Rethinking ESG: Rediscovering the Meaning of Stewardship

In recent years, Environmental, Social, and Governance (ESG) initiatives have become a lightning rod in political discourse. Critics have reduced ESG to ideological talking points—especially on issues such as climate change and diversity, equity, and inclusion (DEI)—while supporters often frame it as a moral imperative. But both extremes can obscure the core of what ESG should truly be about. Strip away the noise, and ESG, at its best, is about something much deeper and more enduring: stewardship.

GRC 20/20 is seeing that, even amid policy change in the USA and the rescoping of the EU CSRD and CSDDD through the EU Omnibus, many organizations are moving forward with ESG programs grounded in stewardship of the organization’s values, particularly across Europe and in parts of the Asia-Pacific region such as Singapore, Australia, and Japan. Even rescoped, the CSRD and CSDDD still have a significant impact on many organizations.

The True Nature of ESG: Stewardship Over Ideology

At its heart, ESG is not a political agenda or a public relations campaign. It is a framework for organizations to act as stewards of their environment, their communities, and their governance. Stewardship is the responsible planning and management of resources. It is about care, accountability, and a long-term view toward sustainability—not just in environmental terms, but across every aspect of how an organization operates.

From my own Christian faith tradition—while fully honoring the beliefs of other faiths and those with no religious affiliation—the concept of stewardship is foundational. Humanity was created to be stewards of creation: to care for the earth, to treat one another with dignity, and to live with integrity and responsibility. That same ethic of stewardship applies in the corporate context. ESG should be viewed not as a checklist of politically charged criteria, but as a commitment to responsible management of the organization, its use of resources, how it interacts with the communities it serves, and its impact across these areas and more.

Stewardship in Practice: Breaking Down ESG

Environmental Stewardship

Environmental stewardship is more than just reducing carbon footprints or making public pledges on climate goals. While climate change is a vital component, the environmental dimension of ESG includes broader concerns such as:

  • PFAS and chemical pollution. Managing the use and disposal of hazardous substances like per- and polyfluoroalkyl substances (PFAS), which have widespread and lasting impacts on ecosystems and human health.
  • Resource use and waste. Responsible consumption and disposal of water, energy, minerals, and materials. This means designing sustainable supply chains and product life cycles.
  • Biodiversity and land use. Being mindful of how operations impact ecosystems, habitats, and land degradation.

Environmental stewardship requires that organizations actively evaluate how their operations impact the world around them and take steps to reduce harm, restore balance, and promote resilience.

Social Stewardship

Much of the political debate surrounding ESG tends to focus narrowly on DEI. While inclusion and equity are important, the S in ESG encompasses broader and often more urgent human rights and community concerns, such as:

  • Modern slavery and labor practices. Ensuring that the organization and supply chains are free from forced labor, child labor, and exploitative conditions.
  • Privacy and data protection. Safeguarding the personal information of employees, customers, and stakeholders in an age of growing digital exposure.
  • Workplace safety, harassment, and discrimination. Fostering a safe, respectful, and fair work environment that upholds the dignity of all employees.

Social stewardship challenges organizations to consider their impact on human well-being—within the organization and across the broader communities they serve or affect.

Governance Stewardship

Governance is often the least discussed yet most crucial pillar of ESG. Good governance is not simply about ticking compliance boxes—it is about:

  • Decision-making transparency
  • Accountability of leadership
  • Ethical behavior and oversight
  • Integrity in reporting and assurance
  • Internal controls, regulatory/legal compliance, and risk management

Strong governance ensures that the promises an organization makes in the environmental and social domains are not hollow. It is the framework that enables ESG commitments to translate into real, measurable action.

GRC: The Engine that Makes ESG Work

So how does an organization operationalize stewardship? That’s where GRC—Governance, Risk Management, and Compliance—comes in. ESG objectives do not become reality on good intentions alone. GRC is the structured capability that enables an organization to:

  • Reliably achieve objectives (Governance)
    Set clear ESG goals based on the organization’s values, stakeholder expectations, and regulatory/legal obligations.
  • Address uncertainty (Risk Management)
    Understand and mitigate risks—environmental, reputational, operational, legal—that can undermine ESG objectives.
  • Act with integrity (Compliance)
    Ensure adherence to values, ethics, internal policies, regulations and external laws, and provide assurance through honest, transparent reporting.

Through GRC, ESG becomes more than a vision—it becomes a managed, measurable capability embedded across the organization.

But ESG starts with objectives. Any ESG strategy, program, process, or even technology that starts with ESG risks and not objectives is a broken and failed approach.

Integrity: The Ultimate Measure of ESG

Stewardship is not just about actions—it is about integrity. An organization may publish impressive ESG reports, but if those reports mask poor practices or create a misleading impression, they are nothing more than greenwashing. Authentic ESG performance comes from aligning words with deeds—living up to defined ESG values and commitments.

Each organization must define its ESG principles in alignment with its mission, values, stakeholder expectations, and regulatory obligations. What matters is not whether every ESG goal is reached overnight, but whether the organization is making transparent, credible, and consistent progress toward those goals.

A Call to Reframe the Conversation

It is time to reclaim ESG from the ideological battleground, ground it firmly in the language of stewardship and integrity, and deliver it through the sound GRC practices found in the OCEG GRC Capability Model. When understood this way, ESG is not a threat to business—it is a path to better, more resilient, and more trustworthy business. Stewardship is not political. It is responsible. It is ethical. It is what good organizations—and good leaders—do.

Let’s rethink ESG not as a problem to solve, but as a principle to live by. When built on stewardship and supported by GRC, ESG becomes a powerful force for long-term value, accountability, and trust.

Regulatory Complexity, Operational Resilience, Cyber Risk, and AI: Key GRC Imperatives for 2025

In today’s rapidly evolving world, the risk landscape is changing faster than ever. We’ve witnessed firsthand the mounting challenges organizations face with an increasingly complex web of regulatory requirements, cyber threats, and operational resilience. The issues organizations face today are more interconnected, urgent, and nuanced than ever before.

