Insights

In this article, Ayoub Fandi examines how organizations can unlock untapped value in their existing GRC platforms by applying an engineering mindset rather than defaulting to new tools or costly overhauls. Drawing on practical experience, he explores why most GRC platforms remain significantly underused and how data optimization, strategic integrations, and workflow design can transform them from passive documentation systems into active drivers of risk and control execution.

For years, cybersecurity has been treated like a home alarm system. You install it, arm it, and hope it only goes off when something truly bad happens. The problem is that modern cyber threats no longer behave like burglars rattling windows at night. They act more like termites, quietly weakening structures over time, or like flash floods that overwhelm defenses faster than alarms can react. In this environment, reacting after the fact is no longer enough. Organizations must move from reactive cybersecurity to proactive cyber resilience.

In my latest post, I discuss how if you look at how enterprise risk management is practiced today, you’d be forgiven for thinking that the entity-level risk register sits at the center of ISO 31000 and COSO ERM. It doesn’t.

Managing risks across the AI/ML lifecycle is critical for building reliable, secure, and ethical models. From data collection and labeling to training, fine-tuning, and evaluation, each stage presents unique challenges that can affect performance, reproducibility, fairness, and safety. Implementing well-defined controls ensures models are trustworthy, auditable, and resilient to both technical and operational issues. 

There’s a certain kind of growth story you see all the time in digital media. Big launches. Loud claims. Paid distribution quietly doing most of the work behind the scenes. This isn’t that story. What started as a small, independent experiment has, in a remarkably short period of time, turned into something far more consequential: a place where governance, risk, and compliance professionals actually come back, not because they’re chased by algorithms, but because the content respects their time and intelligence.

In my earlier reflections on enterprise risk intelligence, I focused on a fundamental realization: the world organizations now operate in no longer matches the way risk has traditionally been framed, assessed, or governed. That observation has continued to stay with me, not as an abstract idea, but as something I see play out repeatedly in conversations with boards, executives, and risk leaders across industries.

In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.