Navigating the Multiverse of Risk: Building Agility into Our Approach to Risk Management

Risk management, for many organizations, is an exercise in analyzing the past—looking at what went wrong and how it can be avoided in the future. Too often, it’s as though we are driving down the highway while staring into the rearview mirror, trying to navigate the future by focusing on the risks that have already materialized. This approach, while valuable for learning from history, falls short in today’s chaotic, complex, and interconnected world.

In the dynamic landscape of modern business, risk is not a single path. It’s not something that can be easily contained or predicted by merely reflecting on past mistakes. This is one point among many where heatmaps fail us. Instead, risk should be viewed through the lens of the multiverse—a concept popularized in science fiction but strikingly relevant to risk management. The multiverse is a metaphor that captures the multiple possibilities, outcomes, and scenarios that could arise based on an organization’s decisions and the external forces that shape its environment.

ISO 31000 defines risk as “the effect of uncertainty on objectives,” emphasizing that risk management is inherently forward-looking. Risk management must expand beyond analyzing past events to consider multiple future scenarios, probabilities, and the myriad ways in which uncertainty can impact organizational objectives. To manage risk effectively in this environment, organizations need to embrace both left-brain and right-brain thinking—combining the logical and structured with the imaginative and creative.

The Multiverse: An Analogy for Risk Management

In risk management, the multiverse represents the infinite possibilities and outcomes that stem from an organization’s decisions, actions, and the external forces acting upon it. Every choice opens a new dimension, leading to different outcomes, both good and bad. These are not always linear or predictable, but they are interconnected. A decision made in one part of the organization or by an external actor can ripple across multiple dimensions of business, affecting operations, finances, compliance, and even reputation.

Risk management in the multiverse requires looking at risk not as a single possibility but as a web of interconnected scenarios. This approach mirrors the way science fiction envisions parallel universes—each slight variation in decision-making leading to a new, branching outcome. In this way, the multiverse metaphor pushes organizations to think more dynamically about risk.

But unlike science fiction, in the business world, we cannot afford to passively observe what happens in alternate universes. We must anticipate and proactively manage those possibilities by using the tools and frameworks available to us, while also thinking beyond traditional risk methodologies.

The Chaotic and Interconnected Nature of Risk

Today’s risk landscape is chaotic and interconnected, and it is rapidly evolving. From global supply chain disruptions to cyber-attacks, from shifting regulations to geopolitical instability, the sources of uncertainty are more varied and unpredictable than ever. The pandemic was a stark reminder of how risks from one domain (health) can cascade into others, such as finance, operations, and workforce management. These risks don’t exist in isolation; they are entangled in a complex web of interdependencies.

For risk management to be effective, it needs to account for this chaos and complexity. It must acknowledge that the risks organizations face are often unpredictable and can arise from unexpected places. This requires a mindset shift from risk avoidance to risk agility—the ability to adapt quickly and efficiently to changing circumstances, foreseen and unforeseen.

The challenge lies in identifying the critical signals amid the noise, understanding how different risks are interconnected, and recognizing which of the many possible future scenarios will impact the organization’s objectives.

Left-Brain Thinking: The Structured Models

Traditional risk management frameworks—such as risk assessments, control models, and compliance checklists—fall squarely within the realm of left-brain thinking. These are logical, structured approaches designed to bring order to the chaos of risk. They help organizations quantify risks, categorize them by likelihood and impact, and create structured mitigation plans.

Structured models, such as quantitative risk analysis, probabilistic modeling, and Monte Carlo simulations, provide valuable insights into risk. These tools allow organizations to create forecasts based on past data and trends, helping them to plan for the future. However, they often rely on assumptions of stability and predictability that don’t always hold true in a rapidly changing world. Traditional models can struggle to capture the full range of possibilities or to anticipate black swan events—those rare and unpredictable risks that can have catastrophic consequences.

Right-Brain Thinking: Creative and Imaginative Approaches

In contrast, the right-brain side of risk management requires creativity and imagination. It involves using techniques such as scenario analysis, wargaming, and tabletop exercises to explore a wider range of possible futures. These methods push organizations to think beyond what is likely and consider what is possible, even if unlikely.

For instance, scenario analysis involves creating detailed narratives of possible futures based on different assumptions and drivers. What happens if a critical supplier goes out of business? How will regulatory changes in one country affect operations in another? What if a competitor introduces a disruptive new technology? By imagining these alternate futures, organizations can prepare for a broader range of outcomes and identify strategic opportunities as well as risks.

Similarly, wargaming and microsimulations involve role-playing and testing different responses to various risk scenarios. These exercises can be invaluable for identifying gaps in existing plans, training teams to respond under pressure, and uncovering hidden risks that may not have been considered in a traditional risk assessment.

These creative, imaginative approaches require risk professionals to step outside the rigid frameworks of traditional risk management and embrace uncertainty. In doing so, they can better understand the full spectrum of risks their organizations face and be more agile in their response.

Combining Risk Intelligence with Forward-Looking Strategies

The key to navigating the multiverse of risk lies in combining risk intelligence—a deep understanding of the external environment—with forward-looking strategies such as scenario analysis, wargaming, and tabletop exercises.

Risk intelligence involves gathering real-time information from a variety of sources, including geopolitical developments, economic market trends, regulatory changes, and emerging technologies. It also requires monitoring social, environmental, and economic indicators to stay ahead of potential disruptions. By having a clear picture of the external environment, organizations can better anticipate changes that may affect their objectives and operations.