As we reflect on the insights from a recent survey conducted by MetricStream and the GRC Report, which polled over 100 global GRC professionals, five critical areas stand out as key learnings for organizations in 2025. These insights offer not only a roadmap for navigating the complexities ahead but also a chance to transform challenges into opportunities for growth and competitive advantage.

1. Turning Regulatory Complexity into a Strategic Differentiator

Regulatory complexity, especially the speed of regulatory changes, remains a . . .

[The rest of this blog can be read on the MetricStream blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Navigating the Storm: Strengthening Third-Party Governance and Risk Management in Your Extended Enterprise

The global business landscape today is a complex web of interconnected organizations—the extended enterprise. This interconnectedness delivers unprecedented opportunities for growth, efficiency, and innovation. However, it simultaneously amplifies risk exposure, creating vulnerabilities across third-party relationships.

As geopolitical and economic tensions and uncertainty escalate, organizations must urgently reassess and enhance their third-party governance, risk management, and compliance (GRC) strategies. This enables the organization to reliably achieve objectives in each relationship and across relationships (governance), address uncertainty in achieving those objectives (risk management), and act with integrity within each relationship (compliance).

Critical to this are geopolitical risk management and the resilience of the extended enterprise, as well as meeting the obligations of the numerous laws and regulations impacting these relationships (a summary list is at the bottom of this post).

CALL TO ACTION: Organizations cannot manage third-party risk in disconnected silos, departments, and functions going in different directions and not collaborating. Organizations absolutely need an integrated approach to third-party governance, risk management and compliance to ensure they have full visibility into the extended enterprise.

The Multifaceted Challenges of Today’s Extended Enterprise

Each third-party relationship—from suppliers and vendors to agents and distributors—introduces potential uncertainty and issues of resilience and integrity. With intensifying geopolitical instability, the extended enterprise faces heightened risks from:

  • Tariffs and Trade Policies. Sudden policy shifts, such as the recent U.S. policies and corresponding global trade wars, have led to increased tariffs, affecting procurement costs, supply chain dynamics, and overall profitability.
  • Regulatory Volatility. Regulations are evolving at a rapid pace and require diligent oversight and rapid adaptability. These include an array of bribery and corruption, resilience, privacy, and modern slavery laws, and more. A thorough, but not comprehensive, list is at the bottom of this post.
  • Global Conflicts. Conflicts, such as the war in Ukraine, conflicts in the Middle East and disruptions in the Suez Canal, disrupt supply chains, particularly for commodities like energy, grain, and critical raw materials, forcing companies to scramble for alternative sources.
  • Commodity and FX Fluctuations. Fluctuating prices and foreign exchange volatility significantly impact budgeting, pricing strategies, and financial planning.

Rethinking Third-Party Governance

Traditional transactional approaches to third-party relationships, which primarily emphasized cost and punctuality, are no longer adequate. Robust third-party governance and risk management must:

  • Align Strategic Objectives. Clearly articulate and align third-party relationship objectives with the organizational objectives and strategy to ensure mutually beneficial outcomes.
  • Continuous Risk Assessments. Utilize continuous monitoring, due diligence, geopolitical and risk intelligence feeds, and analytics tools to proactively identify, assess, and mitigate risks and uncertainty.
  • Value Alignment and Integrity. Regularly evaluate and monitor third-party practices to ensure ethical alignment and compliance with organizational values as well as laws, regulations, and global standards.

Building Resilience into Third-Party Risk Management

Resilience in third-party risk management means being prepared to navigate disruptions effectively. Strategies include:

  • Supplier Diversification. Avoid over-reliance on single-source suppliers and continually reevaluate geopolitical risks to ensure that the organization’s extended enterprise remains agile.
  • Real-Time Monitoring and Analytics. Implement advanced analytics solutions to monitor geopolitical developments to enable swift responses to emerging threats.
  • Scenario and Contingency Planning. Regularly simulate potential disruptions and prepare contingency plans through scenario analysis, table-top exercises, and micro-simulations.

An Integrated Approach to Third-Party Governance (GRC)

Now is the time to act decisively. Organizations must strategically invest in their third-party GRC capabilities, embedding resilience and integrity deeply into the operational ethos of their extended enterprise. In doing so, they not only mitigate today’s risks but position themselves to confidently thrive amid future uncertainties. The extended enterprise’s resilience and integrity depend on proactive, diligent, and strategic third-party governance. Your business’s future demands nothing less.

Addressing these multifaceted risks demands an integrated strategy, process, information/intelligence, and technology. Organizations need to:

  • Appoint someone to lead the strategy across departments and functions
  • Insist that various silos cooperate and participate in an integrated third-party governance and risk strategy
  • Foster an organizational culture that values transparency, accountability, and ethical business practices across the extended enterprise
  • Monitor geopolitical, regulatory, and other third-party risk intelligence feeds to ensure responsiveness to evolving circumstances, both globally and within individual third parties
  • Deploy robust third-party governance and risk management (GRC) software providing comprehensive oversight of third-party engagements and collaboration

If your organization is navigating the complexities of third-party risk in today’s volatile and interconnected world, I welcome the opportunity to share insights from my ongoing research across strategy, processes, content/intelligence, and technology. Whether you’re building a third-party risk program from the ground up or refining a mature framework, I offer a unique lens into market trends, best practices, and innovative solutions. Feel free to reach out—I’m always happy to provide guidance and be a sounding board as you strengthen your extended enterprise.

