Insights

ISO Audits Are Exposing the Gap Between Compliance on Paper & Compliance in Practice

As organizations close out reporting cycles and certification bodies continue surveillance activity, a familiar pattern is surfacing inside companies across industries. Policies look polished. Dashboards appear reassuring. Certifications remain displayed proudly on websites and office walls. But under audit scrutiny, many of those systems begin to fracture.

Dynamic Organizational Dimension Modeling: Because “Winging It” Doesn’t Scale

In today’s enterprise, change behaves less like a calendar event and more like a weather pattern that refuses to settle down. Markets shift faster than strategies can catch up, teams appear and disappear like pop-up shops, and regulators rewrite the rules just as everyone finishes reading the old ones. Yet most organizations are still using management models that behave like they live in a museum. Reports, governance frameworks, and analytics engines were built for a world where “change management” meant an annual meeting, not a daily lifestyle.

When Compliance Becomes Theater

There was a time when the challenge for compliance teams was visibility. Policies sat in binders. Codes of conduct gathered dust. Ethics, where it existed, lived more in aspiration than in practice. That problem, for the most part, has been solved.

When Governance Misses the Point & How AI Could Bring It Back

There is a definition of risk that most organizations readily cite but far fewer truly operationalize. It comes from ISO 31000 and is echoed in frameworks developed by COSO. Risk, in its simplest and most useful form, is the effect of uncertainty on objectives.

Five Ways GRC Professionals Are Actually Using AI & the One Place I Will Not Put It

About a year ago, a risk analyst on one of my client teams told me she had just reviewed a 94-page SOC 2 report in twelve minutes. She used Claude. She did it at her kitchen table at 9 PM because she had two kids and the workday had long since ended.

From Business Case to Business Change: Making TPRM Value Stick

The response to my session at Icon 2026 reminded me of something I have seen many times in this field. Organizations are not struggling to agree with the argument for supplier risk management. They are struggling to act on it. In the latest piece on my website, We Are Measuring the Value of TPRM Wrong, I argued that the business case for supplier risk management has been framed too narrowly: too focused on workflow, controls, and compliance, and not nearly enough on avoided disruption, avoided loss, and the confidence to move through uncertainty.

From Volume to Judgment as FinCEN Forces AML Into Its Next Phase

For decades, anti-money laundering compliance has been defined by accumulation. More alerts, more filings, more controls, more documentation. Each layer added with the quiet understanding that no one would be faulted for doing too much, only for doing too little. The result was not failure, exactly, but a kind of defensive equilibrium. Programs became expansive, but not necessarily incisive. Activity was measurable. Effectiveness was not.