Insights

Why Risk & Internal Audit Aren't Focused on What Matters Most

In a recent LinkedIn post, I posed what I believe is one of the most important questions facing the risk management and internal audit professions today. If risk is defined in ISO 31000 as "the effect of uncertainty on objectives," why don't both professions begin with an organization's Mission Critical Objectives? It seems like an obvious place to start. Yet in most organizations, it isn't.

When Brands Go Quiet: The Fragility of Consumer Loyalty

For the past decade, many major brands experimented with political voice as a growth strategy. They spoke on social justice, democracy, climate, privacy, labor, and civil rights not as side commentary, but as identity. Consumers were encouraged to see purchases as moral alignment. Then something shifted. Some of those same brands have become quieter, more cautious, or selectively neutral. To consumers, that silence is not invisible. When a brand that once framed itself as values-driven retreats from political expression, the market interprets it as a renegotiation of trust. 

The End of Point-in-Time Security

The most dangerous assumption in enterprise security is rarely the one anyone remembers making. It settles quietly into the organization, becoming less a decision than a background condition, until eventually everyone begins treating a moment in time as though it were a durable fact. A system was patched, supplier was assessed, and administrator's access was reviewed. The penetration test found nothing significant and the audit closed without material findings. The evidence exists, neatly timestamped and carefully preserved, carrying all the reassuring weight that documentation has always carried. Then the environment changes around it and almost never dramatically.

When Trade Changes Suppliers, Third-Party Risk Changes Too

A supplier that looked perfectly sensible in January can become a liability by April without having changed at all. The factory is the same, the quality standards are the same, and the people answering the phone are the same people they were a few months earlier. What changed happened somewhere else, perhaps in a government office thousands of miles away, perhaps in the latest round of trade negotiations, perhaps in a policy announcement that never mentioned the supplier by name. Yet procurement is suddenly looking elsewhere, finance is recalculating costs, and operations is asking how quickly production can move if it has to.

From Static Checklists to Decision Systems: How AI Is Changing Compliance Work

Compliance is becoming too dynamic, evidence-heavy, and operationally connected to cybersecurity to be managed as a static documentation exercise. The opportunity for AI is not to replace governance judgment, but to help organizations turn evidence into defensible decisions faster.

The Future of Agentic AI Depends on Context

Recently, I asked buyers to inspect the machinery. This week, I am asking vendors to open the hood. The conversation about AI in GRC has reached a turning point. The market has heard the vision. It has seen the demos. It has absorbed the language of orchestration, agentic intelligence, autonomous assurance, and dynamic decision support. The frameworks have been published. The white papers have circulated. The analyst briefings have been given. The conference keynotes have landed.

The UAE Governance Reset: How 2026’s Regulatory Cluster Is Forcing Boards to Prove Control Effectiveness

The simultaneous arrival of a new capital-market authority, a rewritten companies law, and stricter governance and audit rules is transforming UAE corporate governance from a compliance exercise into a demonstrable system of control.