China’s market rally is starting to make regulators uneasy. As the country’s benchmark stock index hovers near a decade high, authorities have moved to signal that they are watching closely and are prepared to step in if speculative excesses continue, according to Reuters.
In a joint assessment published this week, Austria’s financial authorities say the regulation is beginning to reshape how digital risk is understood, reported, and managed across the financial system. The Financial Market Authority (FMA and the Oesterreichische Nationalbank (OeNB) described the first year of DORA as a constructive one, pointing to clearer insight into cyber incidents, tighter oversight of critical service providers, and what they call an emerging cultural shift in IT security across financial institutions.
The European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) signed a new Memorandum of Understanding with the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority, formalizing how they will work together to oversee critical ICT third-party service providers under the EU’s Digital Operational Resilience Act.
In my latest post, I discuss how if you look at how enterprise risk management is practiced today, you’d be forgiven for thinking that the entity-level risk register sits at the center of ISO 31000 and COSO ERM. It doesn’t.
In my earlier reflections on enterprise risk intelligence, I focused on a fundamental realization: the world organizations now operate in no longer matches the way risk has traditionally been framed, assessed, or governed. That observation has continued to stay with me, not as an abstract idea, but as something I see play out repeatedly in conversations with boards, executives, and risk leaders across industries.
In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.
In the first essay in this series, I argued that the real difference between qualitative and quantitative risk is how uncertainty is treated. This essay looks at one small distinction that matters once we stop collapsing uncertainty into a single answer.