Category: The GRC Pundit Blog

Part 2 in the GRC Orchestrate Series

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we’ll explore how these ideas are transforming both vendor landscapes and enterprise architectures.

In last week’s article, we introduced the concept of GRC 7.0 – GRC Orchestrate, a revolutionary-evolution of Governance, Risk Management, and Compliance. This next-generation approach envisions GRC as a dynamic and intelligent capability—one that continuously aligns business objectives, operational performance, obligations, and uncertainty across the enterprise. We explored how Agentic AI and digital twins transform traditional GRC into a living, learning system.

In this second installment, we dive deeper into one of the most transformative pillars of GRC Orchestrate: the Digital Twin.

GRC Orchestrate Is the Future: But the Journey Is Just Beginning

GRC 7.0 is a forward-looking framework that is beginning to materialize through early use cases and foundational technologies. While some organizations — particularly in Europe — are already piloting orchestration capabilities in strategy, compliance, and risk alignment, widespread adoption across the global market is will grow until 2030 when it becomes fully mature. Much of North America, for instance, is behind and still climbing toward GRC 6.0: Business Integrated GRC, focusing on embedding GRC into the business and linking it to strategic performance.

Before GRC can orchestrate, it must first integrate. That means aligning objectives with obligations, risk with decision-making, and policies with operations. But once these foundations are in place, organizations can evolve toward orchestration: where GRC capabilities dynamically interact, learn, adapt, and simulate. A core and critical piece of this next step lies the digital twin, which provides the structure, foresight, and simulation power to bring orchestration to life.

Digital Twins in GRC: Seeing Around Corners, Navigating Possibility

In the Marvel Cinematic Universe, Dr. Strange embodies the role of the ultimate Chief Risk Officer. In Avengers: Endgame, he explores over 14 million possible futures, seeking the one path to success. This fictional moment captures what digital twins offer in the real world of GRC: the ability to model complex futures, simulate countless outcomes, and make informed, strategic choices before events unfold.

A digital twin is a virtual, evolving software model that mirrors the enterprise: its structure, operations, risks, controls, policies, obligations, and external dependencies. But it’s not a static mirror; it is context-aware and predictive. It continuously ingests real-time data, refines its assumptions, and runs simulations to project what might happen next.

With GRC 7.0, digital twins become the engine of strategic foresight, allowing organizations not only to track their current GRC posture but to plan for disruptions, regulatory changes, market shifts, and strategic bets. Rather than treating risk and compliance as constraints, digital twins empower organizations to use GRC as a forward-looking capability that unlocks resilience, agility, and opportunity.

Building a GRC Digital Twin: The Eight Structural Pillars

To construct a functional GRC digital twin, organizations must think beyond traditional risk registers and compliance checklists. They must bring together data, logic, and governance layers to form a dynamic representation of the enterprise. Here are the eight structural components and GRC-related use cases with digital twins:

1. Processes and Business Services. Every digital twin, in a GRC context, begins by mapping how the organization actually operates. Business processes — from procurement to HR, from order-to-cash to incident response — are digitally modeled. These aren’t just static diagrams but dynamic simulations tied to workflows, dependencies, and performance data. When a disruption occurs — a regulatory change, a cyberattack, a supply chain interruption — the twin can simulate cascading impacts across services and geographies, allowing for stress testing and rapid reconfiguration of business logic.
2. Risks and Controls. Risk is modeled as a living variable tied to objectives. It is not just about capturing threats but about understanding how they evolve and interact. Each control is also represented as a live mechanism; complete with effectiveness ratings, failure scenarios, and response protocols. Together, they form the reasoning core of the twin: simulating what happens when risks escalate, controls degrade, or new threats emerge. Executives can model trade-offs and prioritize mitigation based on real-time risk-adjusted views of performance.
3. Events, Issues, and Audits. A robust digital twin learns from the past. Historical issue logs, audit findings, and incident reports are not archived, they become behavioral patterns. These patterns inform the twin’s predictive capacity: highlighting weak signals before incidents recur, modeling root cause propagation, and identifying systemic control vulnerabilities. Over time, the digital twin becomes a risk historian and a resilience strategist.
4. Policies and Regulations. Policies are no longer just documents, they are structured data elements that include links to obligations, regulatory jurisdictions, control mappings, and enforcement logic. When new regulations are proposed or passed, the digital twin models the policy impact across the organization: which documents require revision, which functions must attest, which controls must be reoriented. This capability enables anticipatory compliance, getting ahead of regulatory shifts instead of reacting late.
5. Real-Time Telemetry. The digital twin is fed continuously by telemetry from internal and external systems: cybersecurity alerts, ESG performance sensors, supply chain data, finance systems, and more. This stream of data provides the situational awareness needed to adjust simulations dynamically. When a vendor’s ESG score drops or a new threat pattern is detected, the twin instantly recalibrates exposure and updates its recommendations, closing the gap between sensing and decision-making.
6. Strategic Planning & Scenario Analysis. Perhaps the most powerful use case for digital twins is strategic scenario simulation. Leaders can explore “what-if” questions in real time: What if we divest a business unit? Enter a new market? Reallocate compliance resources? The twin simulates outcomes across risk, cost, compliance, and performance. It acts as a virtual war room, a sandbox for executive decision-making that reduces uncertainty and enhances agility.
7. Extended Enterprise. Third parties are modeled not just as data points but as interconnected nodes in the operational fabric. The digital twin captures performance metrics, compliance status, obligations, and exposure for each vendor, partner, or supplier. It enables the simulation of third-party failure or disruption, helping organizations prepare for—and prevent—cascading risk. GRC no longer ends at brick-and-mortar walls and traditional employees; it extends across the value chain.
8. Regulatory Change Modeling. By combining horizon scanning with large language models and machine-readable regulatory updates, the twin can model the likely impact of future rules. This enables organizations to simulate different legal landscapes, estimate compliance costs, and adjust investment decisions accordingly. The twin transforms compliance from reaction to foresight—from an audit trail to a strategic compass.

From Digital Mirror to Digital Conductor

A mature GRC digital twin doesn’t just reflect reality: it guides it. It evolves from a digital mirror into a digital conductor, orchestrating the flow of data, decisions, and adjustments across governance, risk, and compliance domains.

Imagine asking a natural language interface:

• “How would ESG reporting requirements in Southeast Asia impact our current vendors?”
• “What’s the control confidence across our top 10 revenue-generating processes if we cut IT compliance spend by 15%?”
• “Which regulatory regimes are converging in our product roadmap jurisdictions, and what’s the associated risk delta?”
• “If China invades Taiwan, how does this impact our supply chain and ability to deliver products/services and maintain operations?”
• “What are the top resilience issues in our digital supply chain with dependencies on critical services?”

The digital twin answers not with reports, but with simulations, visualizations, and prescriptive actions — each grounded in data, logic, and context. This is the future of GRC: contextualized, autonomous, and orchestrated.

Why It Matters: Building Tomorrow on Today’s Foundation

The effectiveness of a digital twin tomorrow depends entirely on the integrity of the data and governance structures built today. Organizations cannot orchestrate what they cannot understand. Siloed risk functions, unstructured policies, and outdated control frameworks will hinder simulation and automation.

To prepare, organizations must:

• Define and maintain a shared GRC ontology.
• Integrate policy, process, risk, and control data.
• Tag obligations and controls with metadata.
• Normalize risk assessment and treatment workflows.

These are not just investments in compliance or audit readiness, they are prerequisites for future-readiness.

Conclusion: Orchestrating the Future

Digital twins are not dashboards. They are strategic instruments of foresight. They empower GRC to shift from accountability to adaptability, from control to intelligence. In a world where uncertainty is constant and integrity is non-negotiable, digital twins help organizations chart a path forward: one that is intentional, informed, and integrated.

GRC 7.0 isn’t about the tools we buy, it is about the architectures we build and the intelligence we embed. As we continue this journey, stay tuned for Part 3 in the GRC Orchestrate series: an in-depth look at Agentic AI — the autonomous force behind the orchestration.

GRC 7.0 isn’t a destination. It’s the command framework for the next generation of decision-making.

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we’ll explore how these ideas are transforming both vendor landscapes and enterprise architectures.

Agentic AI, Digital Twins, and the Enterprise-Wide Command Center for GRC: Objectives, Uncertainty, and Integrity

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we’ll explore how these ideas are transforming both vendor landscapes and enterprise architectures.

