True Genius in GRC: The Need for Risk Intelligence

Winston Churchill once remarked, “True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information.” In today’s complex and rapidly evolving world, this quote rings truer than ever. For organizations navigating governance, risk management, and compliance (GRC), the ability to assess and act upon uncertain, hazardous, and conflicting information is paramount to success. This capacity is embodied in one concept: risk intelligence.

Risk intelligence involves gathering, analyzing, and leveraging various sources of information to triangulate, anticipate, assess, and evaluate risk to the objectives of the organization. It’s more than just collecting data; it’s about extracting meaning and actionable insights that drive decision-making. Organizations need a robust approach to risk intelligence that includes geopolitical risk, economic forecasts, market and industry trends, security and threat intelligence, regulatory change intelligence, third-party intelligence, and competitive intelligence.

Let’s explore the critical need for GRC and risk intelligence content, how organizations can leverage it, and how triangulation, risk modeling, and scenario analysis empower organizations to achieve their objectives with minimal surprises.

The Role of Risk Intelligence in GRC

Risk intelligence serves as the foundation of effective GRC strategies. Without it, organizations are left vulnerable to sudden disruptions, regulatory penalties, and strategic missteps that will hinder the achievement of objectives. The process of gathering, analyzing, and acting on risk intelligence allows organizations to anticipate and prepare for potential threats rather than react to them after the fact.

According to ISO 31000, “risk is the effect of uncertainty on objectives.” To achieve objectives, organizations must proactively address uncertainty. Here’s how risk intelligence supports this goal:

  • Informed Decision-Making. By leveraging comprehensive and up-to-date information, leaders can make better, faster decisions, reducing the likelihood of costly mistakes.
  • Anticipating Emerging Risks. Risk intelligence helps organizations identify trends, disruptions, and threats before they materialize, enabling proactive risk mitigation.
  • Achieving Strategic Objectives. By addressing uncertainty, organizations can reduce the likelihood of surprise disruptions and stay on course to achieve their strategic goals.
  • Building Resilience. A well-informed organization is more agile and resilient, able to pivot in response to emerging threats or new opportunities.

With these capabilities in place, organizations can shift from a reactive approach to a proactive stance, better positioning themselves to achieve success and mitigate risk.

To fully appreciate the value of risk intelligence, it’s important to understand the key categories it encompasses. Each type of intelligence addresses a unique aspect of the risk landscape and contributes to a holistic risk management strategy.

  • Geopolitical Risk Intelligence. Organizations need to stay informed about changes in geopolitics, such as conflicts, trade disputes, and regulatory shifts, which can have a profound impact on global supply chains and market access.
  • Economic Predictions. Economic forecasts play a vital role in strategic planning, operational costs, and financial forecasting. Fluctuations in interest rates, inflation, and currency values all affect business decisions.
  • Market & Industry Forecasts. By tracking industry-specific trends and shifts in consumer behavior, companies can influence product development, supply chain decisions, and competitive positioning.
  • Security/Threat Intelligence. Cybersecurity threats, insider threats, and physical security risks must be addressed to protect business continuity, customer trust, and operational resilience.
  • Regulatory Intelligence & Change. Regulatory changes demand constant vigilance to ensure ongoing compliance with new and evolving requirements.
  • Third-Party Intelligence. Understanding the stability, operational capacity, and ethical concerns of third-party vendors is critical for supply chain integrity, partnerships, and reputation.
  • Competitive Intelligence. Staying informed on competitor strategies, new products, and market entry tactics allows organizations to make informed strategic decisions and seize market opportunities.

Each of these categories contributes to a well-rounded understanding of risk and enhances an organization’s ability to respond to an increasingly dynamic risk landscape.

The Process of Risk Intelligence: From Information to Insight

Simply gathering information is not enough. For risk intelligence to have true value, organizations must transform raw data into actionable insights. This process involves several key steps that work together to produce a complete, accurate, and meaningful view of potential risks.

  1. Data Collection. It starts with gathering relevant, accurate, and timely data from a range of internal and external sources. This can include regulatory bulletins, industry publications, market reports, and real-time threat feeds.
  2. Triangulation. Next, organizations cross-reference and validate data points from multiple sources. Triangulation ensures the reliability of information and reduces the likelihood of acting on inaccurate data.
  3. Insight Generation. Finally, organizations analyze the data to identify trends, patterns, and interdependencies. The goal is to develop “What if” scenarios and “What it means” interpretations that drive decision-making.

This process requires both human expertise and technology-driven tools, particularly artificial intelligence, to handle large data volumes at speed. With this approach, organizations can avoid cognitive biases, eliminate data blind spots, and ensure decisions are informed by comprehensive intelligence.

The concept of triangulation is essential to effective risk intelligence. Unlike single-source analysis, triangulation builds a more complete and trustworthy view by validating information from multiple perspectives. For example, a company analyzing the potential impact of a new trade regulation would cross-reference industry analyst reports, government announcements, and internal compliance assessments. If all sources align, the organization gains confidence in its risk analysis. If discrepancies emerge, further investigation is required to clarify the impact.

Triangulation mitigates the risk of cognitive bias and misinterpretation. It ensures a well-rounded, multi-dimensional perspective on the risks at hand, allowing for more informed decision-making. Once risk intelligence is gathered and triangulated, organizations need to understand how it will affect their operations. Modeling, simulations, and tabletop exercises are essential for this purpose. They help organizations visualize the potential impact of risk and develop effective response plans.

  • Risk Modeling. This involves using quantitative and qualitative models to predict potential outcomes. For example, companies might model the financial impact of a supply chain disruption.
  • Simulations. Monte Carlo simulations generate thousands of potential future outcomes, giving organizations a clear view of possible scenarios and the likelihood of each.
  • Tabletop Exercises. Here, stakeholders role-play risk scenarios to identify gaps in response plans and develop playbooks for real-world application.

These methods provide a way to test assumptions, explore “what if” scenarios, and prepare for various outcomes, reducing the likelihood of being blindsided by unexpected events.
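To make the risk modeling and Monte Carlo simulation bullets concrete, here is an added example that is not part of the original article: a small simulation of annual revenue loss from supplier disruptions, with a "what if" scenario for dual-sourcing one supplier. The supplier names, probabilities, outage lengths, revenue figures and the assumption that dual-sourcing halves exposure are all constructed for illustration.

```python
"""Monte Carlo model of annual loss from third-party (supplier) disruptions.

Added illustration, not from the original article. The supplier portfolio,
the loss model and the mitigation scenario below are constructed assumptions.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class Supplier:
    name: str
    annual_disruption_prob: float  # chance of at least one disruption per year
    mean_outage_days: float        # average length of a disruption, in days
    daily_revenue_at_risk: float   # revenue lost per outage day (currency units)


# Constructed sample portfolio; every figure here is illustrative only.
SUPPLIERS = [
    Supplier("packaging-vendor", 0.30, 5.0, 20_000.0),
    Supplier("logistics-provider", 0.15, 3.0, 50_000.0),
    Supplier("cloud-hosting", 0.05, 1.0, 200_000.0),
]


def simulate_annual_loss(suppliers, rng):
    """One simulated year: each supplier independently may fail; if it does,
    the outage length is drawn from an exponential with the supplier's mean."""
    loss = 0.0
    for s in suppliers:
        if rng.random() < s.annual_disruption_prob:
            outage_days = rng.expovariate(1.0 / s.mean_outage_days)
            loss += outage_days * s.daily_revenue_at_risk
    return loss


def run_monte_carlo(suppliers, trials=20_000, seed=42):
    """Run many simulated years and summarise the loss distribution.

    The percentiles are the 'how bad could it get' figures a risk committee
    would look at alongside the expected (average) loss."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(suppliers, rng) for _ in range(trials))

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "expected_loss": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": losses[-1],
    }


def with_dual_sourcing(suppliers, name, factor=0.5):
    """'What if' scenario: dual-source one supplier. We assume (constructed
    assumption) that this scales the revenue exposed per outage day by
    `factor`; the disruption probability of that supplier is unchanged."""
    return [
        Supplier(s.name, s.annual_disruption_prob, s.mean_outage_days,
                 s.daily_revenue_at_risk * factor) if s.name == name else s
        for s in suppliers
    ]


if __name__ == "__main__":
    baseline = run_monte_carlo(SUPPLIERS)
    mitigated = run_monte_carlo(with_dual_sourcing(SUPPLIERS, "logistics-provider"))
    for label, stats in (("baseline", baseline), ("dual-sourced logistics", mitigated)):
        print(f"{label}: expected={stats['expected_loss']:,.0f} "
              f"p50={stats['p50']:,.0f} p90={stats['p90']:,.0f} "
              f"p99={stats['p99']:,.0f} max={stats['max']:,.0f}")
```

Two things the numbers show that the prose alone does not: the median year in this constructed portfolio has zero loss (no supplier fails in roughly 56% of simulated years), while the tail percentiles are dominated by the rare, high-impact cloud outage; and comparing baseline against a mitigation scenario under the same random seed gives a like-for-like estimate of how much a control buys you. The analytic expected loss for the sample portfolio is the sum of probability times mean outage days times daily revenue, 62,500, which the simulation should approximate.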

The Role of Technology in Risk Intelligence

Technology has become a critical enabler of risk intelligence. Advanced tools provide faster analysis, real-time insights, and predictive modeling, all of which are essential for managing modern risk landscapes.

  • Artificial Intelligence (AI) & Machine Learning (ML). AI/ML models analyze large datasets and predict emerging risks based on historical patterns.
  • Natural Language Processing (NLP). NLP extracts insights from unstructured data sources like news feeds and regulatory announcements.
  • Predictive Analytics. Advanced analytics models provide foresight into potential future risks and disruptions.
  • Data Aggregation Tools. These platforms consolidate data from multiple sources into a single, unified view for analysis.

These technologies automate much of the work involved in risk intelligence, making it faster, more efficient, and more accurate.

Risk Intelligence = True GRC Genius

Winston Churchill’s insight into the evaluation of “uncertain, hazardous, and conflicting information” is a guiding principle for modern GRC and risk intelligence. Organizations that master this capability position themselves to anticipate threats, reduce surprises, and achieve strategic objectives.

Risk intelligence content—tailored, timely, and high-quality—is essential for making informed decisions. By triangulating data, using modeling and simulation, and leveraging technology, organizations can ensure they have the insights needed to thrive in a complex world. True genius resides not in collecting information but in making sense of it.

ESG & Resilience: Transforming Third-Party Risk and the Extended Enterprise

The regulatory landscape for Environmental, Social, and Governance (ESG), operational resilience, and third-party risk management (TPRM) is undergoing a profound transformation. Organizations across Europe—and those operating within European supply chains—are feeling the impact of the looming EU Corporate Sustainability Due Diligence Directive (CSDDD) as well as the EU Digital Operational Resilience Act (DORA). These regulations are driving a shift from fragmented, reactive third-party risk management processes to integrated, proactive strategies that emphasize not only ESG, but also operational resilience. It is about integrity and resilience of the extended enterprise. I am interacting on a number of developing strategies and RFPs as several organizations have told me their most significant third-party risk is now the EU CSDDD.

The EU CSDDD, effective from 2026, marks a significant change in corporate accountability. It compels companies to assess, prevent, and mitigate adverse impacts on human rights, the environment, and corporate governance (such as bribery and corruption, privacy, cyber risk) throughout their entire value chain, including suppliers, outsourcers, vendors, service providers, subcontractors, and other third parties. This shift extends beyond compliance, pushing companies toward a more ethical and sustainable future. Alongside this, but separate, EU DORA focuses on ensuring the resilience of financial institutions and their critical third-party service providers, particularly in the areas of IT, cybersecurity, and operational continuity. Together, these directives are reshaping third-party risk management for the modern enterprise across industries (yes, DORA is financial services specific but impacts a lot more). I am interacting with some organizations that refer to their ESG strategies as ‘strategic resilience.’

Organizations cannot let third-party risk be this scattered mess that it so often is within organizations. The future of regulation, but most importantly integrity and resilience, requires an integrated strategy that is supported by technology, intelligence, and assurance.

The Role of ESG and Resilience in Third-Party Risk Management

The components of ESG—Environmental, Social, and Governance—play a critical role in the transformation of TPRM.

  • Environmental. The “E” requires organizations to evaluate their suppliers’ policies on climate change mitigation, resource efficiency, and biodiversity protection. I have had several interactions where one of the top concerns is forever chemicals in the supply chain. Companies must ensure their supply chains comply with environmental standards, adopt circular economy principles, and minimize pollution. These efforts are reinforced by monitoring and due diligence activities, supported by third-party risk intelligence.
  • Social. The “S” emphasizes human rights, labor practices, and workplace safety. The EU CSDDD prioritizes addressing forced labor, child labor, and unsafe conditions. It requires organizations to assess and ensure suppliers’ commitment to fair treatment, equitable wages, and safe working environments. Social accountability is becoming integral to supplier evaluations, with companies focusing on shared values within their supply chains.
  • Governance. The “G” focuses on business ethics, anti-corruption, cybersecurity, privacy, and accountability. Governance requirements extend beyond internal operations, compelling companies to verify that third-party partners maintain ethical practices, prevent bribery, and adhere to data privacy and cybersecurity standards. Organizations must ensure that their suppliers’ governance structures align with regulatory and ethical mandates, safeguarding the integrity of the entire value chain.

Resilience, as emphasized by EU DORA, is a critical addition to this framework. DORA mandates that financial institutions and critical service providers, including cloud providers, ensure operational continuity in the face of disruptions. This means companies must assess the resilience of their third-party partners, ensure they have robust incident response plans, and continuously monitor for potential disruptions that could impact business operations. Resilience now plays a central role in the extended enterprise, alongside ESG commitments.

The Shift from Fragmented to Integrated TPRM Programs

Many organizations have traditionally managed third-party risk through siloed, department-driven processes, with procurement, legal, compliance, and IT each managing risk assessments independently. The EU CSDDD, CSRD, and DORA demand a unified strategy that bridges these functional divides. Companies are now working to establish integrated TPRM programs supported by modern technology and intelligence architectures.

This transformation requires multi-departmental collaboration. Legal, compliance, procurement, supply chain, human resources, IT, and sustainability departments must coordinate efforts to develop a comprehensive third-party due diligence strategy. Governance committees are being established to oversee risk activities, ensuring alignment with corporate ESG objectives and operational resilience goals.

To achieve this, organizations are adopting centralized third-party risk management platforms. These platforms provide a unified view of third-party risks, from onboarding and due diligence to ongoing monitoring all the way to offboarding. Risk intelligence feeds play a critical role, providing real-time insights into environmental, social, and governance risks in supply chains, as well as operational threats such as cybersecurity risks and IT system failures. Companies are leveraging automation and artificial intelligence (AI) to streamline workflows, identify hidden risks, and enhance overall efficiency.

Building a Holistic ESG- and Resilience-Driven TPRM Strategy

To meet the demands of the EU CSDDD (and CSRD), and DORA, organizations must develop a holistic ESG- and resilience-driven TPRM strategy. Success requires clear governance, robust risk assessment, continuous monitoring, and transparent reporting. Key steps in this process include:

  • Accountability. Establishing accountability at the executive and board level is a foundational step. Executive sponsors must drive ESG compliance initiatives, supported by cross-functional risk oversight committees that span legal, compliance, procurement, IT, and sustainability teams. Accountability structures ensure that ESG commitments and operational resilience goals are enforced throughout the organization and its supply chain.
  • Onboarding. Comprehensive due diligence and supplier onboarding are essential. Organizations must evaluate potential suppliers based on ESG and resilience criteria before entering into contracts. Supplier codes of conduct are developed to set clear expectations for ESG compliance and resilience commitments, ensuring suppliers commit to ethical, sustainable, and resilient practices.
  • Monitoring. Risk assessment and continuous monitoring are crucial to ESG- and resilience-driven TPRM. Companies are using third-party risk intelligence feeds to track environmental, social, and governance risks in real-time. Automated alerts notify companies of supplier non-compliance, regulatory changes, adverse media coverage, and operational risks such as cybersecurity threats or natural disasters, enabling proactive responses to emerging risks.
  • Resilience. When issues arise, companies must have clear processes for remediation and corrective action. This includes escalating, addressing, and reporting third-party ESG and resilience issues. Companies should also define contractual remedies, such as termination clauses, for suppliers that fail to comply with ESG or resilience commitments.
  • Engagement. Training and awareness initiatives play a vital role in embedding ESG and resilience principles within the organization and its supply chain. Training internal teams and third-party partners ensures that everyone understands the company’s ESG commitments, operational resilience obligations, and compliance obligations. Training on TPRM platforms and risk intelligence tools helps teams maximize the technology’s potential.
  • Assurance. Assurance activities are essential to verify that companies and their third parties are meeting ESG and resilience requirements under the EU CSDDD, CSRD, and DORA. Companies must conduct regular audits of high-risk third parties, ensuring compliance with ESG and operational resilience criteria. Self-assessment questionnaires (SAQs) are used to gather direct responses from suppliers about their adherence to ESG and resilience policies, as well as certifications to demonstrate compliance. Organizations are also adopting verification processes that leverage third-party audits to ensure suppliers uphold their ESG and resilience commitments. These independent audits provide objective assurance that suppliers are meeting regulatory obligations and ethical standards. When non-compliance is detected, organizations must address gaps through remediation and corrective action plans.
  • Reporting. Finally, reporting and assurance are essential for demonstrating compliance with ESG and resilience regulations. Companies must provide assurance on third-party compliance with ESG standards and resilience requirements through regular reporting, dashboards, and independent audits. Verification processes, such as supplier self-assessments and independent certifications, offer additional assurance of supplier integrity and compliance.

ESG and resilience are driving a transformation in third-party risk management, pushing companies toward an integrated third-party risk strategy and architecture (technology and intelligence/content). Fragmented risk management strategies are being replaced by unified, multi-departmental strategies supported by modern technology and third-party risk intelligence. This approach requires companies to collaborate across functions, leverage TPRM platforms, and adopt proactive risk assessment and monitoring techniques.

The future of third-party risk management is clear: ESG and resilience are no longer “nice-to-have” but regulatory necessities. Companies must adapt to ensure their extended enterprise aligns with Environmental, Social, and Governance principles while also ensuring operational resilience. Doing so strengthens corporate integrity, builds trust with stakeholders, and ensures regulatory compliance under the EU CSDDD, CSRD, DORA, and beyond. Companies that successfully navigate this transformation will gain a competitive advantage, while those that fail to act risk penalties, reputational damage, and loss of market access.

Risk & Resilience: Navigating the Digital-Driven Era

In today’s technology-driven world, digital infrastructure has evolved from a supporting asset to the core of organizational operations. Every industry, from finance and healthcare to manufacturing and retail, relies on interconnected systems, data, and processes to function seamlessly. Yet, as these digital ecosystems expand, so do their vulnerabilities. Cyberattacks, IT outages, regulatory pressures, and third-party risks increasingly threaten the continuity of business operations. Addressing these challenges is no longer just an IT concern—it has become a critical enterprise-wide mandate.

Resilience: More Than Business Continuity . . .

For decades, organizations have relied on Business Continuity Planning (BCP) to recover from disruptions. BCPs offered structured roadmaps to restore operations after unforeseen events, focusing on specific scenarios. However, in an era of increasingly complex and unpredictable risks, this traditional approach is no longer sufficient. The modern risk landscape—characterized by the business reliance on technology, complex threats, supply chain disruptions, and evolving regulatory requirements—demands a more dynamic and proactive strategy.

This shift has led to the rise of operational resilience, a discipline that transcends the reactive nature of BCPs. Operational resilience isn’t just about recovering from disruptions; it is about anticipating them, adapting in real time, and ensuring the delivery of critical services even under adverse conditions. It’s a forward-looking capability that integrates seamlessly with operational risk management, emphasizing the importance of continuous improvement through testing, monitoring, and planning. As the USA OCC states, “operational resilience is an effective outcome of operational risk management.” Resilience prioritizes essential services, focusing on maintaining business outcomes rather than simply restoring systems and processes.

Within the broader framework of operational resilience, digital risk has become a focal point. As organizations digitize their operations and adopt new technologies, they expose themselves to a range of threats. Cyberattacks have grown more sophisticated, with ransomware incidents threatening to bring entire systems to a standstill. IT outages, once considered isolated events, now have cascading effects across interconnected platforms. The reliance on third-party vendors and cloud providers introduces additional vulnerabilities, creating new points of failure. Meanwhile, evolving regulations, such as the EU Digital Operational Resilience Act (DORA), add layers of complexity, requiring firms to not only safeguard their operations but also demonstrate compliance.

Resilience Focus is Across Industries . . .

What sets operational resilience apart is its universal applicability. While it’s often spotlighted in financial services due to stringent regulations, its principles resonate across industries. In healthcare, for instance, the resilience of digital systems can directly impact patient outcomes. Manufacturing companies, heavily reliant on automation and IoT technologies, risk production shutdowns from cyber incidents or IT failures. Retail businesses, particularly e-commerce platforms, depend on uninterrupted service to maintain revenue and customer trust. Even critical infrastructure, such as energy grids, faces unique risks from cyberattacks and physical disruptions.

New Paradigms and Solutions for Resilience . . .

The challenge, however, lies in execution. Many organizations still operate in silos, with IT, risk management, and business operations functioning as separate entities. This fragmented approach undermines efforts to build resilience, as critical dependencies often go unrecognized until it’s too late. Adding to the complexity is the dynamic nature of today’s risk environment. New technologies like artificial intelligence bring unprecedented efficiency but also introduce unforeseen risks and dependencies that must be managed. Organizations increasingly depend on third-party vendors who may lack the same resilience standards, creating vulnerabilities that can ripple through their operations.

To thrive in this evolving landscape, resilience must become a part of an organization’s DNA. This means investing in strategies, processes, and solutions that provide real-time visibility into services, processes, and interdependencies. Technologies like process mining, micro-simulations, and AI-driven models can help organizations simulate disruptions, identify weaknesses, and adapt proactively. Breaking down silos through cross-functional collaboration is equally critical, ensuring that IT, risk management, and business operations work together toward shared objectives. Partnerships with third-party vendors must also evolve, moving beyond basic audits to co-designed processes that align with resilience goals.

Ultimately, digital risk and resilience management is no longer just about safeguarding IT systems—it’s about securing the continuity of critical services that define an organization’s ability to operate, compete, and thrive. As businesses face increasing disruptions and regulatory pressures, operational resilience offers a path forward. By embedding resilience into every aspect of their operations, organizations can move beyond recovery and toward sustained success in an unpredictable world. It’s not just about surviving the challenges ahead—it’s about seizing the opportunities they present.


Restructuring Third-Party Risk Management: Meeting Challenges with a Holistic Approach

The breadth of third-party risk management strategies and programs is undergoing a seismic shift within organizations. Over the past several months, I’ve observed a dramatic uptick in the number of organizations issuing requests for proposals (RFPs) for third-party risk management solutions and asking my advice on what solutions, services, and intelligence they should consider in these. This surge reflects a growing awareness of the need to rethink and restructure how businesses govern their extended enterprise. There are several RFPs that I have interacted on where I have flat out stated they need to look at different solutions, as the ones they are down to will not deliver on the breadth and complexity of the program they are trying to achieve.

Driving this urgency is a wave of regulatory developments that are reshaping the expectations placed on organizations. The EU Corporate Sustainability Due Diligence Directive (CSDDD) looms large, demanding that companies actively manage sustainability risks across their supply chains. Meanwhile, the EU’s progress yesterday toward a Forced Labor Ban adds another layer of complexity, requiring businesses to ensure that forced labor has no place in their operations or those of their suppliers. These, and others, illustrate the demand for Environmental, Social, and Governance (ESG) assurance that is pressuring companies to provide transparency and accountability across their third-party relationships.

These dynamics have pushed organizations to move beyond siloed and reactive approaches to third-party risk management. Instead, they are embracing more integrated, holistic processes that can deliver greater transparency, agility, and resilience.

The Persistent Challenges of Third-Party Risk Management

Organizations are grappling with significant challenges in third-party risk management. These challenges are often rooted in scattered, siloed, outdated, and too often manual processes (or scattered solutions) that can no longer keep pace with today’s complex and fast-moving third-party risk environment.

One of the most pervasive issues is the fragmentation of data and processes. Many organizations still operate in silos, with different departments managing third-party risk independently. This makes it nearly impossible to achieve a unified view of third-party risks, creates redundancies that waste time and resources, and fails to deliver the holistic reporting required by regulations such as EU DORA, EU CSRD / EU CSDDD, and more.

Adding to the complexity is the lack of real-time information. When data is scattered across disconnected systems, organizations are unable to identify and respond to emerging risks quickly. This problem is compounded by the difficulty of scaling traditional third-party risk management processes to accommodate growing ecosystems of suppliers, vendors, and partners.

Without integrated systems, even basic tasks like performance evaluations or compliance tracking become cumbersome. Audits and inspections, which are critical for maintaining accountability, often suffer from insufficient documentation and poor visibility into third-party activities. These gaps leave organizations vulnerable to both operational disruptions and regulatory penalties.

The Need for Modern Third-Party GRC Solutions

To meet these evolving demands, organizations are increasingly turning to modern Third-Party GRC (Governance, Risk, and Compliance) solutions. Modern Third-Party GRC platforms are designed to overcome these obstacles by providing a comprehensive, integrated approach to third-party risk management. These platforms do more than just automate the management of third-party relationships; they enable organizations to proactively govern and monitor risks across the lifecycle of their third-party engagements.

What makes these solutions so powerful is their ability to provide real-time insights into third-party performance, risk, and compliance. By integrating data from multiple sources and delivering it in a unified view, these platforms empower organizations to move away from reactive, fragmented processes and toward proactive, strategic decision-making.

For example, onboarding new third parties becomes faster and more thorough, with automated due diligence processes that ensure each supplier or partner meets regulatory and contractual standards. Ongoing monitoring ensures that risks are continuously evaluated, while regular audits and inspections verify that third parties remain compliant throughout the relationship. Even the process of offboarding—a phase often overlooked—becomes more structured, reducing the risk of data breaches or unresolved compliance issues when a relationship ends.

By providing these capabilities, Third-Party GRC solutions not only streamline operations but also ensure alignment with broader organizational objectives, such as sustainability, ethical sourcing, and resilience.

At the core of these solutions is the ability to unify data and processes across the organization. By breaking down silos, these platforms create a single source of truth for third-party risks, performance, and compliance. This integration not only improves efficiency but also enables more strategic decision-making.

Another key strength of these solutions is their real-time monitoring capabilities. Whether it’s tracking key performance indicators (KPIs) or conducting periodic risk assessments, organizations gain the ability to continuously evaluate their third-party relationships. This ensures that risks are identified and addressed before they escalate into major issues.

Automation is another critical feature. By automating routine tasks like due diligence and compliance tracking, these platforms reduce the burden on internal teams and free up resources for more strategic activities. For example, automated due diligence processes can flag potential red flags, such as connections to politically exposed persons or adverse media coverage, while ensuring that all third-party interactions are thoroughly documented.

The NEED for Integration of Third-Party Risk Intelligence

What sets today’s leading Third-Party GRC solutions apart is their integration with third-party risk intelligence services. These integrations allow organizations to tap into a wealth of external data that enhances their ability to assess and manage risks.

For instance, platforms can provide real-time updates on watch lists, sanctions, and negative news, enabling organizations to respond swiftly to potential threats. They can also deliver insights into security and financial viability ratings, helping companies make informed decisions about their third-party engagements. And as ESG becomes a critical area of focus, many platforms now offer detailed ESG ratings and compliance data, ensuring that third-party relationships align with organizational values and regulatory requirements.

Preparing for the Future: The Business Case for Third-Party GRC

Investing in a Third-Party GRC solution delivers tangible benefits that extend beyond compliance. These platforms drive efficiency by automating manual processes and reducing redundancies. They enhance effectiveness by providing a comprehensive view of third-party risks and ensuring accountability at every stage of the relationship.

Moreover, Third-Party GRC solutions strengthen organizational resilience by enabling proactive risk management. By identifying and addressing risks early, companies can avoid costly disruptions and maintain business continuity. Finally, these solutions provide the agility needed to adapt to an ever-changing regulatory environment, ensuring that organizations remain compliant even as new challenges emerge.

The regulatory landscape is only becoming more complex, and the risks associated with third-party relationships are growing in both scale and scope. The introduction of measures like the EU CSDDD and the Forced Labor Ban is a clear signal that organizations can no longer afford to take a reactive approach to third-party risk management.

By adopting modern Third-Party GRC solutions, businesses can position themselves to navigate these challenges with confidence. These platforms provide the tools needed to not only meet regulatory requirements but also build stronger, more resilient third-party ecosystems.

As organizations restructure their approaches to third-party risk management, the emphasis must be on creating processes that are not only efficient and effective but also aligned with their broader values and goals. In doing so, they can turn third-party risk management from a compliance burden into a strategic advantage.

Employee Engagement: The Last Mile of Compliance & Ethics

Compliance and ethics are at the core of building a resilient, trustworthy organization that is focused on integrity. These functions are the bastion of corporate integrity, and I have stated for twenty years that the CECO/CCO should be the CIO – the Chief Integrity Officer.

Unfortunately, too often, compliance and ethics gravitate to the back-office. Teams work tirelessly to monitor regulatory change, update policies, and ensure controls are defined. These efforts are essential, but they aren’t the end of the story. Compliance success ultimately hinges on employee engagement — that “last mile” of compliance and ethics that transforms policy into action. Compliance isn’t just about knowing the law or maintaining policies; it’s about ensuring that employees act in ways that uphold these standards every day. To do this, organizations need to prioritize employee engagement as the backbone of compliance, ethics, and governance. This is the era of employee engagement in compliance and ethics, as well as broader GRC (governance, risk management, compliance), and that engagement is delivered through mobility.

The Human Firewall: People as the Core of Compliance

An organization can be aware of every relevant law and regulation, have policies written in impeccable prose, and maintain perfect documentation, but if employees don’t know, understand, or remember these policies, compliance is compromised. The human firewall is built on employees who are informed, empowered, and engaged in the organization’s ethical standards and compliance requirements. Yet, this firewall will falter if we fail to make engagement with compliance information easy, relevant, and ACCESSIBLE.

To build this firewall, organizations must create a culture of compliance where employees feel invested in ethical practices. This means compliance must be woven into the everyday experience of employees at all levels — not just at headquarters or in the compliance department. Every employee, from the executive team to frontline staff, should be well-versed in compliance and ethics that affect their work. The challenge is making compliance and ethics engagement readily available, easy to access, and most importantly, tailored to each role.

Policies and Awareness: The Road to True Compliance

Policies and codes of conduct only fulfill their purpose if employees actually read, understand, and internalize them. Too often, policies are treated as static documents to be acknowledged once and filed away. But policies are living documents that guide behavior, set expectations, and safeguard the organization. They need to be communicated effectively, refreshed regularly, and, importantly, be part of an ongoing dialogue with employees. Engagement isn’t just about distribution; it’s about comprehension, recall, and action. It also means employees can get their questions about a policy answered, particularly in a specific context.

Employees should not only know where to find policies but should also have clarity on how these policies apply to them, especially in complex, fast-moving environments where regulations evolve rapidly. It’s the difference between checking a box and fostering genuine awareness — a shift from passive to active engagement.

Moving Beyond the Hotline: Modernizing Compliance and Ethics Engagement

Traditional methods like hotlines and call centers are outdated. These channels can be slow, intimidating, and disconnected from employees’ day-to-day experiences. Today, organizations need to engage employees where they are: on their mobile devices, in real-time, and in ways that feel natural to them. Just as mobile technology has transformed how we communicate, shop, and access information, it can revolutionize how employees engage with compliance and ethics. Mobility allows employees (and third parties) to easily report issues and get questions answered.

Imagine compliance training that’s accessible on an app, allowing employees to learn in bite-sized segments, tailored to their role, process, or location. Mobile engagement can be contextual, responsive, and adaptive, shifting compliance from a static task to an interactive experience. In this sense, compliance engagement becomes as effortless as checking a sports score or sending a quick message. Organizations can empower employees with compliance tools that fit their day-to-day, not merely as a series of one-off trainings or infrequent policy reviews.

Contextual Awareness: Compliance in Real Time

A significant advantage of mobile engagement is the potential for contextually aware compliance tools. These tools can be designed to recognize an employee’s specific role, the tasks they perform, and even their location, delivering timely reminders and guidance tailored to their situation. An employee in a high-risk area may receive prompts about local compliance risks, while a sales team member can access policies related to anti-bribery and corruption as they hit the ground in high-risk countries, presented in a way that’s directly relevant to their interactions.

This level of contextual awareness brings compliance to life in the workplace. Employees are not just passive recipients of information; they are active participants who can access relevant compliance guidance as they need it. In an environment where compliance risks are constantly evolving, such responsiveness is crucial.

I get calls every month from organizations looking for solutions because they have discovered they have twenty-eight policy portals (seriously, this happened), and policies are different and out of date on these portals and lack engagement. But it gets worse when training is in separate LMS systems. Employees, on their personal time, go out to Facebook. They can watch a YouTube video on Facebook. They do not have to click on a link, go and watch the video on YouTube, and then go back to Facebook to comment on it. However, this is what is happening with policies and training. This is not the modern tech mobile experience that employees are used to. Things need to change.

Engaging the First Line: Empowering Every Employee

To bring compliance into the daily fabric of operations, organizations need to focus on the first line: senior executives, managers, and every frontline employee. The back office of compliance — the regulatory change, policies, controls, and documentation — is essential, but it’s the front-line engagement that ensures these tools are effective. Employees need to feel empowered to make compliant choices, know how to raise concerns, and feel confident that their voice matters. This approach transforms compliance from a distant function to an integrated part of the business, owned by everyone.

Employee engagement goes beyond merely “following the rules”; it’s about aligning personal actions with corporate values. When compliance becomes part of the organizational culture, employees are more likely to act ethically even in ambiguous situations. This proactive engagement builds a foundation of trust, integrity, and shared accountability.

The Shift to Mobile: The Future of Compliance Engagement

We live in a mobile-first world where access to information is always at our fingertips. Entering a concert or sporting event without a mobile phone is almost unthinkable — so why should compliance be any different? Mobile engagement provides a powerful way to connect employees to compliance content, making training, policy updates, and whistleblower channels available wherever they are. It allows for a more flexible, scalable, and inclusive approach to compliance, creating a unified compliance experience across geographies, departments, and roles.

With this shift, the market for compliance solutions will evolve as organizations prioritize employee engagement capabilities when choosing compliance platforms. Vendors who focus solely on regulatory change and policy documentation for the back office risk being left behind. The future of compliance tools lies in mobile-first, context-aware platforms that actively support employees in making ethical decisions, rather than simply enforcing top-down mandates.

The New Generation of Employee Engagement: A Call to Action

As organizations rethink compliance and ethics, solution providers must take note. Employee engagement will increasingly drive purchasing decisions for compliance and ethics solutions, and by extension, broader GRC systems. The need is clear: solutions must prioritize first-line engagement, bridging the gap between the back office and the front line. Employees want tools that are intuitive, immediate, and mobile-friendly, and that support them in real-world, role-specific contexts.

Organizations and vendors alike should ask themselves: How effectively are we engaging employees in our compliance efforts? Are we still relying on outdated, passive methods, or are we evolving with the times? The future of compliance and ethics lies not in a stronger back office, but in a more engaged, empowered, and ethical front line. With the right tools, organizations can turn compliance from a static function into a dynamic force, aligned with business goals and embedded within daily operations.

Employee engagement is the cornerstone of authentic, effective compliance. Building a “human firewall” that upholds ethical standards is a collaborative effort that requires more than policies or documentation; it requires real, responsive, and mobile engagement. By modernizing compliance through mobile, contextual, and first-line-focused approaches, organizations can create a culture where every employee, no matter their role, contributes to the organization’s ethical standards.

In the end, compliance is about people — and people need tools that meet them where they are. It’s time for compliance to go mobile, empowering every employee to be an active part of the organization’s ethical journey. The last mile of compliance is about engagement, and the future is in the hands of organizations ready to make it happen.

Compliance Insomnia and Nightmares

The realm of compliance management is not for the faint of heart. It is a complex, ever-evolving landscape that can create sleepless nights and anxiety-filled days for compliance professionals. My Compliance Management by Design Workshop in London this week provided a vivid look into the collective concerns and “nightmares” of those in the industry. With over 100 registered attendees, we filled the room with 60 highly engaged professionals, all eager to share, learn, and explore the future of compliance.

The session was a dynamic discussion that delved into the significant challenges of compliance management. We examined the constantly changing regulatory landscape from a UK perspective, emphasizing the critical need for robust regulatory intelligence. From horizon scanning to redlining the most current changes, attendees explored how these updates must be integrated seamlessly into compliance assessments, controls, policy frameworks, and operations.

We also touched on a variety of interconnected topics including:

  • Employee engagement and compliance culture.
  • Issue reporting, including whistleblower systems and case management.
  • Third-party compliance and due diligence.
  • Comprehensive policy management strategies.
  • Governance of compliance and reporting structures up to the board level.

The conversation was rich, interactive, and intense, highlighting both the persistent and emerging issues that keep compliance professionals awake at night.

What Keeps Compliance Professionals Up at Night?

A key part of the workshop was an exercise that asked attendees to share what keeps them up at night. Their responses were candid and painted a picture of an industry under immense pressure. Below are the core challenges, or “nightmares,” that surfaced during our discussion:

  • Silos of Compliance. The struggle of fragmented compliance operations that lack cross-departmental cohesion.
  • Consequences of Interconnected Compliance Risks. How one area of non-compliance can cascade and create systemic issues.
  • Regulatory Updates and Change. The constant pressure to stay informed and adapt to new regulations.
  • Lack of Adherence and Evidence of Policies. Ensuring that policies are not only well-documented but are actively followed and evidenced.
  • Perception Issues. Battling the image of compliance as the “corporate cop,” the “department of no,” or a business disabler.
  • Embedding Compliance Culture. Building a culture where compliance is not just an obligation but an integral part of the business fabric.
  • Tone at the Top and Leadership Engagement. Securing commitment from leadership, fostering alignment at the middle management level, and ensuring consistency across all employee levels.
  • Digital Integration. Implementing compliance programs that align with digital transformation efforts.
  • Skills and Resources. Navigating the resource constraints and skill shortages that compliance teams often face.
  • Budget Constraints. Doing more with less in a world where compliance demands are increasing but budgets are not.
  • The Role of AI in Compliance. Understanding how to leverage AI effectively while managing the risks associated with its use.
  • Regulatory Change Management. Keeping pace with a conveyor belt of regulatory changes.
  • Behavior Monitoring. Ensuring that behavior aligns with the organization’s ethical and compliance standards.
  • Three Lines of Defense. Ensuring consistent compliance across the front line, risk management, and internal audit.
  • Dashboards and Accountability. Providing insight into compliance and controls to deliver assurance to the business and maintain oversight in the context of the Senior Managers and Certification Regime (SMCR) and the UK Corporate Governance Code.
  • Obligations and Requirements Management. Adapting to changes in regulatory obligations and ensuring proportionality in compliance practices.
  • Policy Communication and Understanding. Making sure policies are not only communicated effectively but are fully understood by all levels of the organization.
  • Training and Education. Striking the balance between holistic training and targeted content that addresses specific compliance needs.
  • Proportionality. Tailoring compliance approaches to the size and needs of the organization.
  • Regulatory Awareness. Ensuring continuous awareness of regulatory expectations and fostering positive interactions with regulators.
  • Horizon Scanning and Oversight. The ongoing need to monitor for future risks while maintaining day-to-day compliance operations.
  • Principles-Based vs. Rules-Based Compliance. Navigating the differences and applications of these two regulatory approaches.
  • Basics of Compliance. The embarrassment and risk of getting fundamental compliance elements wrong.
  • Resource Allocation. Ensuring that compliance departments receive adequate funding and resources to operate effectively.
  • Compliance Risk Ownership. Defining who is accountable for compliance risks within the organization.
  • Proactive Compliance. Shifting from reactive responses to a proactive, strategic approach.

Addressing Compliance Nightmares: The Role of Technology and AI

One of the key takeaways from the workshop was that technology, particularly advancements in AI, can play a significant role in addressing these compliance nightmares. Here’s how:

  • Breaking Down Silos with Integrated Platforms. Compliance management technology brings together data and processes from across the organization, creating a unified and more collaborative approach to compliance. By integrating compliance tools with other business systems, organizations can break down the silos that often hinder their ability to operate efficiently.
  • Real-Time Regulatory Intelligence and Change Management. AI-powered horizon scanning tools can keep compliance teams updated on regulatory changes as they happen, providing real-time insights and alerts. These tools help in prioritizing and redlining regulations, allowing teams to focus on what is most relevant to their organization and stay ahead of compliance requirements.
  • Enhanced Compliance Monitoring and Behavior Analysis. With the power of AI, compliance teams can move beyond traditional monitoring to more predictive analytics. AI can track behavior patterns, identify anomalies, and flag potential issues before they escalate into larger problems, supporting better risk management and oversight.
  • Automated Evidence and Documentation. Automation reduces the burden of manual documentation by compiling evidence for audits and compliance reporting. AI-driven systems can automatically generate reports, track policy adherence, and maintain audit trails, providing a higher level of assurance and transparency.
  • Improved Policy Communication and Training. AI-based platforms can tailor policy content to individual roles within an organization, ensuring that the training is both comprehensive and specific to the needs of employees. This “just right” approach aligns with the “Goldilocks of Compliance” principle—providing training that is neither too broad nor too narrow but exactly what is needed.
  • Proactive Compliance through Predictive Analytics. Compliance teams can use AI to analyze trends and foresee potential areas of non-compliance. This helps organizations move from being reactive to being proactive, aligning with a strategic approach to compliance management.

Compliance management is a high-stakes environment where the risks of failure can be severe. However, with the right tools and strategies, compliance teams can shift from insomnia and nightmares to confident oversight and proactive management. Compliance management technology, especially with the use of AI, can alleviate many of the stressors identified during our workshop. By embracing digital solutions, organizations can better manage their compliance responsibilities, build a strong compliance culture, and align with the evolving regulatory landscape.

As compliance continues to grow in complexity, the path to restful nights lies in understanding these challenges, leveraging technology, and cultivating a culture that sees compliance not as a burden, but as a vital component of business integrity and success.

The Integrated Approach: Bringing Risk & Resilience Together

Operational Resilience: The Evolution Beyond Business Continuity Management

In today’s dynamic and interconnected business environment, the concept of resilience is gaining prominence, pushing organizations to evolve beyond traditional approaches like Business Continuity Management (BCM). While BCM has been instrumental in helping businesses navigate disruptions, it is no longer sufficient on its own. Organizations need to embrace a more integrated and proactive approach—one that encompasses not just continuity, but also adaptability and agility. Enter Operational Resilience, a forward-thinking strategy that ensures businesses can anticipate, withstand, and recover from disruptions while maintaining critical operations.

The Shift from Business Continuity to Operational Resilience

Business Continuity Management (BCM) has historically . . .

[The rest of this blog can be read on the GRCxperts blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Compliance Management: The RegTech Future in a Dynamic Environment

In an era where regulatory pressures continuously evolve and intensify, compliance management solutions have emerged as vital tools for organizations striving to uphold both mandatory (regulatory/legal) and voluntary (values-driven, ethical) obligations. These solutions provide the structure and automation needed to streamline compliance processes, mitigate risks, and ensure alignment with an ever-changing regulatory landscape. By offering real-time monitoring, efficient workflows, and a transparent audit trail, they support organizations in managing complex compliance requirements across multiple jurisdictions, enabling proactive strategies that keep pace with regulatory demands.

Top Compliance Challenges Facing Organizations Today

Organizations grappling with compliance management face a multitude of challenges, especially those still reliant on manual processes. Information and processes are frequently siloed across departments, resulting in inefficiencies, gaps in oversight, and sometimes even critical errors. Many organizations lack the dedicated resources—both personnel and expertise—required to navigate increasingly complex regulatory landscapes. Without an integrated compliance management system built on RegTech, overseeing the breadth of compliance obligations across an organization can become burdensome, leading to disjointed efforts that lack a cohesive strategy.

Inefficiency and redundancy are common pain points when compliance tracking is managed manually, wasting time and introducing the risk of human error. The fast-paced nature of regulatory changes makes real-time information critical; however, organizations often struggle to maintain up-to-date records, impacting their ability to respond quickly. Change management is another challenge, with some companies finding it difficult to promptly monitor, interpret, and adapt to new regulatory requirements, which heightens the risk of non-compliance. Compliance assessments, too, suffer from inconsistency, and without comprehensive audit trails, organizations may lack the defensible evidence required in regulatory reviews.

Furthermore, disparate technologies within organizations lead to information silos that hinder a unified compliance approach. Scaling compliance processes becomes a hurdle as organizations grow. Transitioning to an integrated compliance management technology architecture can help overcome these challenges, providing a unified view of obligations, automating workflows, and enhancing overall compliance efficiency and effectiveness.

Key Components of Modern Compliance Management Processes

  1. Compliance Program Management. This establishes an integrated framework, ensuring adherence to regulatory and ethical standards across all business units. By consolidating compliance obligations, organizations gain real-time insights and stay agile, adapting quickly to new regulations and internal requirements.
  2. Organizational Mapping & Understanding. A structured review of the organization’s jurisdictional scope and regulatory bodies clarifies compliance responsibilities across all locations. This foundation aids in setting up a responsive compliance system attuned to the nuances of each area’s obligations.
  3. Regulatory Intelligence. With horizon scanning and tracking of current regulatory changes, organizations can anticipate and prepare for new compliance requirements. The use of redlining in regulatory updates helps compliance teams understand changes at a granular level, aligning their strategies in response.
  4. Obligations Library. This provides a centralized repository linking regulatory and contractual obligations to internal policies, risks, and controls. Compliance teams can maintain visibility across the regulatory landscape, ensuring no obligations are overlooked.
  5. Policy & Control Alignment. Continuously aligning policies and controls with current regulatory requirements keeps organizations in compliance. AI tools often facilitate this by suggesting necessary adjustments, helping to maintain resilience against compliance risks.
  6. Compliance Monitoring & Ongoing Assessment. Regular compliance assessments, audits, and reviews are essential for early detection of non-compliance, mitigating risks, and promoting continuous alignment with regulatory requirements.
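As an added illustration of the obligations library, policy and control alignment, and ongoing assessment steps above (example code written for this page, not a GRC 20/20 or vendor implementation; the obligation, control, policy identifiers and jurisdictions are constructed), the sketch below links obligations to controls and reports three kinds of gap: obligations with no control, obligations that apply in a jurisdiction where no mapped control operates, and links that have gone stale because regulatory intelligence changed the obligation after the control was last assessed.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Obligation:
    obligation_id: str
    source: str                      # regulation or contract it derives from
    jurisdictions: FrozenSet[str]    # where the obligation applies
    version: int                     # bumped when regulatory intelligence flags a change


@dataclass(frozen=True)
class Control:
    control_id: str
    policy_id: str                   # internal policy that implements the control
    operating_in: FrozenSet[str]     # jurisdictions where the control is actually operated


@dataclass(frozen=True)
class Link:
    control_id: str
    assessed_version: int            # obligation version the control was assessed against


class ObligationsLibrary:
    """Central repository linking obligations to policies and controls (hypothetical)."""

    def __init__(self) -> None:
        self.obligations: Dict[str, Obligation] = {}
        self.controls: Dict[str, Control] = {}
        self.links: Dict[str, List[Link]] = {}

    def add_obligation(self, ob: Obligation) -> None:
        self.obligations[ob.obligation_id] = ob
        self.links.setdefault(ob.obligation_id, [])

    def add_control(self, ctl: Control) -> None:
        self.controls[ctl.control_id] = ctl

    def map_control(self, obligation_id: str, control_id: str) -> None:
        # The link records which obligation version the control was assessed against.
        ob = self.obligations[obligation_id]
        self.links[obligation_id].append(Link(control_id, ob.version))

    def record_regulatory_change(self, obligation_id: str) -> None:
        # Horizon scanning / redlining reported a change: bump the version so every
        # control mapped to the old text shows up for re-assessment.
        ob = self.obligations[obligation_id]
        self.obligations[obligation_id] = replace(ob, version=ob.version + 1)

    def unmapped(self) -> List[str]:
        """Obligations with no control at all (nothing evidences compliance)."""
        return sorted(oid for oid, links in self.links.items() if not links)

    def stale(self) -> List[str]:
        """Obligations whose mapped controls were assessed against an older version."""
        return sorted(
            oid for oid, links in self.links.items()
            if any(l.assessed_version < self.obligations[oid].version for l in links)
        )

    def jurisdiction_gaps(self) -> Dict[str, Set[str]]:
        """Mapped obligations that apply somewhere no mapped control operates."""
        gaps: Dict[str, Set[str]] = {}
        for oid, ob in self.obligations.items():
            if not self.links[oid]:
                continue  # already reported by unmapped()
            covered: Set[str] = set()
            for link in self.links[oid]:
                covered |= self.controls[link.control_id].operating_in
            missing = set(ob.jurisdictions) - covered
            if missing:
                gaps[oid] = missing
        return gaps


def build_sample_library() -> ObligationsLibrary:
    """Constructed sample data; the sources and identifiers are not real."""
    lib = ObligationsLibrary()
    lib.add_obligation(Obligation("OB-1", "data protection rule (constructed)", frozenset({"UK", "EU", "US"}), 1))
    lib.add_obligation(Obligation("OB-2", "anti-bribery clause (constructed)", frozenset({"UK"}), 1))
    lib.add_obligation(Obligation("OB-3", "supplier contract SLA (constructed)", frozenset({"US"}), 1))
    lib.add_control(Control("CTL-ENC", "POL-SEC-01", frozenset({"UK", "EU"})))
    lib.add_control(Control("CTL-GIFTS", "POL-ETH-02", frozenset({"UK"})))
    lib.map_control("OB-1", "CTL-ENC")      # operated in UK/EU only: US is a gap
    lib.map_control("OB-2", "CTL-GIFTS")
    return lib                              # OB-3 is deliberately left unmapped


if __name__ == "__main__":
    lib = build_sample_library()
    lib.record_regulatory_change("OB-2")    # simulate a regulatory update
    print("unmapped:", lib.unmapped())
    print("stale:", lib.stale())
    print("jurisdiction gaps:", lib.jurisdiction_gaps())
```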

The Role of Artificial Intelligence in Compliance Management

AI is revolutionizing compliance management by automating critical processes, increasing accuracy, and easing the burden on compliance teams. AI enables real-time monitoring of regulatory changes, performs predictive horizon scanning, and redlines regulations to highlight updates. AI is a gazillion times faster at reading, mapping, and categorizing regulations. One life science organization that GRC 20/20 has advised found that AI for regulatory change management was also 30% more accurate than traditional processes.

Additionally, AI-driven obligations mapping connects new requirements with existing policies and controls, while automated policy alignment responds to regulatory shifts by drafting suggested changes with generative AI. AI also monitors compliance activities, flags potential risks, and interprets regulatory texts through Natural Language Processing (NLP), enhancing scalability and adaptability across compliance functions.

Critical Capabilities in Compliance Management Solutions

Successful compliance management solutions must offer integrated compliance risk assessments, real-time monitoring, AI-powered regulatory change capabilities, and a centralized obligations management system. Other essential features include policy and control alignment, comprehensive compliance monitoring, automated audit trails, dynamic reporting, data integration, scalability, adaptability, and alert systems. These tools work together to create a responsive and agile compliance environment, empowering organizations to meet evolving regulatory demands.

The investment in robust compliance management/RegTech technology delivers significant returns by reducing manual efforts and costs, improving accountability, and ensuring regulatory adherence. Such a system strengthens organizational resilience by preemptively identifying and addressing compliance risks and enhances agility, allowing quick adaptations to changing regulations and internal dynamics.

HOWEVER, in this fast-evolving RegTech landscape, not all solutions deliver on their promises. Some remain more marketing than reality, falling short in functionality or integration. For a clear understanding of which RegTech solutions truly add value and enhance compliance capabilities, reach out to GRC 20/20. Our expertise can help you navigate the market, ensuring you select a solution that genuinely meets your organization’s needs.

Upcoming Compliance Management Workshops:

November 5 @ 9:00 am – 6:30 pm GMT, London

November 20 @ 1:00 pm – 7:00 pm EST, New York

Why Your GRC Program Should Cover More Than Just ERM: The Critical Link to Operational Resilience

It’s tempting to think of Enterprise Risk Management (ERM) as the central hub of your risk program. However, stopping at ERM limits an organization’s ability to fully manage risk and ensure operational resilience. The modern risk landscape demands a GRC (Governance, Risk Management, and Compliance) strategy that goes beyond traditional ERM, encompassing interconnected risks such as third-party, cyber, regulatory, and operational risk and resilience. An effective GRC program integrated across the enterprise is essential for managing not only risk but also building operational resilience.

The Expanding Scope of GRC and the Need for Holistic Risk Management

Risks are increasingly interconnected. Compliance, cyber threats, third-party risks, and ESG are not just isolated challenges; they’re deeply integrated into the operational fabric of organizations. A GRC program that only . . .

[The rest of this blog can be read on the Origami Risk blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Becoming a Better Compliance Technology Buyer: Cutting Through the Noise

The compliance technology and broader GRC solution landscape is more complex than ever, and becoming a better buyer means more than just asking the right questions—it requires cutting through the noise of biased advice. In my recent analysis of RFPs, I’ve seen firsthand how the system can be stacked in favor of certain vendors, often driven by consulting firms with something to gain.

The Perils of Impartial Expertise

An alarming trend has surfaced: Many consulting firms, supposedly neutral advisors, are quietly steering clients towards solutions with massive implementation costs. Why? These firms benefit from bloated implementation projects that can cost millions and take a year or two to deliver value. What should be an impartial solution selection process is manipulated to favor these high-cost solutions, leaving more agile, cost-effective competitors out of the conversation entirely.

Consider . . .

[The rest of this blog can be read on the GAN Integrity blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]