Blog

A small, obscure, and misguided segment of the analyst community promotes Integrated Risk Management (IRM) as a replacement for Governance, Risk Management, and Compliance (GRC). This group incorrectly portrays GRC as focused on compliance, missing the broader and essential elements—governance and risk management—that are foundational and integral to GRC as established over two decades ago by the OCEG GRC Capability Model.

Understanding True GRC

GRC, clearly articulated by the OCEG GRC Capability Model, is defined as “a capability to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance).” It is critical to emphasize the structured sequence and inherent logic in this definition:

• Governance (G). Establishes clear organizational objectives and measures performance against these objectives. Without governance, an organization cannot define or assess success and will lack the foundation for meaningful risk management. This goes from entity level objectives down into operational level objectives.
• Risk Management (R). According to ISO 31000, the international standard for risk management, risk is “the effect of uncertainty on objectives.” Thus, risk management logically follows governance—it requires clearly articulated objectives as its necessary context.
• Compliance (C). Compliance ensures acting with integrity by adhering to both mandatory and voluntary obligations, forming the operational boundaries within which governance and risk management operate.

This logical structure—G flowing to R and bounded by C—is the true essence of GRC.

The Misguided Push for IRM

Despite the longstanding clarity and industry-wide acceptance of the GRC framework, a minor segment (one analyst) has attempted to elevate IRM as a superior or successor concept. Their argument suggests that traditional GRC has “failed” and is overly compliance-focused. This narrative is fundamentally flawed:

• It inaccurately redefines GRC as compliance-centric, ignoring the essential roles of governance and risk management.
• It overlooks that IRM, properly executed, is already encompassed within the risk management component of GRC.
• It mistakenly suggests that IRM technology is distinct or superior, despite the reality that IRM-labeled technology overlaps entirely with existing GRC solutions.

The reality is clear: IRM, when correctly understood, is simply the “R” in GRC—risk management integrated fully with governance and compliance.

OCEG’s Clear and Consistent Perspective

OCEG—the global authority on GRC—recognizes and clearly articulates this correct perspective. IRM, as OCEG presents it, serves governance and enhances compliance by effectively managing uncertainty in alignment with organizational objectives.

OCEG has actively reinforced this proper understanding of IRM by introducing the Integrated Risk Management Professional Certification, complementing their foundational certifications such as:

• Certified GRC Professional
• Certified GRC Auditor

OCEG further supports specialized domain knowledge with certifications such as:

• Integrated Policy Management Professional
• Integrated Data Privacy Management Professional
• Integrated Audit & Assurance Professional
• Integrated Compliance & Ethics Professional
• Integrated Governance & Oversight Professional (coming soon)
• Integrated Strategy & Performance Professional (coming soon)
• Integrated Security & Continuity Professional (coming soon)

This suite of certifications reflects OCEG’s comprehensive approach, ensuring practitioners understand that IRM is not separate from but integral to the broader GRC strategy that governs it.

Organizations seeking meaningful results from their governance, risk, and compliance activities (strategy, people, process, and supporting technology) must reject misleading narratives that position IRM in opposition to GRC. True IRM exists within GRC, guided by clear governance objectives and defined compliance boundaries.

For more clarity and guidance, organizations and professionals are encouraged to explore OCEG’s robust framework and certifications, reinforcing that true IRM is always and only meaningful within the comprehensive context of GRC.

No organization is an isolated entity. It is part of an extended enterprise of suppliers,
vendors, service providers and other third parties. This complex web of relationships drives efficiency and innovation, but it also introduces significant risk and resilience challenges. Ensuring the reliability, integrity, compliance and resilience of third-party relationships is no longer a best practice, it is a business imperative.

Third-party risk management (TPRM) extends beyond traditional procurement and vendor assessments. It encompasses a holistic approach that integrates governance, risk management and compliance (GRC) across the entire lifecycle of third-party relationships, spanning onboarding, ongoing monitoring and offboarding.

In this context, this means organizations must . . .

[The rest of this blog can be read on the IBM blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

In today’s rapidly evolving regulatory landscape, organizations face an increasingly complex and dynamic environment where managing compliance obligations demands agility, efficiency, effectiveness, resilience, and innovation. At the intersection of technology and regulation, RegTech has emerged as a pivotal component/segment within the broader Governance, Risk Management, and Compliance (GRC) market, offering transformative solutions that enable organizations to stay ahead in the fast-moving regulatory world.

As the number #2 influencer in RegTech (ask ChatGPT), here are some thoughts . . .

Regulatory Technology, or RegTech, leverages technology — most notably with artificial intelligence (AI) — to streamline compliance processes, enhance risk management, and automate the monitoring and reporting of regulatory obligations. As part of the broader GRC market, RegTech has significantly reshaped how organizations approach compliance, transforming what was once viewed merely as a burdensome cost center into a strategic enabler of business agility, efficiency, and resilience.

A core facet of my analysis at GRC 20/20 has been evaluating RegTech’s evolution, capabilities, and market traction. The landscape is rich, complex, and rapidly expanding. While AI dominates discussions around innovation in RegTech, I frequently caution organizations to look beyond the buzzword. In reality, there are compelling and sophisticated implementations of AI in RegTech, but equally, there are solutions akin to the “Wizard of Oz” — where behind the curtain, humans continue to operate many processes manually, diminishing the true promise and effectiveness of AI-driven RegTech automation.

Ultimately, navigating the RegTech universe demands clear-sighted evaluation of technologies—understanding what truly offers innovative AI capabilities versus solutions where AI is more promise than reality. As we delve deeper into this universe, we equip organizations with the insights and tools needed to leverage RegTech strategically, driving true governance, risk, and compliance effectiveness.

As RegTech continues to evolve and mature within the GRC landscape, staying informed, critical, and forward-looking remains key to successfully managing regulatory risk and harnessing technology’s full potential.

