Key points covered in this article: 

  •  The One Big Beautiful Bill Act (OBBBA) is rooted in tax reform but creates new risk areas across AI, data and technology, governance and strategy, reputation, and financial and compliance functions, requiring leaders to view people, processes, and governance through a broader risk-management lens. 
  •  Expanded reporting requirements affect a number of industries, including new cybersecurity and internal control rules for government contractors, higher state-level single audit thresholds for nonprofits, and new tip and overtime reporting rules for hospitality employers.  

 

For C-suite leaders, the One Big Beautiful Bill Act (OBBBA), passed in July, is more than a piece of tax legislation. It’s a call to action. It invites leaders to take a step back and look at how the new law permeates their entire organization, influencing everything from people and processes to governance and reputation, not just finances.

When big changes occur, whether it’s new tax laws like the OBBBA or new technologies like AI, there’s an opportunity to anticipate both the potential upsides and downsides of risk and to get out in front of them, lowering uncertainty and mitigating anything that stands in the way of meeting objectives.

Tamping Down Uncertainty through Risk Management 

Uncertainty is running high across all businesses right now. Leaders are facing risks from all sides, from financial pressures stemming from high inflation and cash flow issues to fraud, innovation vulnerabilities tied to emerging AI, and compliance and regulatory issues under the OBBBA, all while navigating the branching paths of state and federal tax laws.

The priority now is to build resilient organizations. Change is cyclical, and leaders who stay agile and adapt through disciplined change management, strong internal controls, and robust cybersecurity systems can create a clear roadmap for turning uncertainty into a competitive advantage.  

 Top Risks C-Suite Leaders Must Address 

 Organizations are up against similar challenges, but how they approach them can be vastly different. As you read through the top risks under the OBBBA, think about the following: 

  •  How can I plan for these risks before they plan for me? 
  • Even permanent provisions can change: How can I leverage favorable incentives now to fund long-term resilience? 
  • Where can these risks also become opportunities to strengthen our organization’s foundation? 

 AI Risks  

AI is the number one risk for organizations and a top priority for C-suite leaders. It’s no longer a single concept. It’s a spectrum of capabilities, each with different strengths, risks, and governance needs. Between generative AI, AI agents, and agentic AI, organizations need guardrails for employees, strong oversight for how these tools are used, and transparent communication to maintain trust.

AI risks will start to show up in a few different ways. For example, if data is stored or processed offshore in other countries, it might not have the same level of protection. Third-party AI tools and plug-ins can unintentionally expose internal systems to security risks. And when AI decisions can’t be clearly explained to clients, regulators, or internal teams, it starts to create transparency gaps.  

To balance innovation with risk, the following is a framework for building AI governance:

  •  Oversight: Establish clear roles and rules to prevent AI from being misused or spiraling fast. Set a recurring board agenda item for ongoing oversight. 
  • Security: “Shadow AI” and data leaks can expose sensitive data and undo years of trust. The best defense is to define who oversees AI use, what it’s allowed to do, and who will monitor it. Conduct impact assessments before deploying any new tools. 
  • Ethics: AI can make mistakes, show bias, or “hallucinate” information. Responsible AI usage means checking both the data and the decisions.  
  • Training: Inform and educate staff on usage and privacy standards to prevent misuse and foster a culture of accountability.   
  • Adoption: Avoiding AI completely will leave businesses behind. The goal is momentum, not perfection. Continue to refine policies as technologies evolve. 

The OBBBA does include funding for transformational AI models, along with now-permanent full expensing for domestic R&D costs starting in tax years after Dec. 31, 2024. These incentives can offset the high costs of developing or integrating AI tools and allow organizations to recover more of those costs right away to improve cash flow.

Data and Technology Risks  

The OBBBA changes how organizations manage data risk. New provisions significantly expand tax and compliance reporting, which means more sensitive financial and operational data is being transmitted to regulators. To stay protected, organizations need to safeguard their tax and financial data with the same attention they give to securing their IT systems.

Breaches and ransomware are also big concerns. These don’t just hurt operations; they expose filings, tax claims, and audit documentation. With the OBBBA’s R&D credits, bonus depreciation, and SALT cap all requiring well-organized records, organizations should prioritize cleaning up and protecting wherever that information lives and implement stronger controls for tax reporting, contracting, and audits.

