Insights

Why Regulators Avoid Directing Boards Toward Mission Critical Oversight

In my recent post, the central question was posed with disarming clarity. If mission critical objectives (MCOs) define the very survival and long-term performance of an organization, why don’t regulators require boards to focus their oversight on them? It seems like the most direct way to strengthen governance. If boards were explicitly tasked with monitoring risks to MCOs, they would naturally direct management, risk teams, and internal auditors to align their assessments and reporting accordingly. Instead, regulators continue to emphasize processes and disclosures that often miss the mark, leaving businesses exposed and stakeholders carrying the weight of failures that cumulatively amount to staggering losses.

Regulating the Future: America’s AI Plan

These past few months have seen AI’s explosion into the market, transforming how many businesses, companies, and even everyday consumers function on a daily basis. AI has even made its way into many governments and offices of CEOs, with many investing time and resources into furthering its function and abilities, all while trying to make sense of the rapidly evolving technology. Despite minimal conversation surrounding its debut, risk and compliance have now become a larger talking point, with officials taking notice.

Redesigning Internal Audit

In this article, Norman Marks reflects on how internal audit must evolve in step with the rapid changes reshaping global businesses. Drawing on his own experience as Chief Audit Executive at Tosco Corporation, Marks argues that internal audit should be designed around the risk universe rather than static frameworks, emphasizing flexibility, agility, and a willingness to rethink traditional models in the face of AI-driven transformation.

The Improbability Drive of GRC: Hitchhiker’s Guide to Surviving the Technology Galaxy

In a universe where regulations multiply faster than Tribbles and risk events arrive with all the subtlety of a falling whale, it helps to have a guide. A few weeks ago, we published Don’t Panic A Hitchhiker’s Guide to the GRC Technology Galaxy, a friendly reminder that the GRC universe is vast, strange, and occasionally full of Vogon-level bureaucracy.

Lawyers Need to Stop Thinking Small About GRC: An Interview with Carole Switzer

When Carole Switzer talks about lawyers and their role in governance, risk, and compliance, she doesn’t sound like someone reading off a checklist. She sounds more like a coach urging a team to play the bigger game.

The Don’t Tell/Don’t Ask Pact Driving Governance Failures

In my previous piece, Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk, I explored why so few boards demand reporting on the risks and uncertainties that threaten an organization’s most important objectives. Like that piece, this one began with a social media post that sparked a strong reaction, because it points to a governance reality many know but rarely admit.

Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk

In a recent post, I posed a question that I believe cuts to the heart of modern risk governance: why haven’t most boards asked for reports on risk and uncertainty linked to the mission critical objectives that ultimately define whether organizations succeed or fail?