This past week in London was truly a whirlwind of GRC insights, discussions, and deep dives into the future of risk and resilience management. Across multiple events and countless conversations, I had the opportunity to engage with over 150 organizations — through 1:1 meetings, my keynote presentation at the Corporater Connect+ event hosted at Parliament, and my Risk & Resilience Management by Design Workshop (sponsored by Decision Focus).

Let’s unpack the challenges UK organizations are facing that keep them up at night . . .

Key GRC Theme from the Week:

One of the most pressing topics that emerged was the focus on Provision 29 of the UK Corporate Governance Code. Organizations are now required, starting at the Board level, to establish and attest (at least annually) to the effectiveness of their risk management and internal control frameworks. In one notable 1:1 meeting with a firm currently undergoing an RFP process, the organization shared, “[ORG] we do expect that the extension of the definition of public interest entities to include private companies (if it comes into effect) will affect us. Either way, we believe that having the right controls framework is a good way to operate the business.”

Running parallel to these conversations was considerable focus on the UK’s Economic Crime and Corporate Transparency Act (ECCTA). This legislation adds a mandate for internal controls to prevent fraud — further reinforcing the need for stronger, embedded risk and control frameworks across organizations.

Top Risk and Resilience Challenges Identified:

Reviewing my notes from the week, several consistent challenges emerged across industries and organization sizes:

  • Geo-political risk: this was front and center and part of nearly every conversation, particularly in an extended enterprise context
  • The breadth of cyber, digital, and data risk and resilience challenges facing organizations and their operations, and again across the extended enterprise
  • AI risks, including deep fakes and impersonation, and governing AI within the organization and across the extended enterprise
  • Regulatory mandates for resilience management (UK Operational Resilience, EU DORA, NIS2)
  • Embedding risk management into business operations, including defining, embedding, and nurturing a healthy risk culture
  • Aligning risk management with business change and transformation and leveraging a digital twin to help forecast and understand scenarios of risk and resilience
  • Connecting risk programs with business objectives where the organization can reliably achieve objectives (the heart of what GRC has been about for 20 years, when done correctly)
  • Sourcing and integrating external risk intelligence feeds that help the organization navigate the business for what is developing currently and on the horizon
  • Ensuring risk insights inform decision-making and add business value
  • Breaking down risk management silos to provide an enterprise perspective of risk where the R delivers value to the G in GRC
  • Addressing resilience and risk in a sustainability and ESG context
  • Increasing oversight and due diligence in third-party relationships
  • Addressing inadequate risk reporting and increasing quality in risk reporting
  • Clarifying risk accountability and ownership with the business and aligned with objectives and the objective owner
  • Managing and keeping pace with the volume of third-party, regulatory, and business change
  • Compliance challenges related to third parties
  • Addressing emerging risks and the “unknown unknowns”
  • Environmental risks and resilience (acts of nature)

Third-party and extended enterprise risk emerged as a particularly dominant theme, touching almost every area listed above. Organizations are recognizing that resilience is not just internal — it extends across the broader network of partners, vendors, and suppliers.

Strategic Response: Achieving Risk Agility and Resilience

In light of these discussions, organizations should focus on four core pillars: strategy, process, risk intelligence, and technology, with risk intelligence underpinning the other three.

  1. Strategy:
    • Align risk management directly with corporate strategy, objectives, and performance.
    • Treat resilience as a strategic business enabler, not just a compliance exercise.
    • Develop a forward-looking, dynamic risk accountability framework.
    • Do regular scenario analysis, stress testing, wargaming, and simulations.
  2. Process:
    • Embed risk management in day-to-day business activities and decision-making.
    • Foster a culture of risk ownership across all levels.
    • Strengthen internal control environments.
    • Integrate third-party governance and risk management as a core operational process.
  3. Risk Intelligence:
    • Continuously source external content from trusted providers to stay informed on emerging risks.
    • Integrate real-time risk feeds into GRC management programs enabling risk and resilience management.
    • Utilize external intelligence to enhance scenario planning and stress testing.
    • Benchmark against industry trends and regulatory developments to adjust risk strategies.
  4. Technology:
    • Invest in GRC technologies that provide real-time visibility and adaptability for risk and resilience in a business context.
    • Leverage AI responsibly to enhance risk detection, resilience planning, and reporting.
    • Connect risk intelligence feeds into operational risk and decision-making workflows.
    • Focus on interoperability — connecting risk data across enterprise systems.

The Road Ahead

These themes are not unique to the UK. I am seeing similar patterns globally. Though I am home for a brief week, the dialogue continues. From May 3rd to May 23rd, I will be engaging with organizations across Madrid, Barcelona, Zurich, Copenhagen, and London — further gathering perspectives and advancing the conversation on how organizations can build risk agility and resilience in a rapidly changing world.

Stay tuned.