Michael Rasmussen

If you’ve been keeping up with the evolving world of Governance, Risk, and Compliance (GRC), you may have come across my recent article that argues many GRC programs are fundamentally backward by focusing too much on compliance and risk before objectives. The article makes the case that true GRC should always start with clear organizational objectives, and everything else—risk, governance, and compliance—should support those goals. But why does this matter, and how can organizations better align their GRC strategies?

With the clock ticking down to the 2025 implementation of Provision 29 under the revised UK Corporate Governance Code (UK CGC), companies are in a race to align their risk management and internal controls with the new requirements. The mandate, which calls for boards to provide a declaration on the effectiveness of their risk frameworks, has sparked widespread discussion among compliance professionals, corporate leaders, and risk strategists.

In J.R.R. Tolkien's The Lord of the Rings, the Palantír—a mystical seeing stone—gives its user the power to peer into distant lands and foresee possible futures. While this gift is fraught with danger in the story, it’s a fitting metaphor for today’s organizations facing a world of uncertainty. Just as the Palantír offers a glimpse into potential futures, modern risk management tools provide organizations with the ability to foresee emerging risks and prepare for the unexpected. In this article, we’ll explore how businesses can use a Palantír-like approach—combining foresight with strategic planning—to anticipate challenges and better navigate the evolving landscape of risk.

Environmental, Social, and Governance (ESG) has been generating immense pressure on organizations across various industries and around the globe in recent years. Corporate investors are now making capital investment decisions based on a company’s ESG commitments, metrics, and ratings. Legislators and regulators worldwide are introducing regulations that focus on both the broad scope of ESG and its specific aspects (e.g., modern slavery, carbon emissions). Potential employees are choosing workplaces aligned with their values, not just their benefits. Similarly, customers are favoring products and services that reflect their principles. ESG has captured the attention of every level of an organization, from the boardroom to the operational frontlines.

For professionals in the realm of risk, compliance, and IT security, the role of the Chief Information Security Officer (CISO) has long been a cornerstone of organizational defense. But as technology evolves and risks become more interconnected, the role itself is undergoing a significant transformation. In a recent analysis in my piece The Death of the CISO: A Eulogy & Reincarnation, I discussed the impending end of the traditional CISO in favor of a more expansive role — the Digital Risk & Resilience Officer (DRRO).

Mark Twain famously said, “You’re never wrong for doing the right thing.” While Twain wasn’t contemplating Environmental, Social, and Governance (ESG) principles, his words resonate powerfully in a world where corporate behavior is under an unrelenting microscope. ESG is no longer a "nice-to-have." It’s a guiding ethos that challenges businesses to reconcile profitability with purpose—and to do so transparently, accountably, and authentically.

In today’s hyper-connected world, businesses rarely operate in isolation. Instead, they form part of intricate webs of suppliers, vendors, and third-party partners. These extended enterprise relationships offer a wealth of opportunities—streamlined operations, cost efficiencies, and specialization—but they also come with inherent risks. Managing these risks effectively requires a firm commitment to environmental, social, and governance (ESG) standards, operational resilience, and robust compliance strategies.