The world of Governance, Risk Management, and Compliance is shifting toward orchestration: a continuous, intelligent alignment of decisions, data, and direction across the entire enterprise. Welcome to GRC 7.0 – GRC Orchestrate: the convergence of agile infrastructure, cognitive intelligence, and business integration into a unified operational model. This is not merely a technological trend. It is the systemic evolution of how organizations pursue objectives, navigate uncertainty, and act with integrity.

Importantly, the concept of GRC Orchestrate has roots not in hype, but in visionary groundwork. Over five years ago, I collaborated with Ian Hollowbread, then Chief Operating Officer for Digital Innovation at ING and Head of ING Labs. Ian coined the term GRC Orchestrate and led pioneering work to build a cohesive model where governance, risk management, and compliance, particularly in a RegTech context, were no longer fragmented, but orchestrated throughout the organization and its operations. Even before today’s AI gold rush, Ian envisioned a future in which regulatory obligations, risk signals, and business decisions flowed seamlessly through a unified digital architecture: an early vision now being realized.

Real-world implementations are bringing this vision to life. I recently saw this vividly illustrated in EY Germany’s One Governance framework, which offers a modular, federated, and objective-aligned governance architecture. Their approach intelligently integrates domains such as performance management, risk, internal control, compliance, resilience, and sustainability through a shared platform model. With its ontological rigor, digital twin enablement, and data-driven design, One Governance is a tangible embodiment of what GRC Orchestrate aspires to deliver: integrated oversight, real-time coordination, and contextual governance across every layer of the enterprise. It uses the power of a performance management system combined with its ability to integrate, – automate and reconfigure itself. Like a Hydra who grows a new head when one is cut off!

G: Governance – Setting, Steering, and Achieving Business Objectives

At its core, governance is about defining direction and ensuring the organization stays on course, not just through oversight, but through active alignment with strategic objectives. In the GRC Orchestrate model, governance becomes a continuously monitored and dynamically adjusted capability embedded in software: always-on, adaptive, and linked to business performance.

Boards are no longer waiting for quarterly dashboards. They are engaging with live, interactive systems that model objectives, track performance indicators, and simulate decision paths. They interact with live, intelligent systems that continuously model objectives, measure performance, and adapt pathways.

Agentic AI empowers this new governance. What one collaborator playfully called “Squids” for their digital tentacles that act on behalf of governance functions to monitor objective progress, flag deviations, and recommend corrective actions. For example, in a multinational bank expanding into new markets, governance agents track whether ESG, compliance, and financial objectives are progressing in sync. They identify gaps between corporate intent and local execution, triggering policy refinement, stakeholder engagement, or investment recalibration. 

Think of it like high-frequency strategic governance: where agents don’t just report but act, simulate, and refine. In a multinational bank, for example, these agents assess ESG, financial, and compliance progress in real-time, recommending actions when strategic objectives drift from execution.

At the heart of this system are Digital Governance Twins: virtual models of an organization’s governance architecture, including policies, committees, mandates, legal entities, and lines of accountability. These twins support scenario modeling, such as evaluating what happens to governance coverage if the organization restructures or divests a business unit. The governance layer is also federated: global objectives and governance mandates cascade into local adaptations while maintaining traceability.

GRC Orchestrate Contexts for Governance:

• Governance is the process of setting, steering, and achieving enterprise objectives.
• GRC Orchestrate transforms governance from static oversight into a dynamic, agent-supported capability.
• Digital Governance Twins model real-world governance structures, enabling simulation and proactive steering.
• Agentic systems track performance across objectives and trigger governance interventions when necessary.
• Federated policy governance enables global alignment with local adaptability, reducing policy drift.

R: Risk – Navigating the Uncertainty That Affects Objectives

Risk is not about what might go wrong in the abstract. Risk is the effect of uncertainty — both threats and opportunities — on the achievement of objectives. This framing is critical: GRC 7.0 does not see risk merely as negative events to avoid but as dynamic uncertainty to model, simulate, and leverage.

In GRC 7.0, risk management becomes a live, interconnected, and agent-driven process that is deeply tied to business performance. Risk is evaluated in the context of what the organization is trying to achieve, and continuously assessed as new data, decisions, and disruptions emerge

GRC Orchestrate leverages Agentic AI to monitor internal operations, external environments, and cross-functional dependencies. These agents scan for leading risk indicators, regulatory shifts, market disruptions, and operational anomalies. They perform real-time analysis, conduct simulations, and propose mitigations tailored to specific objectives. This marks a shift from reactive risk registers to objective-centric risk modeling.

With GRC Orchestrate, Agentic AI continuously scans signals across the enterprise: operations, suppliers, regulations, markets. These agents detect patterns, simulate outcomes, and adapt risk responses in real-time. Enabling the organization to “see around corners.” This is a clear break from passive risk registers.

We are entering the realm risk management in strategic decision making and objective-centric risk modeling: where risk data is embedded into decision architectures and dynamically optimized. These are elements that have been in the scope of the definition of GRC going back to the first version of the OCEG GRC Capability Model in 2003, but technology for GRC has not fully delivered in the past.

GRC Orchestrate Contexts for Risk Management:

• Risk is defined as the uncertainty that can affect the achievement of objectives.
• GRC Orchestrate uses agentic AI to proactively monitor risk across internal and external dimensions.
• Objective-centric modeling ties every risk to a strategic, operational, or tactical goal.
• Digital Risk Twins simulate risk impact and support resilience testing across business units.
• Risk becomes a value enabler—integrated into capital planning, innovation, and performance steering.

---

C: Compliance – Acting with Integrity Across Obligations and Expectations

Compliance in GRC 7.0 is not about box-checking or regulatory fire drills. It is about ensuring the organization acts with integrity, upholding internal values and honoring external obligations. GRC Orchestrate redefines compliance as an embedded and predictive assurance function. It continuously aligns internal policies, training, controls, and records with an ever-evolving regulatory landscape.

Agentic compliance systems monitor changes to laws, standards, and stakeholder expectations. When a new law (e.g., EU AI Act or Corporate Sustainability Due Diligence Directive) is passed, agents immediately map the new obligations to affected policies, systems, third-party contracts, and roles within the organization. Gaps are flagged, controls are updated, and relevant personnel are notified—with all actions logged for audit and regulatory review

Yes, compliance agents still interpret laws, monitor obligations, and ensure documentation. But that’s AI Stage 1. In Stage 2 and beyond, compliance becomes predictive, adaptive, and strategic. For instance, an agent could ingest global news about lithium battery incidents, anticipate future regulatory shifts across markets, and recommend adjustments to supply chains before any laws are passed.

Compliance assurance is no longer episodic. It is continuous. Evidence of control effectiveness is gathered in real time through automated monitoring. Compliance AI agents also validate attestations, execute testing protocols, and maintain audit-ready documentation. Integrity is not a campaign: it is operationalized through orchestrated workflows and embedded intelligence.

Take this further: imagine a system where a service contract is ingested, its SLA obligations extracted, metrics connected, workflows created, and actions (like payment blocking) triggered automatically upon breach. No human configuration. The system generates live code based on context. This is not science fiction, it is self-evolving GRC.

This is compliance-as-strategy. We move beyond alerts and attestations toward systems that guide long-term strategic choices, from divestment to product redesign, based on evolving legal and ethical landscapes.

GRC Orchestrate Contexts for Compliance:

• Compliance is about acting with integrity—honoring legal, ethical, and stakeholder commitments.
• Compliance agents continuously interpret new regulations and align internal systems accordingly.
• Obligations are mapped to controls, policies, and evidence in real time, enabling continuous assurance.
• Digital compliance twins model the integrity of the organization’s control environment.
• Predictive compliance reduces regulatory exposure, audit fatigue, and ethical blind spots.

Infrastructure: Ontologies, Twins, and Intelligent Systems

Behind GRC Orchestrate is a robust semantic and operational foundation. It begins with a shared GRC Ontology: a machine-readable structure that defines how governance, risk, and compliance concepts are related. Obligations, risks, controls, policies, processes, entities, and data are not isolated elements, they are interconnected nodes in a contextual map.

