Category: Blogs

The following article, Reframing Integrated Risk Management: A Historical Perspective on GRC’s Evolution, was originally published by Michael Rasmussen on our sister site, www.GRCreport.com . . .

Key Takeaways

• GRC’s Origins and Evolution: GRC began as a business objective and risk-driven framework, was hijacked by compliance with SOX, but has realigned as a strategic, performance-oriented model that integrates governance, risk management, and compliance.
• IRM’s Role Within GRC: Integrated Risk Management (IRM) is not a replacement for GRC but a core component of the risk management pillar (also called ERM, ORM), helping organizations address risk within the context of governance, which defines objectives.
• The Misconception of IRM: Despite some claims, IRM does not stand apart from GRC; it is part of the risk management function within the GRC framework—the R in GRC—making it more integrated and comprehensive.
• OCEG’s Emphasis on Integration: OCEG has always emphasized that the R in GRC, which is IRM, is integral to GRC, reinforcing governance while managing risk in alignment with organizational objectives.
• Certifications Supporting GRC and IRM: OCEG’s suite of certifications, such as Certified GRC Professional and Integrated Risk Management Professional, underscores the importance of understanding how IRM fits within the larger GRC strategy and context.

Deep Dive

Over the years, the term Integrated Risk Management (IRM) has increasingly become a focal point in discussions around governance, risk management, and compliance (GRC). While IRM gained limited traction in some circles, it’s important to remember that the concept of GRC is deeply rooted in a decades-long evolution, beginning with early work in risk management, compliance, and IT security. To understand where IRM fits, it’s crucial to first understand how GRC came to be and why it continues to play a central role in managing risk and uncertainty to organizational objectives while ensuring integrity in organizations today.

My journey into framing GRC began in the mid-1990s when I worked in risk management and compliance at a life sciences firm, where I identified the need to move beyond spreadsheets to document and manage risks and controls. By the late 1990s, I had taken on the practice leader role in risk and compliance consulting at Denmac Systems, where I worked with Lou Bevente and Andy Denenberg, the owners of Denmac. During this time, we explored the possibility of developing a software solution to address risk and control needs, what would eventually be recognized as GRC.

Andy Denenberg’s prior work on AlertPage, a product he created that was later acquired by Computer Associates, was a motivator to explore doing it again for risk and internal control management. Although we explored developing what I would later call GRC, the project didn’t materialize as I moved into the analyst world at GiGa (started by Gideon Gartner from Gartner Group. The GiGa stands for Gideon Gartner and not gigabyte), which was subsequently acquired by Forrester. While the GRC software initiative at Denmac didn’t come to fruition, it laid the foundation for the work that would follow.

In February 2002, while at Forrester, I attended a briefing with Telos Xacta, a company that aimed to adapt its government accreditation platform to commercial applications for risk, control, and compliance. The capabilities demonstrated in that meeting were precisely what had resonated with me earlier at Denmac—the ability to map risks, controls, and compliance requirements in a unified solution. This was what I had envisioned, and it catalyzed my thinking about the emerging market that could tie these disparate elements together.

Following that briefing, I spent considerable time reviewing my notes, doing additional briefings with other solutions coming to the market for this, and conceptualizing a name for this market. I ultimately introduced the term Governance, Risk Management, and Compliance, i.e., GRC. What I saw was the potential for a more integrated and holistic approach to managing governance, risk, and compliance processes in an integrated fashion. Over the next several months, I added other solution providers like Aventis, BPS, BWise, QUMAS, Paisley, and TeamMate to my list, and the market quickly evolved into what I refer to as GRC 1.0, shaped largely by the Sarbanes-Oxley Act (what I refer to as the SOX captivity of GRC). This initial wave of solutions featured other players I began covering, such as OpenPages, Certus, Archer, and MetricStream.

However, I found myself frustrated with how compliance-centric this early market became and how misaligned it was with what I saw as true GRC bringing value to the business and its objectives and performance. I realized that GRC had to be communicated and educated as more than just a checkbox for compliance; it needed to be strategically aligned with business objectives and performance. This realization led me to collaborate with OCEG, who was gathering other thought leaders to address this, where we worked together to develop the GRC Capability Model, which emphasized not just governance, risk, and compliance but also performance—what OCEG defines as Principled Performance. In parallel, I authored the first two Forrester Waves assessing GRC solutions, intentionally emphasizing platforms that demonstrated strength in risk management beyond compliance, which was becoming a critical gap in the early solutions. The second Wave, published in 2007, had a Wave graphic specifically on those stronger in risk management.

More Than Just Compliance

The GRC framework, the GRC Capability Model, developed collaboratively with OCEG and the broader industry, continued to evolve, and the core concept has always been clear: GRC is not just about compliance. It’s a comprehensive framework designed to help organizations manage risk while achieving their strategic goals. The three key components, Governance, Risk Management, and Compliance, are designed to work in tandem, each supporting the others in a dynamic and integrated way.

• Governance (G) is about setting strategic objectives and aligning the organization around those goals. In this context, it also includes performance against those objectives. Without clear governance, organizations lack a sense of direction, which makes it difficult to assess risk and compliance effectively. Risk requires the context of objectives. ISO 31000, the international standard on risk management, states, “risk is the effect of uncertainty on objectives.”
• Risk Management (R) focuses on identifying, assessing, treating, and mitigating risks that could prevent the organization from meeting its objectives. It ensures that risks are not only identified but also managed in a way that aligns with the organization’s governance framework to achieve its objectives.
• Compliance (C) ensures that the organization’s activities remain within legal, regulatory, ethical, and voluntary boundaries (such as values). Compliance doesn’t operate in isolation; it’s part of the broader governance structure, ensuring that governance objectives and risk management activities stay within acceptable limits. This enables the organization to act with integrity in its commitments and obligations.

Misinterpretation of GRC’s Scope

Despite the long-standing success and clarity of the GRC framework, a small number of voices within the analyst community has pushed the idea that Integrated Risk Management (IRM) should replace traditional Governance, Risk Management, and Compliance (GRC). This argument typically claims that GRC is overly focused on compliance and fails to account for broader organizational risks. However, this narrative is fundamentally flawed for several critical reasons, which we need to explore in more depth.

The concept of IRM originated at Gartner. Since then, however, Gartner has stated that it no longer recognizes IRM as a distinct category, “Gartner no longer recognizes IRM as a market and future work from Gartner analysts will no longer reference it as such.”

During the period when Gartner did recognize it, some analysts began claiming that GRC technology had failed, and that IRM was the way forward. Yet the first IRM Magic Quadrant featured nearly the same solutions, in nearly the same positions, as the prior GRC Magic Quadrant. Which raises the obvious question: what, exactly, had failed—a question I’m still looking for an honest answer to.