GRC 20/20 maps several key areas within RegTech:

• Regulatory Change Management. Ensuring firms keep pace with evolving regulations globally, from horizon scanning to implementing controls and updating policies.
• Regulatory Reporting. Automating the collection, analysis, and submission of regulatory data.
• Operational Risk and Internal Control Management and Benchmarking. Enhancing and benchmarking resilience and internal control effectiveness.
• Transaction and Trade Monitoring. Real-time monitoring to detect unusual or suspicious activities.
• AML & Financial Crime (FinCrime). Leveraging technology to monitor, detect, and prevent financial crime.
• Know Your Customer (KYC). Streamlining customer due diligence processes and improving accuracy.
• Conduct and Surveillance. Monitoring behaviors and transactions to ensure compliance with internal and external regulations.
• Financial Risk Management. Managing risks associated with financial operations, including market, credit, and liquidity risks.

One area of RegTech experiencing tremendous traction globally is Regulatory Change Management. At GRC 20/20, I’ve observed this as one of the most pressing and prominent use cases gaining traction worldwide. Regulatory Change Management, vital in today’s turbulent compliance environment, encompasses monitoring regulatory changes through horizon scanning, assessing the business impact, and managing responses to ensure organizations remain compliant.

My interactions around the globe underscore that efficient Regulatory Change Management solutions can dramatically mitigate compliance risks and optimize operational efficiency. The traction in Regulatory Change Management has been evident in my international engagements. Soon, I’ll be sharing insights in the upcoming workshops in Toronto and Zurich:

• Mastering the Regulatory Rollercoaster: Navigating New Rules and Emerging Risks, TORONTO
• Riding the Compliance Carousel: Managing Emerging Regulatory Risks & New Rules, ZURICH

In the context of AML and FinCrime RegTech, this engagement continues at the AML & FinCrime Summit in New York City tomorrow, where I’ll moderate both the keynote panel and another significant session, bringing into sharp focus how RegTech effectively combats financial crime through smarter AML processes, transaction monitoring, and KYC (Know Your Customer) protocols. These panels are:

• Addressing the Future of Financial Crime Prevention: Challenges, Technology, and Global Threats in 2025
• Behind the Regulatory Doors: Perspectives on AML & FinCrime Tech Innovation

Looking ahead, I am also deeply involved with the Global RegTech Summit 2025 in London (May) and New York City (September), highlighting RegTech’s growing global significance. These summits reflect critical industry insights, innovation trends, and practical adoption strategies to help organizations thrive in increasingly complex regulatory landscapes.

Looking forward, the Global RegTech Summit 2025 in London in May, and later this year in New York City in September, where these events serve as pivotal platforms for industry leaders and innovators to collaborate, exchange ideas, and explore solutions that define the future of regulatory compliance.

In my previous post, The Death of the CISO: A Eulogy & Reincarnation, I argued that the traditional role of the Chief Information Security Officer (CISO) is evolving—or rather, undergoing a necessary transformation. The response was overwhelming, with over 100,000 views on LinkedIn alone, demonstrating that this shift is not only necessary but deeply resonant across industries. While some loved their CISO title, nobody argued with my premise that this role is not the same and has evolved. Information security in the title does not adequately describe this role anymore.

The question now is, what should the CISO become?

I initially posited the title of Digital Risk & Resilience Officer, but upon further reflection, I believe a better mantle may be Digital Trust & Resilience Officer. Why? Because trust—not just risk management—is the foundation of the modern digital enterprise. Trust is proactive, holistic, and forward-looking. Risk management, while crucial, is what achieves and enables trust, but is often perceived as a cost center rather than a business enabler.

Why Digital Trust is Paramount in Today’s Business Environment

The world operates on digital trust. Every transaction, every customer interaction, every collaboration within and beyond the enterprise is predicated on confidence in the integrity, confidentiality, availability, security, and ethical stewardship of data, information, and digital infrastructure/architecture. Without trust, digital transformation collapses under the weight of skepticism, uncertainty, and regulatory scrutiny.

Consider the following:

1. Trust is the Ultimate Brand Currency. The digital economy has ushered in an era where businesses are built not just on products or services, but on relationships. Those relationships, in turn, are founded on trust. Companies that cultivate digital trust enjoy stronger brand loyalty, higher customer retention, and a distinct competitive advantage. A single breach—whether of data, privacy, or ethics—can shatter that trust, sometimes irreparably. Just ask any organization that has suffered a high-profile cybersecurity incident and watched its stock price plummet and customers flee.
2. Trust Extends Beyond the Enterprise. Organizations no longer operate in isolation. The modern business ecosystem is an extended enterprise that includes third parties, suppliers, contractors, cloud providers, and strategic partners. A security vulnerability or compliance failure anywhere in this network can disrupt operations, expose sensitive information, and damage reputations. Managing risk is necessary—but instilling trust throughout the digital ecosystem ensures continuity, resilience, and shared confidence in business relationships.
3. Stakeholders Demand Trust, Not Just Risk Mitigation. Investors, regulators, employees, and customers are no longer satisfied with mere compliance. They demand ethical AI, responsible data governance, robust cybersecurity, and transparency in risk management. The organizations that lead with trust—rather than just react to risks—are the ones that will attract investment, talent, and long-term loyalty.
4. Trust is the Foundation of Innovation. Organizations that are mired in constant risk aversion struggle to innovate. Fear-based risk management stifles digital transformation and agility. Conversely, a trust-based approach empowers businesses to adopt new technologies, expand into new markets, and experiment with emerging business models—secure in the knowledge that their digital foundation is strong, resilient, and credible.

Digital Trust is More Valuable Than Digital Risk Management

Risk management is essential, but it does not inspire confidence by itself. Trust, on the other hand, is a business driver. Trust fosters engagement, enables growth, and secures long-term business viability. Risk is the effect of uncertainty on objectives. One of those core objectives, in this context, is digital trust. That is the focus and goal and provides the context for risk management.

