Insights

Earlier this week, I shared a brief post on social media reflecting on a question that has stayed with me throughout my career, "How can we evaluate effectiveness without first being clear about purpose?" The post pointed to a deeper issue that deserves more careful treatment. Whenever I am asked to assess effectiveness, I start in the same place. Before looking at structure, process, or performance, I ask a simple question, "What is the purpose of what I am being asked to assess?"

A week after publishing my first reflections on the World Economic Forum’s Global Risks Report 2026, I find myself returning to the same unease that prompted that first piece—not because the report needs more explanation, but because the initial reaction to it already feels familiar.

Video games were once a hobby defined by premium products. Consoles often cost several hundred dollars, and games themselves were priced around $60 for most of the last two decades. Purchasing a console and building a collection of games was an intentional act. A console is no small purchase, especially for a young audience or the generous parent. The purchase of individual games was typically a decision informed by quality and value from a discerning consumer.

In this article, Norman Marks reflects on a handful of recent and not-so-recent pieces that, taken together, offer a revealing snapshot of where internal audit is headed and where it may be at risk of losing its way. Drawing on insights from industry leaders, consultants, and former global audit officials, Marks contrasts the profession’s growing ambition around agility, insight, and relevance with an increasingly prescriptive standards environment that threatens creativity, judgment, and imagination. The result is both a cautious critique and a hopeful argument for an internal audit function that stays forward-looking, tailored to the business, and grounded in professional judgment rather than rigid process.

In 2025, the balance between risk and reward became materially more consequential. Advances in AI, rising expectations for operational resilience, and intensifying regulatory scrutiny reshaped executive agendas and exposed the limits of reactive risk management. Some organizations adapted quickly, using governance, risk, compliance, ethics, and learning to move faster with confidence. Others struggled to keep pace.

Third-party risk rarely announces itself with alarms. More often, it arrives quietly, disguised as an assumption. The assumption is that responsibility can be shared without consequence. That accountability can be distributed, diluted, and still hold its shape when pressure arrives. That contracts, frameworks, and carefully worded clauses will stand in for human judgment when systems fail and decisions cannot wait.

In this article, Ayoub Fandi examines how organizations can unlock untapped value in their existing GRC platforms by applying an engineering mindset rather than defaulting to new tools or costly overhauls. Drawing on practical experience, he explores why most GRC platforms remain significantly underused and how data optimization, strategic integrations, and workflow design can transform them from passive documentation systems into active drivers of risk and control execution.