However, simply having risk intelligence is not enough. It must be coupled with proactive, forward-looking strategies that allow organizations to explore different possibilities and prepare for multiple outcomes. This requires embedding risk management into strategic decision-making processes and ensuring that it is not just about compliance but about enabling the organization to thrive in a world of uncertainty.

By running microsimulations, organizations can test the impact of different risk scenarios on their objectives in real time. Wargaming allows them to simulate competitive threats, economic downturns, or supply chain disruptions, enabling them to build resilience into their strategies. Scenario analysis helps them to explore alternate futures, so they can be prepared not only for the most likely outcomes but also for the less probable ones.

Building Resilience and Agility in the Multiverse of Risk

To succeed in this chaotic, multiverse-like environment, organizations need to build both resilience and agility. Resilience is the ability to withstand and recover from disruptions, while agility is the ability to adapt quickly to changing circumstances. Together, these qualities enable organizations not only to survive but to thrive in a world of uncertainty.

Strong risk management is essential for building resilience. By understanding the interconnected nature of risks, organizations can put in place contingency plans, develop redundancies, and create fail-safes to protect against the most critical threats. But resilience alone is not enough. In a world where risks can emerge suddenly and from unexpected directions, agility is equally important.

Agile risk management involves being able to quickly pivot in response to new risks or opportunities, to reliably achieve or exceed organizational objectives. This requires having flexible processes, decentralized decision-making, and a culture that encourages innovation and adaptability. It also means empowering risk professionals to use their right-brain creativity and intuition, as well as their left-brain analytical skills, to navigate the complexities of the multiverse.

The multiverse is a powerful metaphor for the future of risk management. In a world where the future is uncertain, and multiple possibilities exist, organizations must move beyond traditional, rearview-mirror approaches to risk (acknowledging there is still a place for this, but it is not the focus). They must embrace both left-brain logic and right-brain creativity to explore different scenarios, prepare for a range of outcomes, and build the resilience and agility they need to succeed.

By leveraging risk intelligence, forward-looking strategies, and creative approaches such as microsimulations, wargaming, and scenario analysis, organizations can not only navigate the complexities of the multiverse but also turn uncertainty into a strategic advantage. In doing so, they can achieve and exceed their objectives, no matter what the future holds.

Automating Compliance: A Necessity for Modern Compliance

The modern regulatory landscape is evolving at an unprecedented pace. Organizations across industries are facing a deluge of new regulations, amendments to existing laws, and enforcement actions that can overwhelm compliance teams. This is particularly evident in industries like financial services, where regulatory scrutiny is intense and constantly changing. Yet, the challenge of managing regulatory change is not limited to financial services; it spans all sectors as organizations face complex and overlapping compliance requirements. To effectively navigate this environment, businesses must adopt automated solutions that streamline regulatory change management and ensure compliance.

Drivers for regulatory change management automation include:

  • Regulatory Proliferation. Regulatory bodies worldwide are introducing new laws and updating existing ones at a faster rate than ever before. Financial services alone face a few hundred regulatory changes every business day, a number that has more than doubled over the last five years. Keeping up with this deluge of changes is a monumental task for compliance teams, particularly when regulatory requirements are inconsistent across jurisdictions.
  • Cross-Industry Compliance Challenges. While financial services often take center stage in discussions around regulatory compliance, other industries like healthcare, technology, gaming, and crypto face similarly complex regulatory environments. Each of these sectors must comply with global regulations related to anti-money laundering (AML), Know Your Customer (KYC), data privacy, cybersecurity, and industry-specific rules.
  • Operational Risk and Reputational Damage. Failure to comply with new regulations or amendments can expose organizations to significant penalties, legal liabilities, and reputational damage. Many industries, especially those in regulated markets, operate under intense scrutiny, and a single oversight in compliance could lead to damaging fines, loss of licenses, or legal actions.
  • Internal Complexity. As organizations grow, so do their internal processes and relationships with third parties. Mergers, acquisitions, and expanding product lines further complicate regulatory compliance, requiring organizations to manage an ever-growing catalog of legal obligations across various jurisdictions and operational units.

The Inevitability of Failure: Manual Processes and Silos of Information

For decades, organizations have relied on manual processes—documents, spreadsheets, and emails—to manage regulatory change. While this approach may have been feasible in less dynamic regulatory environments, it is increasingly inadequate today. Consider the impact of:

  • Siloed and Scattered Information. In a manual environment, regulatory change management is often decentralized, with each department relying on disparate sources of regulatory information. These sources can range from newsletters and regulatory feeds to third-party legal databases. The result is fragmented compliance efforts, where critical updates are missed, redundant tasks are performed, and information silos prevent collaboration.
  • Inefficient Reconciliation. Relying on manual processes makes reconciling regulatory updates with internal policies, controls, and risks time-consuming and error-prone. Compliance professionals must sift through hundreds of updates, extract relevant information, and then manually determine the impact on the organization. This leads to delayed responses, incomplete analysis, and a higher risk of non-compliance.
  • Lack of Accountability and Auditability. Manual workflows offer little accountability or traceability. Compliance teams often struggle to document who reviewed which changes, what actions were taken, and what decisions were made. This lack of an audit trail not only complicates internal compliance but also fails to satisfy external regulators who demand clear evidence of compliance.
  • Wasted Resources. Regulatory change management in a manual environment is resource-intensive. Organizations must dedicate significant time and effort to tasks that could easily be automated. This reliance on human intervention increases the likelihood of errors and drains resources that could be better allocated to strategic initiatives.

