Insights

Operational Resilience as Strategy: DORA, the UK, CPS 230, & the Road Ahead

In an era defined by disruption, resilience is no longer a side conversation in boardrooms; it is the conversation. Cyber incidents, technology outages, geopolitical instability, and supply chain fragility are not “if” events; they are “when” events. Regulators, investors, and customers all demand that you show not only that you can take the hit, but that you can recover, adapt, and continue to deliver.

The Purpose of Risk Groups & Internal Audit: A Simple, Logical Accountability Model

In a recent social media post, I laid out what I see as the joint purpose of risk groups and internal audit. The response reinforced what I’ve long believed—that governance works best when accountability is simple, logical, and aligned with fiduciary duty.

AI Agent vs. Brown Envelope: The Balkan Supply Chain Cage Match

In this article, Jason Busch unpacks Albania’s bold experiment to fight procurement corruption with an AI “minister,” weighing its potential to trim graft against the country’s deep-rooted traditions of bribery, backroom deals, and bureaucratic stalling.

Focus on the Design & Operation of Critical Internal Controls

In Norman Marks’ latest piece, he emphasizes why boards, CEOs, and auditors should place their attention on the controls that matter most—those tied directly to enterprise objectives. Drawing on decades of experience, Marks underscores that auditing should be future-focused and risk-based, centering on the design and operation of critical internal controls rather than just data testing.

Risk Strategists & One Governance Converge in the NAVI Era

EY’s latest Global Risk Transformation Study draws a sharp line between organizations merely enduring volatility and those converting it into strategic momentum. In today’s NAVI world (nonlinear, accelerated, volatile, interconnected) the margin between thriving and stumbling is defined not by luck, but by leadership mindset and structural alignment.

The TPRM Wake-Up Call: Why 2025 Demands Excellence and Investment Despite Uncertain Returns

The numbers don’t lie. 96% of S&P 500 companies have experienced data breaches. 41.8% of fintech breaches can be traced back to third-party vendors. 68% of UK fintechs report rising fraud cases, with losses reaching as much as £5 million. These aren’t isolated incidents; they are symptoms of a systemic issue. As organizations become more reliant on third-party ecosystems, the costs of insufficient Third-Party Risk Management (TPRM) have never been greater.

Why Regulators Avoid Directing Boards Toward Mission Critical Oversight

In my recent post, the central question was posed with disarming clarity. If mission critical objectives (MCOs) define the very survival and long-term performance of an organization, why don’t regulators require boards to focus their oversight on them? It seems like the most direct way to strengthen governance. If boards were explicitly tasked with monitoring risks to MCOs, they would naturally direct management, risk teams, and internal auditors to align their assessments and reporting accordingly. Instead, regulators continue to emphasize processes and disclosures that often miss the mark, leaving businesses exposed and stakeholders carrying the weight of failures that cumulatively amount to staggering losses.