Insights

There’s a certain kind of growth story you see all the time in digital media. Big launches. Loud claims. Paid distribution quietly doing most of the work behind the scenes. This isn’t that story. What started as a small, independent experiment has, in a remarkably short period of time, turned into something far more consequential: a place where governance, risk, and compliance professionals actually come back, not because they’re chased by algorithms, but because the content respects their time and intelligence.

In my earlier reflections on enterprise risk intelligence, I focused on a fundamental realization: the world organizations now operate in no longer matches the way risk has traditionally been framed, assessed, or governed. That observation has continued to stay with me, not as an abstract idea, but as something I see play out repeatedly in conversations with boards, executives, and risk leaders across industries.

In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.

There is a growing problem in how applicant tracking systems are being used in hiring, and it is one that deserves more honest scrutiny. Too often, ATS platforms are treated as decision engines rather than what they actually are: administrative tools designed to support process, not replace judgment.

In the first essay in this series, I argued that the real difference between qualitative and quantitative risk is how uncertainty is treated. This essay looks at one small distinction that matters once we stop collapsing uncertainty into a single answer.

Organizations are very good at moving on. Leadership changes. Systems are replaced. Vendors rotate in and out. Strategic priorities shift with the market. What organizations are far less good at is remembering why things exist the way they do.

In this latest article, Ayoub Fandi dissects a familiar but rarely challenged flaw in many GRC programs: controls designed to satisfy auditors first and protect the business second. Drawing on real-world examples from access management, vulnerability management, and application security, Fandi argues that compliance-driven control design too often results in security theater and controls that generate clean audit evidence while leaving real risks untouched. He makes the case for flipping that priority, showing how controls built around actual threats and business risk naturally produce compliance as an outcome, not an objective.