The New Visibility Imperative
Key Takeaways
- Visibility Has Become the Defining Challenge in Risk Management: Across resilience, enterprise risk, cybersecurity, internal controls, climate risk and emerging technology discussions, speakers consistently emphasized that organizations must improve their ability to see, understand and respond to changing risks before traditional reporting cycles catch up.
- Static Governance Models Are Giving Way to Continuous Risk Intelligence: From risk registers and business continuity plans to control testing and cyber assessments, presenters argued that periodic, point-in-time approaches are increasingly insufficient in environments shaped by AI, interconnected dependencies and rapidly evolving threats.
- Quantification Is Replacing Subjective Risk Assessment: Multiple sessions highlighted a shift away from qualitative scoring and toward measurable financial, operational and resilience-based metrics that allow organizations to better understand exposure and prioritize decision-making.
- AI Is Reshaping Both Risk and Risk Management: Presentations from EY, Deloitte, Mitratech and cybersecurity experts demonstrated how AI is accelerating control testing, monitoring and risk detection while simultaneously creating new governance, accountability and security challenges that organizations must actively manage.
- Tomorrow's Biggest Risks Require Action Today: Whether discussing quantum computing, climate exposure, cyber resilience or AI governance, speakers repeatedly stressed that organizations must develop visibility into emerging risks before those risks manifest as regulatory findings, operational disruptions or financial losses.
Deep Dive
The first day of Risk-!n Zurich featured discussions on business continuity, enterprise risk management, internal controls, cybersecurity, climate resilience, artificial intelligence and quantum computing. On paper, it looked like a conference agenda built around a broad collection of risk disciplines.
In practice, many of the presentations were wrestling with the same question. How do organizations maintain visibility into risks that are moving faster than the governance structures designed to oversee them?
That challenge surfaced repeatedly throughout the day. It appeared in discussions about AI-enabled cyberattacks, in debates about the future of risk registers, in conversations about operational resilience, and even in presentations focused on climate exposure and quantum computing. Different speakers approached the issue from different directions, but many arrived at a similar conclusion: the traditional mechanisms organizations use to identify, measure and manage risk are increasingly struggling to keep pace with the environments they were built to govern.
The issue is not a lack of data. Organizations have access to more information than at any point in history. The challenge is transforming that information into meaningful visibility before circumstances change again.
The Shift From Documentation to Visibility
One of the strongest themes to emerge during the day was the growing distinction between documenting risk and understanding it. Maximilian Glodde, CEO of MEO Continuity, framed the challenge through what he called "The Mushroom Problem." Enterprise risk managers, he argued, operate in environments filled with dependencies, exposures and competing priorities. Like someone walking through a forest filled with mushrooms, the difficulty is rarely finding things that could matter. The difficulty is determining what deserves attention before resources are exhausted.
Glodde's presentation focused on resilience and business continuity, but the broader argument extended well beyond those disciplines. Traditional approaches to risk management often rely on categorization and scoring systems that create an appearance of precision without necessarily improving understanding. A risk assigned a score of four instead of three may appear quantifiable, yet the underlying exposure often remains difficult to interpret in practical business terms.
His alternative was a greater emphasis on quantification. Financial exposure, recovery objectives, operational dependencies and disruption scenarios should be measured in ways that allow organizations to understand actual consequences rather than simply ranking risks against one another. As Glodde noted, changing the unit of measurement often changes the conversation itself.
That emphasis on visibility through quantification reappeared elsewhere during the day.
Representatives from AXA Climate demonstrated how organizations are increasingly attempting to translate climate and biodiversity risks into measurable operational and financial impacts. Rather than treating climate exposure as a standalone sustainability issue, the focus was on identifying vulnerable sites, quantifying potential consequences and linking adaptation decisions to business outcomes.
Similarly, discussions involving E.ON highlighted the growing complexity of operating critical infrastructure in an environment shaped by energy transition, digitalization and significant investment requirements. The challenge is not simply identifying risk factors but understanding how interconnected systems behave under changing conditions.
Viewed together, these sessions suggested a broader shift underway across the profession. Risk management is becoming less focused on maintaining inventories of risks and more focused on creating visibility into how risks interact, evolve and ultimately affect organizational performance.
Static Frameworks Meet Dynamic Risk
If the resilience discussions focused on visibility, Jan Stappers of Mitratech focused on speed. His presentation challenged three assumptions that have traditionally underpinned enterprise risk management: that risks move relatively slowly, that risks can be assigned to a single owner, and that risks largely remain within organizational boundaries.