Siloed or inaccurate data increases risk when applying new credits, deductions, or filing under updated rules. For example, the new rules for tracking employee tips and overtime rely on accurate payroll data that feeds directly into tax reporting. If systems aren’t managed properly, there’s more of a chance for errors or data exposure.  

How can your organization guard against data and technology risks? By staying secure, current, and realistic:

  • Strengthening defenses against hacking, breaches, and ransomware.
      • What does your response plan look like? Are you running tabletop drills?
      • If outsourced, does your managed service provider have the right tools and send weekly reports so you can see your own environment?
      • How are you managing backups; are they air-gapped?
  • Modernizing systems to reduce downtime and vulnerability.
      • Are you running on a legacy system?
      • Are you upgrading your software every quarter?
  • Protecting sensitive data with strong privacy controls.
      • Do you have a map of your data supply chain?
      • Do recent privacy laws apply to your data?

As you think about your own technology stack, are you treating it as a risk to manage or as an advantage to invest in? In today’s environment, it must be part of your growth strategy.  

The OBBBA rewards R&D and technology upgrades. This means that cybersecurity upgrades, process improvements, and new software developments may qualify for tax incentives. If you frame every tech dollar as both risk protection and tax savings, you can fund greater cyber resilience without straining the budget. Leveraging the OBBBA can put your organization at a competitive advantage. 

 Governance and Strategic Risks 

 As the business environment shifts with new laws, new technology, and market changes, it can challenge how well leaders guide their teams and make decisions. The C-suite sets the tone for how the organization handles “risk culture.” They model, in action, what behavior is accepted and what is not, whether it’s okay to take shortcuts or ignore issues, or whether accountability and transparency are valued. If it’s unclear who is responsible for key decisions, or who is in charge when a leader exits, small issues can end up escalating into massive problems if they’re not patched quickly. 

One way to address this is to highlight your most critical process and map it in six to nine steps, assign one clear process owner, and set escalation thresholds. At PBMares, we use Universal Process Notation to make those roles and decision points visible. It keeps the process simple, clear, and repeatable across the entire organization.

Strategically, businesses need to remain agile during times of change and implement a plan that can adapt to market shifts. If your strategy hasn’t changed in a while, it may be out of date, and one of the biggest risks to your strategy might be what competitors are doing while you’re not looking.  

 Reputational Risks 

Under the OBBBA, reputational risk can increase with new transparency and data reporting requirements. Because more data is being shared and made visible, there’s a greater risk that if something goes wrong, such as a data breach or a compliance failure, negative publicity or controversies could affect trust with stakeholders.

While legal exposure and liability could arise from negligence or harm to customers, remember, it’s often how organizations respond to crises that matters more than the event itself. In some cases, it could even strengthen an organization’s reputation if handled with care. 

 Financial and Compliance Risks 

Whenever a new tax law is introduced, there are always underlying financial and compliance risks to consider. The OBBBA, in particular, brings sweeping changes affecting tax liabilities, capital planning, and reporting requirements across most organizations. But some sectors may see more direct impacts:  

  • Government contractors are facing ever-increasing requirements for cybersecurity and internal controls, contractual obligations that will determine whether government work is won and retained. As of Nov. 10, 2025, the Department of Defense (DoD) will begin incorporating Cybersecurity Maturity Model Certification (CMMC) requirements into all new solicitations, so contractors should be preparing now to meet those standards.
  • Nonprofit organizations will need to review compensation policies, budgeting and internal controls, and any new financial reporting requirements. For example, North Carolina’s threshold for state-funded single audits increased, which changes the audit obligations. 

These are only a few examples of the financial and compliance risks associated with the OBBBA’s new rules. Taking the time to understand how the OBBBA affects your bottom line and reporting requirements could mean the difference between protecting your organization’s stability and credibility and putting both at risk. Strong internal controls not only help satisfy compliance requirements but also make it easier to win new work and survive an audit.

 Where Leaders Go From Here 

While there may be a lot of risk and uncertainty surrounding the new legislation, every challenge comes with opportunity. Change can push leaders to think differently and find new solutions that make their organizations stronger and more resilient in the process.  

Organizations that use the OBBBA’s incentives and new reporting requirements to their advantage will come out better positioned for growth. But leaders need to start now. Many of these provisions have already taken effect; others will start in 2026; and some are set to expire at the end of this year.  

Which risk area deserves the most focus for your organization this year? Contact our Risk Advisory team to dive into the details on how these new provisions apply to your situation and where your organization could go from here.