This ontology powers Digital Twins of the enterprise: governance twins, risk twins, and compliance twins. These twins are updated in real time and support intelligent simulations, performance forecasting, and assurance scenario modeling. For example, a risk twin might simulate what happens to supply chain resilience if a key vendor fails due to sanctions or ESG violations.

Agentic systems operate within these twins. Each agent follows a defined observe-analyze-act-escalate loop: autonomously processing input, recommending actions, executing tasks within thresholds, and escalating when necessary. All actions are governed by internal rules, ethics frameworks, and audit traceability.

GRC Orchestrate Contexts for Infrastructure & GRC:

• A shared GRC ontology creates semantic consistency across governance, risk, and compliance data.
• Digital twins simulate the current and future state of enterprise GRC capability.
• Agentic AI workflows bring autonomy to risk sensing, compliance testing, and governance monitoring.
• All orchestration is bounded by internal ethics, audit trails, and access controls.
• This infrastructure transforms GRC from function to fabric—a dynamic layer embedded in business execution.

Final Reflection: Orchestrating Integrity, Intelligence, and Impact

The evolution to GRC 7.0 is more than just another phase, it is a structural transformation. The idea that Ian Hollowbread initiated in ING Labs — a single orchestrated platform for governance, risk management, and compliance — is now fully realizable through today’s technologies. And we are already seeing signs of this vision coming to life in real-world implementations. EY Germany’s One Governance framework is an exemplary case. It integrates ISO 31000, COSO, and other global standards into a federated, modular framework with digital twin support, policy lifecycle orchestration, and intelligent GRC services spanning internal control, ESG, resilience, and responsible AI. One Governance is not just a methodology—it is GRC orchestration in action.

This convergence of agentic AI, digital twins, and GRC ontologies is giving rise to systems that learn, adapt, and grow: like living organisms. We are nearing a time when GRC systems behave like a hydra: reconfiguring, regenerating, and redirecting themselves based on context.

This enables GRC where:

• Governance is about setting and achieving business objectives.
• Risk is the uncertainty that affects those objectives.
• Compliance is acting with integrity in pursuit of them.

GRC Orchestrate is the operational system that makes this alignment tangible, real-time, and scalable. It bridges the strategic with the operational, the intentional with the intelligent, and the ethical with the executable.

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we will expand further on this theme—particularly how digital twins and ontological data models are transforming not just how we manage GRC, but how we design resilient, adaptive organizations.

GRC Orchestrate isn’t just the future. It’s what the bold are building now.

We live in an age where risk is no longer an abstract concept relegated to risk registers and quarterly reviews. It is front-page news. It is embedded in our daily operations. It is defining corporate strategy and destabilizing it in equal measure. And nowhere is this more apparent than in the proliferation and intensification of geopolitical risk.

In June alone, across my engagements in Denmark, the UK, and beyond — from financial services to international logistics, from UN agencies to infrastructure providers — geopolitical risk has emerged as the dominant concern. It shapes every conversation, touches every operational dependency, and forces organizations to rethink not just their risk postures but their very business models.

Yet, amid this rising tide of uncertainty, most organizations are not equipped to manage risk as it truly exists: dynamic, interconnected, and globally impactful. Worse, many still approach risk management through outdated lenses: overly focused on compliance, reactive rather than proactive, and siloed from strategy and performance.

To confront this challenge, we must rethink what we mean by “risk management” in Governance, Risk Management, and Compliance (GRC). This is a call to action: to modernize our understanding of the “R” in GRC, to embrace external risk intelligence, and to build agile, objective-centric, and forward-looking risk programs that can navigate today’s complex geopolitical terrain.

---

The “R” in GRC: A Tiered Approach to Risk Management

Over the years, I have articulated a three-level model for understanding and operationalizing risk in the context of GRC. These levels provide a lens through which to evaluate both capabilities and technology solutions—and expose the widening gap between operational routines and strategic foresight.

1. Operational Risk & Resilience (Bottom Layer)

This is where most organizations concentrate their risk efforts. It’s the realm of internal controls, KRIs, incident tracking, risk registers, RCSAs, and risk matrices. It’s often compliance-driven, deeply procedural, and largely focused on the past to the present—what went/can go wrong, and how to prevent recurrence.

This level is insufficient. It’s the reactive muscle of risk management, and certainly not proactive. It’s also where most GRC solutions play, digitizing workflows and supporting regulatory alignment. However, it fails to provide insight into future uncertainty or connects risk to organizational objectives.

These are often necessary activities, particularly from a compliance requirement. But they tell us little about what’s coming next.

2. Objective-Centric Risk & Resilience (Middle Layer)

This is the level where risk management becomes proactive, integrated, and performance-aligned. Risk is not managed in a vacuum but is directly linked to the organization’s ability to achieve objectives: whether operational, financial, or strategic. It requires engagement with front-line operations and cross-functional collaboration. Risks are evaluated in terms of their potential to impact the achievement of objectives. Performance and resilience become two sides of the same coin.

This level of risk management starts to factor in context: economic conditions, regulatory trends, and industry movements. But to fully realize its value, it must be underpinned by external risk intelligence. At the apex lies strategic foresight: the ability to scan the horizon, anticipate disruption, and reallocate resources accordingly to enable the organization to reliably achieve (or exceed) objectives. As ISO 31000 states, risk is the effect of uncertainty on objectives. It involves scenario modeling, war-gaming, and geopolitical forecasting.

3. Strategic Risk & Resilience (Top Layer)

This level of risk management is forward-looking, deeply integrated with the Board and C-suite, and all levels of management. It is critical to sustaining competitive advantage in an era of turbulence. This is the realm of risk-informed decision making.

It’s not just about protecting strategy: it is about shaping strategy through risk-informed intelligence. It’s where risk becomes a strategic asset.

Examples:

• A multinational consumer brand evaluating reshoring manufacturing from East Asia due to rising geopolitical tensions and export controls.
• A financial institution modeling different regional regulatory futures to decide where to expand its crypto asset services.
• An infrastructure company using digital twins to simulate the impact of political instability on supply chains across the Middle East and Africa.

Yet, despite its criticality, this level is the least addressed by traditional GRC technology. Most platforms are built for workflows and compliance — not strategy, objectives, and foresight.

---

The Geopolitical Imperative: Why This Matters Now

The global landscape is more volatile than at any point in recent memory. Consider the following:

• Russia’s war in Ukraine has upended energy markets, global grain supply, and security alliances.
• China-U.S. tensions impact everything from semiconductor supply chains to regulatory compliance in digital services.
• Sanctions regimes are expanding and shifting rapidly—requiring constant monitoring of evolving blacklists and economic restrictions.
• EU regulations are reshaping resilience, supply chain, and digital governance.
• Middle East instability, rising authoritarian nationalism, and emerging conflicts in Africa and Southeast Asia add to the unpredictability.

The result: business strategy and achieving objectives is inseparable from geopolitical context.

In June alone, I had multiple conversations where geopolitical risk was the top concern:

• An international agency trying to unify project, portfolio, and enterprise risk in fragile regions.
• A CISO going to RFP to support digital trust, citing nation-state cyber threats and regulatory risk exposure.
• A global shipping company with risks catalogued, aligning them to operational and strategic objectives through collaborative assurance models and looking to further enhance strategic risk and resilience to support decision making.

In each of these cases, the ability to anticipate, understand, and respond to external developments is what separates resilient organizations from reactive ones.

---

The Missing Ingredient: External Risk Intelligence

This brings us to the heart of the problem. Traditional risk management is inward-facing. It documents internal failures, assigns ownership, and produces metrics. But in a world shaped by external uncertainty, this is not enough.

What’s needed is a robust capability for external risk intelligence, combining two key functions:

1. Horizon Scanning

The ability to identify emerging risks, weak signals, and trend developments before they materialize into crises. This includes:

• Monitoring geopolitical flashpoints.
• Tracking emerging regulatory regimes across jurisdictions.
• Anticipating supply chain disruptions from climate, conflict, or trade policy.
• Identifying reputational risks in social and media landscapes.

2. Situational Awareness

The real-time ability to understand what is happening now: across vendors, geographies, and regulatory regimes. This supports:

• Crisis response planning.
• Incident impact assessments.
• Operational pivoting (e.g., re-routing shipments, adjusting pricing, halting expansion).

Few solutions do this well. Most focus on internal processes, not external monitoring. But I’ve seen several promising approaches. These solutions are beginning to bridge the gap between external reality and internal response.