While risk must be understood, controlled, and mitigated, trust must be actively built, nurtured, and expanded. Consider:

• Trust enhances business value. Companies with strong trust postures outperform their competitors in customer satisfaction, revenue growth, and market valuation.
• Trust is proactive. Risk management seeks to manage uncertainty to objectives and is in reaction to the objective of digital trust. Trust ensures positive engagement.
• Trust builds resilience. Organizations with high trust are more adaptive in crises, better at recovering from incidents, and more likely to maintain customer and investor confidence in uncertain times.

Reframing the CISO as the Digital Trust & Resilience Officer

The modern CISO cannot simply be a guardian of risk and controls. That role, while critical, is too narrow, too limiting. The future demands a leader who ensures trust in the digital enterprise—a leader who integrates cybersecurity, privacy, ethics, governance, compliance, and digital operational resilience into a seamless strategic function. This is not just a semantic shift; it is a fundamental redefinition of purpose and value.

The Digital Trust & Resilience Officer:

• Builds confidence in digital transactions, interactions, and data stewardship.
• Ensures resilience not just against cyber threats, but against any disruption to trust (e.g., AI bias, regulatory misalignment, unethical data use).
• Engages with the board and executive leadership as a strategic partner, demonstrating how trust translates into business value.
• Leads a proactive culture of integrity, security, and digital ethics rather than one of fear and restriction.

The Future of Digital Trust & Resilience

As organizations continue to navigate the complexities of digital transformation, trust will become an even more critical differentiator. The role of the CISO—or its successor—must evolve beyond security and risk oversight into one that fosters and maintains digital trust and operational resilience across the digital enterprise.

What do you think? Should the CISO evolve into the Digital Trust & Resilience Officer? Or does the focus on risk still hold more weight and it should be the Digital Risk & Resilience Officer? Or do you prefer sticking to the old CISO title? I’d love to hear your thoughts.

Regulatory frameworks define how businesses operate, innovate, and ensure compliance in different jurisdictions. When comparing the regulatory landscapes of the European Union (EU) and the United States (US), a stark contrast emerges. While both regions aim to balance economic growth with governance, their priorities and methodologies differ significantly.

Principles vs. Prescription: A Cultural and Regulatory Divide

One of the most notable distinctions between EU and US regulations is the approach to compliance. The EU regulatory framework is predominantly principles- and outcome-based, requiring organizations to meet broad objectives while allowing flexibility in how they achieve compliance. This originally started in the United Kingdom under the Financial Services Authority (FSA) before it became the Financial Conduct Authority (FCA). It then moved over to the EU to become part of the better regulatory policy. In contrast, US regulations are often more prescriptive, providing detailed rules and checklists that companies must follow to the letter.

This difference manifests in multiple ways:

• Differences in Risk Management Perspectives. European regulations emphasize a top-down, strategic view of risk, integrating governance and compliance into broader business objectives. The US, however, often adopts a bottom-up, checklist-driven approach to compliance. Therefore, EU regulations take a more risk-based approach to compliance over the US.
• Corporate Responsibility. EU regulations, such as the General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), and Corporate Sustainability Reporting Directive (CSRD), and many more, focus on ethical considerations, consumer rights, and corporate accountability. US regulations, while robust in areas like financial reporting and anti-corruption, tend to prioritize business efficiency and liability mitigation over broader societal concerns. In a panel I hosted last week, #RISK Digital North America – EU Regulations as a Strategic Compass for US Companies, the panelists and I stated that the EU has a more people-first and centric approach to regulation.

Increased Demand for Evidence-Based Compliance

A key trend driving regulatory evolution is the growing demand for evidence-based compliance. As highlighted in recent discussions, EU regulations are increasingly requiring organizations to not only implement policies but also provide auditable, documented proof of compliance. This shift moves compliance beyond check-the-box exercises to defensible, data-driven processes that regulators can scrutinize.

In contrast, US compliance practices still lean heavily on procedural adherence. While legal and regulatory frameworks mandate compliance, they often fall short of requiring the same level of ongoing, evidence-backed validation we are now seeing in EU governance and compliance. This difference further reinforces the EU’s principles-based approach, where organizations must demonstrate not just compliance but also effectiveness in achieving regulatory objectives.

Extraterritorial Impact: The EU’s Regulatory Reach

A defining characteristic of EU regulations is their global reach. Laws such as GDPR and CSRD extend beyond Europe’s borders, affecting any company that handles EU citizens’ data or operates within the EU market. This approach has influenced regulatory developments worldwide, inspiring similar legislation in Brazil (LGPD), India (DPDP Act), and even state-level privacy laws in the US, such as the California Consumer Privacy Act (CCPA).

For many US businesses, this extraterritoriality means that compliance with EU regulations is no longer optional. Companies aiming for global expansion must align with EU standards to maintain market access, mitigate risks, and build consumer trust.

The Competitive Advantage of EU Compliance

While compliance with EU regulations can be complex and resource-intensive, it offers strategic benefits for US companies. Businesses that proactively adopt EU-aligned practices position themselves for success in a global economy by:

1. Enhancing Consumer Trust. European regulations emphasize data protection, ethical AI usage, and environmental and social responsibility and sustainability. Companies that adhere to these principles can differentiate themselves as trustworthy brands in an era of growing consumer concern over privacy and corporate ethics.
2. Strengthening Resilience. EU regulations often take a holistic, long-term approach to risk, ensuring organizations are prepared for regulatory shifts, cybersecurity threats, and environmental changes. This proactive stance can help companies navigate future uncertainties more effectively. There is a stronger regulatory focus on operational resilience across Europe, including the United Kingdom, not just the EU.
3. Facilitating Market Expansion. Aligning with EU regulatory frameworks simplifies entry into multiple international markets that follow similar standards. It also reduces the friction of adapting to evolving global compliance requirements.

