Employee Engagement: The Last Mile of Compliance & Ethics

Compliance and ethics are at the core of building a resilient, trustworthy organization focused on integrity. These functions are the bastion of corporate integrity, and I have stated for twenty years that the CECO/CCO should be the CIO – the Chief Integrity Officer.

Unfortunately, too often, compliance and ethics gravitate to the back office. Teams work tirelessly to monitor regulatory change, update policies, and ensure controls are defined. These efforts are essential, but they aren’t the end of the story. Compliance success ultimately hinges on employee engagement, the “last mile” of compliance and ethics that transforms policy into action. Compliance isn’t just about knowing the law or maintaining policies; it’s about ensuring that employees act in ways that uphold these standards every day. To do this, organizations need to prioritize employee engagement as the backbone of compliance, ethics, and governance. This is the era of employee engagement in compliance and ethics, and in broader GRC (governance, risk management, and compliance), and that engagement is delivered through mobility.

The Human Firewall: People as the Core of Compliance

An organization can be aware of every relevant law and regulation, have policies written in impeccable prose, and maintain perfect documentation, but if employees don’t know, understand, or remember these policies, compliance is compromised. The human firewall is built on employees who are informed, empowered, and engaged in the organization’s ethical standards and compliance requirements. Yet, this firewall will falter if we fail to make engagement with compliance information easy, relevant, and ACCESSIBLE.

To build this firewall, organizations must create a culture of compliance where employees feel invested in ethical practices. This means compliance must be woven into the everyday experience of employees at all levels, not just at headquarters or in the compliance department. Every employee, from the executive team to frontline staff, should be well-versed in the compliance and ethics requirements that affect their work. The challenge is making compliance and ethics engagement readily available, easy to access, and, most importantly, tailored to each role.

Policies and Awareness: The Road to True Compliance

Policies and codes of conduct only fulfill their purpose if employees actually read, understand, and internalize them. Too often, policies are treated as static documents to be acknowledged once and filed away. But policies are living documents that guide behavior, set expectations, and safeguard the organization. They need to be communicated effectively, refreshed regularly, and, importantly, be part of an ongoing dialogue with employees. Engagement isn’t just about distribution; it’s about comprehension, recall, and action, and about giving employees a way to get their questions about a policy answered, particularly in a specific context.

Employees should not only know where to find policies but should also have clarity on how these policies apply to them, especially in complex, fast-moving environments where regulations evolve rapidly. It’s the difference between checking a box and fostering genuine awareness — a shift from passive to active engagement.

Moving Beyond the Hotline: Modernizing Compliance and Ethics Engagement

Traditional methods like hotlines and call centers are outdated. These channels can be slow, intimidating, and disconnected from employees’ day-to-day experiences. Today, organizations need to engage employees where they are: on their mobile devices, in real-time, and in ways that feel natural to them. Just as mobile technology has transformed how we communicate, shop, and access information, it can revolutionize how employees engage with compliance and ethics. Mobility allows employees (and third parties) to easily report issues and get questions answered.

Imagine compliance training that’s accessible on an app, allowing employees to learn in bite-sized segments, tailored to their role, process, or location. Mobile engagement can be contextual, responsive, and adaptive, shifting compliance from a static task to an interactive experience. In this sense, compliance engagement becomes as effortless as checking a sports score or sending a quick message. Organizations can empower employees with compliance tools that fit their day-to-day, not merely as a series of one-off trainings or infrequent policy reviews.

Contextual Awareness: Compliance in Real Time

A significant advantage of mobile engagement is the potential for contextually aware compliance tools. These tools can be designed to recognize an employee’s specific role, the tasks they perform, and even their location, delivering timely reminders and guidance tailored to their situation. An employee in a high-risk area may receive prompts about local compliance risks, while a sales team member can access policies related to anti-bribery and corruption as they hit the ground in high-risk countries, presented in a way that’s directly relevant to their interactions.

This level of contextual awareness brings compliance to life in the workplace. Employees are not just passive recipients of information; they are active participants who can access relevant compliance guidance as they need it. In an environment where compliance risks are constantly evolving, such responsiveness is crucial.

I get calls every month from organizations looking for solutions because they have discovered they have twenty-eight policy portals (seriously, this happened), and the policies on these portals are different, out of date, and lack engagement. But it gets worse when training is in separate LMS systems. Employees, on their personal time, go out to Facebook. They can watch a YouTube video on Facebook. They do not have to click on a link, go and watch the video on YouTube, and then go back to Facebook to comment on it. However, this is what is happening with policies and training. This is not the modern mobile tech experience that employees are used to. Things need to change.

Engaging the First Line: Empowering Every Employee

To bring compliance into the daily fabric of operations, organizations need to focus on the first line: senior executives, managers, and every frontline employee. The back office of compliance (regulatory change, policies, controls, and documentation) is essential, but it’s front-line engagement that ensures these tools are effective. Employees need to feel empowered to make compliant choices, know how to raise concerns, and feel confident that their voice matters. This approach transforms compliance from a distant function into an integrated part of the business, owned by everyone.