Some of the more vocal IRM evangelists, misguided or perhaps even disingenuous, redefine GRC narrowly as compliance, yet still retain the GRC label within their own frameworks to support their argument. This only adds confusion to the industry and reflects a fundamental misunderstanding of what governance (the G) and risk management (the R) actually represent. The framework would be far clearer if they simply dropped the attack on GRC and labeled their model for what it truly is: a compliance framework.

In this context, the most common misconception among IRM proponents is that GRC is solely concerned with compliance. This simplification misrepresents the true nature of the GRC framework within the GRC Capability Model, which is, at its core, a holistic approach to managing governance, risk, and compliance as interconnected, integrated, but distinct elements.

GRC is not just about following rules and regulations. It is about enabling organizations to achieve their objectives, managing uncertainty and risk, and acting with integrity. Governance, risk management, and compliance work together to create a comprehensive strategy for managing an organization’s operations in a dynamic and sometimes uncertain environment.

Thus, GRC is a strategic and integrated approach that encompasses much more than compliance. It brings governance and risk management together in a structured, aligned way, driving Principled Performance and resilience across the organization. To limit GRC to compliance alone is to ignore the broader, more valuable benefits it provides in terms of strategic oversight and risk mitigation, and the great work that has been in place for over two decades that defines GRC in the OCEG GRC Capability Model.

IRM Is Not Separate from GRC

Another critical flaw in the IRM evangelist argument is the assumption that IRM represents something fundamentally different from the GRC framework. In reality, IRM is not a replacement for GRC; it is a core component of the GRC framework, specifically within the Risk Management function.

IRM, when implemented properly, refers to a structured, integrated approach to managing risk throughout the organization. It aligns risk management efforts with governance (objectives) and compliance to ensure that all aspects of risk, ranging from strategic, operational, financial, and compliance-related, are addressed in an integrated and cohesive way. It’s simply the “R” in GRC.

By positioning IRM as a standalone concept, IRM proponents overlook the reality that risk management, as a function, has always been a core element of GRC. In fact, the very foundations of GRC were built with the understanding that risk management cannot be separated from governance and compliance. Each function is interdependent: Governance defines the organization’s objectives, risk management ensures those objectives can be achieved despite uncertainty, and compliance ensures the organization operates within legal and ethical boundaries.

In short, IRM doesn’t replace GRC, it enhances it by bringing a more integrated, enterprise-wide approach to managing risk, ensuring that risk management is aligned with strategic goals and compliance requirements.

Overemphasis on Technology

One of the most troubling aspects of the IRM narrative is the tendency to focus disproportionately on technology as the solution. Some advocates of IRM make the case that IRM technology is something distinct and superior to existing GRC solutions. However, this misses a fundamental point: IRM technology is simply an evolution of the risk management capabilities that already exist within GRC solutions. The same solutions that Wheelhouse Advisors covers in IRM are the same solutions that Gartner, Forrester, Chartis, and Verdantix cover as GRC.

In practice, many of the technologies marketed as “IRM” tools overlap significantly with traditional GRC solutions. Many platforms have long provided robust risk management modules within their GRC offerings. These platforms already offer the ability to integrate risk management with governance and compliance, which is precisely what IRM advocates claim to be offering as a “new” solution. Whereas some newer solutions start specifically with business strategy, performance, and objectives and address risk management in this context.

The overemphasis on IRM technology as something separate or revolutionary creates confusion. It’s not the technology that matters; it’s how risk management is integrated across the organization’s entire governance and performance strategy. Compliance comes in to make sure we stay within mandatory (e.g., legal, regulatory) and voluntary (e.g., ethics, values, commitments) boundaries. A fragmented approach, where IRM tools are seen as distinct from GRC, risks creating silos that hinder collaboration and alignment across business functions.

To be clear, technology plays an important role in streamlining and automating risk management processes to make them more efficient, effective, resilient, and agile. But the solution isn’t in labelling technology as “IRM” and promoting it as something outside of GRC (and misrepresenting GRC); the solution lies in how technology supports and enhances the integration of risk management within the broader GRC framework, making it easier for organizations to understand and manage risks in the context of their overall governance and compliance strategy.

OCEG’s Commitment to a Unified GRC Approach

OCEG has long recognized that IRM is integral to the broader GRC strategy, not an alternative to it. As the global leader in GRC, OCEG has been at the forefront of developing frameworks and certifications that reinforce this point. The introduction of the Integrated Risk Management Professional Certification complements other certifications such as:

• Certified GRC Professional
• Certified GRC Auditor

These certifications help professionals understand the interconnected nature of governance, risk management, and compliance, emphasizing that IRM is a tool within this integrated framework, rather than a replacement for it.

The push for IRM as a standalone framework misses the point: effective risk management exists within the larger structure of GRC. Governance, risk management, and compliance must work together to ensure that organizations can not only manage risk but also achieve their strategic objectives with integrity.

For organizations to fully realize the benefits of GRC, they must reject the narrative that IRM stands apart. Instead, they should embrace a holistic approach that integrates risk management with governance and compliance to create a resilient, performance-driven organization.

For more clarity and guidance, organizations are encouraged to explore OCEG’s frameworks and certifications. You can also refer to the original article, Putting IRM in Its Proper GRC Context.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

This past week in London was truly a whirlwind of GRC insights, discussions, and deep dives into the future of risk and resilience management. Across multiple events and countless conversations, I had the opportunity to engage with over 150 organizations — through 1:1 meetings, my keynote presentation at the Corporater Connect+ event hosted at Parliament, and my Risk & Resilience Management by Design Workshop (sponsored by Decision Focus).

Let’s unpack the challenges UK organizations are facing that keep them up at night . . .

Key GRC Theme from the Week:

One of the most pressing topics that emerged was the focus on Provision 29 of the UK Corporate Governance Code. Organizations are now required, starting at the Board level, to establish and attest (at least annually) to the effectiveness of their risk management and internal control frameworks. In one notable 1:1 meeting with a firm currently undergoing an RFP process, the organization shared, “[ORG] we do expect that the extension of the definition of public interest entities to include private companies (if it comes into effect) will affect us. Either way, we believe that having the right controls framework is a good way to operate the business.” Running parallel to these conversations was considerable focus on the UK’s Economic Crime and Corporate Transparency Act (ECCTA). This legislation adds a mandate for internal controls to prevent fraud — further reinforcing the need for stronger, embedded risk and control frameworks across organizations.