---

Toward a Risk Intelligence-Enabled GRC Strategy

The way forward is clear. Organizations must evolve their GRC capabilities to incorporate external context and align risk practices with business performance and resilience. This requires:

1. Embedding Risk into Strategic Planning
   Risk officers should sit alongside strategy teams. Risk appetite, not generically but in context of each objective/decision, should shape capital allocation, M&A, market entry, and innovation.
2. Moving Beyond Compliance-Driven Risk Management
   Regulatory compliance is the floor, not the ceiling. True GRC success is about enabling agility, resilience, and performance under uncertainty. This is the very definition of GRC since 2003. The capability to achieve objectives, address uncertainty, and act with integrity.
3. Investing in External Risk Intelligence Solutions
   These should plug into your GRC and operational data environment, contextualizing decisions in real-world conditions.
4. Reimagining Risk Technology
   Demand more from your platforms. Workflow automation is not enough. Seek out tools that integrate strategy, objectives, and external intelligence. I would also highly encourage the use of digital twins.
5. Building a Culture of Anticipation
   Train your teams not just to manage what went wrong, but to ask what could go wrong, and what could go right if we seize the opportunity embedded in risk.

---

Final Thoughts: Risk is Not the Enemy, It Is the Lens

Geopolitical risk is not going away. It is the air we breathe in global business. The challenge is not to eliminate risk but to navigate it intelligently. That requires a new mindset, one that views risk not just as a hazard to avoid but as a lens through which to understand the world, evaluate opportunity, and drive resilient performance.

Let’s stop managing risk as a checklist and start managing it as a strategic capability. It’s time to make the “R” in GRC stand for more than reporting. Let it stand for Resilience, Realism, and Readiness in a world that demands nothing less.

The regulatory landscape is moving at a breakneck pace, and it’s tough to keep up. Organizations everywhere are grappling with a flood of new regulations, amendments to existing laws, and enforcement actions that are putting immense pressure on compliance teams. This is especially true for industries like financial services, where regulatory scrutiny is intense and constantly shifting. But this isn’t just a challenge for financial services, it’s a reality for organizations across all sectors, each facing a maze of complex and often overlapping compliance requirements.

In an environment where accuracy and timeliness are of the utmost importance, staying on top of the ever-changing rules is a Herculean task. But there’s good news, AI and automation are here to help. To stay competitive and compliant, organizations must adopt smarter, more efficient solutions that streamline compliance and strengthen internal controls.

Automation also . . .

[The rest of this blog can be read on the Pathlock blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

---

In the context of Governance, Risk Management, and Compliance (GRC), the “R” – risk management – has often been the most misunderstood, misapplied, and technologically abused component. For all the buzz surrounding risk quantification, operational resilience, and integrated risk frameworks, many so-called “risk management” modules and solutions remain little more than glorified workflow tools — digital filing cabinets that turn risk into a bureaucratic exercise, rather than a driver of strategic value. As GRC has matured over the past two decades, its true purpose has been clarified in the OCEG GRC Capability Model back in 2003: GRC is about the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance). Yet, too many implementations fail to grasp or enable the true purpose of risk management in the GRC context as defined for over 20 years.

Instead of helping organizations understand the uncertainty that impacts their success, many GRC solutions promote risk as static lists, clunky assessment forms, and color-coded heatmaps. These serve compliance goals — especially in contexts like SOX — but they do little to nothing to support strategic decision-making. The result is often a dangerous illusion: the false belief that risk has been “managed” simply because it has been documented. Terry Goodkind’s “Wizard’s First Rule” eerily captures the spirit of this deception — people will believe what they are motivated to believe, even when it isn’t true. In risk management, we have deceived ourselves into thinking that checklists and red-yellow-green matrices provide insight. In reality, they often obscure more than they reveal.

To be blunt: most risk management solutions/modules on the market today are not only weak but counterproductive. They reinforce a ritualized, low-value version of risk management that serves neither governance nor resilience. Worse, they lull organizations into a false sense of security.

The Fallacy of Workflow-Centric Risk Management

Risk management is NOT a workflow engine, it is NOT a ticketing system. While tasks, forms, and assessments are part of the process, they are not its essence. Treating risk management as a set of tickets to be opened and closed misses the point entirely. Good risk management technology must do more than facilitate process: it must enable insight, modeling, foresight, and business alignment.

Most risk management modules I encounter are designed to support compliance, not strategy. They excel at routing forms, assigning accountability, and storing evidence; but they rarely offer:

• Strategic scenario modeling
• Objective-centric analysis
• Meaningful quantification beyond superficial “likelihood × impact” matrices
• Tools for understanding the ripple effects of interconnected risks

In short, they miss the core: risk management as a decision-support discipline.

What Good Risk Management Technology Should Deliver

To move beyond mediocrity, risk management technology must embrace and enable a more strategic, analytical, and dynamic approach. The following are the essential pillars of a modern, mature risk solution:

1. Strategy Management: Risk in Decision-Making

True risk management starts upstream, in the strategic decision-making process. It is not a back-office activity but a front-line enabler of choice and direction. Risk exists where decisions are made. This is the RM2 philosophy espoused by Alex Sidorenko: risk management should live in decisions, not documentation.

Good risk solutions should allow organizations to:

• Embed risk evaluation directly in strategic initiatives, investment decisions, and transformation programs
• Tie risk identification to business cases, investment committees, and planning cycles
• Assess the potential downside and upside of decision alternatives, not just static threats
• Use tools like scenario decomposition, sensitivity analysis, or exceedance curves to inform decision outcomes

2. Objective-Centric Risk Management: Aligning Risk with What Matters

ISO 31000 defines risk as “the effect of uncertainty on objectives.” This is not just semantics, it is a blueprint for action. Risk is not a list of bad things that might happen; it is the uncertainty that affects our ability to perform, to achieve, to grow.

This is the school of thought championed by Tim Leech: risk must be managed in the context of objectives.

Strong risk management software will enable:

• Objectives to be defined and tiered across the organization (e.g., strategic, operational, compliance, ESG)
• Risks to be linked to specific objectives at various layers: enterprise, division, department, process, project, asset, or third party
• Performance metrics to be tracked alongside risks, revealing the true business impact
• Dynamic dashboards that show where uncertainty threatens key outcomes

Without this connection to objectives, risk becomes compliance. With it, risk becomes actionable and of value.

3. Risk Quantification: Beyond Heatmaps and Into Distributions

Heatmaps are not only imprecise, they are often misleading. As Graeme Keith of Stochastic ApS and others have argued, they create a false sense of comparison where high-scoring “green” risks may pose more aggregate exposure than “red” ones. Static matrices lack the dimensionality required to inform strategic resource allocation.

What is needed instead is intelligent quantification, such as:

• Use of distributions, not single-point estimates, to reflect uncertainty ranges
• Scenario-based models that evaluate different pathways and their outcomes
• Risk aggregation techniques that avoid false mathematical precision but enable executive-level oversight

Still, Monte Carlo is often misunderstood and misapplied. The real value lies not in complex models for their own sake, but in understanding the landscape of possible outcomes and the assumptions behind them. What Graeme has worked on is brilliant in making risk quantification practical and meaningful.

4. Risk Visualization: Engaging the Right Brain

We often over-rely on spreadsheets and reports that appeal to logic but not intuition. Effective risk management also requires visualization techniques that engage the right brain and facilitate understanding across the business.

Bow-tie analysis (my favorite), for example, offers:

• A clear structure showing cause, control, and consequence
• Visualization of control effectiveness and gaps
• The ability to simulate mitigation effectiveness in real-time

Such tools transform risk from a compliance burden into a business conversation.

5. Scenario Modeling & Digital Twins: The Future of Risk

One of the most powerful developments in risk management today is the rise of digital twins: virtual representations of business functions, supply chains, projects, or even entire enterprises. These allow organizations to simulate disruptions and evaluate the effects of risk on objectives in a dynamic, systems-based context.

Good solutions will support:

• Creation of digital models for supply chains, operational processes, or enterprise-level systems
• Simulation of risk events (e.g., supplier failure, cyber attack, regulation change) and their downstream impacts
• Testing of alternative mitigation strategies in real time
• Insights into resilience thresholds and recovery strategies

This is where risk management moves from theory to action, and where executives can explore, not just analyze. It gives us the power of Dr. Strange from the Marvel Universe in Avengers End Game to explore all the possibilities and identify the future where we win.

