Insights

The Orchestrated Enterprise: A Risk Leader’s Manifesto

Technology does not create good risk management. Strategy does. Risk, by its nature, is not the enemy. As I often remind listeners on the Risk Is Our Business podcast, the company that avoids risk altogether is already obsolete. The task isn't to eliminate uncertainty; it's to orchestrate it: to take the right risks, at the right time, with purpose, visibility, and confidence.

Boards Still Don’t Ask: The Governance Disease Behind “Mission Critical” Blind Spots

When Delaware’s Chancery Court reminds directors that they have a fiduciary duty to oversee mission critical risks, it’s diagnosing a deeper governance disease, not just offering abstract legal theory.

From Silos to Systems: GRC Architecture

In his piece, Ayoub Fandi dives into the hidden cracks of modern GRC programs, where siloed tools, mismatched taxonomies, and broken information flows leave organizations vulnerable. Drawing on his engineering background and his work leading GitLab’s Security Assurance Automation team, Fandi makes the case for treating GRC like infrastructure, something that needs careful architecture before automation. Through practical insights and a clear-eyed critique of today’s compliance practices, he reframes GRC as a system that can scale with the speed of modern business.

Full Report: 2025 State of Risk & Compliance

NAVEX partnered with The Harris Poll to survey nearly 1,000 risk and compliance professionals globally about their R&C programs. The survey was conducted between April and May 2025 and represents professionals from a range of industries and organization sizes worldwide.

What Is a Risk Model?

In his latest article, Graeme Keith explores the foundations of risk modeling, tracing its roots from ancient mathematics to modern decision-making. He argues that models should begin with real-world problems, not abstract equations, and makes the case for why risk modeling must remain intelligible to decision makers.

Mapping the Future of Risk & AI Governance

As we move further into the digital era, organizations face an increasingly complex landscape of risks, from brand reputation challenges to AI governance and cybersecurity concerns. To help professionals and executives navigate these evolving threats, I am publishing my research categories for 2025/2026, highlighting the areas that will demand attention, insight, and innovation over the next two years.

Operational Resilience as Strategy: DORA, the UK, CPS 230, & the Road Ahead

In an era defined by disruption, resilience is no longer a side conversation in boardrooms; it is the conversation. Cyber incidents, technology outages, geopolitical instability, and supply chain fragility are not "if" events; they are "when" events. Regulators, investors, and customers all demand that you show them not only that you can take the hit, but that you can recover, adapt, and continue to deliver.