Insights

In this article, Norman Marks explores the absence of a formal US corporate governance code, unlike those adopted in other countries such as the UK, Japan, and South Africa. Marks discusses the newly introduced COSO Corporate Governance Framework, a collaboration with the National Association of Corporate Directors (NACD) and PwC, designed to guide organizations in enhancing their governance practices. While the framework offers valuable principles across six key components, Marks highlights its limitations, particularly its lack of enforceable authority and depth compared to a full-fledged governance code. This piece delves into the implications of the framework and raises important questions about the need for a US corporate governance code.

In the U.S., the regulatory landscape is trying to catch up, but in true American style, it’s a bit of a mess. It’s fragmented, complex, and, at times, contradictory. The goal of the legislation is to manage the risks, promote innovation, and make sure AI is used responsibly. But how we get there, and who’s in charge of making the rules, is anything but straightforward. As AI moves from being an abstract concept to a core part of business operations, understanding this evolving legal maze is crucial for companies.

In my previous article, The Integrity Imperative: Rethinking Compliance in an Era of Relentless Change, I explored the shifting nature of compliance in today’s fast-evolving regulatory environment. As we face a global landscape where laws change by the minute, organizations must rethink how they manage compliance—not just as a set of rules to follow, but as a core function rooted in the organization’s values and integrity. This article continues that conversation, diving deeper into how compliance must evolve from a static function to a dynamic, values-driven imperative.

In Norman Marks' latest article, he explores the complexities of risk management and governance frameworks, shedding light on the often-confusing acronyms that are commonly used in the industry. From Governance, Risk, and Compliance (GRC) to Enterprise Risk Management (ERM), Integrated Risk Management (IRM), and beyond, Marks provides clarity on how these terms interconnect and why understanding their nuances is crucial for effective risk management in today’s business environment.

As organizations evolve and face increasingly complex risks, the shift toward objective-centric Enterprise Risk Management (ERM) and internal audit methods has been widely recognized as more effective. By focusing on the impact of uncertainty on mission-critical objectives, companies can take a proactive approach to managing risk and better align their risk management strategies with overall business goals. Unlike traditional risk list approaches, which often focus on identifying and mitigating individual risks in isolation, objective-centric ERM integrates risk management into the organization’s strategic planning process, ensuring that risks are assessed in the context of their potential impact on key objectives.

The GRC Report is proud to announce the launch of its new podcast, Risk Is Our Business, hosted by renowned GRC analyst Michael Rasmussen. The series promises candid, thought-provoking conversations at the intersection of governance, risk, compliance, and culture—cutting through the noise to explore what truly shapes responsible business today.

In an era where risk is increasingly interconnected, multifaceted, and shifting in real time, organizations can no longer rely on static frameworks to manage governance, risk, and compliance (GRC). Traditional tools such as policies, controls, and spreadsheets, while valuable, no longer offer the adaptability required to navigate the complexities of today’s business landscape. Risk no longer exists in isolated silos; it cascades through supply chains, reverberates across organizational structures, and evolves in response to forces like regulatory change, geopolitical events, environmental disruptions, and rapid technological advancements. To thrive in this turbulent environment, organizations need GRC tools that are as dynamic and fluid as the risks they aim to mitigate.