6. Connectivity, Clustering, and Contagion Analysis

Risks are rarely isolated. They are connected through relationships, processes, and interdependencies. Graph theory and network analysis now allow us to understand risk contagion—how one failure can cascade into others.

Advanced risk tools are beginning to offer:

• Network maps showing how risks relate across objectives, systems, and third parties
• Clustering analysis to identify concentrated risk areas
• Early warning of emerging threats based on interconnected indicators

These techniques offer richer, more dynamic insights than any risk register ever could.

7. External Risk Intelligence: Horizon Scanning & Real-Time Context

No business operates in a vacuum. Organizations are exposed to a wide array of external risks — geopolitical instability, economic shifts, environmental volatility, social unrest, and regulatory changes — that can rapidly derail strategies and objectives. Effective risk management must continuously monitor the external environment to maintain alignment between internal decisions and external realities.

This is where external risk intelligence feeds become essential. They provide both horizon scanning (what’s emerging) and situational awareness (what’s happening now), giving organizations the foresight and agility to respond before risks become disruptions.

Advanced GRC solutions should support:

• Integration of external data sources such as geopolitical risk indices, ESG events, sanctions lists, regulatory updates, climate risk data, and news analytics
• Signal detection that highlights changes in risk posture based on unfolding events or trend shifts
• Role-based relevance filtering to ensure risk intelligence is not just delivered, but delivered to the right people with the right context
• Dynamic linkage of external threats to internal objectives, strategies, and controls, enabling proactive adjustments

Risk intelligence is the nervous system of a modern GRC strategy — sensing, analyzing, and informing decisions in real time. Without it, internal risk models become outdated before they’re even finalized.

---

Final Thoughts: From Checklists to Capabilities

The current state of risk management software is, in many cases, a symptom of a deeper malaise. When risk is reduced to compliance, forms, and heatmaps, we miss the entire point. We create the appearance of rigor without the substance of insight. We perform risk management rituals without enabling real decision support.

There are bright spots in the market—solutions and philosophies that emphasize integration with strategy, objective-centric thinking, intelligent quantification, and modeling. I particularly appreciate the work of professionals I respect (listed above) in pushing quantification boundaries and organizations like Iluminr in making scenario gaming approachable and relevant.

But the industry must evolve.

---

Call to Action

If your current risk management platform cannot:

• Support decision-centric risk modeling,
• Connect risks to layered objectives,
• Quantify risk using meaningful distributions or simulations,
• Visualize risks in a way that speaks to executives and front-line staff alike,
• Or simulate scenarios and digital twins to prepare for the unexpected…

…then it is not a risk management solution. It is a documentation tool.

Now is the time for organizations to demand more from their GRC vendors and elevate risk management from compliance exercise to strategic capability. Because in an increasingly volatile world, understanding risk is no longer optional—it is existential.

Let’s stop managing risk in forms and start managing risk in context.

And do not forget to follow my Risk Is Our Business podcast . . .

---

In a world oversaturated with rankings, quadrants, waves, grids, and so-called “expert” opinions, the role of the industry analyst has never been more critical — or more misunderstood. It should be a role grounded in investigation and informed judgment. Yet, in many ways, the profession has been hijacked by commercial interests, lazy methodologies, and echo chambers of perception masquerading as truth.

We often define an analyst as someone who studies something in detail to understand it and predict outcomes. But in practice today, this term has blurred, muddied by agendas, absence of direct experience, and a growing detachment from the realities of the marketplace.

A World of Untruth in the Pursuit of Truth

While watching Bono’s Stories of Surrender, one line struck a deep chord:

“Something you should know about performers, in pursuit of truth we are capable of more untruth than most.”

That line doesn’t just apply to artists. It is a piercing observation of many industry analysts. In the pursuit of crafting a compelling market narrative, some are willing to bend facts or gloss over contradictions to construct a neatly packaged report — one that often says more about market perception than market reality.

I have been rereading Wizard’s First Rule . . . in this book, Terry Goodkind’s wizard Zedd pronounces:

“Reality isn’t relevant. Perception is everything.”

This is the core tension at the heart of the analyst dilemma. The problem is not merely bias — it is fiction parading as fact, perception replacing analysis, and methodology sacrificed for marketability.

When Analyst Research Goes Wrong

Let’s be clear: not all analyst research is bad. But much of what is published today, particularly in GRC — from large analyst firms to boutique boutiques and peer review platforms — raises questions:

• Rankings without Rigor. Too often, I encounter reports comparing vendors in a quadrant, wave, or magic shape — where the underlying logic is murky or absent. One vendor is “a leader” in one report, and in another, the same vendor is a “challenger” or “niche.” Both reports contradict each other but claim objectivity.
• Ghost Reviews and Fake Peer Sites. Many peer review sites are riddled with manipulated entries. Solution providers incentivize clients (or consultants) to fill out the reviews on their behalf. Some go so far as to pre-write the responses, feeding them back to the reviewers. The result is a fictional echo chamber of “satisfaction” and “value” with no bearing on reality.
• No Firsthand Experience. I am astounded by how many analysts issue assessments of platforms they haven’t seen in years — or ever. I know of boutique firms publishing scores and rankings without current demos or conversations. It’s dangerous, misleading, and frankly, negligent.
• Detached from the Field. Analysts who won’t engage in live demos or customer calls, who prefer pre-recorded videos and automated surveys, are doing a disservice to the profession. Insight comes from interaction, not from passive consumption. Surveys tell you what someone thinks. Conversations uncover why.

Neutral ≠ Agnostic: The Myth of False Objectivity

When I call out poor performance — say, the growing wave of complaints I’ve heard about ServiceNow for GRC — I’m sometimes met with accusations that I’m no longer “neutral.” But neutrality is not the same as agnosticism.

Neutrality, in the analyst profession, means being guided by evidence and objectivity — not refraining from opinion. If an analyst cannot speak truthfully about what is broken, then they are not neutral — they are complicit. Objectivity requires critique when it is warranted.

As one LinkedIn commenter said in response to my post:

“Openly communicating this sort of feedback is literally the job of an analyst. Ignoring it and sweeping it under the rug because of a misguided sense of neutrality and objectivity is a dereliction of duty.”

Well said.

What Should an Analyst Do? A Return to First Principles

At its core, good industry analysis is about understanding. Not promoting. Not appeasing. Not posturing. An analyst must be an investigator, a translator, and a guide.

This means:

 Have Conversations, Not Just Surveys

Real insights come from probing questions and human interaction—not checkboxes. Analysts should talk to customers, implementers, end-users, and executives to understand how solutions actually perform.

 Demand Demonstrations

If you are going to rank, score, or analyze a platform, then you need to see it. Not a slide deck. Not a script. A live environment. Too many analysts avoid live demos in favor of canned videos. That’s not research—it’s theater.

 Engage the Ecosystem

You’re not an island. Analysts should build trusted relationships with practitioners, partners, and providers. That’s how you stay current, learn, and validate assumptions.

 Attend and Stay at Events

It’s one thing to show up, do your talk, and leave. But staying—engaging in sessions, conversations, hallway chats—this is where the real market signals live. Analysts should be present, not just performative.

 Acknowledge You’re Not the Expert in Everything

A good analyst knows when to consult others. Nobody is an expert in every corner of a complex market. Build a network of specialists and listen to them.

The Analyst Crisis: We Have a Problem

Today’s analyst landscape is plagued by:

• Commercialized rankings that serve marketing more than truth
• Armchair analysts who haven’t spoken to customers in months
• Overpriced advisory sessions that offer generic, out-of-touch advice
• A culture that rewards appearance over substance

This is dangerous in fields like GRC, where organizations rely on analyst guidance to make real-world, high-impact decisions around risk, compliance, and governance. If perception trumps truth, we aren’t helping—we’re harming.

Closing Thoughts: In Search of the Truth

The modern industry analyst stands at a crossroads. One path leads to genuine value: grounded, transparent, and impactful research that helps organizations make better decisions. The other path is perception-driven fiction, where charts are currency and reality is optional.

As someone who has been part of this profession for over 30 years—who helped define the GRC space in 2002 and continues to work closely with practitioners, vendors, and regulators—I believe we must reclaim the purpose of this role.