Top Risk and Resilience Challenges Identified:

Reviewing my notes from the week, several consistent challenges emerged across industries and organization sizes:

• Geo-political risk, this was front and center and part of nearly every conversation, particularly in an extended enterprise context
• The breadth of cyber, digital, and data risk and resilience challenges facing organizations and their operations, and again across the extended enterprise
• AI risks, including deep fakes and impersonation, and governing AI within the organization and across the extended enterprise
• Regulatory mandates for resilience management (UK Operational Resilience, EU DORA, NIS2)
• Embedding risk management into business operations, including defining, embedding, and nurturing a healthy risk culture
• Aligning risk management with business change and transformation and leveraging a digital twin to help forecast and understand scenarios of risk and resilience
• Connecting risk programs with business objectives where the organization can reliably achieve objectives (the heart of what GRC has been about for 20 years, when done correctly)
• Sourcing and integrating external risk intelligence feeds that help the organization navigate the business for what is developing currently and on the horizon
• Ensuring risk insights inform decision-making and add business value
• Breaking down risk management silos to provide an enterprise perspective of risk where the R delivers value to the G in GRC
• Addressing resilience and risk in a sustainability and ESG context
• Increasing oversight and due diligence in third-party relationships
• Addressing inadequate risk reporting and increasing quality in risk reporting
• Clarifying risk accountability and ownership with the business and aligned with objectives and the objective owner
• Managing and keeping pace with the volume of third-party, regulatory, and business change
• Compliance challenges related to third parties
• Addressing emerging risks and the “unknown unknowns”
• Environmental risks and resilience (acts of nature)

Third-party and extended enterprise risk emerged as a particularly dominant theme, touching almost every area listed above. Organizations are recognizing that resilience is not just internal — it extends across the broader network of partners, vendors, and suppliers.

Strategic Response: Achieving Risk Agility and Resilience

In light of these discussions, organizations should focus on four core pillars: strategy, process, risk intelligence, and technology — underpinned by risk intelligence.

1. Strategy:
   • Align risk management directly with corporate strategy, objectives, and performance.
   • Treat resilience as a strategic business enabler, not just a compliance exercise.
   • Develop a forward-looking, dynamic risk accountability framework.
   • Do regular scenario analysis, stress testing, wargaming, and simulations.
2. Process:
   • Embed risk management in day-to-day business activities and decision-making.
   • Foster a culture of risk ownership across all levels.
   • Strengthen internal control environments.
   • Integrate third-party governance and risk management as a core operational process.
3. Risk Intelligence:
   • Continuously source external content from trusted providers to stay informed on emerging risks.
   • Integrate real-time risk feeds into GRC management programs enabling risk and resilience management.
   • Utilize external intelligence to enhance scenario planning and stress testing.
   • Benchmark against industry trends and regulatory developments to adjust risk strategies.
4. Technology:
   • Invest in GRC technologies that provide real-time visibility and adaptability for risk and resilience in a business context.
   • Leverage AI responsibly to enhance risk detection, resilience planning, and reporting.
   • Connect risk intelligence feeds into operational risk and decision-making workflows.
   • Focus on interoperability — connecting risk data across enterprise systems.

The Road Ahead

These themes are not unique to the UK. I am seeing similar patterns globally. Though I am home for a brief week, the dialogue continues. From May 3rd to May 23rd, I will be engaging with organizations across Madrid, Barcelona, Zurich, Copenhagen, and London — further gathering perspectives and advancing the conversation on how organizations can build risk agility and resilience in a rapidly changing world.

Stay tune

“But he hasn’t got anything on!”—The Emperor’s New Clothes, Hans Christian Andersen

The Fable and the Analogy

Hans Christian Andersen’s tale of “The Emperor’s New Clothes” tells of a vain ruler tricked by swindlers who claim they can weave a magnificent fabric invisible to anyone incompetent or stupid. No one dares admit they see nothing—until a child innocently proclaims the truth.

The GRC technology market, like any other, has its own “emperors” and tailors. In recent years, ServiceNow has emerged as a dominant platform pushed into GRC use cases—branded not as GRC, but as IRM (Integrated Risk Management). And in many organizations, particularly outside of IT, people are starting to murmur: “But it doesn’t work for us.”

This article is not an attack, nor is it a “do not purchase” directive. Instead, it is a professional caution: a yellow light urging evaluation, due diligence, and an objective look before committing to ServiceNow for GRC. And it also is a call to action that should you desire to select ServiceNow for GRC . . . make damn sure you have the right tailor (professional service firm) as that is the only way you will get satisfaction.

A Flood of Market Feedback

My first LinkedIn post on this issue drew significant attention:

• 43,000+ views
• 450+ likes
• 90+ comments
• 50+ reposts

Which I had a follow-up LinkedIn post providing additional perspectives.

What was even more telling? Not one GRC professional outside of IT has come forward publicly or privately to say they love using ServiceNow for GRC. Not yet at least.

In contrast, I’ve received dozens of private messages and direct conversations from across industries, countries, and company sizes confirming consistent frustrations with ServiceNow for GRC/IRM use cases. One CISO at a mid-sized bank specifically stated, it was his “mission to get SNOW out of the bank for GRC use cases.”

The Core Issues with ServiceNow for GRC

🔴 1. Cost and Complexity

ServiceNow promotes its GRC modules as “out-of-the-box” solutions. Yet, in nearly every client conversation I have, these modules require extensive and expensive customization to even begin functioning as needed. One global organization told me:

“The TPRM module is their most immature and least thought-out module of all of ServiceNow.”

Another shared:

“ServiceNow is an ITSM platform they’ve tried to adapt for GRC. It’s tedious, unintuitive, and painful to maintain.”

The licensing model is complex, and the total cost of ownership (implementation + maintenance + upgrade costs) is the highest in the entire GRC market in GRC 20/20’s market research.

🔴 2. Performance Issues

The underlying architecture of ServiceNow was not originally built for GRC. Clients report slow response times, clunky workflows, and user experience limitations, especially when dealing with cross-functional risk and compliance processes.

🔴 3. Maintenance and Upgrades Are Difficult

ServiceNow’s relational database foundation includes an overwhelming number of interconnected tables. Clients say:

“Every new version potentially breaks something. We live in fear of upgrades.”

Customization increases fragility. Even ServiceNow’s own GRC modules can become unstable with version changes. For organizations with moderate to high customization, every upgrade is a risk.

🔴 4. GRC Decisions Driven by IT, Not Business Needs

This may be the most persistent challenge. Many implementations begin with IT departments selecting ServiceNow simply because it’s already in use for ITSM. The problem? Risk, compliance, audit, and legal teams are not consulted or heard. One organization told me:

“We never had a chance to weigh in. IT made the decision, and now we’re stuck.”

GRC should be business-led. IT is an enabler—not the driver.

I worked on one major GRC/ERM RFP in Europe, a global organization with over 60,000 employees. ServiceNow was eliminated in the very beginning against competitors and did not make the semi-finals or finals. A solution was chosen . . . IT steps in and says it will only be ServiceNow. SNOW wins RFPs that it loses.

🔴 5. Consulting Firms Stack the Deck

Consulting firms too often push ServiceNow regardless of fit. Why? Because of the massive ongoing revenue streamsthese projects generate. What starts as an implementation becomes an ETERNAL engagement.