Upcoming Third-Party Governance & Risk Workshops

Spain, May 6 @ 1:00 pm – 4:00 pm CEST 

United Kingdom, May 21 @ 9:30 am – 4:30 pm BST 

United Kingdom, June 9 @ 1:00 pm – 4:00 pm CEST 

Denmark, June 17 @ 1:00 pm – 4:00 pm CEST

Laws & Regulations Impacting the Extended Enterprise

Here is a list of laws and regulations, in various states of enforcement, impacting the extended enterprise. This list is not comprehensive, but it gives a good indication of the scope of regulatory and legal volatility and complexity, which is growing.

  • Operational Resilience. The following laws predominantly, but not exclusively, focus on financial services. While broadly focused on operational resilience, this cannot be achieved without managing third-party risk. Every one of them includes strong aspects of third-party risk management:
    • United Kingdom Operational Resilience Regulations
    • European Union Digital Operational Resilience Act (DORA)
    • Australia Prudential Standard CPS 230 – Operational Risk Management 
    • Federal Reserve, OCC, and FDIC Joint Guidance on Operational Resilience (guidance, not regulation)
    • Singapore Monetary Authority of Singapore (MAS) Guidelines on Operational Resilience 
    • Hong Kong Monetary Authority Supervisory Policy Manual OR-2 on Operational Resilience 
    • Canada OSFI Guideline B-13: Technology and Cyber Risk Management 
  • Broad Environmental, Social, Governance (ESG)/Sustainability. The following are laws that regulate broad ESG and sustainability reporting that tie into supply chains. More specific laws are listed below.
    • European Union Corporate Sustainability Reporting Directive (CSRD), Taxonomy Regulation & Corporate Sustainability Due Diligence Directive (CSDDD) (being rescoped with the EU Omnibus but still significant)
    • Germany Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG)
    • France Duty of Vigilance Law (Loi de Vigilance)
    • Switzerland Responsible Business Initiative
    • Dutch Bill for Responsible and Sustainable International Business Conduct
    • Austrian Supply Chain Act (Proposed)
  • Modern Slavery. The following are laws and regulations that impact human rights in context of modern slavery (forced labor, child labor) and working conditions in the extended enterprise:
    • European Union Conflict Minerals Regulation
    • European Union Forced Labour Regulation
    • United Kingdom Modern Slavery Act
    • Norway Transparency Act
    • California Transparency in Supply Chains Act
    • USA Uyghur Forced Labor Prevention Act (UFLPA)
    • USA Dodd-Frank Act – Section 1502 (Conflict Minerals Rule)
    • USA Trade Facilitation and Trade Enforcement Act (TFTEA)
    • Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act
    • Australia Modern Slavery Act
    • Australia New South Wales Modern Slavery Act
    • Dutch Child Labour Due Diligence Law
  • Anti-Bribery & Corruption. The following are key anti-bribery and corruption (ABAC/ABC) laws and regulations from around the world that are particularly relevant to third-party risk, as intermediaries (agents, resellers, consultants, distributors, etc.) are often a primary source of bribery and corruption exposure.
    • USA Foreign Corrupt Practices Act (FCPA) 
    • United Kingdom Bribery Act
    • France Sapin II Law
    • Canada Corruption of Foreign Public Officials Act (CFPOA)
    • Germany Anti-Corruption Laws / Corporate Sanctions Act (proposed)
    • Brazil Clean Company Act
    • India Prevention of Corruption Act
    • China Anti-Unfair Competition Law & Criminal Law Provisions
    • Australia Criminal Code Act – Division 70
    • Multilateral Frameworks Influencing National Laws: OECD Anti-Bribery Convention, UN Convention Against Corruption (UNCAC), Transparency International Guidelines
  • Environmental Regulations. This category could expand much more, here are some that are top of mind currently:
    • European Union Regulation on Deforestation-free Products
    • European Union Battery Regulation
    • European Union Registration, Evaluation, Authorisation, and Restriction of Chemicals (REACH)
    • California Senate Bill 253 (SB 253): Climate Corporate Data Accountability Act
    • California Senate Bill 261 (SB 261): Climate-Related Financial Risk Act
    • Chinese Due Diligence Guidelines for Responsible Mineral Supply Chains
    • China Restriction of Hazardous Substances (RoHS) Directive
    • Japan The Act on Promoting Green Procurement
    • Japan The Clean Wood Act
    • Singapore Mandatory Climate-Related Disclosures
    • Global (many countries and states/provinces) Extended Producer Responsibility
    • Global liability and regulation related to PFAS (Per- and Polyfluoroalkyl Substances – Forever Chemicals)
  • Privacy & Information Security. The following are the significant privacy related laws and regulations that impact third-party relationships:
    • California Consumer Privacy Act (CCPA)
    • California Privacy Rights Act (CPRA)
    • New York SHIELD Act
    • Virginia Consumer Data Protection Act
    • Colorado Privacy Act
    • Connecticut Data Privacy Act
    • Utah Consumer Privacy Act
    • USA HIPAA (Health Insurance Portability and Accountability Act)
    • USA GLBA (Gramm-Leach-Bliley Act)
    • USA FTC Safeguards Rule
    • European Union General Data Protection Regulation (GDPR)
    • European Union NIS Directive
    • European Union NIS2 Directive
    • United Kingdom GDPR (Post-Brexit version of GDPR)
    • United Kingdom Data Protection Act
    • Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Québec Law 25
    • Australia Privacy Act
    • Australia Notifiable Data Breaches Scheme
    • Singapore Personal Data Protection Act (PDPA)
    • Singapore Cybersecurity Act
    • Japan Act on the Protection of Personal Information (APPI)
    • China Personal Information Protection Law (PIPL)
    • China Cybersecurity Law
    • China Data Security Law
    • South Korea Personal Information Protection Act (PIPA)
    • Brazil General Data Protection Law (LGPD)
    • India Digital Personal Data Protection Act

OK, I have not even gotten into things like sanctions, the US Federal Acquisition Regulation, or regulations around animal welfare (a concern in life sciences third-party risk) and inappropriate promotion, and I can keep going . . .

