Norman Marks

In his latest piece, Norman Marks breaks down a critical gap he continues to see across GRC and ERM programs: the absence of a true top-down, objective-focused approach. While many organizations and software platforms emphasize identifying risks first and then mapping them to objectives, Marks argues that this bottoms-up structure misses what matters most. To understand risk and opportunity in a meaningful way, he explains, organizations must start with their enterprise objectives, strategies, and goals, and then determine what could hinder or enable their achievement.

If you are driving down the highway at 65mph (104.6kph), a broken-down truck in the middle of the road ahead is a serious source of risk. You might consider it the #1 entry in your list of top risks (if you were to put such a list together as you were driving). But what if you can’t see it?

In this candid and thought-provoking piece, Norman Marks challenges conventional definitions of risk and risk management, arguing that most frameworks fail to resonate with how real-world decisions are made. Drawing from his decades of executive experience and referencing the ideas of Grant Purdy and Roger Estall, Marks reframes “risk” as simply “what might happen”, a practical, plain-English approach that bridges the gap between theory and management reality.

In Norman Marks’ latest piece, he emphasizes why boards, CEOs, and auditors should place their attention on the controls that matter most—those tied directly to enterprise objectives. Drawing on decades of experience, Marks underscores that auditing should be future-focused and risk-based, centering on the design and operation of critical internal controls rather than just data testing.

In this article, Norman Marks reflects on how internal audit must evolve in step with the rapid changes reshaping global businesses. Drawing on his own experience as Chief Audit Executive at Tosco Corporation, Marks argues that internal audit should be designed around the risk universe rather than static frameworks, emphasizing flexibility, agility, and a willingness to rethink traditional models in the face of AI-driven transformation.

In the latest piece from Norman Marks, the veteran governance, risk, and audit thought leader takes a bold leap into the near future, imagining how AI could fundamentally reshape decision-making, risk management, and the role of internal audit. Through a vivid crystal-ball scenario, Marks explores what happens when AI becomes a trusted partner for executives, operations, and assurance functions alike.

In Norman Marks’ latest piece, he dives into the persistent misconception that cyber risk stands apart from broader business concerns. Drawing on timeless advice from former Protiviti executive Ed Hill and tying in new findings from Qualys’ 2025 cyber risk report, Marks makes the case for breaking down silos and treating cyber as just one of many risks competing for limited resources and executive attention.