In one case:

• The an organization spent $12M+ and 5 years on ServiceNow for GRC.
• Fired the first consulting firm, brought in another.
• Still not fully implemented.

Several organizations have told me outright:

“We cannot afford the ongoing implementation and maintenance costs.”

Stories from the Field

A few anonymized insights from real organizations:

• Large FinTech: Says TPRM module is their least mature and weakest component.
• Healthcare System: Recently finished implementation. Team dislikes the product. Another healthcare peer did the same and recently left SNOW and bought another solution to compensate.
• Retail Enterprise: Abandoned ServiceNow entirely for another GRC solution that was easier to use, implement, and maintain.
• HighTech. Turned off ServiceNow for GRC, returned to manual processes in many areas, and is pending RFP again.
• Banking: IT chose ServiceNow despite the GRC team ruling it out in the RFP process. GRC needs were ignored.

The stories keep coming . . .

The Tailor Matters

ServiceNow’s success often hinges on who implements it.

In GRC 20/20 research, we see that boutique ServiceNow specialists consistently deliver better results and higher satisfaction than the big consulting houses. There are great people, magnificent people, at large consulting firms . . . but too often their voices are drowned out in pursuit of large never-ending projects. The Never Ending Story for an analogy as well . . .

Why do boutiques have a better track record with ServiceNow for GRC?

• More agile
• More engaged
• More experienced in GRC specifically
• Less incentive to bloat the scope

This does not mean every big firm fails. But it does mean that organizations should choose implementation partners carefully, and never default to the big-name brand.

So, Should You Use ServiceNow for GRC?

The answer: Maybe. But only if it fits.

ServiceNow GRC/IRM can work, particularly in IT-focused environments or when there is deep platform expertise in-house or with the right consulting firm (but be VERY selective). But it should never be the default, and it should not be forced on the business by IT or consultants.

GRC selection must be business-driven.

GRC use cases span risk management, compliance, audit, legal, ESG, third-party risk, and operational resilience. These teams must be part of the selection process.

Let ServiceNow compete. But let it win on capabilities, not on convenience by IT mandates or consulting firms aiming for HUGE never ending projects.

The Analyst’s Role: Calling Out the Pattern

No solution is perfect. Every vendor has a mix of satisfied and dissatisfied clients. But as an analyst with over 25 years of analyst experience (and 33 years total GRC experience), I have a responsibility to flag patterns when they emerge.

And this is clear: ServiceNow for GRC has more reported issues and frustrations than any other GRC technology in the market today with the highest cost to implement and maintain,

Until I begin hearing positive stories from GRC professionals outside of IT, my position remains:

Proceed with caution. Evaluate ServiceNow objectively. Choose the right tailor (partner). And never let convenience override capability.

Who should I call out next . . .

In recent years, Environmental, Social, and Governance (ESG) initiatives have become a lightning rod in political discourse. Critics have reduced ESG to ideological talking points—especially on issues such as climate change and diversity, equity, and inclusion (DEI)—while supporters often frame it as a moral imperative. But both extremes can obscure the core of what ESG should truly be about. Strip away the noise, and ESG, at its best, is about something much deeper and more enduring: stewardship.

GRC 20/20 is seeing, even amid policy change in the USA, and restructuring of the EU CSRD and CSDDD in the EU Omnibus, many organizations are moving forward with ESG programs based on the stewardship to the organizations values, particularly across Europe and in parts of Asia such as Singapore, Australia, and Japan. The restructuring of the EU CSRD and CSDDD still has a significant impact on many organizations.

The True Nature of ESG: Stewardship Over Ideology

At its heart, ESG is not a political agenda or a public relations campaign. It is a framework for organizations to act as stewards of their environment, their communities, and their governance. Stewardship is the responsible planning and management of resources. It is about care, accountability, and a long-term view toward sustainability—not just in environmental terms, but across every aspect of how an organization operates.

From my own Christian faith tradition—while fully honoring the beliefs of other faiths and those with no religious affiliation—the concept of stewardship is foundational. Humanity was created to be stewards of creation: to care for the earth, to treat one another with dignity, and to live with integrity and responsibility. That same ethic of stewardship applies in the corporate context. ESG should be viewed not as a checklist of politically charged criteria, but as a commitment to responsible management of the organization, its use of resources, how it interacts with the communities it serves, and its impact across these areas and more.

Stewardship in Practice: Breaking Down ESG

Environmental Stewardship

Environmental stewardship is more than just reducing carbon footprints or making public pledges on climate goals. While climate change is a vital component, the environmental dimension of ESG includes broader concerns such as:

• PFAS and chemical pollution. Managing the use and disposal of hazardous substances like per- and polyfluoroalkyl substances (PFAS), which have widespread and lasting impacts on ecosystems and human health.
• Resource use and waste. Responsible consumption and disposal of water, energy, minerals, and materials. This means designing sustainable supply chains and product life cycles.
• Biodiversity and land use. Being mindful of how operations impact ecosystems, habitats, and land degradation.

Environmental stewardship requires that organizations actively evaluate how their operations impact the world around them and take steps to reduce harm, restore balance, and promote resilience.

Social Stewardship

Much of the political debate surrounding ESG tends to focus narrowly on DEI. While inclusion and equity are important, the S in ESG encompasses broader and often more urgent human rights and community concerns, such as:

• Modern slavery and labor practices. Ensuring that the organization and supply chains are free from forced labor, child labor, and exploitative conditions.
• Privacy and data protection. Safeguarding the personal information of employees, customers, and stakeholders in an age of growing digital exposure.
• Workplace safety, harassment, and discrimination. Fostering a safe, respectful, and fair work environment that upholds the dignity of all employees.

Social stewardship challenges organizations to consider their impact on human well-being—within the organization and across the broader communities they serve or affect.

Governance Stewardship

Governance is often the least discussed yet most crucial pillar of ESG. Good governance is not simply about ticking compliance boxes—it is about:

• Decision-making transparency
• Accountability of leadership
• Ethical behavior and oversight
• Integrity in reporting and assurance
• Internal controls, regulatory/legal compliance, and risk management

Strong governance ensures that the promises an organization makes in the environmental and social domains are not hollow. It is the framework that enables ESG commitments to translate into real, measurable action.

GRC: The Engine that Makes ESG Work

So how does an organization operationalize stewardship? That’s where GRC—Governance, Risk Management, and Compliance—comes in. ESG objectives do not become reality on good intentions alone. GRC is the structured capability that enables an organization to:

• Reliably achieve objectives (Governance)
  Set clear ESG goals based on the organization’s values, stakeholder expectations, and regulatory/legal obligations.
• Address uncertainty (Risk Management)
  Understand and mitigate risks—environmental, reputational, operational, legal—that can undermine ESG objectives goals.
• Act with integrity (Compliance)
  Ensure adherence to values, ethics, internal policies, regulations and external laws, and provide assurance through honest, transparent reporting.