An additional layer to this discussion is the comparison between the US and the UK/EU on risk and compliance approaches. As noted in previous posts of mine, European regulatory frameworks tend to be more sophisticated in how they integrate compliance into broader risk management structures. The UK’s Financial Conduct Authority (FCA) pioneered the principles-based compliance model before the EU widely adopted it, shaping modern regulatory expectations that prioritize adaptability and accountability.

Meanwhile, US compliance programs frequently rely on detailed, rule-based frameworks that focus on legal adherence rather than proactive risk management. This gap often leaves US companies reacting to regulatory updates rather than integrating compliance into long-term strategy. For organizations that operate internationally, bridging this gap by adopting EU-style governance models can create a significant competitive advantage.

Looking Ahead: The Future of Regulation

The EU continues to lead in shaping global regulatory trends, particularly in AI governance, digital resilience, and ESG (Environmental, Social, and Governance) requirements. Yes, the EU Omnibus has restructured CSRD and CS3D, but it is still significant. Emerging regulations like the EU AI Act and ESG reporting standards signal a shift toward greater corporate accountability and sustainability.

Meanwhile, the US remains fragmented in its regulatory approach, with states enacting their own laws in the absence of comprehensive federal legislation. However, as global regulatory alignment increases, US businesses that take a forward-looking approach by adopting EU-driven compliance strategies will gain a competitive edge.

Conclusion: A Strategic Compass for US Companies

Rather than viewing EU regulations as a burden, US companies can use them as a strategic compass. By embracing principles-based compliance and aligning with global standards, businesses can drive innovation, strengthen risk management, and build long-term value. The shift toward evidence-based compliance in the EU further underscores the need for organizations to develop robust governance frameworks that go beyond mere adherence and demonstrate real effectiveness.

As the regulatory landscape continues to evolve, adaptability and a commitment to ethical governance will define the leaders of tomorrow. US companies that proactively integrate these principles will not only mitigate risk but also unlock new opportunities for growth, resilience, and trust in an increasingly interconnected world.

Too many Governance, Risk Management, and Compliance (GRC) programs are fundamentally backward. Instead of starting with objectives, they focus on compliance checklists or risk registers, often relegating objectives to an afterthought (tags to a risk) — if they are considered at all. What many organizations practice is not true GRC but rather CRG (Compliance, Risk, and Governance in reverse), or worse, just CR (Compliance and Risk) or even simply C (Compliance).

This is not what GRC was meant to be.

The official definition of GRC, as found in the OCEG GRC Capability Model, is:
“GRC is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).”

This definition underscores the correct order of operations in a GRC program—objectives come first. True GRC is about ensuring that an organization reliably sets and achieves its objectives. Risk and compliance are important, but they serve the primary purpose of enabling an organization to meet its objectives while managing uncertainty and maintaining integrity.

Why Objectives Matter in GRC

According to ISO 31000, risk is the effect of uncertainty on objectives. This means that without a clear understanding of objectives, risk management is meaningless. Objectives define what the organization is trying to achieve, and risks are uncertainties that could impact those objectives.

Objectives exist at multiple layers within an organization:

• Entity-Level Objectives – Overall strategic and corporate objectives
• Divisional & Departmental Objectives – Goals specific to business units and teams
• Process & Project Objectives – Performance and operational targets within workflows
• Asset & Third-Party Objectives – Expectations and performance metrics for resources and external partners

Governance is about setting the right objectives and ensuring they are reliably achieved. This means that governance is not just about oversight but about performance. Effective governance structures define and track objectives, ensuring that risks are managed in a way that enables the organization to meet its goals.

The major difference between Europe and the USA in risk management approaches further highlights this issue:

• Europe – Risk management is closely aligned with ISO 31000 and is focused on business objectives.
• USA – Risk management tends to be more compliance-driven, often reduced to checklists primarily for SOX compliance.

Even compliance frameworks in Europe are more principle-based and outcome-oriented, requiring organizations to demonstrate how they achieve compliance objectives. In contrast, the USA’s compliance landscape is often prescriptive, with a heavy reliance on checkboxes rather than achieving meaningful business outcomes.

Understanding this nuance between Europe and USA is why many USA solution providers fail in their marketing in Europe. There is a different focus and messaging.

Environmental, Social, and Governance (ESG) initiatives are another example of how objectives should drive GRC. ESG is fundamentally about setting and achieving sustainability and ethical business objectives. Risks and compliance requirements follow from those objectives, not the other way around. An organization has the objective of being carbon neutral by a certain date, to eliminate PFAS (forever chemicals) in its products, or to have zero tolerance for modern slavery. These are objectives. Organizations that start with ESG risks without defining clear objectives are missing the point.

The Problem: Many GRC Programs and Technologies Get It Wrong

The vast majority of GRC programs within organizaitons and GRC technology that supports those programs fail to align with this definition. They start with risk registers, controls, or compliance requirements, leaving objectives as a tertiary consideration (if at all). This approach fundamentally undermines the value of GRC by detaching it from what actually drives the organization—its strategic, financial, operational, and ethical objectives.

Unfortunately, most GRC technology platforms do not start with objectives. Many organizations have adopted GRC solutions that are nothing more than compliance management systems or risk registers. They focus on risk registers, controls, and compliance requirements, treating objectives as an afterthought or a tag to a risk. These solutions focus heavily on checklists, regulatory mappings, and control frameworks, but they fail to establish a direct link to the business’s core purpose: achieving objectives.

Only a few solutions in the market truly address the “G” in GRC by prioritizing business objectives and performance against those objectives. If you’re looking for a GRC solution that genuinely starts with objectives, feel free to reach out — I can point you to those that get it right, or mostly right. As an analyst I cover the range of solutions available in the market.

