Insights

The CFO Is the Audit Independence Risk You're Not Managing

Governance frameworks have made genuine progress on audit independence. Dual reporting lines - administrative to the CFO, functional to the audit committee - are now standard in most mature organizations. The IIA Global Internal Audit Standards codify functional reporting to the board. Audit committee charters address it. Regulators ask about it.

We Need Fair & Balanced Audit Reports

If you want credibility and trust from management, your reports need not only to be accurate but also fair and balanced. Let me give you a real-life example from my time as a VP in IT at a large financial institution.

Risk Appetite Without Numbers Is Just Philosophy

In my recent LinkedIn post, I argued that risk appetite is the most profound and important principle in risk management, and yet, in practice, it often results in the most shallow and trivial application. The more I reflect on it, the more this paradox seems to explain many of the shortcomings we see in modern risk frameworks.

The Great GRC Reboot: How AI Is Turning Control Into Intelligence

Over the next five years, Governance, Risk, and Compliance (GRC) will undergo one of the most significant transformations in its history. Once viewed primarily as a function of control and oversight, GRC is evolving into a dynamic system of intelligence that empowers organizations to move faster, make smarter decisions, and operate with greater integrity. What was once a defensive discipline will become a source of strategic advantage.

When Geopolitics Stops Being Background Noise

There are periods when geopolitics hums in the background of corporate life, unsettling, tragic, but still distant enough to be categorized as “external.” And then there are moments when the map seems to press directly against the operating model of the enterprise. Escalation involving Iran sits firmly in that latter category, not because conflict in the region is new, but because it concentrates so many interlocking systems (energy corridors, cyber capability, sanctions regimes, proxy networks, global shipping routes) into a single geography where instability reverberates quickly and unevenly.

Q-Day: The Coming Day That Will Rewrite the Rules of Digital Security

Every time you check your bank balance online, send an email, or make a purchase with a credit card, your information is encrypted, a mathematical shield that keeps your data protected from prying eyes. This encryption has worked extremely well for decades. The algorithms safeguarding your most sensitive data would take today’s most powerful traditional computers millions of years to crack. However, a new type of machine is emerging that could change everything.

The Breach Came from a Vendor You Never Hired

In June 2025, procurement vendor Chain IQ Group AG was hit by a sophisticated cyberattack. Hackers accessed data from Chain IQ and at least 19 of its clients, uploading files to the dark web shortly afterward, exposing over 130,000 employee records from firms including UBS and Pictet. None of those firms had hired the attackers’ actual entry point. They had hired Chain IQ.