Truth matters. And the job of an analyst is to pursue it, speak it, and help others see it clearly. Because in the end, that is the analyst’s sacred duty.

If you’re navigating the GRC space and need clarity—whether you’re a buyer, a provider, or a practitioner—GRC 20/20 is here to help. We provide insight, not illusion. We ask hard questions. We listen. We engage. And we tell the truth.

A Real Conversation About Real GRC Value

It was a London evening last week, and I found myself in Mayfair sharing Indian food with a respected friend in risk management, Stefan. He’s the Head of Risk and Governance for a well-known UK-based retail organization, a sharp thinker with years of risk management experience. We met up to catch up, decompress, and compare notes on what we’ve been seeing in the world of governance, risk management, and compliance (GRC).

Midway through our conversation — just after the starters and naan arrived — he glanced at his phone and raised an eyebrow. “Another one,” he said. A vendor had messaged him directly, promoting their GRC platform. The message read like many do: bold efficiency claims. “Save 75% in time spent on risk assessments and reporting! Cut your audit prep time in half!”

My friend smiled, unimpressed. “Nobody bought a GRC tool because it makes the risk guy’s job easier, it is not a benefit that will make people buy” he responds. “Show me how this reduces risk to my corporate objectives, that is what interests me.”

That one sentence stuck with me. It was a masterclass in clarity — an executive not seduced by buzzwords or dashboards, but focused on outcomes. And it reminded me just how off-track the GRC technology conversation can become when it centers solely on process automation and productivity metrics.

The truth is that nobody buys a GRC tool just to make the risk guy’s job easier. GRC is not about efficiency for its own sake. It is about enabling the organization to reliably achieve its objectives, navigate uncertainty, and protect its integrity. Yes, time savings are useful — but if those time savings do not translate into improved decisions, reduced exposure, and stronger organizational performance, then the platform may be automating the wrong thing faster and perpetuating poor risk management.

---

GRC: What You Do, Not What You Buy

Let’s be clear: GRC is not a piece of software. GRC is a capability (read the OCEG GRC Capability Model) — an integrated set of practices across the enterprise that support governance (setting and achieving objectives), risk management (addressing uncertainty to objectives), and compliance (acting with integrity as we pursue objectives). It includes strategy and structure, culture and behavior, policies and processes, roles and responsibilities. Technology plays a role — but it is an enabler, not GRC itself.

No one buys GRC. And every organization does GRC, whether they call it GRC or something else. The question is how can we make GRC (or whatever you call it in your organization) more efficient, effective, resilient, and agile. That is where technology does have a role. And we all use technology for GRC, even if you are stuck in the Stone Age with stone tablets and chisels, that is technology.

This distinction matters because too many organizations approach GRC as a systems implementation project instead of a business discipline. They start with tool selection rather than problem identification. Too often focused on compliance and not business objectives, they aim to “get compliant” without asking what compliance means in the context of their business objectives. They automate controls but fail to evaluate whether those controls are reducing risk in a meaningful way.

A well-implemented GRC technology solution can be transformative — but only when it supports the broader capability. And that capability must deliver value in more than one dimension.

---

The Four Dimensions of GRC Value

The framework I have developed to evaluate the business value of GRC investments and build business cases — whether in technology, process design, or organizational structure — is grounded in four core value dimensions: Efficiency, Effectiveness, Resilience, and Agility. Each of these relates directly to the underlying GRC mission and definition: to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

Let’s explore these four dimensions with a narrative lens—and unpack what they look like in practice . . .

---

1 – Efficiency: The Beginning, Not the End

Efficiency is the most commonly touted benefit in GRC solution pitches. And for good reason: organizations waste enormous amounts of time managing risk, controls, and compliance through fragmented, manual, spreadsheet and email-driven processes or in silos of non-integrated solutions. These inefficiencies are costly—not only in terms of personnel hours but in opportunity cost and risk of error.

Consider a global consumer goods company that had five separate teams managing overlapping third-party risk processes in different areas of the business. Each team had its own intake forms, risk assessment templates, and reporting structure. The result was redundant work, inconsistent decisions, and no centralized view of supplier risk exposure. After deploying a GRC platform to unify and automate the process, they reduced administrative effort by 80%, eliminated duplicative vendor reviews, and created a single source of truth that dramatically improved efficiency across procurement, legal/compliance, privacy, and IT security.

But here’s the key: those time savings were not the business case — they were the enabler. The real value came in improved decision-making and better vendor oversight, not faster form completion. So efficiency is nice, we like ROI, but there is much more to GRC value.

Efficiency matters. But it’s only the first step.

Efficient GRC is about doing things right. But effective GRC is about doing the right things.

---

2 – Effectiveness: Reducing Actual Risk Exposure

This is the dimension that too often gets ignored, but is the most critical. Is there a measurable, quantifiable reduction in risk exposure to the organizations objectives and operations?

In GRC, effectiveness means your efforts are actually lowering risk exposure and enabling the organization to reliably achieve objectives amid uncertainty. Not perceived risk. Not checkbox risk. But real, measurable risk exposure (uncertainty) to strategic, financial, and operational objectives.

I’ve worked with organizations that had risk registers and beautifully documented control libraries — yet they suffered repeated incidents, regulatory scrutiny, and failed to show risk reduction and enable the business to manage uncertainty to objectives. Why? Because they had no way of linking controls to outcomes, or risk scoring to business objectives. Their GRC efforts were comprehensive but not calibrated. They were tracking noise instead of reducing signal.

Contrast that with a financial services firm that focused their GRC program on risk-weighted investment in controls. They used a platform not just to document risks, but to correlate them with control performance, incident frequency, audit findings, and business objectives. This allowed them to:

• Identify areas of over-control where compliance burden could be reduced
• Justify increased investment in high-risk areas with weak mitigation
• Demonstrate to the board a clear line from GRC activities to business outcomes and objectives

Effectiveness here wasn’t about how fast they completed assessments. It was about the confidence that risks were being managed within tolerance — and being able to prove it.

If you cannot demonstrate that your GRC program is measurably reducing risk to your objectives, then you are not being effective — just active, perhaps like a hamster on a wheel not truly getting anywhere.

---

3 – Resilience: Containing the Impact, Not Just Recording It

Resilience is not just about disaster recovery plans or business continuity documentation. Resilience in GRC means the organization can detect, contain, and recover from disruptions and exposures before they cascade into full-blown crises.

Consider a manufacturer who experienced a major supplier cyber incident that exposed them to scrutiny and lost production time. Post-incident analysis revealed that the risk was known — but siloed. IT had flagged it as a concern, but procurement and compliance were unaware. No one had centralized visibility or accountability.

Following that incident, they implemented a GRC solution with integrated third-party monitoring, real-time alerts, and automated risk escalation pathways. The next time a similar issue emerged — with a different vendor — it was flagged, triaged, and mitigated before causing any operational impact.

That is what resilience looks like: not the absence of disruption, but the ability to see it early, contain it quickly, and recover with confidence.

Resilience is what keeps a compliance issue from becoming a scandal. A system failure from becoming a shutdown. A risk exposure from becoming a crisis.

---

4 – Agility: Steering Through Uncertainty

Finally, we come to agility — the often-overlooked value of GRC in helping organizations not just survive but thrive through change. This is where the greatest value of GRC is, if an organization is mature enough to achieve it and has the vision to achieve it.

The world doesn’t wait for risk teams to catch up. New regulations, emerging technologies, geopolitical shifts, environmental crises, and social expectations all create an environment where yesterday’s risks and controls are insufficient for today’s realities. The question is: Can your GRC program keep up? Are you navigating the road ahead of the organization or driving fixated on the rearview mirror?

A digital services company undergoing rapid expansion into Southeast Asia and the Middle East found itself navigating a complex mix of regulatory expectations, cultural norms, and emerging risks (e.g., geo-political, operational, financial). As they pursued strategic objectives tied to regional market growth, leadership quickly recognized that their ability to reliably achieve those objectives was threatened by fragmented risk management practices. Without a unified GRC framework, it was difficult to anticipate and adapt to jurisdictional differences or maintain consistent oversight. By implementing a GRC solution aligned with business strategy and objectives, they gained forward-looking visibility into regulatory obligations, third-party exposures, and operational dependencies across regions. This allowed the organization to proactively chart a course, scaling risk management practices in parallel with their expansion — ensuring that growth was not only fast, but sustainable and governed with integrity.

