Insights

Risk & Internal Audit Need to Focus on What Matters Most

A recent post I shared on LinkedIn on the future direction of risk management and internal audit generated a lot of discussion. Not because the ideas were particularly radical, but because many risk and internal audit professionals recognize the profession is reaching an inflection point.

Swiss GRC Day 2026 Puts Heat Maps, Quantification, & Governance Culture Under the Microscope

A debate over heat maps was always going to draw attention at SWISS GRC DAY 2026. Not because anyone in governance genuinely loves them anymore, but because they still sit everywhere, inside board decks, quarterly reports, audit presentations, and risk committee updates, long after many organizations quietly stopped trusting them.

GRC & the Dangerous Comfort of Artificial Clarity

In my recent article, GRC Alchemy: Imagination, Knowledge, and the Future of GRC, I argued that many organizations have become trapped in the mechanics of governance, risk, and compliance while losing sight of the larger architectural and strategic purpose behind it all. The challenge is no longer simply collecting more data, automating more workflows, or building more dashboards. Most organizations already have more information than they know what to do with.

The Operational Reality Behind Europe’s Simplification Agenda

At one point during the scramble around the EU Deforestation Regulation, people in compliance departments were trying to determine whether a shipment of cattle-derived products could be reliably traced back to land parcels that, in some cases, had changed ownership multiple times across jurisdictions with inconsistent land registries and uneven digital infrastructure. There were meetings about satellite imagery. Meetings about geolocation coordinates. Meetings about whether suppliers in rural regions would even understand the documentation requests they were suddenly receiving from European multinationals. Entire teams found themselves discussing forests they would never see.

The Black Swan Is a Red Herring

In this article, Graeme Keith explores the enduring influence of Nassim Nicholas Taleb’s Black Swan theory and the growing tendency to use unpredictable events as a catch-all explanation for failures in risk management and preparedness. Examining the limitations of traditional modeling frameworks, the dangers of retrospective narrative-building, and the cognitive biases that shape how organizations interpret uncertainty, Keith argues that the real lesson of Black Swan events is not that forecasting is futile, but that current approaches to modeling risk remain fundamentally inadequate for the complexity of the modern world.

ISO Audits Are Exposing the Gap Between Compliance on Paper & Compliance in Practice

As organizations close out reporting cycles and certification bodies continue surveillance activity, a familiar pattern is surfacing inside companies across industries. Policies look polished. Dashboards appear reassuring. Certifications remain displayed proudly on websites and office walls. But under audit scrutiny, many of those systems begin to fracture.

Dynamic Organizational Dimension Modeling: Because “Winging It” Doesn’t Scale

In today’s enterprise, change behaves less like a calendar event and more like a weather pattern that refuses to settle down. Markets shift faster than strategies can catch up, teams appear and disappear like pop-up shops, and regulators rewrite the rules just as everyone finishes reading the old ones. Yet most organizations are still using management models that behave like they live in a museum. Reports, governance frameworks, and analytics engines were built for a world where “change management” meant an annual meeting, not a daily lifestyle.