Artificial intelligence, according to Stappers, is challenging all three assumptions simultaneously. AI-driven events can emerge in hours rather than quarters. AI-related exposures frequently span legal, compliance, technology, procurement and human resources functions at the same time. Increasingly, organizations are exposed to risks originating not within their own operations but through third-party models, suppliers and interconnected ecosystems.
The implication is that static risk registers are becoming less effective as primary mechanisms for understanding risk.
Stappers contrasted traditional risk registers with what he described as risk intelligence platforms. The distinction was not simply technological. It reflected a shift from periodic review cycles toward continuous monitoring, from siloed information toward connected intelligence and from documenting risk after the fact toward identifying emerging signals before they become incidents.
His argument reinforced a broader theme visible throughout the conference. The challenge facing risk leaders is no longer simply collecting information. It is maintaining situational awareness in environments where conditions change continuously.
The Control Function Is Becoming Continuous
The same pressures are reshaping internal controls. Presentations from EY and Deloitte focused on practical applications of artificial intelligence within control environments, but the more significant story was what those use cases revealed about the future of assurance.
Traditional control testing remains largely periodic, retrospective and sample-based. Controls are reviewed after execution, tested against selected populations and assessed through processes that often consume significant resources.
The models presented by both firms looked markedly different. EY demonstrated how AI can support control rationalization, automate control quality reviews, generate standardized control descriptions and enable broader testing coverage. Deloitte shared examples of AI-enabled control processes designed to review millions of transactions while maintaining auditability, human oversight and traceability.
Importantly, neither presentation argued that AI should replace governance. In fact, both emphasized the opposite. Explainability, human-in-the-loop oversight, monitoring mechanisms, audit trails and clear accountability structures were recurring themes.
The message was not that controls are disappearing. The message was that controls are becoming continuous. Instead of periodic testing exercises designed to confirm whether controls operated correctly in the past, organizations are increasingly building environments capable of identifying issues closer to the moment they occur.
When Risk Begins Moving at Machine Speed
Nowhere was the tension between traditional governance and modern risk more apparent than in the cybersecurity discussions. One presentation highlighted a recent incident involving an AI platform compromise that reportedly progressed from initial access to extensive system exposure within two hours. The statistic was presented alongside industry figures showing breach identification and containment timelines measured in months rather than hours.
The contrast captured a challenge that surfaced repeatedly throughout the day. Organizations increasingly face risks operating at machine speed while many governance mechanisms continue to operate at human speed.
The presentation argued that AI now occupies three distinct positions within the risk landscape. It functions as an attacker through autonomous offensive capabilities. It functions as an attack surface through copilots, agents, models and supporting infrastructure. It also functions as an asset class that organizations must govern, monitor and increasingly report upon.
Traditional tools such as vulnerability scoring systems, point-in-time penetration tests and static heatmaps were not dismissed outright. Rather, speakers questioned whether those approaches remain sufficient on their own.
The emerging model emphasized continuous validation, threat-informed testing and tighter connections between technical findings and business decision-making. The objective is not simply to generate evidence. The objective is to generate decisions.
Preparing for Risks That Have Not Fully Arrived
While many discussions focused on acceleration, the quantum computing session provided a useful counterpoint. Professor Dr. Kathrin Kind of Qubitnexus.AI focused on risks that remain largely prospective but are becoming increasingly difficult to ignore.
The presentation explored the implications of cryptographically relevant quantum computing, including threats to existing encryption standards, policyholder information, digital identities and long-term data protection strategies. The insurance implications were particularly notable, ranging from underwriting challenges and cyber insurance liability to questions surrounding silent exposure and future regulatory expectations.
What made the session especially relevant within the broader context of the day was its focus on visibility. Quantum computing has not yet created widespread operational disruption. That is precisely why it presents a governance challenge.
Organizations must decide how to prepare for risks before those risks become visible through historical loss events. Waiting for certainty may ultimately prove more expensive than acting on emerging evidence.
A Profession in Transition
By the end of the first day, a clear picture had emerged. The conference was not ultimately about artificial intelligence, cybersecurity, climate risk, business continuity or quantum computing individually. It was about the growing difficulty of seeing risk clearly.
Whether speakers discussed resilience plans, control frameworks, cyber exposures, climate models or emerging technologies, they repeatedly returned to the same underlying challenge. The pace, complexity and interconnected nature of modern risk increasingly exceed the assumptions built into many traditional governance structures.
The organizations that adapt successfully will not necessarily be those with the most data, the largest technology budgets or the most sophisticated models. They will be the organizations capable of turning information into visibility, visibility into decisions and decisions into action before the environment changes again.
That challenge was visible throughout the first day of Risk-!n Zurich. It is likely to define much of the conversation for years to come.