Agility meant that they could enter new markets with confidence, see the road ahead of them, that is the objectives and the obstacles appearing in the way of achieving those objectives in their growth strategy — without slowing down business.

A digital twin adds significant value to agility by providing a dynamic, real-time mirror of the organization’s processes, risks, and controls. This allows leaders to simulate potential scenarios, visualize the ripple effects of change, and make informed decisions before disruptions occur. With a digital twin, GRC becomes forward-looking — helping the organization see around corners and adjust proactively to stay aligned with strategic objectives.

GRC should not be the handbrake. It should be the navigation system — helping the business steer safely through uncertainty toward its objectives.

---

The Conclusion: Lead with Impact

Efficiency is part of GRC value — but it’s only a part of the story. Done right, the value of efficiency/ROI is only a small fragment of the value of GRC when done correctly in the right context of the organizations objectives.

The strongest business cases I see are the ones that anchor GRC in strategic outcomes:

• Reduced risk exposure to what matters most in context of objectives
• Informed investment in the right controls to reliably achieve objectives
• Fewer incidents with faster response and recovery that could expose objectives
• Smarter navigation through a changing business landscape as it strives to achieve objectives

So let me say it again—for solution providers, practitioners, and executive sponsors alike:

Stop selling GRC as time savings. Start showing how it enables the business to achieve objectives, adapt to change and uncertainty, and act with integrity in an uncertain world.

Because that’s not just GRC. That’s good business.

We live in a time when regulation changes faster than many organizations can track it. Global compliance obligations evolve overnight — sometimes even hourly (or by the minute). Legal frameworks shift, regulators issue new interpretations, enforcement expectations intensify, and risks emerge from every direction: geopolitical instability, AI disruption, ESG pressures, and more. And while the external environment accelerates, organizations are simultaneously changing from within — adapting strategies, evolving processes, onboarding new technologies, growing teams, and expanding their third-party ecosystems.

GRC — governance, risk management, and compliance — as defined by OCEG, is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Let us focus on that last portion of integrity.

Amid this constant turbulence, organizations face a daunting question:

How do we stay grounded in integrity while everything around us is in flux?

At the heart of that challenge sits the Chief Compliance Officer (or Chief Ethics & Compliance Officer) — or perhaps, more fittingly in this era, the Chief Integrity Officer. I explore this in my blog: There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO).

---

From Compliance to Conscience

The traditional framing of compliance is no longer enough. It has become too reactive, too siloed, too focused on checklists and enforcement rather than empowerment and assurance. Compliance done well is not about playing defense. It’s about leading with values.

If we are to meet the regulatory and ethical demands of the modern enterprise, we must reframe the conversation — from compliance to conscience, from procedural enforcement to organizational integrity.

This is the thesis I bring into my upcoming keynote, “The Integrity Imperative: Ensuring Compliance in an Era of Relentless Change.” We are not just enforcing rules—we are anchoring the organization to its values and obligations, especially when the pressure is highest.

NOTE: compliance and risk management are different functions. In my perspective, in the ideal world (which the real world cannot always be ideal), compliance should never report into risk management (and it should not report into legal). I discussed this in my blog: Risk Management vs. Compliance Management: Understanding the Distinction.

---

---

The Role of Culture: A Unified Compliance Ethos

Compliance is not merely a function of having the right technology or a well-staffed compliance department. It depends on culture. That was the focus of the afternoon panel I joined at the Summit: “What Does a Unified Compliance Culture Look Like?”

The reality is this: compliance without culture is fragile. A culture of integrity, on the other hand, embeds ethical behavior across all the organization.

Yet, many organizations suffer from:

• Communication breakdowns between compliance and operations
• Inconsistent ownership of compliance obligations
• A view of compliance as “someone else’s job”
• Minimal engagement from leadership beyond formal attestations

To build resilience, organizations must elevate compliance as a shared responsibility—integrated into decision-making, performance management, third-party relationships, and strategic planning.

---

Reimagining the Chief Compliance Officer as the Chief Integrity Officer

Let’s talk about leadership.

In a world where ethical missteps can go viral, and regulators expect organizations to demonstrate intent and accountability, the role of the Chief Compliance Officer is evolving.

I propose a shift in mindset: from Chief Compliance Officer to Chief Integrity Officer.

Why? Because this role is no longer about merely ensuring regulatory adherence—it’s about embedding a culture of accountability, transparency, and trust. It’s about serving as the conscience of the enterprise—an enabler of values, not just an enforcer of rules.

The Chief Integrity Officer:

• Connects corporate purpose with operational behaviors
• Bridges legal obligations with ethical decision-making
• Leads proactive governance of AI, ESG, and third-party risk
• Ensures regulatory change is translated into action across functions
• Builds trust with regulators, investors, and the public by demonstrating alignment between words and actions

---

The Mounting Pressures of Regulatory Change Management

In my current three-week tour through Europe, I’ve seen first-hand how the regulatory change agenda is dominating boardroom and C-suite conversations. Across London, Copenhagen, Barcelona, Madrid, and Zurich, Regulatory Change Management (RCM) has come up in many conversations I’ve had (going through my notes, over 30). At the Global RegTech Summit in London, I moderated a main stage panel titled “RCM Reimagined,” and the questions from the audience were sharp and urgent:

• As AI and automation become foundational in RCM, how do we ensure accountability and compliance when machines make decisions?
• How can mid-sized firms adopt sophisticated RCM tools without enterprise-scale budgets?
• What happens when regulatory expectations conflict across jurisdictions?

Organizations are overwhelmed—not just by the volume of regulatory change, but by the complexity of interpreting, implementing, and operationalizing it. In my Zurich workshop hosted by Corlytics, we cataloged over 20 recurring pain points, including:

• The pace and volume of change
• Shadow AI and ungoverned tools interpreting regulatory data
• Data quality and legal accountability
• Siloed compliance teams and disjointed internal communication
• The struggle to keep policies and controls aligned with evolving rules
• And critically, interpreting what is material and relevant to the business context

This is not sustainable with spreadsheets, email chains, and reactive workflows.

Blueprint for Modern Compliance: From Theory to Execution

In my upcoming London workshop, “Compliance & Ethics Management by Design,” I’ll be helping attendees build the frameworks needed to operationalize this vision. We will dive into how to:

1. Build Governance Structures for Compliance

• Create a Compliance Governance Committee that integrates diverse roles
• Draft a Compliance Management Charter that defines structure and scope
• Develop a strategic plan aligned with board-level goals and objectives

2. Design the Compliance Lifecycle

• Map and monitor compliance obligations
• Establish communications, attestations, and engagement
• Assess controls and effectiveness
• Integrate compliance with third-party risk oversight
• Align metrics, reporting, and assurance

3. Architect the Right Technology

• Understand the types of compliance information and workflows
• Define requirements for a compliance information architecture
• Evaluate platform capabilities that support AI-assisted compliance, monitoring, and performance tracking
• Develop a compelling business case for investment in compliance modernization

---

Closing Reflections: Lead with Integrity, Not Just Compliance

We are NOT here to check boxes.

We are here to build organizations that do the right thing, even when no one is watching—organizations that can stand firm in the face of scrutiny because they are grounded in purpose, values, and trust. In the words of my favorite fictional Premier League coach and philosopher, Ted Lasso, “doing the right thing is never the wrong thing.”

In this era of relentless change, the most valuable compliance strategy is integrity by design.

Let’s stop managing compliance in silos and start leading with conscience.

Let’s reframe the conversation—because risk is our business, and integrity is our foundation that allows us to achieve what OCEG calls Principled Performance . . .

In today’s turbulent global landscape, risk is no longer something that can be managed solely through static policies, controls, and spreadsheets. It is dynamic, systemic, and interdependent — flowing across organizational silos, cascading through supply chains, and constantly evolving in response to regulatory, geopolitical, environmental, and technological forces that impact decision-making and an organization’s ability to reliably achieve objectives. To navigate this complexity, organizations need GRC solutions/tools that are equally dynamic and adaptive.

One of the most promising advancements in this space is the use of digital twins for Governance, Risk Management, and Compliance (GRC). Digital twins — virtual replicas of business systems, processes, or ecosystems that are continuously updated with real-world data — provide a unique capability for modeling uncertainty, visualizing interdependencies, and simulating the impact of risk and change (e.g., regulatory change, business change).