The New Era of AI-Powered Regulatory Change & Compliance

As regulatory complexity continues to grow, so too does the need for intelligent automation. The advent of AI-driven solutions has transformed the way organizations manage regulatory change and compliance workflows. 

With AI-empowered regulatory change and compliance management processes, organizations can have:

  • Comprehensive and Curated Law Libraries. AI-powered platforms provide organizations with centralized, curated regulatory content across jurisdictions. These platforms continuously track and update legal requirements, reducing the need for organizations to manage multiple, scattered sources of information. This ensures that compliance teams have access to relevant and up-to-date information without the noise of irrelevant updates.
  • Automated Workflow and Task Management. AI solutions eliminate manual processes by automatically routing regulatory updates to relevant stakeholders, initiating business impact analyses, and generating tasks based on predefined criteria. This enhances accountability, ensures timely action, and creates a defensible audit trail for regulators.
  • Horizon Scanning and Change Tracking. Advanced AI solutions offer horizon scanning capabilities that monitor for new or pending legislation, regulatory changes, and enforcement actions. By anticipating regulatory developments, organizations can proactively adjust their compliance strategies and ensure that policies, risks, and controls are updated in real time.
  • Risk-Based Approach to Compliance. AI-driven platforms allow organizations to adopt a risk-based approach to regulatory compliance. These solutions can map regulations to internal policies, risks, controls, and even third-party relationships, enabling organizations to prioritize compliance efforts based on risk exposure and operational impact.
  • Generative AI for Compliance Insights. Generative AI models, like those built into some advanced regulatory platforms, empower compliance teams by summarizing complex regulatory requirements in natural language. These models can also generate policy drafts, identify gaps in controls, and provide actionable insights that streamline compliance workflows.

The regulatory landscape is shifting, and manual approaches to compliance management are no longer sufficient. Organizations that continue to rely on fragmented, manual processes will face increasing risks of non-compliance, operational inefficiencies, and financial penalties. To stay competitive and compliant, organizations must embrace AI-powered regulatory change management solutions that automate workflows, streamline compliance, and provide actionable insights.

Organizations should act now to implement AI-driven solutions that automate regulatory intelligence, manage compliance workflows, and ensure timely responses to regulatory changes. By doing so, they will not only reduce operational risk and improve regulatory outcomes but also free up valuable resources to focus on innovation and growth in an increasingly complex regulatory environment.

I am doing two workshops on this topic in November:

London, November 5 @ 9:00 am – 6:30 pm GMT

New York City, November 20 @ 1:00 pm – 7:00 pm EST

Gazing into the Palantir of Risk: A Tolkien-Inspired Journey into Emerging Risks

In J.R.R. Tolkien’s legendary Middle-earth saga, with The Lord of the Rings movies and the current Rings of Power series, the Palantír—a magical seeing stone—grants its user the ability to peer into distant lands and potential futures. Although steeped in legend, the Palantír offers a fitting analogy for today’s organizations: they, too, need a clear, far-reaching vision into the risks that lie ahead. With today’s complexities, businesses require more than reactive risk management; they need a comprehensive approach to anticipate and prepare for emerging risks to the organization’s objectives.

Much like the Palantír, modern risk management tools and techniques provide organizations with the foresight needed to navigate an unpredictable landscape of uncertainty on objectives. This metaphorical Palantír doesn’t come with the ominous overtones of the novels but rather serves as a powerful asset for organizations seeking to scan the horizon, run scenarios, and prepare for the future.

Horizon Scanning: Extending Your Vision Beyond the Immediate

One of the key benefits of a “Palantír” approach to risk management is horizon scanning—the ability to identify and monitor risks that may not yet be fully visible but are on the verge of emerging. Horizon scanning involves continually searching the external environment for signals of potential risks to organizational objectives, such as geopolitical shifts, regulatory changes, technological advancements, or market disruptions.

In today’s interconnected world, organizations need to have their eyes trained on the horizon to detect the earliest signs of risk to objectives. This can include monitoring political landscapes that may influence supply chains, keeping up with evolving cyber threats, or tracking shifts in consumer behavior that might affect market demand. By identifying these risks early, businesses gain the advantage of time—allowing them to prepare, adapt, and mitigate before these risks materialize into full-blown crises.

Micro-Simulations: Testing Small but Critical Scenarios

Just as the Palantír gave glimpses of possible futures, micro-simulations allow organizations to explore how specific risks might play out. Micro-simulations are focused exercises designed to simulate the potential impact of a single, specific risk on the organization. These controlled, smaller-scale scenarios allow businesses to observe how their systems, processes, and people respond in real time to potential disruptions.

By running micro-simulations, organizations can test their preparedness and resilience to targeted risks, such as a cyberattack on critical infrastructure, the sudden loss of a key supplier, or a localized natural disaster. The insights gained from these exercises help teams understand their current vulnerabilities and make necessary adjustments to strengthen their risk management frameworks. Micro-simulations help turn hypothetical scenarios into actionable strategies, ensuring that teams are not caught off guard.

Scenario Analysis: Understanding the Impact of Risks on Objectives

The Palantír was a tool for seeing multiple possibilities, much like scenario analysis in risk management. Scenario analysis involves creating detailed, plausible future scenarios and analyzing their potential impact on an organization’s objectives. These scenarios can range from a best-case to worst-case view of the future, providing a comprehensive picture of how various risks could converge to affect the business.

