Insights

In Norman Marks' latest article, he explores the complexities of risk management and governance frameworks, shedding light on the often-confusing acronyms that are commonly used in the industry. From Governance, Risk, and Compliance (GRC) to Enterprise Risk Management (ERM), Integrated Risk Management (IRM), and beyond, Marks provides clarity on how these terms interconnect and why understanding their nuances is crucial for effective risk management in today’s business environment.

As organizations evolve and face increasingly complex risks, the shift toward objective-centric Enterprise Risk Management (ERM) and internal audit methods has been widely recognized as more effective. By focusing on the impact of uncertainty on mission-critical objectives, companies can take a proactive approach to managing risk and better align their risk management strategies with overall business goals. Unlike traditional risk list approaches, which often focus on identifying and mitigating individual risks in isolation, objective-centric ERM integrates risk management into the organization’s strategic planning process, ensuring that risks are assessed in the context of their potential impact on key objectives.

The GRC Report is proud to announce the launch of its new podcast, Risk Is Our Business, hosted by renowned GRC analyst Michael Rasmussen. The series promises candid, thought-provoking conversations at the intersection of governance, risk, compliance, and culture—cutting through the noise to explore what truly shapes responsible business today.

In an era where risk is increasingly interconnected, multifaceted, and shifting in real time, organizations can no longer rely on static frameworks to manage governance, risk, and compliance (GRC). Traditional tools such as policies, controls, and spreadsheets, while valuable, no longer offer the adaptability required to navigate the complexities of today’s business landscape. Risk no longer exists in isolated silos; it cascades through supply chains, reverberates across organizational structures, and evolves in response to forces like regulatory change, geopolitical events, environmental disruptions, and rapid technological advancements. To thrive in this turbulent environment, organizations need GRC tools that are as dynamic and fluid as the risks they aim to mitigate.

In his latest article, Norman Marks investigates the evolving role of artificial intelligence (AI) in Sarbanes-Oxley (SOX) compliance, offering valuable insights into how AI can revolutionize internal controls and risk management practices. In this article, he explores the potential of AI to enhance the efficiency and effectiveness of SOX programs, from risk assessment to process documentation, and emphasizes the importance of maintaining a focus on financial statement integrity while navigating the opportunities and challenges AI presents.

As organizations continue to evolve in an increasingly interconnected world, it has become abundantly clear that the way we manage third-party relationships is at the heart of effective governance, risk management, and compliance (GRC). What was once seen as a linear process of managing external partnerships has now transformed into an intricate web of interconnected relationships that extend across global suppliers, contractors, service providers, and more. These third-party connections form what is known as the extended enterprise, and within this ecosystem lies some of the most pressing challenges organizations face today.

In today's risk landscape, regulatory-driven practices often fail to deliver meaningful value. Graeme Keith examines the challenges and opportunities presented by the dichotomy between Risk Management 1 (RM1) and Risk Management 2 (RM2). By exploring the unintended consequences of regulatory pressure on risk management systems, Keith presents a case for evolving traditional risk practices into a more strategic, decision-supportive approach.