Insights

In his latest piece, Norman Marks breaks down a critical gap he continues to see across GRC and ERM programs: the absence of a true top-down, objective-focused approach. While many organizations and software platforms emphasize identifying risks first and then mapping them to objectives, Marks argues that this bottoms-up structure misses what matters most. To understand risk and opportunity in a meaningful way, he explains, organizations must start with their enterprise objectives, strategies, and goals, and then determine what could hinder or enable their achievement.

In this article, Ayoub Fandi breaks down why so many organizations still treat GRC as a yearly project tied to audits rather than as a strategic product that continuously delivers value. By reframing GRC as something that evolves, improves, and serves real users across the business, he illustrates how organizations can reduce manual effort, improve their security posture, and align risk management with decision-making. The goal is to move beyond compliance checklists, and instead build a living, continuous GRC program that drives resilience and supports the business every day, not just during audit season.

If you are driving down the highway at 65mph (104.6kph), a broken-down truck in the middle of the road ahead is a serious source of risk. You might consider it the #1 entry in your list of top risks (if you were to put such a list together as you were driving). But what if you can’t see it?

The conversation began with a question posed in a recent post, “Are professional institutes and regulators rejecting AI research and logic because they don’t want to change?”

It’s been a long decade for authenticity. Once the darling of brand strategy, it’s now nursing a moral hangover. Every company claimed a purpose, every CEO went on LinkedIn to “get real,” and every product came with a sustainability story just waiting to be debunked.

For years, AI governance has been built around preventing bad decisions before they happen. Organizations assess training data, test accuracy, evaluate bias, write principles, and sign off on models before they go live. That made sense when AI produced insights and humans made the choices that followed.

Every crisis begins with a moment of disbelief. The thing that wasn’t supposed to happen suddenly has, and the assumptions that felt so comfortable a day earlier now feel paper-thin. That’s when risk management either shows up or falls apart.