Conclusion: Get GRC Right by Starting with Objectives

If your organization’s GRC program starts with risk and compliance instead of objectives, it’s time for a reset. Good GRC is about ensuring the organization reliably achieves its objectives, manages uncertainty effectively, and acts with integrity. Governance, risk management, and compliance should work together in that order—starting with a clear understanding of business goals.

To truly unlock the value of GRC, organizations must shift their focus from checkboxes and control frameworks to strategic and operational performance. Objectives are not an afterthought; they are the foundation of good GRC.

Environmental, Social, and Governance (ESG) is a growing challenge for organizations to manage and report on. It has become a core part of corporate strategy, driven by values, stakeholder expectations, and regulatory requirements, such as the EU Corporate Sustainability Reporting Directive (CSRD) which impacts 50,000 firms that have to report annually. With over 1,100 data points that goes into CSRD reporting, organizations have to get their ESG act together.

There are different views on ESG, and I respect that. At the heart of ESG is stewardship. Every organization should put a stake in the ground in its commitments and objectives to the environment, to its social commitments, and to the governance of the organization. These may very well vary between organizations. The environmental aspects is much more than climate change, it includes air, water, waste, use of natural resources, and things like elimination of PFAS (forever chemicals). The social and governance aspects also include a lot of elements.

I do not think anyone reading this will disagree that modern slavery, part of the social, is a bad thing. In the end, ESG is best summed up in the words of my favorite fictional U.K. Premier League Coach and philosopher, Ted Lasso, “Doing the right thing is never the wrong thing.” It is up to organizations to define what the right thing is for their organization in context of the environment, the social communities it serves, and the governance of the organization.

But how do organizations ensure their ESG initiatives are well-governed, ESG objectives are set and performance measures, risk-aware of uncertainty in achieving objectives, and compliant with values and commitments of the organization? The answer lies in Governance, Risk Management, and Compliance (GRC).

The Role of GRC in ESG

The OCEG defines GRC as: “an integrated capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).” This definition is a perfect starting point for understanding ESG within an organization. Effective ESG management must begin with well-defined objectives, not just risk assessments. Too many ESG management platforms start with risks, which is like putting the cart before the horse. ESG objectives should drive risk identification, not the other way around. As an analyst, I will NEVER recommend an ESG solution that does not start with ESG objectives, and ESG program management.

At its core, ESG is about setting and achieving objectives. Organizations must begin with a clear vision of what they aim to accomplish in the environmental, social, and governance domains.

• Environmental Objectives. Companies must define their commitments to sustainability, whether through carbon footprint reduction, waste management, energy efficiency, elimination of PFAS, or responsible sourcing of materials. These objectives should be measurable and aligned with broader industry and regulatory expectations.
• Social Commitments. The social component of ESG involves ensuring fair labor practices, no tolerance for modern slavery, employee well-being, and ethical supply chain labor practices. Organizations must consider how they engage with employees, communities, and stakeholders to foster a socially responsible culture.
• Governance Standards. Effective governance is the backbone of a successful ESG strategy. This includes ensuring ethical leadership, internal controls, anti-corruption, robust data protection policies, regulatory compliance, and transparency in decision-making. Strong governance creates trust and accountability within the organization and among external stakeholders.

Without a structured approach provided by GRC, ESG efforts risk becoming fragmented and ineffective. GRC offers the necessary framework to integrate ESG goals into daily operations, ensuring they are well-governed, managed, and continuously improved.

The GRC Capability Model and ESG

In recent ESG and EU CSRD workshops I conducted in Stockholm and Utrecht, I presented the OCEG GRC Capability Model 3.5, and it resonated with over 60 organizations working on ESG. The model provides a comprehensive framework for ESG management through four core components: Learn, Align, Perform, and Review.

1. Learn (Understanding ESG Contexts). Before setting ESG objectives, organizations must first understand the broader context in which they operate. The learning phase is foundational, as it establishes a comprehensive understanding of the external and internal factors influencing ESG strategy.
   • External Context. This includes understanding the regulatory landscape, evolving standards, and market trends. For example, organizations operating in the EU must align with the CSRD, which mandates transparency in ESG disclosures and reporting. This also includes understanding where you do business and who you do business with.
   • Internal Context. Organizations must assess their internal capabilities, culture, values, ethics, policies, and existing ESG initiatives. This helps in identifying gaps and areas where improvements are necessary. I always recommend organizations take an inventory of their current array of policies that relate to the aspects of ESG.
   • Stakeholders. Companies must recognize the role of investors, employees, regulators, and customers in shaping their ESG approach. Stakeholder expectations must be integrated into ESG planning to ensure long-term credibility. The same with customers, organizations that are not aligned with the values of their customers risk significant challenges in the market as the past few years have shown us several examples.
   • Corporate Culture. A successful ESG strategy aligns with an organization’s ethical values and corporate mission. ESG must be embedded into the company’s DNA rather than treated as a compliance requirement alone.
2. Align (Defining the ESG Strategy). Once the organization has learned its ESG landscape, it must align its strategy with clearly defined objectives and a structured approach to risk management.
   • Direction. Organizations need to define their ESG mission and values and set a clear vision for sustainability and social responsibility. This includes defining who is the lead on ESG and what roles and departments are part of the team.
   • Objectives. ESG goals must be SMART (Specific, Measurable, Achievable, Relevant, Time-bound) and aligned with the organization’s values, commitments, and obligations.
   • Identification. Identifying risks and opportunities that could hinder or help ESG progress. These could include regulatory, reputational, operational, and environmental. Risk is the effect of uncertainty on objectives (ISO 31000), in this case the ESG objectives.
   • Analysis. Once identified, risks must be assessed based on their uncertainty in the organization achieving its ESG objectives. A structured approach can help prioritize risk management efforts and enable the organization to achieve or even exceed ESG objectives.
   • Design. Organizations must build a structured ESG program that includes policies, frameworks, internal controls, and dedicated teams responsible for execution as well as those accountable for objectives and risks. A well-designed program enables consistent application and progress measurement.
3. Perform (Executing the ESG Program). With the strategy in place, organizations must implement and operationalize ESG across all levels of the business.
   • Controls. Implementing and monitoring ESG-related internal controls ensures compliance with internal objectives and external standards. This includes emission tracking, supply chain audits, and ethical labor practices.
   • Policies. ESG-related policies, which there are a plethora, should be well-documented, accessible, and actionable. These policies must provide clear guidance on the range of environmental, social, and governance practices, expectations, and boundaries.
   • Communication & Education. Employees and stakeholders need to be educated on ESG objectives, related policies and internal controls, and their role in achieving them. Effective communication fosters engagement and accountability.
   • Incentives & Accountability. ESG performance must be tied to incentives, such as executive compensation linked to sustainability targets. Employees participation in environmental programs. At the same time, organizations must establish accountability mechanisms for ESG compliance.
   • Monitoring & Reporting. Continuous monitoring is necessary to track ESG progress. Organizations should leverage technology and data analytics to ensure real-time insights and accurate reporting.

