Insights

Talking About Internal Audit Assurance

In this article, Norman Marks breaks down the difference between traditional, retrospective assurance and the kind of forward-looking insight that truly supports decision-making. Drawing on his decades of experience, he challenges internal auditors to shift their focus from the past to the future, and to deliver assurance that helps organizations navigate the risks and opportunities ahead.

What’s the Point of Corporate Governance If Boards Don’t Know Their Purpose?

In this article, Tim Leech expands on a recent post he shared in the LinkedIn discussion group Objective Centric Risk & Uncertainty Management to explore a fundamental, and often overlooked, question in modern governance: Do boards actually agree on their purpose? Drawing on decades of research and a collaborative analysis with ChatGPT, Leech argues that the staggering cost of governance failures may stem from one core issue: there is no consensus on the very purpose of corporate governance itself.

UK’s New Data Law Brings Clarity, Flexibility, & Teeth

The UK’s data protection regime has just undergone its biggest recalibration since Brexit. On June 19, 2025, the Data (Use and Access) Act (DUAA) received Royal Assent, introducing a suite of reforms aimed at modernizing how organizations collect, use, and share personal information. But unlike GDPR’s transformative shake-up in 2018, this legislation is more evolutionary than revolutionary, nudging UK data protection in a direction that’s lighter on red tape, but still recognizably rights-driven.

The Role of AI in Transforming GRC Practices

As the world becomes more interconnected and regulatory frameworks grow in complexity, organizations are under increasing pressure to manage risks effectively while remaining compliant. The role of artificial intelligence (AI) in Governance, Risk, and Compliance (GRC) is evolving rapidly, offering promising solutions to enhance decision-making, automate repetitive tasks, and ensure compliance across various business functions. While the integration of AI into GRC tools provides unprecedented efficiency, it also introduces challenges that organizations must carefully navigate.

Is Resilience a Step Up from Risk Management?

In this reflective piece, risk management expert and author Norman Marks draws from his own leadership experience in IT and governance to explore the relationship between resilience and risk management. From disaster recovery planning to strategic decision-making, he explains why resilience, while essential, is just one tool in a much larger toolkit. Sometimes, being resilient isn’t enough. Sometimes, the smartest move is to change course altogether.

Revolutionizing Risk Management: Moving Beyond Compliance to Strategic Value

In a previous article I wrote, The “R” in GRC: What Risk Management Software Should Really Deliver, I discussed the challenges many organizations face with risk management technology—how too often, what’s marketed as “risk management” software falls short, becoming little more than digital filing cabinets that serve bureaucratic needs instead of strategic decision-making. While many risk modules excel at routing forms, assigning tasks, and storing data, they fail to provide the kind of insight necessary for meaningful risk management.

Emerging from the Muddle of Matrices

In this article, Graeme Keith dives into the limitations of traditional risk matrices and presents an alternative approach to risk management. By exploring the need for a model that better aligns with real-world decision-making, Keith highlights the shortcomings of compliance-driven exercises and offers a framework that allows businesses to better assess and prioritize risks across the enterprise.