Insights

Transferring the Risk of Political Impacts

Political events beyond a company’s control—such as sudden regime changes, civil unrest, or expropriation—can pose serious financial threats, impacting revenues, assets, operations, and contractual obligations. Political risk insurance exists to shield businesses from exactly these uncertainties. By transferring the potential economic fallout to an insurer, companies safeguard themselves against the full brunt of a crisis, preserving financial stability even when unforeseeable disruptions occur.

When Resilience Becomes Muscle Memory

In my last piece, The Inevitability of Failure, I wrote about something most leaders quietly know but rarely say out loud—failure isn’t an interruption of the journey, it is the terrain. That article opened the door to a conversation I’ve been having with myself for decades, long before GRC became my lens for understanding how organizations move through uncertainty.

The Idea of Continuous Assurance

In this article, Norman Marks dives into the evolving concept of continuous assurance, challenging traditional notions of continuous auditing and urging internal auditors to focus less on reviewing the past and more on providing real-time confidence in the future. Drawing on his own experiences as a former Chief Audit Executive and early adopter of continuous auditing techniques, Marks explores how true assurance comes from understanding risk as it changes, engaging with management regularly, and providing insight that helps organizations anticipate, not just detect, issues.

Why Risk & Internal Audit Struggle to Share a Purpose

In my recent post, I suggested that risk management and internal audit would better serve management, boards, and stakeholders if they operated from a shared purpose. The idea is straightforward: both functions should focus on ensuring leadership receives reliable, decision-useful information about the uncertainties that affect the organization’s mission-critical objectives. If they did that consistently, organizations would make better decisions and achieve better outcomes.

How to Model Risk

In this article, Graeme Keith explores what it really means to build a risk model that is genuinely useful in practice rather than simply mathematically impressive. He emphasizes that effective models must be embedded in real decision-making processes, aligned with clear objectives, and developed collaboratively with stakeholders. The focus is on modeling as a creative, iterative, and context-driven exercise that prioritizes understanding causal relationships and supporting informed action.

This Is Missing From Most GRC & ERM Programs

In his latest piece, Norman Marks breaks down a critical gap he continues to see across GRC and ERM programs: the absence of a true top-down, objective-focused approach. While many organizations and software platforms emphasize identifying risks first and then mapping them to objectives, Marks argues that this bottom-up structure misses what matters most. To understand risk and opportunity in a meaningful way, he explains, organizations must start with their enterprise objectives, strategies, and goals, and then determine what could hinder or enable their achievement.

Where GRC is a Product: Breaking the Project Mindset

In this article, Ayoub Fandi breaks down why so many organizations still treat GRC as a yearly project tied to audits rather than as a strategic product that continuously delivers value. By reframing GRC as something that evolves, improves, and serves real users across the business, he illustrates how organizations can reduce manual effort, improve their security posture, and align risk management with decision-making. The goal is to move beyond compliance checklists and instead build a living, continuous GRC program that drives resilience and supports the business every day, not just during audit season.