• Review (Ensuring Continuous ESG Improvement). ESG is not a static initiative but an evolving process requiring regular assessment and updates.
  • Monitoring & Auditing. ESG monitoring and data collection should be conducted to evaluate performance to internal controls, policies, and standards.
  • Assurance. Internal and external stakeholders require assurance that ESG commitments are being met. Organizations must build transparent reporting mechanisms that align with frameworks. Regular internal audits provide assurance, while external audits provide third-party validation of assurance. Organizations facing CSRD have to move from limited assurance to reasonable assurance over the next few years.
  • Continuous Improvement. ESG strategy must evolve in response to changing regulations, market trends, and stakeholder expectations. Companies should use insights from audits and reviews to refine and enhance their ESG initiatives.

The EU CSRD requires organizations to report on sustainability and ESG performance with the same rigor as financial reporting. The GRC Capability Model ensures that organizations can:

• Define the organizations ESG objectives in context of the organizations values and obligations.
• Identify ESG risks and opportunities with a structured approach.
• Implement internal controls to ensure ESG compliance and risk mitigation.
• Maintain accurate and comprehensive ESG records to meet regulatory reporting requirements.
• Continuously assess and improve ESG performance to align with evolving standards.

GRC is the foundation for successful ESG implementation. Organizations must take a structured approach to ESG, leveraging the GRC Capability Model to define objectives, manage risks, and maintain compliance. ESG is not just about checking a regulatory box—it’s about embedding sustainability into the organization’s core strategy. By following the Learn, Align, Perform, and Review approach, organizations can transform ESG from a regulatory burden into a driver of long-term value and resilience.

While the USA is going in different directions, and the EU considers streamlining and integrating requirements later this month, the global landscape of Environmental, Social, and Governance (ESG) reporting has fundamentally changed with the European Union’s Corporate Sustainability Reporting Directive (EU CSRD) first wave of corporate reports being published in 2025. Last week was intense and enlightening in my journeys across Europe, engaging with nearly 60 organizations across multiple ESG and CSRD discussions.

The journey toward effective ESG reporting is complex, costly, and evolving—but those who embrace it with the right mindset will find not just compliance, but a strategic advantage. The question is no longer if ESG will shape business operations, but how organizations will rise to the challenge.

But there are challenges . . . unlike traditional financial reporting, which historically required around 200 data points, ESG reporting under CSRD necessitates over 1,100 data points, and that number is growing exponentially as companies consider complexities across subsidiaries, divisions, locations, and third-party relationships. This shift is not just a European challenge—CSRD has global implications, impacting approximately 50,000 companies worldwide, including non-EU firms with significant operations in Europe.

One of the most pressing challenges of EU CSRD is the requirement for third-party assurance on ESG reports. Organizations are already experiencing a one-third increase in audit fees due to limited assurance requirements, and these costs will escalate significantly once reasonable assurance becomes mandatory. Unlike traditional audits, ESG assurance involves validating complex, qualitative, and often subjective data points, adding further strain on internal resources.

Two Approaches: Strategic Advantage vs. Checkbox Compliance

One striking observation from my recent workshops across London, Utrecht, and Stockholm is the variation in how companies structure ESG ownership. Some firms have designated ESG controllers or sustainability officers, while others distribute ESG responsibilities across finance, compliance, risk management, legal, audit, and internal control teams. In certain cases, ESG leaders report directly to the Board or CEO, underscoring its strategic significance, while in others, ESG remains a compliance function buried within operational silos.

Among the organizations I engaged with, there was a clear divide in approach:

1. Principled Performance – Companies that see ESG as an opportunity for better governance, risk management, integrity, and corporate strategy, aligning with OCEG’s concept of Principled Performance.
2. Checkbox Compliance – Organizations that view ESG solely as a regulatory requirement, focused only on meeting minimum compliance thresholds rather than leveraging ESG for competitive advantage.

The ESG & EU CSRD Insomnia: What Keeps Organizations Awake at Night

During my workshops in Utrecht and Stockholm, I facilitated discussions on what keeps organizations up at night regarding ESG and CSRD compliance. Below are the top concerns voiced:

Regulatory & Compliance Challenges

• Understanding the complexity and breadth of EU CSRD.
• Evolving internal control frameworks for ESG reporting.
• Managing assurance requirements, shifting from limited to reasonable assurance.
• Competing with other major EU regulations (e.g., DORA, CSRD, CSDDD, AI Act, NIS2) under constrained resources.
• Navigating the subjective nature of ESG requirements.
• Preparing for regulatory consequences and enforcement actions.