Incorporating scenario analysis into risk management enables organizations to prepare for multiple outcomes by assessing the likelihood and impact of different risk combinations. For example, a scenario might explore how an economic downturn coupled with a new regulatory requirement could impact business continuity and profitability. By running these scenarios, organizations can stress-test their strategies, identify weaknesses, and develop contingency plans that align with their long-term objectives. Scenario analysis helps organizations prepare not just for isolated risks but for the complex interplay of risks that can emerge in real-world situations.

Wargaming and Tabletop Exercises: Rehearsing for the Unknown

In Tolkien’s world, the Palantír was used not just for observation but for planning. Similarly, wargaming and tabletop exercises provide a practical and collaborative way for organizations to prepare for risk events before they occur. Wargaming goes beyond simple simulations—it’s a role-playing exercise that places teams in high-stakes scenarios to test their decision-making, coordination, and crisis management skills.

In a wargame or tabletop exercise, key personnel across the organization come together to respond to a simulated crisis. These exercises could range from dealing with a sudden cybersecurity breach to managing a large-scale supply chain disruption or a public relations crisis. Participants are required to make rapid decisions, manage resources, and collaborate under pressure, all while considering the ripple effects of their actions across the business.

The value of wargaming lies in its realism—unlike theoretical analysis, these exercises require teams to work through real-time decision-making processes and consider the practical challenges of managing a crisis. Afterward, teams debrief to review what went well, what could be improved, and where gaps exist in their risk preparedness. By rehearsing for the unknown, organizations develop muscle memory for risk management, ensuring that when a crisis does occur, they can respond with agility and confidence.

Integrating Horizon Scanning, Scenario Analysis, and Exercises into Risk Strategy

The tools of horizon scanning, micro-simulations, scenario analysis, and wargaming can be seamlessly integrated into an organization’s risk management framework to provide a 360-degree view of potential risks to objectives and evaluate possible responses. Much like how the Palantír offers a multi-dimensional perspective, these methods collectively give organizations the ability to see, test, and prepare for risks at every level.

By adopting these practices, organizations can move beyond traditional risk management, where risks are often treated as static threats, to a dynamic, forward-looking approach. With horizon scanning, they can detect emerging risks early. With micro-simulations, they can test the effects of specific risks. With scenario analysis, they can explore the impact of broader risks on their business objectives. And through wargaming, they can rehearse responses to high-pressure, high-stakes situations.

A Unified Approach: Turning Foresight into Action

A comprehensive risk management strategy that incorporates these elements allows businesses to shift from a reactive stance to a proactive one. They move from simply responding to risks after they occur to actively preparing for and mitigating risks before they happen. This kind of foresight empowers organizations to make better, more informed decisions that not only protect against risks to objectives but also position them for future opportunities.

The modern “Palantír” that organizations must build today involves the convergence of advanced risk intelligence, data analytics, and collaborative planning. With the right tools and processes, organizations can effectively scan the horizon for signals of potential risks to objectives, simulate how those risks will impact them, and prepare teams to respond swiftly and decisively.

As businesses face an increasingly complex and interconnected risk environment, having a “Palantír” view into emerging risks is no longer a luxury—it’s essential. Horizon scanning, micro-simulations, scenario analysis, and wargaming give organizations the foresight and preparedness they need to thrive in a world where risks are ever-evolving.

The ability to see beyond the present, to anticipate the challenges of tomorrow, and to rehearse responses to potential risks to objectives is a strategic advantage that few can afford to overlook. By embracing a holistic approach to risk management—one that integrates advanced forecasting tools and collaborative exercises—organizations can build resilience, protect their objectives, and confidently navigate the uncertainties of the future.

The Palantír of risk management is within reach. It’s time for organizations to gaze into it and take control of their future.

Risk Management vs. Compliance Management: Understanding the Distinction

In the realm of organizational governance, there is often confusion between risk management and compliance management. While both functions are integral to the overall health and sustainability of an organization, and both are part of GRC, they are fundamentally different in their purpose, approach, and execution. Understanding these distinctions is crucial for developing an effective governance framework that balances the need for innovation and strategic growth with the necessity of adhering to legal, regulatory, and ethical boundaries.

The Nature of Risk Management: Navigating Uncertainty

Risk management is about navigating uncertainty and making informed decisions that enable the organization to achieve its objectives. According to ISO 31000, “risk is the effect of uncertainty on objectives.” This definition highlights the inherent nature of risk management: it is not merely about avoiding negative outcomes but about understanding and managing the trade-offs associated with different courses of action.

Risk management involves identifying, assessing, and prioritizing risks that could impact the achievement of an organization’s objectives. These risks can be financial, operational, strategic, ethical, or even reputational. The key to effective risk management is the ability to balance potential rewards with potential downsides. This often involves making difficult decisions where there is no clear “right” or “wrong” answer but rather a spectrum of potential outcomes, each with its own set of consequences.

For example, consider a company deciding whether to enter a new market. The risk assessment might reveal significant opportunities for growth but also substantial risks related to regulatory uncertainty, cultural differences, or operational challenges. A risk manager’s job is to weigh these factors, consider the likelihood and impact of various risks, and recommend a course of action that aligns with the company’s risk appetite and strategic objectives.

Risk management is therefore about understanding the landscape of uncertainty and making informed decisions that optimize the potential for success while minimizing potential downsides. It is inherently strategic and involves a continuous process of risk identification, assessment, treatment, and monitoring.

Risk itself is neutral and agnostic. A risk analysis/assessment might determine that the organization can meet or exceed its objectives by violating a law or regulation.

