‘Despite concerns about rising benefit costs and growing mental health challenges, HR and risk professionals are overshadowed by more immediate concerns’
Cyber insecurity has overtaken all other workforce threats as the world’s leading people risk, just as training, culture and work design now sit at the heart of organisational resilience, according to a recent report.
And technology disruption, labour shortages, financial strain and health pressures are converging to redefine how employers must manage their people, according to the 2026 People Risk report, released by Marsh and Mercer Marsh Benefits.
“People risks cannot be secondary concerns, as they impact the health and well-being of the workforce and the business,” the report states. “In 2026, resilience depends on how well organizations invest in their people: building the right skills, supporting health and financial security, and redesigning work so humans and technology can perform at their best together.”
Inadequate cyber threat literacy is ranked as the number one people risk globally, ahead of labour shortages, mental health deterioration and rising benefit costs. Marsh says cyber incidents remain heavily driven by human behaviour, including phishing, credential theft and deepfakes, rather than technology failures alone.
The report urges employers to “treat workforce behaviour, training, and culture as first-line cyber controls” and to view cyber risk as a broader digital exposure spanning HR and benefits systems as well as core IT. For HR leaders, this makes secure work practices, access controls and continual education core elements of people strategy rather than optional add-ons.
Canada’s health care and social services sectors are facing an urgent cybersecurity crisis, with attacks on public systems escalating in both sophistication and frequency, according to a previous report. Four in 5 (80%) Canadian organisations experienced AI-related cybersecurity incidents in the past year, according to a separate study.
AI investment outpaces skills and leadership capacity
Technology skills shortages, including cyber and artificial intelligence roles, are ranked as the third-highest people risk worldwide, according to the Marsh survey of more than 4,500 HR and risk professionals across 26 markets.
Many organisations are investing heavily in AI but failing to generate meaningful productivity, innovation or performance gains because they have not redesigned work around new tools, finds the study.
Marsh warns of “a far greater threat…failing to convert AI investment into meaningful productivity, innovation, and performance gains,” and reports that 40% of HR and risk respondents are concerned their organisations are adopting AI without adequate training and upskilling. Mindset barriers to AI adoption now sit among the top global people risks identified by Marsh.
According to the report, AI success “depends less on the tools that organizations deploy and more on how work processes are designed around them.” Marsh defines work redesign as breaking down jobs into tasks to decide which can be offloaded, augmented, optimised or automated, with the aim of combining “AI’s speed, scale, and precision with human judgment, creativity, and empathy.”
Labour shortages remain the second overall people risk and the top concern in several sectors, including professional services, manufacturing and construction. Pressures are most acute in ageing and super-ageing societies where shrinking working-age populations collide with rising demand for digital and technical skills.
The report also identifies inadequate supervisory and leadership skills as the biggest “cascade” risk, triggering or worsening more other risks than any single factor, from mental health deterioration and unsafe working conditions to flawed investment decisions. Marsh says traditional leadership models focused on hierarchy and stability are “increasingly misaligned with today’s reality, where uncertainty, speed, and complexity dominate.”
HR ‘deprioritising health-related risks’
Employee financial insecurity has moved into the top tier of concerns, ranking fourth globally and appearing in the top 10 in every region, according to Marsh’s study. The company defines it as rising living costs, inadequate wages or benefits, and debt burdens that undermine well-being, leading to attrition, lower productivity and higher misconduct risk.
The report describes financial insecurity as “a material organizational risk — one that directly affects productivity, retention, and behavior.” It links financial stress to greater susceptibility to cyber scams and to ethical lapses as employees under pressure look for short-term relief, a trend HR leaders are being urged to monitor closely.
At the same time, health-related risks are drifting down the agenda even as costs mount. Marsh notes that 90% of HR and risk leaders say rising health and benefit costs are likely to materialise in the next one to two years, yet unaffordable or inaccessible health care ranks last — 25th out of 25 people risks globally.
“Despite concerns about rising benefit costs and growing mental health challenges, HR and Risk professionals are deprioritizing health-related risks as they are overshadowed by more immediate concerns,” said Amy Laverock, Mercer Marsh Benefits’ Global Advisory Specialties Leader. “This highlights a concerning disconnect. Organizations are attempting to separate health outcomes from risk management, when they are inherently intertwined.”
Marsh finds only 14% of respondents rate their organisation’s overall risk maturity as “transformative” or fully embedded, but those that do report people-risk mitigations that are on average 15 percentage points more effective. The report also shows companies where HR and risk teams “fully collaborate” enjoy markedly stronger outcomes on succession planning, reskilling and employer-sponsored health coverage, underscoring a more central risk role for HR.
In March, Ontario announced it is updating its access to information, privacy and cybersecurity framework for the first time in nearly 40 years, in changes that will directly affect HR leaders across hospitals, school boards, children’s aid societies and post-secondary institutions.
In March, Ontario announced it is updating its access to information, privacy and cybersecurity framework for the first time in nearly 40 years, in changes that will directly affect HR leaders across hospitals, school boards, children’s aid societies and post‑secondary institutions.
How can employers reduce cybersecurity risks?
Here’s how HR professionals can reduce data privacy and cybersecurity risks, as Susan Anderson, chief services officer for HR solutions at Mitratech, shares via JD Supra:
-
Treat HR systems as critical infrastructure: Apply least-privilege access, strong audit logging, and clear ownership (the same rigour you’d apply to financial systems).
-
Vet every vendor and integration for data-handling practices, including retention policies and whether data is used to train external models.
-
Build a culture of shared responsibility for security: Make phishing awareness and reporting a norm, not a yearly training requirement. Employees are part of the control environment.
-
Align HR, Legal, IT and Security on incident response before an incident happens. Discover your gaps in a tabletop exercise, not a real breach.
-
Train HR teams on data hygiene as standard practice, not a one-time compliance exercise. Access discipline starts with the people who have the most access.
“A breach in HR systems is a trust event as much as a security incident,” says Anderson. “Employees will judge the organization by how seriously it protects their most personal information.”