This idea came to life vividly in a recent supplier risk workshop I conducted in Madrid, Spain. Two large global manufacturers expressed their ambition to use digital twins to simulate the impacts of disruption events — from climate-related catastrophes to the geopolitical shock of a potential conflict in the Taiwan Strait. These conversations underscore the strategic value of digital twins in enhancing organizational resilience and proactive decision-making.

Then yesterday, I met with a life sciences firm in Switzerland that is in the midst of an RFP. They told me that they are specifically looking for a GRC platform that supports digital twins to simulate risk and regulatory change on their enterprise.

Simulation is the ultimate value of the story, but is built on documenting the current state of the organization and GRC . . .

In my presentations and conversations with organizations implementing business-integrated GRC strategies (GRC 6.0), I emphasize that the first and most accessible use case for a digital twin is to establish a real-time, dynamic view of the current state of GRC. Even before simulation, this initial visibility delivers meaningful value — especially for organizations earlier in their maturity journey. A digital twin of the organization (DTO) serves as a foundational representation of how risk, controls, compliance, and objectives interact across the enterprise. This “current state map” of the organization’s GRC architecture is the low-hanging fruit that enables better alignment, communication, and accountability.

Once this foundation is in place, simulation becomes the next frontier: scenario modeling, table-top exercises, micro-simulations, and war-gaming. But without an accurate digital reflection of the current state, the insights from simulations will be incomplete or misaligned.

---

Understanding Risk & Resilience Management at Multiple Levels

To appreciate the transformative potential of digital twins, it’s helpful to distinguish GRC 20/20’s three levels of risk management capability within organizations:

1. Strategic Risk & Resilience Decision Support. At this level, risk is used to evaluate and guide organizational decisions: market expansion, new product development, capital allocation, mergers, and acquisitions. This context provides the most business value, yet it is often the least structured in many enterprises. Digital twins help model how external conditions and internal shifts affect strategy and long-term performance — enabling resilient, evidence-based decisions. This is what what Alex Sidorenko refers to RM2 (Risk Management v2).
2. Objective-Centric Risk & Resilience Management. This layer focuses on managing uncertainty in the achievement of specific objectives — financial, operational, regulatory, legal, ESG, and beyond. These objectives cascade from the strategic level and exist across entities, departments, processes, projects, assets, and third-party relationships. Digital twins map these layers and the relationships between risks, objectives, and performance — creating a living model of risk in context. This alignment of risk to objectives is established in ISO 31000, and is what Tim Leech refers to as Objective-Centric Risk & Uncertainty Management.
3. Operational Risk & Resilience Execution. Here, risk is managed through tasks, controls, issues, audits, and assurance processes down in the operations, processes, transactions, and interactions of the organization. When connected to objective-centric risk management, this work supports performance and compliance. But when isolated, it often devolves into a compliance exercise with limited strategic value. Digital twins provide the connective tissue that links operational controls back to objectives, strategies, and regulatory obligations — bringing tactical risk into alignment with broader goals. This is what Alex Sidorenko refers to RM1 (Risk Management v1).

Digital twins, uniquely, have the potential to integrate across all three layers — transforming how risk and compliance professionals understand, communicate, and act on uncertainty.

---

GRC Use Cases for Digital Twins

1. Strategic Risk Management & Scenario Analysis
Digital twins allow organizations to simulate the impact of strategic decisions, enabling leadership to ask “what if” in a structured, evidence-driven way.

• A global energy firm models different climate futures — rising sea levels, extreme heat waves, flooding — and assesses impacts on physical infrastructure and energy continuity in their strategy.
• A multinational manufacturer simulates a potential conflict in the South China Sea to assess disruptions in shipping lanes, supplier access, and contractual obligations.

Digital twins enable multi-scenario forecasting so leadership can evaluate strategies and make decisions — dual sourcing, inventory strategies, or regional shifts — before crises occur.

2. Objective-Centric Risk Analysis
At the objective level, digital twins allow risk professionals to model how various risks and controls influence specific business goals, performance, and outcomes.

• A pharmaceutical company models ESG objectives across facilities, aligning emissions data, regulatory requirements, and site-level performance in addition to compliance with mandates.
• A logistics company assesses how volatile fuel prices, labor unrest, and digital outages affect KPIs like on-time delivery and service quality.

This approach reveals how tradeoffs, decisions, and external events shape actual outcomes, turning abstract risk into decision intelligence.

3. Operational Risk & Control Testing
Digital twins offer an environment for continuous assurance and virtual control testing — reducing reliance on periodic audits.

• A financial institution simulates phishing, ransomware, or DDoS attacks across its IT stack, testing resilience and refining incident response procedures.
• A global retailer models transaction surges, fraud patterns, and internal controls across digital channels during peak seasons.

These controlled simulations reduce organizational exposure while improving preparedness and adaptive response capabilities.

4. Regulatory Change Management
Digital twins are ideally suited to understanding the impact of regulatory change across jurisdictions, functions, and systems.

• A bank uses a digital twin to simulate the impact of EU DORA on business units, policies, and training needs — and prioritize remediation accordingly.
• A technology company models global data privacy laws (e.g., PIPL, DPDP, CCPA) to determine how they affect data flows and vendor obligations.

With regulatory overlays integrated into the digital twin, compliance teams can visualize change impact, track dependencies, and operationalize compliance faster.

5. Third-Party Risk & Extended Enterprise Resilience
Digital twins map the extended enterprise — suppliers, outsourcers, partners — to simulate and manage risk in increasingly interdependent ecosystems.

• A consumer electronics firm models its semiconductor supply chain to predict the impact of shortages and logistic bottlenecks.
• A defense contractor uses war-gaming to identify chokepoints, sanction risk, and dual-use technology compliance exposures.
• A fashion brand integrates ESG signals, satellite imagery, and supplier data to assess due diligence under the regulations and global frameworks.

These digital environments enable proactive planning, procurement agility, and stronger third-party oversight.

---

A GRC Future That Is Simulated — But Starts with Seeing Clearly

The future of GRC isn’t just about simulation. The first step is visibility: seeing your risk, compliance, and governance architecture in one place. That’s what a digital twin delivers. For less mature organizations, this real-time, integrated view of the current state of GRC is where the immediate value lies.

From there, organizations can evolve to simulate disruptions, test controls, and model regulatory impact — supporting continuous improvement, adaptive governance, and purpose-driven risk management.

Yet despite the clear value, very few GRC platforms today support digital twins natively. Most are still static systems of record. Forward-looking organizations are building or integrating digital twin capabilities externally, or seeking next-generation platforms that bring this vision to life.

If you’re exploring this space and want to understand which vendors are leading, feel free to reach out. I cover the full spectrum of GRC technologies and architectures.

Digital twins represent more than a technological trend — they are a catalyst for transforming how organizations understand themselves and navigate a complex, fast-changing world.

---

Let’s continue the conversation. Whether your organization is exploring the basics of a digital twin for current-state visibility or seeking to enable advanced simulations for resilience and compliance, I’d be happy to share insights from the field..

Navigating risk is no small task, whether it’s staying ahead of financial crimes, managing third-party relationships, or keeping up with the constant ebb an The stakes are high, and the need for smarter, more efficient solutions has never been greater. Enter artificial intelligence (AI). As SEC Commissioner Hester M. Peirce, in her March 27, 2025 remarks at the SEC AI Roundtable, emphasized the need for a balanced and informed regulatory approach to artificial intelligence in financial services—one that fosters innovation while maintaining human oversight and ethical responsibility to protect investors and market integrity.

When it comes to risk management, It’s a transformative force that’s tackling some of the most challenging aspects of compliance and business strategy today. From detecting money laundering patterns that humans might miss to helping firms predict and manage risks before they escalate, AI is stepping up to the plate. It’s making complex problems more manageable, reducing the strain on compliance teams, and enabling businesses to stay ahead of emerging threats.

But how does it do this? Let’s dive into how AI is specifically addressing high-risk areas like Anti-Money Laundering (AML), Third-Party Risk Management (TPRM), and regulatory change management, and why it’s quickly becoming a must-have tool for businesses looking to stay secure and compliant . . .

[The rest of this blog can be read on the COMPLY blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]