EY’s latest Global Risk Transformation Study draws a sharp line between organizations merely enduring volatility and those converting it into strategic momentum. In today’s NAVI world (nonlinear, accelerated, volatile, interconnected) the margin between thriving and stumbling is defined not by luck, but by leadership mindset and structural alignment.
The numbers don’t lie. 96% of S&P 500 companies have experienced data breaches. 41.8% of fintech breaches can be traced back to third-party vendors. 68% of UK fintechs report rising fraud cases, with losses reaching as much as £5 million.These aren’t isolated incidents; they are symptoms of a systemic issue. As organizations become more reliant on third-party ecosystems, the costs of insufficient Third-Party Risk Management (TPRM) have never been greater.
In my recent post, the central question was posed with disarming clarity. If mission critical objectives (MCOs) define the very survival and long-term performance of an organization, why don’t regulators require boards to focus their oversight on them? It seems like the most direct way to strengthen governance.If boards were explicitly tasked with monitoring risks to MCOs, they would naturally direct management, risk teams, and internal auditors to align their assessments and reporting accordingly. Instead, regulators continue to emphasize processes and disclosures that often miss the mark, leaving businesses exposed and stakeholders carrying the weight of failures that cumulatively amount to staggering losses.
These past few months have seen AI’s explosion into the market, transforming how many businesses, companies, and even everyday consumers function on a daily basis. AI has even made its way into many governments and offices of CEOs, with many investing time and resources into furthering its function and abilities, all while trying to make sense of the rapidly evolving technology. Despite minimal conversation surrounding its debut, risk and compliance have now become a larger talking point, with officials taking notice.
In this article, Norman Marks reflects on how internal audit must evolve in step with the rapid changes reshaping global businesses. Drawing on his own experience as Chief Audit Executive at Tosco Corporation, Marks argues that internal audit should be designed around the risk universe rather than static frameworks, emphasizing flexibility, agility, and a willingness to rethink traditional models in the face of AI-driven transformation.
In a universe where regulations multiply faster than Tribbles and risk events arrive with all the subtlety of a falling whale, it helps to have a guide. A few weeks ago, we published Don’t Panic A Hitchhiker’s Guide to the GRC Technology Galaxy, a friendly reminder that the GRC universe is vast, strange, and occasionally full of Vogon-level bureaucracy.
When Carole Switzer talks about lawyers and their role in governance, risk, and compliance, she doesn’t sound like someone reading off a checklist. She sounds more like a coach urging a team to play the bigger game.