Through GRC, ESG becomes more than a vision—it becomes a managed, measurable capability embedded across the organization.

But ESG starts with objectives. Any ESG strategy, program, process, or even technology that starts with ESG risks and not objectives is a broken and failed approach.

Integrity: The Ultimate Measure of ESG

Stewardship is not just about actions—it is about integrity. An organization may publish impressive ESG reports, but if those reports mask poor practices or create a misleading impression, they are nothing more than greenwashing. Authentic ESG performance comes from aligning words with deeds—living up to defined ESG values and commitments.

Each organization must define its ESG principles in alignment with its mission, values, stakeholder expectations, and regulatory obligations. What matters is not whether every ESG goal is reached overnight, but whether the organization is making transparent, credible, and consistent progress toward those goals.

A Call to Reframe the Conversation

It is time to reclaim ESG from the ideological battleground and ground it firmly in the language of stewardship and integrity and delivered through sound GRC practices found in the OCEG GRC Capability Model. When understood this way, ESG is not a threat to business—it is a path to better, more resilient, and more trustworthy business. Stewardship is not political. It is responsible. It is ethical. It is what good organizations—and good leaders—do.

Let’s rethink ESG not as a problem to solve, but as a principle to live by. When built on stewardship and supported by GRC, ESG becomes a powerful force for long-term value, accountability, and trust.

In today’s rapidly evolving world, the risk landscape is changing faster than ever. We’ve witnessed firsthand the mounting challenges organizations face with an increasingly complex web of regulatory requirements, cyber threats, and operational resilience. The issues organizations face today are more interconnected, urgent, and nuanced than ever before.

As we reflect on the insights from a recent survey conducted by MetricStream and the GRC Report, which polled over 100 global GRC professionals, five critical areas stand out as key learnings for organizations in 2025. These insights offer not only a roadmap for navigating the complexities ahead but also a chance to transform challenges into opportunities for growth and competitive advantage.

1. Turning Regulatory Complexity into a Strategic Differentiator

Regulatory complexity, especially the speed of regulatory changes, remains a . . .

[The rest of this blog can be read on the MetricStrean blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

The global business landscape today is a complex web of interconnected organizations—the extended enterprise. This interconnectedness delivers unprecedented opportunities for growth, efficiency, and innovation. However, it simultaneously amplifies risk exposure, creating vulnerabilities across third-party relationships.

As geopolitical and economic tensions and uncertainty escalates, it is critical that organizations urgently reassess and enhance their third-party governance, risk management, and compliance (GRC) strategies. This enables the organization to reliably achieve objectives in each relationship and across relationships (governance), address uncertainty in achieving those objectives (risk management), and act with integrity within each relationship (compliance).

Critical to this is geo-political risk management and resilience of the extended enterprise as well as meeting the obligations of the numerous laws and regulations impacting these relationships (a detailed summary overview is at the bottom of this post).

CALL TO ACTION: Organizations cannot manage third-party risk in disconnected silos, departments, and functions going in different directions and not collaborating. Organizations absolutely need an integrated approach to third-party governance, risk management and compliance to ensure they have full visibility into the extended enterprise.

The Multifaceted Challenges of Today’s Extended Enterprise

Each third-party relationship—from suppliers and vendors to agents and distributors—introduces potential uncertainties, issues of resilience, and integrity. With intensifying geopolitical instability, the extended enterprise faces heightened risks from:

• Tariffs and Trade Policies. Sudden policy shifts, such as the recent U.S. policies and corresponding global trade wars, have led to increased tariffs, affecting procurement costs, supply chain dynamics, and overall profitability.
• Regulatory Volatility. Regulations are evolving at a rapid pace and requires diligent oversight and rapid adaptability. These include an array of bribery-corruption, resilience, privacy, modern slavery laws and more. A thorough, but not comprehensive, list is at the bottom of this post.
• Global Conflicts. Conflicts, such as the war in Ukraine, conflicts in the Middle East and disruptions in the Suez Canal, disrupt supply chains, particularly for commodities like energy, grain, and critical raw materials, forcing companies to scramble for alternative sources.
• Commodity and FX Fluctuations. Fluctuating prices and foreign exchange volatility significantly impact budgeting, pricing strategies, and financial planning.

Rethinking Third-Party Governance

Traditional transactional approaches to third-party relationships, which primarily emphasized cost and punctuality, are no longer adequate. Robust third-party governance and risk management must:

• Align Strategic Objectives. Clearly articulate and align third-party relationship objectives with the organizational objectives and strategy to ensure mutually beneficial outcomes.
• Continuous Risk Assessments. Utilize continuous monitoring, due diligence, geo-polticidal and risk intelligence feeds, and analytics tools to proactively identify, assess, and mitigate risks and uncertainty..
• Value Alignment and Integrity. Regularly evaluate and monitor third-party practices to ensure ethical alignment and compliance with organizational values as well as laws, regulations, and global standards.

Building Resilience into Third-Party Risk Management

Resilience in third-party risk management means being prepared to navigate disruptions effectively. Strategies include:

• Supplier Diversification. Avoid over-reliance on single-source suppliers and continually reevaluate geopolitical risks to ensure that the organizations extended enterprise remains agile.
• Real-Time Monitoring and Analytics. Implement advanced analytics solutions to monitor geopolitical developments to enable swift responses to emerging threats.
• Scenario and Contingency Planning. Regularly simulate potential disruptions and prepare contingency plans through scenario analysis, table-top exercise, and micro-simulations to successfully navigate potential disruptions.

An Integrated Approach to Third-Party Governance(GRC)

Now is the time to act decisively. Organizations must strategically invest in their third-party GRC capabilities, embedding resilience and integrity deeply into their operational ethos of their extended enterprise. In doing so, they not only mitigate today’s risks but position themselves to confidently thrive amid future uncertainties. The extended enterprise’s resilience and integrity depend on proactive, diligent, and strategic third-party governance. Your business’s future demands nothing less.

Addressing these multifaceted risks demands an integrated strategy, process, information/intelligence, and technology. Organizations need to:

• Appoint someone to lead the strategy across departments and functions
• Insist that various silos cooperate and participate in an integrated third-party governance and risk strategy
• Foster an organizational culture that values transparency, accountability, and ethical business practices across the extended enterprise
• Monitor geo-political, regulatory, and other third-party risk intelligence feeds to ensure responsiveness to evolving circumstances both globally and within third-parties
• Deploy robust third-party governance and risk management (GRC) software providing comprehensive oversight of third-party engagements and collaboration

If your organization is navigating the complexities of third-party risk in today’s volatile and interconnected world, I welcome the opportunity to share insights from my ongoing research across strategy, processes, content/intelligence, and technology. Whether you’re building a third-party risk program from the ground up or refining a mature framework, I offer a unique lens into market trends, best practices, and innovative solutions. Feel free to reach out—I’m always happy to provide guidance and be a sounding board as you strengthen your extended enterprise.

