Risk & Resilience

Performing a Risk-Based Cyber Audit

In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.

Taking Uncertainty Seriously: Part 2

In the first essay in this series, I argued that the real difference between qualitative and quantitative risk is how uncertainty is treated. This essay looks at one small distinction that matters once we stop collapsing uncertainty into a single answer.

ASIC Moves to Streamline Market Resilience Rules as Focus Sharpens on Operational Risk

Australia’s corporate watchdog has rolled out a new round of updates aimed at simplifying how market participants and operators comply with technological and operational resilience requirements, as regulators continue to sharpen their focus on infrastructure risk across securities and futures markets.

Australian Regulators Step In After Deloitte Review Flags Risk Management Gaps at Bendigo Bank

Australia’s banking and financial crime regulators have moved to tighten oversight of Bendigo and Adelaide Bank after an independent Deloitte review uncovered serious shortcomings in how the lender manages money laundering and broader non-financial risks.

EBA Gives Banks Breathing Room on New Operational Risk Reporting Rules

The European Banking Authority said that it has published new guidance to help institutions manage enhanced operational risk reporting, following a formal delay to the first reference date under the amended Implementing Technical Standards. The move follows the European Commission’s adoption of Regulation (EU) 2025/2475, which pushes the application of the new reporting obligations back to the end of June 2026.

OCC Sees a Resilient Banking System, but Warns Cyber Threats, Fraud, & Innovation Gaps Are Becoming Structural Risks

U.S. banks are closing out 2025 in strong financial shape, but the risks shaping the federal banking system are becoming less about capital and more about operational resilience. That is the message of the Office of the Comptroller of the Currency’s Fall 2025 Semiannual Risk Perspective, which finds banks well positioned to absorb potential stress while warning that cyber threats, fraud, and lagging technology investment are increasingly central to supervisory concerns.

Consumer Perception of Ethical Failures & Its Effect on Brand Loyalty

Ben & Jerry’s is an activist brand. It operates under a unique mission-driven board configuration that sets it apart from most subsidiaries of large corporations. Although owned by Unilever, the company maintains a semi-independent board specifically tasked with safeguarding its social mission, which includes environmental sustainability, human rights, and ethical business practices. This hybrid governance model combines traditional corporate oversight with dedicated representatives who ensure that Ben & Jerry’s activism and ethical commitments remain central to its decision-making. The board includes independent directors, Unilever representatives, employee voices, and social mission advocates, creating a structure designed to balance profitability with purpose, a rare approach in the corporate world.