Compliance Management: The Boundary Setter

Compliance management, on the other hand, is about ensuring that an organization adheres to the laws, regulations, and internal policies that govern its operations. Compliance is binary: an organization is either compliant or it is not. There is no middle ground, no weighing of pros and cons, no strategic trade-offs. Compliance is about following the rules—whether those rules are mandated by law, dictated by industry standards, or set by the organization’s own policies and ethical standards.

Compliance management is essential because it establishes the boundaries within which the organization can operate. These boundaries are (or should be) non-negotiable. For instance, consider a financial institution that must adhere to anti-money laundering (AML) regulations. Compliance with these regulations is mandatory, and failure to do so can result in penalties, including fines, legal action, and reputational damage.

While risk management might involve assessing the likelihood and impact of non-compliance with these regulations, the compliance function’s role is to ensure that the organization adheres to them. In this sense, compliance sets the boundaries for risk-taking by establishing what is legally and ethically permissible. It puts limits on the risks that the organization can take by defining the “red lines” that cannot be crossed.

The Intersection of Risk and Compliance: Compliance Risk Management

While risk management and compliance management are distinct, they do intersect—particularly in the area of compliance risk management. Compliance risk refers to the potential for violations of laws, regulations, or internal policies, which could lead to legal penalties, financial loss, or reputational harm.

Compliance risk management involves identifying and assessing compliance risks, implementing controls to mitigate these risks, and monitoring the effectiveness of these controls. However, it’s important to note that compliance risk management is just one aspect of the broader enterprise risk management function and even broader integrated GRC functions. Enterprise and operational risks encompass a much wider range of potential issues, from market volatility to supply chain disruptions, which may or may not have a direct compliance component.

For example, a pharmaceutical company may face compliance risks related to FDA regulations, but it also faces operational risks related to supply chain reliability, financial risks related to currency fluctuations, and strategic risks related to market competition. While the compliance function will focus on ensuring adherence to FDA regulations, the risk management function will take a broader view, considering how all these risks interact and impact the organization’s overall objectives.

The Importance of Separation: Balancing Checks and Balances

Given the differences between risk management and compliance management, these functions must remain separate but collaborative within an organization. This separation allows for a system of checks and balances that enhances the organization’s ability to manage risk while ensuring compliance with legal and ethical standards.

Risk management needs the freedom to explore different strategic options, including those that involve taking calculated risks. This freedom is essential for innovation and growth. However, without the boundaries set by the compliance function, there is a danger that risk management could pursue strategies that, while potentially profitable, violate legal or ethical standards.

On the other hand, the compliance function provides the necessary constraints that ensure the organization operates within the boundaries of the law and its ethical standards. However, without the insights from risk management, the compliance function could become overly rigid, potentially stifling innovation and growth.

For example, consider a tech company developing a new product that involves collecting user data. The risk management team might assess the potential for significant profit but also recognize the risks related to data breaches or privacy violations. The compliance team, meanwhile, will focus on ensuring that the product meets all data protection regulations, such as GDPR or CCPA. By working together, these teams can develop a product that is both innovative and compliant, balancing the need for growth with the necessity of adhering to legal and ethical standards.

Collaboration for Organizational Success

In conclusion, risk management and compliance management are distinct but complementary functions within an organization. Risk management is about navigating uncertainty and making strategic decisions that balance potential rewards with potential risks. Compliance management, on the other hand, is about ensuring that the organization operates within the boundaries set by laws, regulations, and ethical standards.

While these functions must remain separate to maintain a system of checks and balances, they must also collaborate closely to ensure that the organization can achieve its objectives while adhering to the necessary legal and ethical boundaries. By understanding and respecting the distinctions between risk management and compliance management, organizations can create a governance framework that supports both innovation and integrity, driving sustainable success in an increasingly complex and regulated world.

People and Policy: Building Compliance and Ethics into Your Company’s DNA

It’s not enough to have the right policies in place — you have to embed those policies into the fabric of your organization.

In today’s fast-paced and interconnected business world, ensuring compliance and building an ethical corporate culture isn’t just a regulatory checkbox—it’s part of your organization’s DNA. Governance, Risk Management, and Compliance (GRC) has evolved from a back-office necessity to a front-line enabler, engaging everyone from employees to third-party partners in the process. This shift emphasizes that compliance and ethics must be woven into every aspect of the company’s operations, influencing attitudes, behavior, and, ultimately, organizational culture.

At the core of this transformation is the concept of engagement, a critical trend shaping the future of GRC. In the modern organization . . .

[The rest of this blog can be read on the Mitratech blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Germany’s IDW PS 340 Auditing Standard: Understanding Risk Correlation

Risk management is an evolving discipline, especially in today’s interconnected world, where risks are no longer isolated. They often have cascading effects, where one risk can trigger or amplify others, leading to potentially significant consequences. This recognition is at the heart of Germany’s IDW PS 340 auditing standard, particularly emphasizing risk correlation—how risks are interrelated and can influence each other. The standard has become an essential part of the audit and risk management landscape, helping organizations fortify their risk management systems to withstand the growing complexity of risk scenarios . . .

[The rest of this blog can be read on the CALPANA Crisam blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

The Titanic: A Case Study in Flawed Risk Management

How Poor Risk Management Sunk the Unsinkable, and Lessons Learned in Identifying Blind Spots in the Modern Threatscape

The story of the Titanic is one of the most infamous disasters in history. Yet, beyond the tragic loss of life, it serves as a compelling analogy for understanding and managing risk in today’s business environment. The ship’s demise was not due to a single failure, but rather a combination of risks — external and internal — that collectively brought about the disaster. As organizations strive to navigate the complex waters of today’s risk landscape, there is much to learn from how various factors contributed to the sinking of the Titanic.