Upcoming Third-Party Governance & Risk Workshops

Spain, May 6 @ 1:00 pm – 4:00 pm CEST 

• Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain, MADRID

United Kingdom, May 21 @ 9:30 am – 4:30 pm BST 

• Third-Party Risk Management by Design, LONDON

United Kingdom, June 9 @ 1:00 pm – 4:00 pm CEST 

• Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain, BIRMINGHAM

Denmark, June 17 @ 1:00 pm – 4:00 pm CEST

• Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain, COPENHAGEN

Laws & Regulations Impacting the Extended Enterprise

Here is a list of laws and regulations, with various states of enforcement, impacting the extended enterprise. This is list is not comprehensive, but gives a good indicator of the scope of regulatory and legal volatility and complexity that is growing.

• Operational Resilience. The following laws predominantly, but not exclusively, focus on financial services. While broadly focused on operational resilience, this cannot be achieved without managing third-party risk. Everyone of them includes strong aspects of third-party risk management:
  • United Kingdom Operational Resilience Regulations
  • European Union Digital Operational Resilience Act (DORA)
  • Australia Prudential Standard CPS 230 – Operational Risk Management 
  • Federal Reserve, OCC, and FDIC Joint Guidance on Operational Resilience (guidance, not regulation)
  • Singapore Monetary Authority of Singapore (MAS) Guidelines on Operational Resilience 
  • Hong Kong Monetary Authority Supervisory Policy Manual OR-2 on Operational Resilience 
  • Canada OSFI Guideline B-13: Technology and Cyber Risk Management 
• Broad Environmental, Social, Governance (ESG)/Sustainability. The following are laws that regulate broad ESG and sustainability reporting that tie into supply chains. More specific laws are listed below.
  • European Union Corporate Sustainability Reporting Directive (CSRD), Taxonomy Regulation & Corporate Sustainability Due Diligence Directive (CSDDD) (being rescoped with the EU Omnibus but still significant)
  • Germany Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG)
  • France Duty of Vigilance Law (Loi de Vigilance)
  • Switzerland Responsible Business Initiative
  • Dutch Bill for Responsible and Sustainable International Business Conduct
  • Austrian Supply Chain Act (Proposed)
• Modern Slavery. The following are laws and regulations that impact human rights in context of modern slavery (forced labor, child labor) and working conditions in the extended enterprise:
  • European Union Conflict Minerals Regulation
  • European Union Forced Labour Regulation
  • United Kingdom Modern Slavery Act
  • Norway Transparency Act
  • California Transparency in Supply Chains Act
  • USA Uyghur Forced Labor Prevention Act (UFLPA)
  • USA Dodd-Frank Act – Section 1502 (Conflict Minerals Rule)
  • USA Trade Facilitation and Trade Enforcement Act (TFTEA)
  • Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act
  • Australia Modern Slavery Act
  • Australia New South Wales Modern Slavery Act
  • Dutch Child Labour Due Diligence Law
• Anti-Bribery & Corruption. The following are key anti-bribery and corruption (ABAC/ABC) laws and regulations from around the world that are particularly relevant to third-party risk, as intermediaries (agents, resellers, consultants, distributors, etc.) are often a primary source of bribery and corruption exposure.
  • USA Foreign Corrupt Practices Act (FCPA) 
  • United Kingdom Bribery Act
  • France Sapin II Law
  • Canada Corruption of Foreign Public Officials Act (CFPOA)
  • Germany Anti-Corruption Laws / Corporate Sanctions Act (proposed)
  • Brazil: Clean Company Act
  • India Prevention of Corruption Act
  • China Anti-Unfair Competition Law & Criminal Law Provisions
  • Australia Criminal Code Act – Division 70
  • Multilateral Frameworks Influencing National Laws: OECD Anti-Bribery Convention, UN Convention Against Corruption (UNCAC), Transparency International Guidelines
• Environmental Regulations. This category could expand much more, here are some that are top of mind currently:
  • European Union Regulation on Deforestation-free Products
  • European Union Battery Regulation
  • European Union Registration, Evaluation, Authorisation, and Restriction of Chemicals (REACH)
  • California Senate Bill 253 (SB 253): Climate Corporate Data Accountability Act
  • California Senate Bill 261 (SB 261): Climate-Related Financial Risk Act
  • Chinese Due Diligence Guidelines for Responsible Mineral Supply Chains
  • China Restriction of Hazardous Substances (RoHS) Directive
  • Japan The Act on Promoting Green Procurement
  • Japan The Clean Wood Act
  • Singapore Mandatory Climate-Related Disclosures
  • Global (many countries and states/provinces) ​Extended Producer Responsibility 
  • Global liability and regulation related to PFAS (Per- and Polyfluoroalkyl Substances – Forever Chemicals)
• Privacy & Information Security. The following are the significant privacy related laws and regulations that impact third-party relationships:
  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • New York SHIELD Act
  • Virginia Consumer Data Protection Act
  • Colorado Privacy Act
  • Connecticut Data Privacy Act
  • Utah Consumer Privacy Act
  • USA HIPAA (Health Insurance Portability and Accountability Act)
  • USAGLBA (Gramm-Leach-Bliley Act)
  • USAFTC Safeguards Rule
  • European Union General Data Protection Regulation (GDPR)
  • European Union NIS Directive
  • European Union NIS2 Directive
  • United Kingdom GDPR (Post-Brexit version of GDPR)
  • United Kingdom Data Protection Act
  • Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Québec Law 25
  • Australia Privacy Act
  • Australia Notifiable Data Breaches Scheme
  • Singapore Personal Data Protection Act (PDPA)
  • Singapore Cybersecurity Act
  • Japan Act on the Protection of Personal Information (APPI)
  • China Personal Information Protection Law (PIPL)
  • China Cybersecurity Law
  • China Data Security Law
  • South Korea Personal Information Protection Act (PIPA)
  • Brazil General Data Protection Law (LGPD)
  • India Digital Personal Data Protection Act

OK, I have not event got into things like sanctions, the US Federal Acquisition Regulation, or regulations around Animal Welfare (concern in life sciences in third-party risk), inappropriate promotion, and I can keep going . . .