For example, here is the list of third-party risk categories that was put together in one comprehensive third-party risk program at a major life sciences company that I advised on their RFP:

  • Anti-bribery and Corruption (ABAC)
  • Conflict Minerals (CM)
  • Complementary Workers (CW)
  • Environment Health, Safety & Sustainability (EHSS)  
  • Human Safety Information (HSI) 
  • Inappropriate Promotion (IP) 
  • Information & Cyber Security Risk – IT & OT (ICR)
  • Labour Rights (LR) 
  • Privacy (Priv)
  • Sanctions
  • Animal Welfare (AW)
  • Crisis and Continuity Management 
  • Data Integrity (DI)
  • Good Clinical Practice (GCP)
  • Good Laboratory Practice (GLP)
  • Good Manufacturing Practice (GMP)
  • Human Biological Samples Management (HBSM)

In a similar example, here is the list of third-party risk categories from another life sciences firm I interacted with that is delivering a comprehensive third-party risk program:

  • Anti-bribery and corruption
  • InfoSec
  • Information Systems Quality
  • Privacy
  • Animal welfare
  • Business continuity (includes concentration, material)
  • Health, safety, and environment
  • Compliance (promotional practices, bioethics)
  • Product quality and safety (clinical trial, human biological sample management, pharmacovigilance)
  • Strategic sourcing
  • Intellectual property
  • ESG
  • Performance and Contractual
  • Global Security
  • Fourth Party risk across all domains

I also have similar structures from financial services, consumer packaged goods, and many other industries.

Navigating Uncertainty: What My Wife’s Cancer Revealed About Strategic, Environmental, and Operational Resilience

In the past several months, my family has faced a deeply personal challenge — my wife’s battle with breast cancer. Observing her journey through six rounds of chemotherapy, with upcoming surgeries and subsequent immunotherapy treatments, has profoundly illuminated for me the essence and criticality of resilience. As a professional deeply immersed in Governance, Risk Management, and Compliance (GRC), this personal battle has provided significant parallels and lessons that organizations can harness.

At its core, GRC is a capability designed to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance). But to truly master GRC, an organization must build and continuously refine resilience across these areas. Watching my wife courageously face her treatments has crystallized three specific types of resilience that every organization should strategically integrate into its GRC approach: Strategic Resilience, Environmental Resilience, and Operational Resilience.

Strategic Resilience: Adapting and Persisting

Strategic resilience in cancer treatment mirrors how organizations must anticipate, adapt, and respond to risks and uncertainties impacting their strategic objectives. My wife’s treatment plan was meticulously designed based on careful assessments, risk analysis, and projected outcomes. Each chemotherapy round was a strategic choice aimed at aggressively targeting the cancer. However, resilience was essential as each round of treatment came with increasing physical tolls, requiring her — and us as a family — to reassess, recalibrate, and reaffirm our commitment to the end goal of recovery.

Organizations face analogous scenarios when navigating their strategic paths. Resilience is not simply having a strategic plan; it’s maintaining flexibility and adaptability when confronting unexpected challenges or intensified risk exposure. It involves periodically revisiting and revising strategies, ensuring alignment with evolving realities, and reinforcing the organization’s commitment to long-term objectives despite short-term setbacks.

Environmental Resilience: Creating Supportive and Sustainable Conditions

My wife’s resilience has also been deeply tied to managing and optimizing her environment. This has included not just physical spaces — maintaining cleanliness, nutrition, rest — but also psychological and social environments, surrounding herself with supportive friends, family, and professionals who provide emotional and mental strength, and removing stress from her life. This holistic approach to managing her environmental conditions is pivotal in building and maintaining her overall resilience and health.

In GRC, particularly within the context of the Environmental component of ESG (Environmental, Social, and Governance), organizations similarly must understand and manage their broader environments. Environmental resilience goes beyond mere compliance with regulations. It encompasses creating and sustaining a corporate ecosystem that supports long-term health and adaptability, minimizing negative environmental impacts, proactively enhancing overall corporate sustainability, and acting as a steward of the organization’s environment and the resources it consumes. Just as my wife’s health depends heavily on careful environmental management, organizations thrive best when actively fostering conditions that sustain operational continuity and positive impact.

Operational Resilience: Navigating the Day-to-Day

The everyday challenges of cancer treatment — the logistics of medical appointments, treatments, side effects management, maintaining daily routines, and keeping up morale — have underscored the critical importance of operational resilience. It involves ensuring continuity, adaptability, and effectiveness of daily operations, even under intense pressure and disruption.

Operational resilience within organizations parallels this experience closely. Companies must design and continually refine processes that enable them to respond to disruptions swiftly and effectively. Whether it’s cyber threats, operational outages, regulatory changes, or market volatility, operational resilience ensures continuity, mitigates damage, and sustains performance. Like my wife’s careful attention to daily operational details during treatment, businesses must proactively identify critical processes, vulnerabilities, and dependencies, preparing robust plans and recovery measures that minimize impact when adversity strikes.

Personal to Professional: Universal Lessons in Resilience

The resilience I’ve witnessed in my wife’s battle with cancer transcends individual experience; it encapsulates universal principles applicable to organizational resilience. Strategic resilience emphasizes adaptability and foresight. Environmental resilience focuses on cultivating sustainable and supportive conditions. Operational resilience ensures practical continuity amidst disruption.

By embedding these resilience lessons into their GRC frameworks, organizations can build stronger capabilities to withstand shocks, adapt to change, and sustainably achieve their objectives. Resilience isn’t just about survival; it’s about emerging stronger, wiser, and better prepared for the future challenges we inevitably face.

My wife’s journey through cancer treatment continues to inspire me every day, illuminating resilience not as a reactive stance but as a proactive, deeply ingrained practice essential for personal and organizational strength, stability, and growth.

For those interested, you can follow her on Instagram, where she documents her journey and resilience through cancer.