From Luxury to Lifeboats: The Titanic’s Missteps in Risk Mitigation

Consider the following lessons the Titanic teaches about . . .

[The rest of this blog can be read on the Mitratech blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

A New Era: Embracing the Role of Digital Risk & Resilience

In the rapidly evolving landscape of governance, risk management, and compliance (GRC), information security is undergoing a significant transformation. This evolution reflects the growing complexity and interconnectedness of digital risks that organizations face today. As businesses become increasingly reliant on digital technologies, the traditional responsibilities of the CISO are expanding, giving rise to digital risk and resilience management.

The Traditional CISO: A Foundation in Security

The CISO role was born out of the need to protect organizational assets in a digital world. The primary mission was clear: safeguard the confidentiality, integrity, and availability of information systems against cyber threats. This role has been crucial in implementing security measures such as firewalls, intrusion detection systems, and data encryption to defend against potential breaches. Over time, the CISO’s responsibilities expanded to include compliance with regulatory requirements, vendor risk management, and data privacy.

However, as the digital landscape has . . .

[The rest of this blog can be read on the Riskonnect blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Increased Demand for Evidence-Based Compliance: EU Surpasses the USA

For many years, the global compliance landscape was dominated by a checkbox-driven approach, primarily led by the United States. Compliance programs in the U.S. focused on prescriptive rules and adherence to specific frameworks, and largely followed a formulaic pattern where ticking the correct boxes and maintaining records sufficed to meet regulatory requirements. At the heart of this approach was the Chief Ethics and Compliance Officer (CECO), a role that has long been established as part of the American compliance infrastructure.

However, recent developments in Europe, especially within the European Union (EU), have reshaped the compliance landscape. With a significant shift toward evidence-based compliance, the EU is now spearheading a more agile, risk-based, and outcomes-focused approach to regulation. This shift has allowed Europe to leapfrog the U.S. in terms of structured compliance programs, creating a more mature and demanding framework for organizations to follow.

The Evolution of European Compliance

For many years, Europe lagged behind the U.S. in terms of organized compliance frameworks. U.S.-based organizations were at the forefront of building structured compliance programs, with the CECO role established as a key component in ensuring adherence to regulations such as the Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley (SOX). In contrast, Europe’s regulatory environment was perceived as more fragmented, with less emphasis on the structured and formalized compliance initiatives seen in the U.S.

This, however, began to change with the introduction of sweeping regulatory frameworks within the EU. The General Data Protection Regulation (GDPR), which came into force in 2018, was the first signal that Europe was taking a different path. GDPR was not just a regulation; it was a paradigm shift that put data privacy and security at the forefront of global compliance conversations. The regulation’s stringent penalties and extraterritorial reach forced organizations worldwide to rethink their approach to compliance, especially in how they collect, manage, and protect personal data.

With this regulatory foundation, Europe has continued to develop regulations that go beyond prescriptive checklists, demanding a more principled and evidence-based approach. Three key regulations currently shaping this new approach are the Corporate Sustainability Reporting Directive (CSRD), the Digital Operational Resilience Act (DORA), and the EU Artificial Intelligence Act (EU AI Act), all of which have looming 2025 deadlines (with more to follow in subsequent years). These regulations emphasize risk-based compliance, requiring organizations to provide clear, documented evidence that they are not only meeting regulatory requirements but also achieving the intended outcomes of those regulations.

Europe’s Shift Toward Evidence-Based Compliance

At the core of the EU’s new compliance landscape is a focus on evidence-based compliance, where companies must not only adhere to regulations but also demonstrate how they are achieving compliance in a way that is effective and sustainable. The EU’s regulations are broader in scope with a global impact outside of the EU, focus on outcomes rather than prescribed steps, and require companies to take a more risk-based approach.

Principled and Outcome-Based Compliance

Unlike the U.S., which has traditionally followed a checkbox-based, prescriptive model of compliance, the EU has adopted a more principled, outcome-based framework. This approach started in the United Kingdom under the old FSA (before it became the FCA) and became part of the EU’s better regulation policy nearly twenty years ago.

It requires organizations to take a risk-based approach, tailoring their compliance programs to the specific risks that are unique to their operations, industry, and geography. Simply following a list of mandated tasks is not enough. Organizations must show evidence of how they have mitigated risks, achieved the regulatory outcomes, and adjusted their internal controls and procedures in real time.

For instance, the CSRD requires organizations to report on a wide range of environmental, social, and governance (ESG) factors. But beyond simply reporting, they must provide evidence that their ESG strategies are embedded into their core business practices and demonstrate tangible impacts (including across the extended enterprise under the corresponding EU Corporate Sustainability Due Diligence Directive – CSDDD). This is in contrast to the U.S., where ESG reporting has been more voluntary, with scattered compliance mandates and a less comprehensive focus.

Similarly, the DORA regulation, which focuses on the operational resilience of digital infrastructures, requires financial institutions and their third-party providers to show evidence of risk assessments, internal control measures, and continuous monitoring to safeguard against cyber threats. The regulation’s emphasis on evidence-based reporting makes it clear that organizations need to proactively manage their operational resilience risks, rather than reacting to incidents as they arise.

