Risk & Resilience

Beyond Visibility: From Risk Awareness to Enterprise Risk Intelligence in Practice

In my earlier reflections on enterprise risk intelligence, I focused on a fundamental realization: the world organizations now operate in no longer matches the way risk has traditionally been framed, assessed, or governed. That observation has continued to stay with me, not as an abstract idea, but as something I see play out repeatedly in conversations with boards, executives, and risk leaders across industries.

Performing a Risk-Based Cyber Audit

In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.

Taking Uncertainty Seriously: Part 2

In the first essay in this series, I argued that the real difference between qualitative and quantitative risk is how uncertainty is treated. This essay looks at one small distinction that matters once we stop collapsing uncertainty into a single answer.

ASIC Moves to Streamline Market Resilience Rules as Focus Sharpens on Operational Risk

Australia’s corporate watchdog has rolled out a new round of updates aimed at simplifying how market participants and operators comply with technological and operational resilience requirements, as regulators continue to sharpen their focus on infrastructure risk across securities and futures markets.

Australian Regulators Step In After Deloitte Review Flags Risk Management Gaps at Bendigo Bank

Australia’s banking and financial crime regulators have moved to tighten oversight of Bendigo and Adelaide Bank after an independent Deloitte review uncovered serious shortcomings in how the lender manages money laundering and broader non-financial risks.

EBA Gives Banks Breathing Room on New Operational Risk Reporting Rules

The European Banking Authority said that it has published new guidance to help institutions manage enhanced operational risk reporting, following a formal delay to the first reference date under the amended Implementing Technical Standards. The move follows the European Commission’s adoption of Regulation (EU) 2025/2475, which pushes the application of the new reporting obligations back to the end of June 2026.

OCC Sees a Resilient Banking System, but Warns Cyber Threats, Fraud, & Innovation Gaps Are Becoming Structural Risks

U.S. banks are closing out 2025 in strong financial shape, but the risks shaping the federal banking system are becoming less about capital and more about operational resilience. That is the assessment of the Office of the Comptroller of the Currency’s Fall 2025 Semiannual Risk Perspective, which finds banks well positioned to absorb potential stress while warning that cyber threats, fraud, and lagging technology investment are increasingly central to supervisory concerns.