Putting IRM in its Proper GRC Context

A small, obscure, and misguided segment of the analyst community promotes Integrated Risk Management (IRM) as a replacement for Governance, Risk Management, and Compliance (GRC). This group incorrectly portrays GRC as focused on compliance, missing the broader and essential elements—governance and risk management—that are foundational and integral to GRC as established over two decades ago by the OCEG GRC Capability Model.

Understanding True GRC

GRC, clearly articulated by the OCEG GRC Capability Model, is defined as “a capability to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance).” It is critical to emphasize the structured sequence and inherent logic in this definition:

  • Governance (G). Establishes clear organizational objectives and measures performance against these objectives. Without governance, an organization cannot define or assess success and will lack the foundation for meaningful risk management. This goes from entity level objectives down into operational level objectives.
  • Risk Management (R). According to ISO 31000, the international standard for risk management, risk is “the effect of uncertainty on objectives.” Thus, risk management logically follows governance—it requires clearly articulated objectives as its necessary context.
  • Compliance (C). Compliance ensures acting with integrity by adhering to both mandatory and voluntary obligations, forming the operational boundaries within which governance and risk management operate.

This logical structure—G flowing to R and bounded by C—is the true essence of GRC.

The Misguided Push for IRM

Despite the longstanding clarity and industry-wide acceptance of the GRC framework, a minor segment (one analyst) has attempted to elevate IRM as a superior or successor concept. Their argument suggests that traditional GRC has “failed” and is overly compliance-focused. This narrative is fundamentally flawed:

  • It inaccurately redefines GRC as compliance-centric, ignoring the essential roles of governance and risk management.
  • It overlooks that IRM, properly executed, is already encompassed within the risk management component of GRC.
  • It mistakenly suggests that IRM technology is distinct or superior, despite the reality that IRM-labeled technology overlaps entirely with existing GRC solutions.

The reality is clear: IRM, when correctly understood, is simply the “R” in GRC—risk management integrated fully with governance and compliance.

OCEG’s Clear and Consistent Perspective

OCEG—the global authority on GRC—recognizes and clearly articulates this correct perspective. IRM, as OCEG presents it, serves governance and enhances compliance by effectively managing uncertainty in alignment with organizational objectives.

OCEG has actively reinforced this proper understanding of IRM by introducing the Integrated Risk Management Professional Certification, complementing their foundational certifications such as:

OCEG further supports specialized domain knowledge with certifications such as:

This suite of certifications reflects OCEG’s comprehensive approach, ensuring practitioners understand that IRM is not separate from but integral to the broader GRC strategy that governs it.

Organizations seeking meaningful results from their governance, risk, and compliance activities (strategy, people, process, and supporting technology) must reject misleading narratives that position IRM in opposition to GRC. True IRM exists within GRC, guided by clear governance objectives and defined compliance boundaries.

For more clarity and guidance, organizations and professionals are encouraged to explore OCEG’s robust framework and certifications, reinforcing that true IRM is always and only meaningful within the comprehensive context of GRC.

Proactive third-party risk management: A governance-based strategy

No organization is an isolated entity. It is part of an extended enterprise of suppliers, vendors, service providers and other third parties. This complex web of relationships drives efficiency and innovation, but it also introduces significant risk and resilience challenges. Ensuring the reliability, integrity, compliance and resilience of third-party relationships is no longer a best practice, it is a business imperative.

Third-party risk management (TPRM) extends beyond traditional procurement and vendor assessments. It encompasses a holistic approach that integrates governance, risk management and compliance (GRC) across the entire lifecycle of third-party relationships, spanning onboarding, ongoing monitoring and offboarding.

In this context, this means organizations must . . .

[The rest of this blog can be read on the IBM blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Navigating the RegTech Universe: Charting a Path Through a Maze of Offerings

In today’s rapidly evolving regulatory landscape, organizations face an increasingly complex and dynamic environment where managing compliance obligations demands agility, efficiency, effectiveness, resilience, and innovation. At the intersection of technology and regulation, RegTech has emerged as a pivotal component/segment within the broader Governance, Risk Management, and Compliance (GRC) market, offering transformative solutions that enable organizations to stay ahead in the fast-moving regulatory world.

As the #2 influencer in RegTech (ask ChatGPT), here are some thoughts . . .

Regulatory Technology, or RegTech, leverages technology — most notably with artificial intelligence (AI) — to streamline compliance processes, enhance risk management, and automate the monitoring and reporting of regulatory obligations. As part of the broader GRC market, RegTech has significantly reshaped how organizations approach compliance, transforming what was once viewed merely as a burdensome cost center into a strategic enabler of business agility, efficiency, and resilience.

A core facet of my analysis at GRC 20/20 has been evaluating RegTech’s evolution, capabilities, and market traction. The landscape is rich, complex, and rapidly expanding. While AI dominates discussions around innovation in RegTech, I frequently caution organizations to look beyond the buzzword. In reality, there are compelling and sophisticated implementations of AI in RegTech, but equally, there are solutions akin to the “Wizard of Oz” — where behind the curtain, humans continue to operate many processes manually, diminishing the true promise and effectiveness of AI-driven RegTech automation.

Ultimately, navigating the RegTech universe demands clear-sighted evaluation of technologies—understanding what truly offers innovative AI capabilities versus solutions where AI is more promise than reality. As we delve deeper into this universe, we equip organizations with the insights and tools needed to leverage RegTech strategically, driving true governance, risk, and compliance effectiveness.

As RegTech continues to evolve and mature within the GRC landscape, staying informed, critical, and forward-looking remains key to successfully managing regulatory risk and harnessing technology’s full potential.

