Insights

The true purpose of every Chief Risk Officer (CRO) and Chief Audit Executive (CAE) should be to support management and boards in making informed, critical decisions. Unfortunately, this is not always the case today. Risk units and internal audit functions should be instrumental in guiding management and boards in the decision-making process, particularly when it comes to managing risks and uncertainties linked to mission-critical objectives (MCOs).

The Institute of Internal Auditors (IIA) recently released a Public Consultation Draft for its Third-Party Topical Requirement. At first glance, it may seem like a technical set of guidelines, but the stakes are high. As businesses increasingly rely on third-party relationships—whether with vendors, contractors, consultants, or others—internal auditors face growing challenges in managing these complex connections. The IIA’s draft aims to offer a more standardized, comprehensive approach to assessing and managing the risks tied to external partnerships. For organizations that regularly engage with third parties, the draft provides a clear framework designed to ensure that no critical risks go unnoticed.

In a world where regulations are constantly evolving, businesses must stay agile and informed to maintain compliance and drive innovation. The European Union (EU) and the United States (US) are two of the largest regulatory powerhouses globally, and understanding how their frameworks shape corporate strategy is crucial for any business with global ambitions. While both regions share common goals of promoting economic growth and corporate responsibility, their approaches to achieving these goals couldn’t be more different.

Our recent survey reached over 100 dedicated and experienced professionals from across the GRC spectrum. Ranging from compliance and risk management to cyber risk and integrated GRC, these individuals are the ones on the front lines, and their insights remind us that behind every percentage is not just statistic but a true human story, a tale of vigilance, collaboration, and the unyielding drive to create a resilient, compliant, and better future.

On March 2, 2025, the U.S. Treasury Department made a noteworthy announcement that immediately caught the attention of businesses and legal experts alike. The department revealed that it would not enforce penalties or fines tied to the Corporate Transparency Act’s (CTA) beneficial ownership information (BOI) reporting requirements, including those set for the March 21, 2025 filing deadline. This move effectively gives businesses a breather, halting the looming threat of fines for failing to meet reporting obligations under the current rules.

As 2025 unfolds, organizations are grappling with an unprecedented wave of risk. The world is changing rapidly, and so too are the risks businesses must navigate. Geopolitical tensions are escalating, economic forecasts are fluctuating, and technology—especially Artificial Intelligence (AI)—is completely reshaping entire industries while amplifying threats in ways we’ve never seen before. From AI-driven cyberattacks to increasingly complex global conflicts, the stakes have never been higher.

If you’ve been keeping up with the evolving world of Governance, Risk, and Compliance (GRC), you may have come across my recent article that argues many GRC programs are fundamentally backward by focusing too much on compliance and risk before objectives. The article makes the case that true GRC should always start with clear organizational objectives, and everything else—risk, governance, and compliance—should support those goals. But why does this matter, and how can organizations better align their GRC strategies?