
The Overconfidence Trap in Financial Services

Articles Logan Wamsley Jun 12, 2026

Internal auditors in financial services can help their organizations maintain a resilient culture — especially when controls switch to autopilot.

Organizational confidence stemming from executive attitudes, too much trust in technology, or lax regulation can foster a culture of risk-taking.

Justin Zavis, Risk Consulting at EY & IIA Los Angeles Chapter President

For many institutions, unpredictability is the new normal. Regulatory fragmentation and localization, a rapidly evolving technological landscape, and geopolitical factors such as tariffs and war have led organizations to not only focus on emerging risks but to consider how to remain resilient despite the volatility.

Overall, the financial services industry appears well-positioned to thrive in this environment. The surprising resilience of the 2026 global economy attests to this, with EY reporting in a February press release that 90% of financial services CEOs globally expect revenue, profitability, and productivity growth this year. For internal auditors in this space, however, such positive positioning presents a risk of its own.

The Overconfidence Trap

Organizational confidence, especially from the C-suite and key decision-makers, can foster a culture of risk-taking. Mark Kane, CEO of Sunwise Capital, cites this psychological phenomenon in a Forbes article:

“Take the 2008 financial crisis. Executives, convinced of their brilliance, built complex financial instruments they didn’t fully understand. Their overconfidence led to underestimating systemic risks, believing their models were untouchable. It wasn’t a failure of leadership — it was a cultural epidemic of arrogance. The fallout? A global financial collapse, livelihoods destroyed and trust shattered. Overconfidence didn’t just hurt — it cost the world.”

A more recent crisis whose outcome may have boosted confidence within the U.S. financial services industry is the banking collapses and bank runs of 2023. This crisis stemmed from a combination of interest rate risk mismanagement and undiversified deposits.

The government's Bank Term Funding Program helped contain the immediate panic, and the broader banking sector demonstrated meaningful resilience.

In addition to the overall interest rate and liquidity risks, there was a short-term panic driven in part by public commentary on social media, as well as gaps in organizations’ controls over how they monitor and respond to that communication, says Justin Zavis, Risk Consulting at EY & IIA Los Angeles Chapter President.

In the aftermath, regulators did propose significant new capital requirements under the Basel III Endgame framework. However, in March 2026, a re-proposal was made to scale back the strictest requirements from the original proposal. Ultimately, with a reduced regulatory burden relative to what was originally proposed, banks emerged from the crisis stronger.

Such a situation does, however, have its inherent risks. Following a history of success, stakeholders run the risk of becoming content in their risk management efforts. Complacency, if left unchecked, can reduce due diligence efforts and quickly turn a secure, proactive risk management function into a vulnerable one.

Overconfidence in the immediate effects of an emerging technology like AI can be another risk. Threat detection and response provider e2e-assure illustrated this in a 2024 study of UK-based cyber risk owners within financial services. According to their data, although 80% of the risk owners surveyed were confident in the AI policies they introduced, 20% also stated that they didn’t know what those policies were, and 17% admitted they had no idea whether their company even had them.

Identifying a Culture of Resilience

There are several ways internal audit can evaluate resilience within its organization. One way, says Zavis, is assessing whether stakeholders emphasize process adherence over a deeper understanding of resilience principles and their applications. A process-driven mindset rather than a capability-driven one can indicate that resilience practices are not fully embedded in the organizational culture or may not perform effectively under stressful conditions.

“Many controls today increasingly rely heavily on automation,” Zavis says. “Stakeholders often depend on these controls for monitoring and reporting. But when I start asking questions on key reports, such as — What exactly is this report showing? What data sources are used to generate it, and how are completeness and accuracy verified? What happens under failure conditions? or How are manual overrides and fallback processes managed? — the responses can reveal a lot about the organization’s resilience culture.”

These discussions allow internal audit to assess whether stakeholders are simply executing controls as a checklist exercise or critically thinking about what could go wrong and how controls might perform under stress. This is especially true in the age of AI, which risk functions are starting to use to help perform tasks.

Internal audit has a mandate to stress the importance of critical thinking, Zavis continues. “The focus can’t just be on outputs. We need to understand how those outputs are generated and whether the underlying data is reliable. If poor data is feeding automated reporting, the risk doesn’t go away — it scales. For example, during a walkthrough, an internal auditor will want to test the process, not just document it. This may include questioning why the control exists, asking to see the transaction live in the system, and understanding what steps are taken if a key system goes down or is operating in a stressed environment.”

A culture of resilience — or the lack of one — can also be identified through an analysis of key performance indicators or risk tolerance triggers. In financial services, says Zavis, this can include reviewing accounts payable and measuring error rates against established tolerance levels, as well as reviewing customer complaints to uncover underlying trends or correlations. When such trends are identified, the audit committee and other stakeholders must then be informed through strong, established communication lines.

“Communication lines should not be overlooked as part of the resilience conversation,” says Zavis. “The more embedded internal audit is with stakeholders, the more dynamic and responsive the audit plan becomes.”

To strengthen these connections, internal auditors can leverage tools and technologies that shift traditional point-in-time assessments toward continuous monitoring. “Historically, internal audit’s primary interaction with senior stakeholders may have been during the annual risk assessment and audit plan process,” Zavis continues. “Today, continuous monitoring tools create more opportunities to refresh insights and engage more frequently. When those communication lines are used consistently to share emerging trends, internal audit can adapt in real time, scaling its activities to address evolving risks and more effectively support organizational resilience.”

The IIA’s newly released Organizational Resilience Topical Requirement and its accompanying User Guide offer internal audit multiple ways to assess a culture’s ability to adapt to change and cover governance structures, risk management processes, and control processes. The User Guide also includes an optional documentation tool to aid internal auditors in documenting conformance to the requirements applicable to their organization.

Showing Internal Audit at Its Best

Overconfidence is not something to underestimate, especially in today’s environment. The tone at the top of the business environment in 2026, to this point, has arguably been looser in regions such as the U.S. However, as history shows in both 2008 and 2020, financial institutions should not take less-strict regulatory periods as an opportunity to relax. In fact, times like this can be viewed as a major opportunity for internal audit to demonstrate its worth to stakeholders.

To help establish a resilience culture, internal audit must reflect the behaviors it seeks to promote. “Internal auditors shouldn’t be afraid to try new approaches and take full advantage of the information channels available to them,” says Zavis. “By continuously evolving alongside the industry and risk environment, internal audit can develop a clearer understanding of both current capabilities and future needs and help organizations strengthen the resiliency culture.”

Logan Wamsley

Logan Wamsley is associate manager, content development at The IIA.