk teams, regulatory policy units or crisis playbooks.
It sits squarely with boards.
Because the question boards now face is not:
“Are our individual risks controlled?”
It is:
“Do we understand how risk behaves when systems interact under stress?”
That requires governance capable of:
- Looking across risk categories, not down them
- Testing interaction effects, not isolated scenarios
- Owning accountability for stability, not just compliance
Systemic risk has returned, not as a financial anomaly, but as a governance challenge that cuts across every risk type.
And 2026 is shaping up to be the year when the limits of fragmented risk oversight are no longer theoretical, but visible.
Stay up to date with the latest stories from the world of governance, risk, audit and compliance >>>