The Challenges and Benefits of the European Model

The EU’s approach to compliance is undoubtedly more complex and demanding than the traditional U.S. model. While the prescriptive nature of U.S. regulations provides clarity and a structured approach, it can often become inflexible, making it difficult for companies to adapt to emerging risks or evolving regulatory landscapes.

In contrast, the EU’s evidence-based model, while more agile and adaptable, comes with challenges. One of the main hurdles for organizations operating in Europe is the requirement for continuous monitoring and documentation. Compliance teams must be proactive, constantly assessing risks and adjusting controls to ensure they remain compliant. The lack of prescriptive rules means that organizations must exercise greater diligence in interpreting regulations and building compliance programs that are tailored to their specific needs.

Another challenge is the sheer breadth of compliance requirements across different sectors and jurisdictions within the EU. For multinational companies, this can lead to significant resource allocation toward compliance functions, requiring more advanced tools for compliance risk management, reporting, and data governance.

However, these challenges come with significant benefits. The EU’s outcome-based approach allows for greater flexibility, enabling organizations to design compliance programs that are more tailored and responsive to their unique risks. This, in turn, fosters a culture of continuous improvement, as organizations are encouraged to go beyond minimum compliance standards to truly integrate risk management into their business strategy.

Moreover, by requiring evidence of compliance, the EU is pushing organizations to demonstrate transparency and accountability. This is not only beneficial for regulators but also strengthens trust with investors, customers, and other stakeholders. The focus on measurable outcomes means that organizations can build more resilient and sustainable compliance programs, which ultimately reduce long-term risk exposure.

The U.S. Compliance Landscape: Can It Keep Up?

In comparison to the EU, the U.S. compliance landscape remains more prescriptive, though there are signs of change. It is also disrupted by the political polarization in U.S. politics that fails to get broad compliance reform addressed. The U.S. Securities and Exchange Commission (SEC) has recently proposed new rules around ESG disclosures, which would require more comprehensive reporting on climate-related risks. However, this is only a piece of the broad EU CSRD pie of ESG. These developments are still in their early stages, and U.S. regulations continue to be driven by a checklist mentality, with less emphasis on the principles or outcomes of compliance.

While the CECO role remains central in U.S. organizations, there is growing recognition that compliance needs to evolve beyond rigid frameworks. The demand for data-driven, risk-based compliance is growing, especially as global regulations, particularly those in the EU, have a wider extraterritorial reach.

Be Prepared for Evidence-Based Compliance

As the compliance landscape continues to evolve, the EU has emerged as a leader in structured, evidence-based compliance programs. The transition from a prescriptive, checkbox-based model to a principled, outcome-driven approach has propelled Europe ahead of the U.S., requiring organizations to be more agile, risk-focused, and diligent in their compliance efforts.

The upcoming 2025 deadlines for CSRD and DORA, and the forthcoming EU AI Act (as just a few examples), will further cement Europe’s leadership in this space, as organizations must not only comply but also demonstrate evidence of compliance in a way that is both transparent and risk-based. For compliance professionals, this shift presents an opportunity to build more resilient and effective compliance programs, though it will require significant investment in tools, resources, and expertise to meet these new regulatory challenges.

As global regulatory environments become more intertwined, it is likely that the U.S. will also adopt more elements of evidence-based compliance, though for now, Europe leads the charge in this new era of compliance oversight. However, many firms in the U.S. and around the world have to respond to the broad reach and scope of the EU regulatory environment.

The Tunnel of Eupalinos: a Blueprint for Connecting Strategic and Operational Risk & Resilience

Risk management, when done effectively, is both an art and a science, requiring a careful balance of top-down strategic insight in the context of the organization’s objectives and bottom-up operational risk, control, and resilience. To understand this delicate alignment, let’s take inspiration from an ancient engineering marvel: the Tunnel of Eupalinos on the Greek island of Samos.

The Tunnel of Eupalinos: An Architectural Feat

The Tunnel of Eupalinos, constructed in the 6th century BCE, was designed to supply fresh water to the city of Samos. What makes this tunnel remarkable is that it was excavated from two opposite ends of Mount Kastro, eventually meeting in the middle with stunning precision. It’s an ancient testament to the power of coordination, foresight, and understanding the bigger picture while working through the minute details.

In the same way that two teams of engineers worked from opposite ends of the mountain, risk management requires a meeting of two critical perspectives:

  1. The Top-Down Strategic View. This is the broader vision, where leaders define the organization’s objectives and set the stage for growth, innovation, and navigating a chaotic business world. In risk terms, this is where you need to align your risk management framework with the organization’s strategic goals and objectives. ISO 31000 defines risk as the “effect of uncertainty on objectives,” making it clear that risk is inseparable from business objectives. These objectives can be financial, operational, or even ethical (ESG) objectives. Objectives start at the entity level and filter down into division, department, process, project, asset, and even third-party relationship objectives. They go across business departments and functions from sales, marketing, IT, finance/accounting, and more. Risk is the uncertainty in achieving these objectives.
  2. The Bottom-Up Operational View. Down in the depths of the organization, there is the daily grind of mitigating and managing specific risks—cybersecurity threats, operational disruptions, supply chain vulnerabilities, and more. This is where resilience is built, controls are implemented, and where tactical responses to emerging threats are honed. The operational view of risk down in the weeds is critical as this is where some small thing goes wrong and can bring down the organization.