Data Challenges

• Identifying data sources for the 1,100+ ESG reporting requirements.
• Ensuring data accuracy, quality, and reliability.
• Managing subsidiary cooperation in ESG data collection.
• Addressing disparate data sources and lack of standardization.
• Integrating ESG reporting into broader GRC (Governance, Risk & Compliance) systems.
• Determining how far down the supply chain ESG reporting should go.
• The potential role of AI and automation in ESG data management.

Financial & Resource Constraints

• Rising audit and assurance costs.
• Limited ESG expertise and resources within organizations.
• Balancing ESG priorities with other business objectives.
• The unexpected scale of compliance costs and resource allocation.
• The impact of ESG disclosures on corporate reputation and investor relations.

Strategic and Cultural Implications

• Integrating ESG into corporate culture and risk management.
• Understanding the role of internal vs. external audit in ESG.
• Aligning ESG strategies across different global cultures and industry sectors.
• Establishing benchmarks for ESG compliance and reporting.

Where Do Organizations Go From Here?

With the first CSRD-aligned reports already being released, it is evident that ESG reporting is more than a regulatory requirement—it is a fundamental shift in how businesses operate and disclose their impact. Leading companies are integrating ESG into their core business strategy, governance frameworks, and risk management processes. Those that take a checkbox approach risk increased costs, reputational damage, and regulatory scrutiny.

As ESG and EU CSRD continue to evolve, organizations must focus on smarter, data-driven approaches that align ESG reporting with broader business objectives. Whether through automation, AI-powered compliance tools, or integrated risk and compliance (GRC) solutions, the key to ESG success lies in principled performance rather than reactive compliance.

What an exhilarating few weeks! My recent travels have taken me across the Middle East, London, Utrecht, and Stockholm, engaging with organizations and professionals across the governance, risk management, and compliance (GRC) landscape. The energy and focus on risk management, regulatory compliance, ESG, and corporate governance have been evident in every discussion, workshop, and meeting.

This week, I was back in London for an in-depth workshop on the UK Corporate Governance Code (UK CGC), with a particular emphasis on internal control and risk management by design to address Provision 29. Hosted at the historic Chartered Accountants Hall—where industry giants like Waterhouse and Cooper once presided—this session was packed with engaged professionals eager to address the challenges of the revised UK CGC. The timing of this workshop couldn’t have been more critical, as UK firms are under increasing pressure to ensure readiness for Provision 29. I have interacted and provided advice on four RFPs in the UK already this week with organizations looking for solutions to address this challenge. In just over a week, I will be heading to Asia for more GRC engagements, hosting workshops in the Philippines, Malaysia, and Singapore.

The Growing Pressure of Provision 29

Provision 29 of the updated UK Corporate Governance Code is top of mind for many UK organizations as they prepare for 2025. It mandates that boards provide a declaration of the ongoing effectiveness of their risk management and internal control systems. While some call it “UK SOX” (drawing comparisons to the Sarbanes-Oxley Act in the U.S.), I find that analogy misleading. UK CGC is distinct in its approach, placing a strong emphasis on ongoing, proactive risk and control management rather than compliance-driven financial control attestation.

Organizations across industries are grappling with how to operationalize Provision 29. As one UK bank shared in context of my workshop:

“The UK Corporate Governance Code is one of our main projects this year. Readiness for Provision 29 means identifying our most material controls, ensuring board disclosures on effectiveness, and maintaining alignment with peer banks to avoid being an outlier. Assurance is going to play a significant role, especially in evolving risk areas such as cyber and third-party risk.”

A smaller UK firm (under 500 employees) expressed coming out of the workshop more prepared for the Provision 29:

“Thank you so much for the insightful workshop yesterday. I found it really interesting and came away buzzing with excitement as to new ways to invigorate the business in respect of controls and risk.”

The Risk and Internal Control Insomnia List

During my workshop, I had attendees collaborate on what keeps them up at night regarding UK CGC compliance and risk management. The resulting list highlights key concerns and challenges:

• Concentration of risk knowledge in silos – lack of shared understanding across departments
• Siloed approaches to risk and internal control – limited visibility and consistency
• Cultural barriers – weak communication, inconsistency, and poor tone at the top
• Defining ‘bad’ risk and internal control – what does ineffective risk management look like?
• Incident reporting challenges – clarity on thresholds and processes
• Managing business and regulatory change – adapting controls to evolving risks
• Simplifying and prioritizing the approach to UK CGC – avoiding unnecessary complexity
• Addressing redundancy and overlaps in risk and control functions
• Educating the organization on UK CGC requirements – ensuring buy-in at all levels
• Evaluating inherited controls – are they still appropriate in today’s risk landscape?
• Process modeling and business risk analysis – integrating risk and control into core operations
• Applying UK CGC principles effectively – practical implementation strategies
• Embedding UK CGC into the three lines of defense – ensuring integrated accountability
• Breaking down silos in risk and control management – fostering collaboration across departments
• Cultural and accountability shifts for UK CGC compliance – making governance a shared responsibility
• Linking UK CGC to strategy, performance, and objectives – ensuring risk supports business goals
• Designing a UK CGC framework – aligning controls with business needs
• Clarifying ownership and accountability structures – defining roles clearly
• Identifying material vs. immaterial controls – focusing efforts where they matter most
• Measuring control effectiveness – avoiding over-control and unnecessary bureaucracy
• Assembling the right UK CGC team – ensuring the right expertise and collaboration

Moving Forward: The Path to Effective UK CGC Compliance

UK organizations must take a strategic, risk-based approach to implementing Provision 29. Success requires:

1. Breaking Down Silos – Risk and control management should be an enterprise-wide initiative, not a fragmented exercise.
2. Embedding UK CGC into Business Operations – Aligning risk and control frameworks with business strategy, performance management, and operational processes.
3. Enhancing Risk Management, Awareness & Culture – Driving engagement across all levels of the organization to ensure risk and control are part of daily decision-making.
4. Investing in Assurance and Continuous Monitoring – Leveraging technology and robust assurance mechanisms to demonstrate control effectiveness.
5. Defining Material Controls with Confidence – Focusing on controls that truly mitigate the most significant risks, rather than creating unnecessary layers of compliance.

