Still Clinging to the Checklist? Why Most Risk & Audit Programs Won’t Change, Unless They’re Forced To

Key Takeaways
  • Status Quo Persists: Despite clear flaws, 75–95% of CROs and CAEs are expected to stick with traditional ERM and internal audit models in the absence of regulatory or board-driven pressure.
  • Inertia Over Innovation: Professional comfort zones, cultural resistance, and lack of regulatory mandates keep most organizations locked into outdated risk and audit practices.
  • Governance Illusions: Risk registers and heat maps may satisfy boards and regulators on paper but rarely support effective decision-making or strategic execution.
  • Ecosystem Lock-In: Consulting firms and software tools often reinforce legacy approaches, making it harder for organizations to pivot to more objective-driven models.
  • A Better Way Exists: In his recent Risk Is Our Business podcast episode, Tim Leech outlines how Objective Centric Risk and Uncertainty Management (OCRUM) can help organizations align risk with strategy, overcome inertia, and deliver real value.
Deep Dive

Flaws in traditional enterprise risk management (ERM) and legacy internal audit (IA) practices aren’t exactly a secret. Risk registers, heat maps, and audits focused solely on internal control deficiencies may look tidy in a board report, but they rarely reflect how risk really works or how organizations actually fail.

And yet, despite how easy these shortcomings are to spot (and prove), most organizations will continue using these approaches. Not because they’re the best way forward, but because they’re comfortable, well-entrenched, and, most importantly, unchallenged.

In recent posts, I’ve explored these issues from multiple angles, including with a bit of help from ChatGPT. In my latest exchange, I posed a blunt question: "In the absence of regulatory intervention, what percentage of CROs and CAEs are likely to stick with risk list ERM and IA methods focused on identifying management’s internal control weaknesses, despite the clear flaws?"

Here’s the straight answer: Most of Them Will. ChatGPT’s estimate? Between 75% and 95% of CROs and CAEs will likely stay the course, even if that course leads nowhere. Let that sink in.

Why? Because change is hard and risky in itself. It threatens comfort zones. It raises uncomfortable questions about leadership accountability. It means facing resistance from peers, executives, and sometimes boards who’ve grown used to a certain rhythm and routine.

It’s easier, and far safer career-wise, to maintain the illusion of control than to challenge it. Even when the methods are clearly broken.

What Keeps Organizations Stuck?

Here’s a breakdown of the key forces that keep flawed ERM and IA models on life support:

  • Professional Inertia: Most risk and audit leaders built their careers on legacy models. Shifting gears means rethinking everything and sticking your neck out without guaranteed board support.
  • Cultural and Political Headwinds: Objective-centric risk management surfaces uncomfortable truths. And let’s face it, many organizations would rather not go there.
  • No Regulatory Pressure: COSO, ISO, and IIA don’t mandate objective-centric approaches. They leave the door wide open for compliance theater.
  • Boards Aren’t Demanding Better: In many cases, boards get dashboards, heat maps, and top risk lists and assume that’s “good governance.” The illusion persists.
  • Vendor Ecosystems Reinforce the Old Ways: Software and consulting solutions are often optimized for the status quo. Reinventing the approach would require reinvesting and reeducating.

So What Happens Next?

Unless something external changes (regulators, boards, or stakeholders demanding a better way), the vast majority of organizations will keep doing what they’ve always done. That doesn’t mean it’s working.

As I’ve said before, "Shareholders and other stakeholders, be warned. Entities with purposeless boards and risk programs stuck in checkbox mode are unlikely to achieve their goals. And that describes most public companies, charities, and nonprofits today."

This isn’t just a professional opinion; it’s a structural reality.

There Is Another Way

If you want to dive deeper into what that better way looks like, I recently sat down (virtually) with Michael Rasmussen on the Risk Is Our Business podcast for an episode titled Shields Up, Heat Maps Down: Dismantling ERM Illusions.

We didn’t just critique the status quo. We talked through solutions, including Objective Centric Risk and Uncertainty Management (OCRUM), a model that puts strategy and objectives at the center of risk and assurance work, not static lists or red-yellow-green charts.

Because if risk management isn’t helping your organization actually achieve its purpose, what’s the point?