GRC 20/20 maps several key areas within RegTech:

  • Regulatory Change Management. Ensuring firms keep pace with evolving regulations globally, from horizon scanning to implementing controls and updating policies.
  • Regulatory Reporting. Automating the collection, analysis, and submission of regulatory data.
  • Operational Risk and Internal Control Management and Benchmarking. Enhancing and benchmarking resilience and internal control effectiveness.
  • Transaction and Trade Monitoring. Real-time monitoring to detect unusual or suspicious activities.
  • AML & Financial Crime (FinCrime). Leveraging technology to monitor, detect, and prevent financial crime.
  • Know Your Customer (KYC). Streamlining customer due diligence processes and improving accuracy.
  • Conduct and Surveillance. Monitoring behaviors and transactions to ensure compliance with internal and external regulations.
  • Financial Risk Management. Managing risks associated with financial operations, including market, credit, and liquidity risks.

One area of RegTech experiencing tremendous traction globally is Regulatory Change Management. At GRC 20/20, I’ve observed this as one of the most pressing and prominent use cases gaining traction worldwide. Regulatory Change Management, vital in today’s turbulent compliance environment, encompasses monitoring regulatory changes through horizon scanning, assessing the business impact, and managing responses to ensure organizations remain compliant.

My interactions around the globe underscore that efficient Regulatory Change Management solutions can dramatically mitigate compliance risks and optimize operational efficiency. The traction in Regulatory Change Management has been evident in my international engagements. Soon, I’ll be sharing insights in the upcoming workshops in Toronto and Zurich:

In the context of AML and FinCrime RegTech, this engagement continues at the AML & FinCrime Summit in New York City tomorrow, where I’ll moderate both the keynote panel and another significant session, bringing into sharp focus how RegTech effectively combats financial crime through smarter AML processes, transaction monitoring, and KYC (Know Your Customer) protocols. These panels are:

Looking ahead, I am also deeply involved with the Global RegTech Summit 2025 in London (May) and New York City (September), highlighting RegTech’s growing global significance. These summits reflect critical industry insights, innovation trends, and practical adoption strategies to help organizations thrive in increasingly complex regulatory landscapes.

Looking forward, the Global RegTech Summit 2025 takes place in London in May and, later this year, in New York City in September. These events serve as pivotal platforms for industry leaders and innovators to collaborate, exchange ideas, and explore solutions that define the future of regulatory compliance.

Rise of the Digital Trust & Resilience Officer: Death of the CISO, Part 2

In my previous post, The Death of the CISO: A Eulogy & Reincarnation, I argued that the traditional role of the Chief Information Security Officer (CISO) is evolving—or rather, undergoing a necessary transformation. The response was overwhelming, with over 100,000 views on LinkedIn alone, demonstrating that this shift is not only necessary but deeply resonant across industries. While some loved their CISO title, nobody argued with my premise that this role is not the same and has evolved. Information security in the title does not adequately describe this role anymore.

The question now is, what should the CISO become?

I initially posited the title of Digital Risk & Resilience Officer, but upon further reflection, I believe a better mantle may be Digital Trust & Resilience Officer. Why? Because trust—not just risk management—is the foundation of the modern digital enterprise. Trust is proactive, holistic, and forward-looking. Risk management, while crucial, is what achieves and enables trust, but is often perceived as a cost center rather than a business enabler.

Why Digital Trust is Paramount in Today’s Business Environment

The world operates on digital trust. Every transaction, every customer interaction, every collaboration within and beyond the enterprise is predicated on confidence in the integrity, confidentiality, availability, security, and ethical stewardship of data, information, and digital infrastructure/architecture. Without trust, digital transformation collapses under the weight of skepticism, uncertainty, and regulatory scrutiny.

Consider the following:

  1. Trust is the Ultimate Brand Currency. The digital economy has ushered in an era where businesses are built not just on products or services, but on relationships. Those relationships, in turn, are founded on trust. Companies that cultivate digital trust enjoy stronger brand loyalty, higher customer retention, and a distinct competitive advantage. A single breach—whether of data, privacy, or ethics—can shatter that trust, sometimes irreparably. Just ask any organization that has suffered a high-profile cybersecurity incident and watched its stock price plummet and customers flee.
  2. Trust Extends Beyond the Enterprise. Organizations no longer operate in isolation. The modern business ecosystem is an extended enterprise that includes third parties, suppliers, contractors, cloud providers, and strategic partners. A security vulnerability or compliance failure anywhere in this network can disrupt operations, expose sensitive information, and damage reputations. Managing risk is necessary—but instilling trust throughout the digital ecosystem ensures continuity, resilience, and shared confidence in business relationships.
  3. Stakeholders Demand Trust, Not Just Risk Mitigation. Investors, regulators, employees, and customers are no longer satisfied with mere compliance. They demand ethical AI, responsible data governance, robust cybersecurity, and transparency in risk management. The organizations that lead with trust—rather than just react to risks—are the ones that will attract investment, talent, and long-term loyalty.
  4. Trust is the Foundation of Innovation. Organizations that are mired in constant risk aversion struggle to innovate. Fear-based risk management stifles digital transformation and agility. Conversely, a trust-based approach empowers businesses to adopt new technologies, expand into new markets, and experiment with emerging business models—secure in the knowledge that their digital foundation is strong, resilient, and credible.

Digital Trust is More Valuable Than Digital Risk Management

Risk management is essential, but it does not inspire confidence by itself. Trust, on the other hand, is a business driver. Trust fosters engagement, enables growth, and secures long-term business viability. Risk is the effect of uncertainty on objectives. One of those core objectives, in this context, is digital trust. Digital trust is the focus and goal, and it provides the context for risk management.

While risk must be understood, controlled, and mitigated, trust must be actively built, nurtured, and expanded. Consider:

  • Trust enhances business value. Companies with strong trust postures outperform their competitors in customer satisfaction, revenue growth, and market valuation.
  • Trust is proactive. Risk management seeks to manage the uncertainty affecting objectives, and it operates in reaction to the objective of digital trust. Trust itself ensures positive engagement.
  • Trust builds resilience. Organizations with high trust are more adaptive in crises, better at recovering from incidents, and more likely to maintain customer and investor confidence in uncertain times.