Much like the Tunnel of Eupalinos, these two approaches to risk management must converge for true risk management success. Focusing on only the strategic top-down view can lead to what the military calls a CLUSTER F***. Focusing only on the operational down-in-the-weeds view misses what risk management is about, and that is enabling the business to achieve its objectives amid uncertainty. Here’s how these two perspectives need to work together to navigate the chaotic and unpredictable world of modern business.

The Top-Down Strategic View of Risk: Charting the Course

In any organization, leadership needs to have a clear, top-down understanding of risk. This is not simply about identifying what could go wrong—it’s about understanding the broad landscape of risk in the context of organizational objectives. The leaders of the ancient city of Samos knew they needed a water supply to ensure the city’s survival and growth. Their strategic view informed the need for the tunnel.

Today’s business leaders need to ask similar strategic questions:

  • What are our business objectives from the top down into the functions and processes of the organization? Whether it’s growing market share, launching a new product, or entering a new geographical market, these objectives will shape the risk landscape.
  • How does uncertainty affect these objectives? This is where the ISO 31000 definition of risk becomes crucial. Uncertainty, whether economic, operational, technological, geo-political, regulatory/legal, or environmental, can affect the organization’s ability to meet its goals.
  • How do we allocate resources to manage these risks? Just like the city of Samos invested resources in building the tunnel, organizations must allocate the right talent, technology, and capital toward mitigating strategic risks.

At this level, risk management is not about individual incidents or isolated risks. It’s about understanding how uncertainty in the external and internal environment affects your ability to achieve strategic objectives and steer the organization accordingly. This top-down view provides clarity on where the organization is headed, but it is incomplete without understanding what happens at the ground level—down in the “tunnel” of daily operations.

The Bottom-Up Operational View: Navigating the Depths of Risk

While the top-down view provides the strategic direction, the bottom-up operational view ensures that the day-to-day management of risks is aligned with broader objectives. The workers digging the tunnel had a much different view of the project than the city leaders who envisioned it. But their work was just as critical to its success.

This is where operational risk and resilience come into play. In today’s business environment, risks are increasingly complex and interconnected. Whether it’s a cyberattack, a natural disaster, or a supply chain disruption, organizations face risks that require resilience at every level of operations.

Some questions to consider from the bottom-up perspective:

  • How are risks manifesting at the operational level? These risks often appear in the form of cybersecurity vulnerabilities, supplier disruption, equipment failures, or human error. Understanding these risks in detail is key to building resilience.
  • How does resilience at the operational level support strategic objectives? It’s not enough to simply mitigate risks as they arise; you need to ensure that operational responses are aligned with the broader organizational goals. For example, if the strategic objective is to expand into new markets, how do you ensure that your operational resilience supports this expansion?
  • How do we ensure constant communication between operational risk managers and strategic decision-makers? Just as the two ends of the tunnel had to stay coordinated, the operational teams must maintain clear lines of communication with leadership to ensure that their efforts are contributing to overall success.

Operational risk management is about building resilience and ensuring that the organization can continue to function effectively even when faced with disruptions. This is the nitty-gritty work that happens in the trenches, where risks are identified, assessed, and managed in real time.

The Convergence: Bringing Strategy and Operations Together

The true magic of risk management happens when these two perspectives—strategic and operational—meet in the middle. Just as the two teams digging the Tunnel of Eupalinos had to meet with precision, the top-down and bottom-up views of risk management must align seamlessly.

Why Both Perspectives Are Necessary:

  • Strategic Risk Management without Operational Insight is Blind. If leadership only focuses on the big picture, they miss the crucial details that could derail their strategy. Without understanding the specific risks at the operational level, they are essentially flying blind. This leads to a CLUSTER F***.
  • Operational Risk Management & Control without Strategic Alignment is Rudderless. On the flip side, operational risk managers can get bogged down in the details without understanding how their efforts support broader organizational objectives. Without the top-down view, they lack direction and purpose.

How to Bring Them Together:

  • Strategy, Collaboration, and Communication Are Key. Leadership must foster an environment where communication flows freely between strategic and operational teams. Risk management is not a siloed activity—every level of the organization must be engaged.
  • Use a Common Framework. ISO 31000 provides an ideal framework for this convergence, emphasizing that risk management should be integrated into all processes of the organization, aligned with the overall strategy.
  • Build a Culture of Risk Awareness. When everyone from the C-suite to front-line employees understands their role in managing risk, the organization becomes more resilient. It’s not just about following a risk checklist but about cultivating a mindset that recognizes and responds to risks dynamically in the context of the organization’s strategy, objectives, and operations.
  • Risk Technology Architecture Enablement. Unfortunately, there are very few GRC solutions on the market that can enable the entire picture from strategic to operational. The majority of solutions are focused solely in the weeds of operational risks and completely miss the top-down strategic view. Feel free to inquire with GRC 20/20 about our coverage of the GRC market to learn which solutions are best fit for bringing this broad picture together. But at the end of the day, it requires an architecture, as one solution does not do everything, and certainly not everything very well.

Building the Future Tunnel of Resilience

The Tunnel of Eupalinos stands as a reminder that even the most ambitious projects require a balance of vision and detailed execution. In the same way, effective risk management in today’s chaotic business environment requires both a strategic view from the top and operational resilience at the bottom. These two perspectives must meet, support each other, and work in harmony to guide organizations through uncertainty.

In the end, it’s not just about avoiding risks; it’s about understanding how uncertainty affects your objectives and how to navigate through them with precision and purpose. Just like the tunnel builders of ancient Samos, risk managers must balance the broad view with the fine details, ensuring that their efforts lead to a successful and resilient future.