The UK Corporate Governance Code represents a major shift in how UK organizations approach internal control and risk management. Organizations must move beyond viewing compliance as a check-the-box exercise and embrace a more dynamic, integrated GRC framework that fosters resilience and accountability.

I look forward to continuing these discussions in the weeks ahead as I head to Asia for more workshops. The evolution of corporate governance and risk management remains a global challenge, but one that, when addressed effectively, can lead to stronger, more resilient organizations.

Driving a car is a perfect analogy for understanding the principles of risk and resilience management. When we drive, we have an objective: a destination to reach. Similarly, in business, risk management begins with understanding objectives. According to ISO 31000, risk is defined as “the effect of uncertainty on objectives.” Achieving our goals—whether personal, organizational, or societal—requires navigating uncertainties, just as a driver navigates roads, traffic, and potential hazards.

Objectives: Our Focus is on the Road Ahead

When driving, our primary focus is on the road ahead. We watch for obstacles, anticipate turns, and adapt to changing conditions. This forward-looking approach aligns with effective risk management, where the goal is to proactively identify and address potential challenges that could disrupt achieving objectives. Unfortunately, many risk management programs fail because they are overly focused on the past, akin to driving a car while continuously staring in the rearview mirror.

While hindsight provides valuable lessons, effective risk management demands foresight. Rearview mirrors are essential, but they are not the primary focus for driving safely. Similarly, organizations must strike a balance between learning from past risks and preparing for future uncertainties.

The IPDE Method: A Framework for Risk Management

In driver’s education, we are taught the IPDE method: Identify, Predict, Decide, Execute. This simple yet powerful process is the essence of risk management:

1. Identify: Recognize risks that could impact objectives. This could be anything from geopolitical tensions to supply chain vulnerabilities.
2. Predict: Analyze potential scenarios and outcomes. What happens if a risk materializes? How severe could the impact be?
3. Decide: Determine the best course of action to mitigate or respond to risks. Should you avoid, accept, transfer, or reduce the risk?
4. Execute: Implement your chosen risk strategy. This step translates planning into action to ensure objectives remain achievable.

Just as a driver uses the IPDE method to navigate safely, organizations can use this framework to manage risk effectively.

The Role of External Risk Intelligence

Driving isn’t just about controlling the car; it’s also about adapting to external conditions like weather, traffic, and road closures. Drivers rely on external intelligence from tools like GPS systems, traffic updates, and weather forecasts to make informed decisions. Similarly, effective risk management requires external risk intelligence. Organizations must gather and analyze data on geopolitical risks, economic trends, natural disasters, commodity availability, and other external factors that could impact their objectives.

Without this external perspective, risk management becomes myopic, and decisions are made in a vacuum. External intelligence provides the context needed to navigate an increasingly complex and interconnected world.

Resilience: The Operational Backbone

While risk management focuses on navigating uncertainties, resilience ensures the organization can withstand and recover from disruptions. Resilience is akin to maintaining the operational health of a car. Routine maintenance—oil changes, tire rotations, brake inspections—is essential for ensuring the car’s reliability. Neglecting these small but critical tasks can lead to significant breakdowns.

Some risk pundits decry risk lists and checklists. I believe they have a purpose, and it is in this operational down in the weeds context. But strategic risk management focused on objectives, the road in front of us, is the critical component that cannot be missed. Too many focused on the operational weeds of risk and neglect the strategic risk aligned with objectives.

In an organizational context, risk and resilience requires:

• Routine checks: Regular audits, testing, and assessments to ensure systems, processes, and controls are functioning as intended.
• Preparedness: Having contingency plans in place for when things go wrong.
• Flexibility: The ability to adapt quickly to changing circumstances.

Just as a car’s dashboard provides critical information about fuel levels, engine health, and speed, organizations need metrics and dashboards to monitor their resilience and operational health.

Insurance: The Safety Net

No driver hits the road without insurance. Insurance provides a safety net for unforeseen accidents and ensures financial protection against significant losses. In risk management, insurance plays a similar role. It’s a form of risk transfer that mitigates the financial impact of events beyond an organization’s control.

However, insurance is not a substitute for proactive risk management. It’s a complementary tool, much like wearing a seatbelt: essential, but not a strategy for avoiding accidents.

Technology: The Vehicle for Risk Management

A car is a tool for achieving our objective—reaching our destination. The quality, reliability, and performance of the car directly impact our ability to achieve that goal. Similarly, organizations need robust risk management technology to support their objectives. Yet, many risk technologies fail because they lack an objective- or performance-centric view. They put the cart (risk) in front of the horse (objectives), many solutions do not even have the horse and it is just a cart of risks with no concept of objectives.

Effective risk management technology should:

• Align with the organization’s objectives.
• Provide real-time insights to support decision-making.
• Be adaptable to changing risks and scenarios.
• Integrate with external intelligence sources to provide a comprehensive view of the risk landscape.

Without these capabilities, risk management technology becomes a burden rather than an enabler.

The Road Ahead

Risk and resilience management, much like driving, is about balancing focus and flexibility. We must keep our eyes on the road ahead while occasionally checking the rearview mirror and dashboard. We must rely on external intelligence to anticipate conditions and ensure our vehicle—whether a car or an organization—is well-maintained and prepared for the journey.

By adopting a proactive, objective-driven approach to risk and resilience management, organizations can navigate uncertainties and achieve their goals with confidence. After all, the destination matters, but how we get there defines our success.