Reframing the CISO as the Digital Trust & Resilience Officer

The modern CISO cannot simply be a guardian of risk and controls. That role, while critical, is too narrow, too limiting. The future demands a leader who ensures trust in the digital enterprise—a leader who integrates cybersecurity, privacy, ethics, governance, compliance, and digital operational resilience into a seamless strategic function. This is not just a semantic shift; it is a fundamental redefinition of purpose and value.

The Digital Trust & Resilience Officer:

  • Builds confidence in digital transactions, interactions, and data stewardship.
  • Ensures resilience not just against cyber threats, but against any disruption to trust (e.g., AI bias, regulatory misalignment, unethical data use).
  • Engages with the board and executive leadership as a strategic partner, demonstrating how trust translates into business value.
  • Leads a proactive culture of integrity, security, and digital ethics rather than one of fear and restriction.

The Future of Digital Trust & Resilience

As organizations continue to navigate the complexities of digital transformation, trust will become an even more critical differentiator. The role of the CISO—or its successor—must evolve beyond security and risk oversight into one that fosters and maintains digital trust and operational resilience across the digital enterprise.

What do you think? Should the CISO evolve into the Digital Trust & Resilience Officer? Or does the focus on risk still hold more weight and it should be the Digital Risk & Resilience Officer? Or do you prefer sticking to the old CISO title? I’d love to hear your thoughts.

The Regulatory Divide: How EU and US Approaches Shape Business Strategy

Regulatory frameworks define how businesses operate, innovate, and ensure compliance in different jurisdictions. When comparing the regulatory landscapes of the European Union (EU) and the United States (US), a stark contrast emerges. While both regions aim to balance economic growth with governance, their priorities and methodologies differ significantly.

Principles vs. Prescription: A Cultural and Regulatory Divide

One of the most notable distinctions between EU and US regulations is the approach to compliance. The EU regulatory framework is predominantly principles- and outcome-based, requiring organizations to meet broad objectives while allowing flexibility in how they achieve compliance. This originally started in the United Kingdom under the Financial Services Authority (FSA) before it became the Financial Conduct Authority (FCA). It then moved over to the EU to become part of the better regulatory policy. In contrast, US regulations are often more prescriptive, providing detailed rules and checklists that companies must follow to the letter.

This difference manifests in multiple ways:

  • Differences in Risk Management Perspectives. European regulations emphasize a top-down, strategic view of risk, integrating governance and compliance into broader business objectives. The US, however, often adopts a bottom-up, checklist-driven approach to compliance. As a result, EU regulations take a more risk-based approach to compliance than those of the US.
  • Corporate Responsibility. EU regulations such as the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Corporate Sustainability Reporting Directive (CSRD), and many more focus on ethical considerations, consumer rights, and corporate accountability. US regulations, while robust in areas like financial reporting and anti-corruption, tend to prioritize business efficiency and liability mitigation over broader societal concerns. In a panel I hosted last week, #RISK Digital North America – EU Regulations as a Strategic Compass for US Companies, the panelists and I stated that the EU has a more people-first, people-centric approach to regulation.

Increased Demand for Evidence-Based Compliance

A key trend driving regulatory evolution is the growing demand for evidence-based compliance. As highlighted in recent discussions, EU regulations are increasingly requiring organizations to not only implement policies but also provide auditable, documented proof of compliance. This shift moves compliance beyond check-the-box exercises to defensible, data-driven processes that regulators can scrutinize.

In contrast, US compliance practices still lean heavily on procedural adherence. While legal and regulatory frameworks mandate compliance, they often fall short of requiring the same level of ongoing, evidence-backed validation we are now seeing in EU governance and compliance. This difference further reinforces the EU’s principles-based approach, where organizations must demonstrate not just compliance but also effectiveness in achieving regulatory objectives.

Extraterritorial Impact: The EU’s Regulatory Reach

A defining characteristic of EU regulations is their global reach. Laws such as GDPR and CSRD extend beyond Europe’s borders, affecting any company that handles EU citizens’ data or operates within the EU market. This approach has influenced regulatory developments worldwide, inspiring similar legislation in Brazil (LGPD), India (DPDP Act), and even state-level privacy laws in the US, such as the California Consumer Privacy Act (CCPA).

For many US businesses, this extraterritoriality means that compliance with EU regulations is no longer optional. Companies aiming for global expansion must align with EU standards to maintain market access, mitigate risks, and build consumer trust.

The Competitive Advantage of EU Compliance

While compliance with EU regulations can be complex and resource-intensive, it offers strategic benefits for US companies. Businesses that proactively adopt EU-aligned practices position themselves for success in a global economy by:

  1. Enhancing Consumer Trust. European regulations emphasize data protection, ethical AI usage, and environmental and social responsibility and sustainability. Companies that adhere to these principles can differentiate themselves as trustworthy brands in an era of growing consumer concern over privacy and corporate ethics.
  2. Strengthening Resilience. EU regulations often take a holistic, long-term approach to risk, ensuring organizations are prepared for regulatory shifts, cybersecurity threats, and environmental changes. This proactive stance can help companies navigate future uncertainties more effectively. There is a stronger regulatory focus on operational resilience across Europe, including the United Kingdom, not just the EU.
  3. Facilitating Market Expansion. Aligning with EU regulatory frameworks simplifies entry into multiple international markets that follow similar standards. It also reduces the friction of adapting to evolving global compliance requirements.

An additional layer to this discussion is the comparison between the US and the UK/EU on risk and compliance approaches. As noted in previous posts of mine, European regulatory frameworks tend to be more sophisticated in how they integrate compliance into broader risk management structures. The UK’s Financial Conduct Authority (FCA) pioneered the principles-based compliance model before the EU widely adopted it, shaping modern regulatory expectations that prioritize adaptability and accountability.