For example, here is the list of third-party risk categories that is put together in one comprehensive third-party risk program as a major life sciences company that I advised on their RFP:

• Anti-bribery and Corruption (ABAC)
• Conflict Minerals (CM)
• Complementary Workers (CW)
• Environment Health, Safety & Sustainability (EHSS)  
• Human Safety Information (HSI) 
• Inappropriate Promotion (IP) 
• Information & Cyber Security Risk – IT & OT (ICR)
• Labour Rights (LR) 
• Privacy (Priv)
• Sanctions
• Animal Welfare (AW)
• Crisis and Continuity Management 
• Data Integrity (DI)
• Good Clinical Practice (GCP)
• Good Laboratory Practice (GLP)
• Good Manufacturing Practice (GMP)
• Human Biological Samples Management (HBSM)

In a similar example, here is the list of third-party risk categories from another life sciences firm I interacted with that is delivering a comprehensive third-party risk program:

• Anti-bribery and corruption
• InfoSec
• Information Systems Quality
• Privacy
• Animal welfare
• Business continuity (includes concentration, material)
• Health, safety, and environment
• Compliance (promotional practices, bioethics)
• Product quality and safety (clinical trial, human biological sample management, pharmacovigilance)
• Strategic sourcing
• Intellectual property
• ESG
• Performance and Contractual
• Global Security
• Fourth Party risk across all domains

I also have similar structure from financial services, consumer packaged goods, and many other industries.

In the past several months, my family has faced a deeply personal challenge — my wife’s battle with breast cancer. Observing her journey through six rounds of chemotherapy, with upcoming surgeries and subsequent immunotherapy treatments, has profoundly illuminated for me the essence and criticality of resilience. As a professional deeply immersed in Governance, Risk Management, and Compliance (GRC), this personal battle has provided significant parallels and lessons that organizations can harness.

At its core, GRC is a capability designed to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance). But to truly master GRC, an organization must build and continuously refine resilience across these areas. Watching my wife courageously face her treatments has crystallized three specific types of resilience that every organization should strategically integrate into its GRC approach: Strategic Resilience, Environmental Resilience, and Operational Resilience.

Strategic Resilience: Adapting and Persisting

Strategic resilience in cancer treatment mirrors how organizations must anticipate, adapt, and respond to risks and uncertainties impacting their strategic objectives. My wife’s treatment plan was meticulously designed based on careful assessments, risk analysis, and projected outcomes. Each chemotherapy round was a strategic choice aimed at aggressively targeting the cancer. However, resilience was essential as each round of treatment came with increasing physical tolls, requiring her — and us as a family — to reassess, recalibrate, and reaffirm our commitment to the end goal of recovery.

Organizations face analogous scenarios when navigating their strategic paths. Resilience is not simply having a strategic plan; it’s maintaining flexibility and adaptability when confronting unexpected challenges or intensified risk exposure. It involves periodically revisiting and revising strategies, ensuring alignment with evolving realities, and reinforcing the organization’s commitment to long-term objectives despite short-term setbacks.

Environmental Resilience: Creating Supportive and Sustainable Conditions

My wife’s resilience has also been deeply tied to managing and optimizing her environment. This has included not just physical spaces — maintaining cleanliness, nutrition, rest — but also psychological and social environments, surrounding herself with supportive friends, family, and professionals who provide emotional and mental strength, and removing stress from her life. This holistic approach to managing her environmental conditions is pivotal in building and maintaining her overall resilience and health.

In GRC, particularly within the context of the Environmental component of ESG (Environmental, Social, and Governance), organizations similarly must understand and manage their broader environments. Environmental resilience goes beyond mere compliance with regulations. It encompasses creating and sustaining a corporate ecosystem that supports long-term health and adaptability, minimizing negative environmental impacts, and proactively enhancing overall corporate sustainability and being stewards of the organization’s environment and resources it consumes. Just as my wife’s health depends heavily on careful environmental management, organizations thrive best when actively fostering conditions that sustain operational continuity and positive impact.

Operational Resilience: Navigating the Day-to-Day

The everyday challenges of cancer treatment — the logistics of medical appointments, treatments, side effects management, maintaining daily routines, and keeping up morale — have underscored the critical importance of operational resilience. It involves ensuring continuity, adaptability, and effectiveness of daily operations, even under intense pressure and disruption.

Operational resilience within organizations parallels this experience closely. Companies must design and continually refine processes that enable them to respond to disruptions swiftly and effectively. Whether it’s cyber threats, operational outages, regulatory changes, or market volatility, operational resilience ensures continuity, mitigates damage, and sustains performance. Like my wife’s careful attention to daily operational details during treatment, businesses must proactively identify critical processes, vulnerabilities, and dependencies, preparing robust plans and recovery measures that minimize impact when adversity strikes.

Personal to Professional: Universal Lessons in Resilience

The resilience I’ve witnessed in my wife’s battle with cancer transcends individual experience, it encapsulates universal principles applicable to organizational resilience. Strategic resilience emphasizes adaptability and foresight. Environmental resilience focuses on cultivating sustainable and supportive conditions. Operational resilience ensures practical continuity amidst disruption.

By embedding these resilience lessons into their GRC frameworks, organizations can build stronger capabilities to withstand shocks, adapt to change, and sustainably achieve their objectives. Resilience isn’t just about survival; it’s about emerging stronger, wiser, and better prepared for the future challenges we inevitably face.

My wife’s journey through cancer treatment continues to inspire me every day, illuminating resilience not as a reactive stance but as a proactive, deeply ingrained practice essential for personal and organizational strength, stability, and growth.

For those interested, you can follow her on Instagram, where she documents her journey and resilience through cancer.

A small, obscure, and misguided segment of the analyst community promotes Integrated Risk Management (IRM) as a replacement for Governance, Risk Management, and Compliance (GRC). This group incorrectly portrays GRC as focused on compliance, missing the broader and essential elements—governance and risk management—that are foundational and integral to GRC as established over two decades ago by the OCEG GRC Capability Model.

Understanding True GRC

GRC, clearly articulated by the OCEG GRC Capability Model, is defined as “a capability to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance).” It is critical to emphasize the structured sequence and inherent logic in this definition:

• Governance (G). Establishes clear organizational objectives and measures performance against these objectives. Without governance, an organization cannot define or assess success and will lack the foundation for meaningful risk management. This goes from entity level objectives down into operational level objectives.
• Risk Management (R). According to ISO 31000, the international standard for risk management, risk is “the effect of uncertainty on objectives.” Thus, risk management logically follows governance—it requires clearly articulated objectives as its necessary context.
• Compliance (C). Compliance ensures acting with integrity by adhering to both mandatory and voluntary obligations, forming the operational boundaries within which governance and risk management operate.

This logical structure—G flowing to R and bounded by C—is the true essence of GRC.

The Misguided Push for IRM

Despite the longstanding clarity and industry-wide acceptance of the GRC framework, a minor segment (one analyst) has attempted to elevate IRM as a superior or successor concept. Their argument suggests that traditional GRC has “failed” and is overly compliance-focused. This narrative is fundamentally flawed:

• It inaccurately redefines GRC as compliance-centric, ignoring the essential roles of governance and risk management.
• It overlooks that IRM, properly executed, is already encompassed within the risk management component of GRC.
• It mistakenly suggests that IRM technology is distinct or superior, despite the reality that IRM-labeled technology overlaps entirely with existing GRC solutions.

