Best Practices Managing Operational Risk in 2025
SAI360’s latest white paper uses the January 31, 2025 Barclays outage as a clear reminder that digital service failures can rapidly escalate into financial disruption and lasting reputational harm.
In this piece, Ayoub Fandi breaks down why so many enterprise GRC programs struggle with the gap between documented controls and real-world execution. He explains how control orchestration closes that gap by shifting GRC from a paperwork exercise to an operational engine, one that drives consistent execution, strengthens security posture, and delivers clearer, real-time visibility into what’s actually happening across the organization.
Third-party risk teams have spent the last few years preparing for a world where ESG reporting would continually grow in scope, depth, and regulatory expectation. Companies were told to map emissions throughout their supply chains, understand human-rights risks in their upstream tiers, and gather detailed data from suppliers that had never before been part of formal reporting channels. For better or worse, the direction felt clear.
Political events beyond a company’s control—such as sudden regime changes, civil unrest, or expropriation—can pose serious financial threats, impacting revenues, assets, operations, and contractual obligations. Political risk insurance exists to shield businesses from exactly these uncertainties. By transferring the potential economic fallout to an insurer, companies safeguard themselves against the full brunt of a crisis, preserving financial stability even when unforeseeable disruptions occur.
In my last piece, The Inevitability of Failure, I wrote about something most leaders quietly know but rarely say out loud—failure isn’t an interruption of the journey, it is the terrain. That article opened the door to a conversation I’ve been having with myself for decades, long before GRC became my lens for understanding how organizations move through uncertainty.
In this article, Norman Marks dives into the evolving concept of continuous assurance, challenging traditional notions of continuous auditing and urging internal auditors to focus less on reviewing the past and more on providing real-time confidence in the future. Drawing on his own experiences as a former Chief Audit Executive and early adopter of continuous auditing techniques, Marks explores how true assurance comes from understanding risk as it changes, engaging with management regularly, and providing insight that helps organizations anticipate, not just detect, issues.
In my recent post, I suggested that risk management and internal audit would better serve management, boards, and stakeholders if they operated from a shared purpose. The idea is straightforward: both functions should focus on ensuring leadership receives reliable, decision-useful information about the uncertainties that affect the organization’s mission critical objectives. If they did that consistently, organizations would make better decisions and achieve better outcomes.