Meanwhile, US compliance programs frequently rely on detailed, rule-based frameworks that focus on legal adherence rather than proactive risk management. This gap often leaves US companies reacting to regulatory updates rather than integrating compliance into long-term strategy. For organizations that operate internationally, bridging this gap by adopting EU-style governance models can create a significant competitive advantage.

Looking Ahead: The Future of Regulation

The EU continues to lead in shaping global regulatory trends, particularly in AI governance, digital resilience, and ESG (Environmental, Social, and Governance) requirements. Yes, the EU Omnibus has restructured CSRD and CS3D, but it is still significant. Emerging regulations like the EU AI Act and ESG reporting standards signal a shift toward greater corporate accountability and sustainability.

Meanwhile, the US remains fragmented in its regulatory approach, with states enacting their own laws in the absence of comprehensive federal legislation. However, as global regulatory alignment increases, US businesses that take a forward-looking approach by adopting EU-driven compliance strategies will gain a competitive edge.

Conclusion: A Strategic Compass for US Companies

Rather than viewing EU regulations as a burden, US companies can use them as a strategic compass. By embracing principles-based compliance and aligning with global standards, businesses can drive innovation, strengthen risk management, and build long-term value. The shift toward evidence-based compliance in the EU further underscores the need for organizations to develop robust governance frameworks that go beyond mere adherence and demonstrate real effectiveness.

As the regulatory landscape continues to evolve, adaptability and a commitment to ethical governance will define the leaders of tomorrow. US companies that proactively integrate these principles will not only mitigate risk but also unlock new opportunities for growth, resilience, and trust in an increasingly interconnected world.

GRC Starts with Objectives, Not Risk and Compliance

Too many Governance, Risk Management, and Compliance (GRC) programs are fundamentally backward. Instead of starting with objectives, they focus on compliance checklists or risk registers, often relegating objectives to an afterthought (tags to a risk) — if they are considered at all. What many organizations practice is not true GRC but rather CRG (Compliance, Risk, and Governance in reverse), or worse, just CR (Compliance and Risk) or even simply C (Compliance).

This is not what GRC was meant to be.

The official definition of GRC, as found in the OCEG GRC Capability Model, is:
“GRC is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).”

This definition underscores the correct order of operations in a GRC program—objectives come first. True GRC is about ensuring that an organization reliably sets and achieves its objectives. Risk and compliance are important, but they serve the primary purpose of enabling an organization to meet its objectives while managing uncertainty and maintaining integrity.

Why Objectives Matter in GRC

According to ISO 31000, risk is the effect of uncertainty on objectives. This means that without a clear understanding of objectives, risk management is meaningless. Objectives define what the organization is trying to achieve, and risks are uncertainties that could impact those objectives.

Objectives exist at multiple layers within an organization:

  • Entity-Level Objectives – Overall strategic and corporate objectives
  • Divisional & Departmental Objectives – Goals specific to business units and teams
  • Process & Project Objectives – Performance and operational targets within workflows
  • Asset & Third-Party Objectives – Expectations and performance metrics for resources and external partners

Governance is about setting the right objectives and ensuring they are reliably achieved. This means that governance is not just about oversight but about performance. Effective governance structures define and track objectives, ensuring that risks are managed in a way that enables the organization to meet its goals.

The major difference between Europe and the USA in risk management approaches further highlights this issue:

  • Europe – Risk management is closely aligned with ISO 31000 and is focused on business objectives.
  • USA – Risk management tends to be more compliance-driven, often reduced to checklists primarily for SOX compliance.

Even compliance frameworks in Europe are more principle-based and outcome-oriented, requiring organizations to demonstrate how they achieve compliance objectives. In contrast, the USA’s compliance landscape is often prescriptive, with a heavy reliance on checkboxes rather than achieving meaningful business outcomes.

Understanding this nuance between Europe and the USA is why many USA solution providers fail in their marketing in Europe. The focus and messaging are different.

Environmental, Social, and Governance (ESG) initiatives are another example of how objectives should drive GRC. ESG is fundamentally about setting and achieving sustainability and ethical business objectives. Risks and compliance requirements follow from those objectives, not the other way around. An organization may set the objective of being carbon neutral by a certain date, of eliminating PFAS (forever chemicals) from its products, or of having zero tolerance for modern slavery. These are objectives. Organizations that start with ESG risks without defining clear objectives are missing the point.

The Problem: Many GRC Programs and Technologies Get It Wrong

The vast majority of GRC programs within organizations, and the GRC technology that supports those programs, fail to align with this definition. They start with risk registers, controls, or compliance requirements, leaving objectives as a tertiary consideration (if at all). This approach fundamentally undermines the value of GRC by detaching it from what actually drives the organization—its strategic, financial, operational, and ethical objectives.

Unfortunately, most GRC technology platforms do not start with objectives. Many organizations have adopted GRC solutions that are nothing more than compliance management systems or risk registers. They focus on risk registers, controls, and compliance requirements, treating objectives as an afterthought or a tag to a risk. These solutions focus heavily on checklists, regulatory mappings, and control frameworks, but they fail to establish a direct link to the business’s core purpose: achieving objectives.

Only a few solutions in the market truly address the “G” in GRC by prioritizing business objectives and performance against those objectives. If you’re looking for a GRC solution that genuinely starts with objectives, feel free to reach out — I can point you to those that get it right, or mostly right. As an analyst I cover the range of solutions available in the market.

Conclusion: Get GRC Right by Starting with Objectives

If your organization’s GRC program starts with risk and compliance instead of objectives, it’s time for a reset. Good GRC is about ensuring the organization reliably achieves its objectives, manages uncertainty effectively, and acts with integrity. Governance, risk management, and compliance should work together in that order—starting with a clear understanding of business goals.

To truly unlock the value of GRC, organizations must shift their focus from checkboxes and control frameworks to strategic and operational performance. Objectives are not an afterthought; they are the foundation of good GRC.