The reality is clear: IRM, when correctly understood, is simply the “R” in GRC—risk management integrated fully with governance and compliance.

OCEG’s Clear and Consistent Perspective

OCEG—the global authority on GRC—recognizes and clearly articulates this correct perspective. IRM, as OCEG presents it, serves governance and enhances compliance by effectively managing uncertainty in alignment with organizational objectives.

OCEG has actively reinforced this proper understanding of IRM by introducing the Integrated Risk Management Professional Certification, complementing their foundational certifications such as:

• Certified GRC Professional
• Certified GRC Auditor

OCEG further supports specialized domain knowledge with certifications such as:

• Integrated Policy Management Professional
• Integrated Data Privacy Management Professional
• Integrated Audit & Assurance Professional
• Integrated Compliance & Ethics Professional
• Integrated Governance & Oversight Professional (coming soon)
• Integrated Strategy & Performance Professional (coming soon)
• Integrated Security & Continuity Professional (coming soon)

This suite of certifications reflects OCEG’s comprehensive approach, ensuring practitioners understand that IRM is not separate from but integral to the broader GRC strategy that governs it.

Organizations seeking meaningful results from their governance, risk, and compliance activities (strategy, people, process, and supporting technology) must reject misleading narratives that position IRM in opposition to GRC. True IRM exists within GRC, guided by clear governance objectives and defined compliance boundaries.

For more clarity and guidance, organizations and professionals are encouraged to explore OCEG’s robust framework and certifications, reinforcing that true IRM is always and only meaningful within the comprehensive context of GRC.

No organization is an isolated entity. It is part of an extended enterprise of suppliers,
vendors, service providers and other third parties. This complex web of relationships drives efficiency and innovation, but it also introduces significant risk and resilience challenges. Ensuring the reliability, integrity, compliance and resilience of third-party relationships is no longer a best practice, it is a business imperative.

Third-party risk management (TPRM) extends beyond traditional procurement and vendor assessments. It encompasses a holistic approach that integrates governance, risk management and compliance (GRC) across the entire lifecycle of third-party relationships, spanning onboarding, ongoing monitoring and offboarding.

In this context, this means organizations must . . .

[The rest of this blog can be read on the IBM blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

In today’s rapidly evolving regulatory landscape, organizations face an increasingly complex and dynamic environment where managing compliance obligations demands agility, efficiency, effectiveness, resilience, and innovation. At the intersection of technology and regulation, RegTech has emerged as a pivotal component/segment within the broader Governance, Risk Management, and Compliance (GRC) market, offering transformative solutions that enable organizations to stay ahead in the fast-moving regulatory world.

As the number #2 influencer in RegTech (ask ChatGPT), here are some thoughts . . .

Regulatory Technology, or RegTech, leverages technology — most notably with artificial intelligence (AI) — to streamline compliance processes, enhance risk management, and automate the monitoring and reporting of regulatory obligations. As part of the broader GRC market, RegTech has significantly reshaped how organizations approach compliance, transforming what was once viewed merely as a burdensome cost center into a strategic enabler of business agility, efficiency, and resilience.

A core facet of my analysis at GRC 20/20 has been evaluating RegTech’s evolution, capabilities, and market traction. The landscape is rich, complex, and rapidly expanding. While AI dominates discussions around innovation in RegTech, I frequently caution organizations to look beyond the buzzword. In reality, there are compelling and sophisticated implementations of AI in RegTech, but equally, there are solutions akin to the “Wizard of Oz” — where behind the curtain, humans continue to operate many processes manually, diminishing the true promise and effectiveness of AI-driven RegTech automation.

Ultimately, navigating the RegTech universe demands clear-sighted evaluation of technologies—understanding what truly offers innovative AI capabilities versus solutions where AI is more promise than reality. As we delve deeper into this universe, we equip organizations with the insights and tools needed to leverage RegTech strategically, driving true governance, risk, and compliance effectiveness.

As RegTech continues to evolve and mature within the GRC landscape, staying informed, critical, and forward-looking remains key to successfully managing regulatory risk and harnessing technology’s full potential.

GRC 20/20 maps several key areas within RegTech:

• Regulatory Change Management. Ensuring firms keep pace with evolving regulations globally, from horizon scanning to implementing controls and updating policies.
• Regulatory Reporting. Automating the collection, analysis, and submission of regulatory data.
• Operational Risk and Internal Control Management and Benchmarking. Enhancing and benchmarking resilience and internal control effectiveness.
• Transaction and Trade Monitoring. Real-time monitoring to detect unusual or suspicious activities.
• AML & Financial Crime (FinCrime). Leveraging technology to monitor, detect, and prevent financial crime.
• Know Your Customer (KYC). Streamlining customer due diligence processes and improving accuracy.
• Conduct and Surveillance. Monitoring behaviors and transactions to ensure compliance with internal and external regulations.
• Financial Risk Management. Managing risks associated with financial operations, including market, credit, and liquidity risks.

One area of RegTech experiencing tremendous traction globally is Regulatory Change Management. At GRC 20/20, I’ve observed this as one of the most pressing and prominent use cases gaining traction worldwide. Regulatory Change Management, vital in today’s turbulent compliance environment, encompasses monitoring regulatory changes through horizon scanning, assessing the business impact, and managing responses to ensure organizations remain compliant.

My interactions around the globe underscore that efficient Regulatory Change Management solutions can dramatically mitigate compliance risks and optimize operational efficiency. The traction in Regulatory Change Management has been evident in my international engagements. Soon, I’ll be sharing insights in the upcoming workshops in Toronto and Zurich:

• Mastering the Regulatory Rollercoaster: Navigating New Rules and Emerging Risks, TORONTO
• Riding the Compliance Carousel: Managing Emerging Regulatory Risks & New Rules, ZURICH

In the context of AML and FinCrime RegTech, this engagement continues at the AML & FinCrime Summit in New York City tomorrow, where I’ll moderate both the keynote panel and another significant session, bringing into sharp focus how RegTech effectively combats financial crime through smarter AML processes, transaction monitoring, and KYC (Know Your Customer) protocols. These panels are:

• Addressing the Future of Financial Crime Prevention: Challenges, Technology, and Global Threats in 2025
• Behind the Regulatory Doors: Perspectives on AML & FinCrime Tech Innovation

Looking ahead, I am also deeply involved with the Global RegTech Summit 2025 in London (May) and New York City (September), highlighting RegTech’s growing global significance. These summits reflect critical industry insights, innovation trends, and practical adoption strategies to help organizations thrive in increasingly complex regulatory landscapes.

Looking forward, the Global RegTech Summit 2025 in London in May, and later this year in New York City in September, where these events serve as pivotal platforms for industry leaders and innovators to collaborate, exchange ideas, and explore solutions that define the future of regulatory compliance.