Insights

Regulating the Future: America’s AI Plan

These past few months have seen AI’s explosion into the market, transforming how many businesses, companies, and even everyday consumers function on a daily basis. AI has even made its way into many governments and offices of CEOs, with many investing time and resources into furthering its function and abilities, all while trying to make sense of the rapidly evolving technology. Despite minimal conversation surrounding its debut, risk and compliance have now become a larger talking point, with officials taking notice.

Redesigning Internal Audit

In this article, Norman Marks reflects on how internal audit must evolve in step with the rapid changes reshaping global businesses. Drawing on his own experience as Chief Audit Executive at Tosco Corporation, Marks argues that internal audit should be designed around the risk universe rather than static frameworks, emphasizing flexibility, agility, and a willingness to rethink traditional models in the face of AI-driven transformation.

The Improbability Drive of GRC: Hitchhiker’s Guide to Surviving the Technology Galaxy

In a universe where regulations multiply faster than Tribbles and risk events arrive with all the subtlety of a falling whale, it helps to have a guide. A few weeks ago, we published Don’t Panic: A Hitchhiker’s Guide to the GRC Technology Galaxy, a friendly reminder that the GRC universe is vast, strange, and occasionally full of Vogon-level bureaucracy.

Lawyers Need to Stop Thinking Small About GRC: An Interview with Carole Switzer

When Carole Switzer talks about lawyers and their role in governance, risk, and compliance, she doesn’t sound like someone reading off a checklist. She sounds more like a coach urging a team to play the bigger game.

The Don’t Tell/Don’t Ask Pact Driving Governance Failures

In my previous piece, Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk, I explored why so few boards demand reporting on the risks and uncertainties that threaten an organization’s most important objectives. Like that piece, this one began with a social media post that sparked a strong reaction, because it points to a governance reality many know but rarely admit.

Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk

In a recent post, I posed a question that I believe cuts to the heart of modern risk governance: why haven’t most boards asked for reports on risk and uncertainty linked to the mission-critical objectives that ultimately define whether organizations succeed or fail?

Current State of TPRM: 2025 Annual Study

Third-party risk management is no longer a box to tick; it’s a survival strategy. But according to Mitratech’s latest global study, many organizations are still managing sprawling vendor ecosystems with outdated tools, limited visibility, and far too few resources.