Employee engagement goes beyond merely “following the rules”; it’s about aligning personal actions with corporate values. When compliance becomes part of the organizational culture, employees are more likely to act ethically even in ambiguous situations. This proactive engagement builds a foundation of trust, integrity, and shared accountability.

The Shift to Mobile: The Future of Compliance Engagement

We live in a mobile-first world where access to information is always at our fingertips. Entering a concert or sporting event without a mobile phone is almost unthinkable — so why should compliance be any different? Mobile engagement provides a powerful way to connect employees to compliance content, making training, policy updates, and whistleblower channels available wherever they are. It allows for a more flexible, scalable, and inclusive approach to compliance, creating a unified compliance experience across geographies, departments, and roles.

With this shift, the market for compliance solutions will evolve as organizations prioritize employee engagement capabilities when choosing compliance platforms. Vendors who focus solely on regulatory change and policy documentation for the back office risk being left behind. The future of compliance tools lies in mobile-first, context-aware platforms that actively support employees in making ethical decisions, rather than simply enforcing top-down mandates.

The New Generation of Employee Engagement: A Call to Action

As organizations rethink compliance and ethics, solution providers must take note. Employee engagement will increasingly drive purchasing decisions for compliance and ethics solutions, and by extension, broader GRC systems. The need is clear: solutions must prioritize first-line engagement, bridging the gap between the back office and the front line. Employees want tools that are intuitive, immediate, and mobile-friendly, and that support them in real-world, role-specific contexts.

Organizations and vendors alike should ask themselves: How effectively are we engaging employees in our compliance efforts? Are we still relying on outdated, passive methods, or are we evolving with the times? The future of compliance and ethics lies not in a stronger back office, but in a more engaged, empowered, and ethical front line. With the right tools, organizations can turn compliance from a static function into a dynamic force, aligned with business goals and embedded within daily operations.

Employee engagement is the cornerstone of authentic, effective compliance. Building a “human firewall” that upholds ethical standards is a collaborative effort that requires more than policies or documentation; it requires real, responsive, and mobile engagement. By modernizing compliance through mobile, contextual, and first-line-focused approaches, organizations can create a culture where every employee, no matter their role, contributes to the organization’s ethical standards.

In the end, compliance is about people — and people need tools that meet them where they are. It’s time for compliance to go mobile, empowering every employee to be an active part of the organization’s ethical journey. The last mile of compliance is about engagement, and the future is in the hands of organizations ready to make it happen.

Compliance Insomnia and Nightmares

The realm of compliance management is not for the faint of heart. It is a complex, ever-evolving landscape that can create sleepless nights and anxiety-filled days for compliance professionals. My Compliance Management by Design Workshop in London this week provided a vivid look into the collective concerns and “nightmares” of those in the industry. With over 100 registered attendees, we filled the room with 60 highly engaged professionals, all eager to share, learn, and explore the future of compliance.

The session was a dynamic discussion that delved into the significant challenges of compliance management. We examined the constantly changing regulatory landscape from a UK perspective, emphasizing the critical need for robust regulatory intelligence. From horizon scanning to redlining the most current changes, attendees explored how these updates must be integrated seamlessly into compliance assessments, controls, policy frameworks, and operations.

We also touched on a variety of interconnected topics including:

  • Employee engagement and compliance culture.
  • Issue reporting, including whistleblower systems and case management.
  • Third-party compliance and due diligence.
  • Comprehensive policy management strategies.
  • Governance of compliance and reporting structures up to the board level.

The conversation was rich, interactive, and intense, highlighting both the persistent and emerging issues that keep compliance professionals awake at night.

What Keeps Compliance Professionals Up at Night?

A key part of the workshop was an exercise that asked attendees to share what keeps them up at night. Their responses were candid and painted a picture of an industry under immense pressure. Below are the core challenges, or “nightmares,” that surfaced during our discussion:

  • Silos of Compliance. The struggle of fragmented compliance operations that lack cross-departmental cohesion.
  • Consequences of Interconnected Compliance Risks. How one area of non-compliance can cascade and create systemic issues.
  • Regulatory Updates and Change. The constant pressure to stay informed and adapt to new regulations.
  • Lack of Adherence and Evidence of Policies. Ensuring that policies are not only well-documented but are actively followed and evidenced.
  • Perception Issues. Battling the image of compliance as the “corporate cop,” the “department of no,” or a business disabler.
  • Embedding Compliance Culture. Building a culture where compliance is not just an obligation but an integral part of the business fabric.
  • Tone at the Top and Leadership Engagement. Securing commitment from leadership, fostering alignment at the middle management level, and ensuring consistency across all employee levels.
  • Digital Integration. Implementing compliance programs that align with digital transformation efforts.
  • Skills and Resources. Navigating the resource constraints and skill shortages that compliance teams often face.
  • Budget Constraints. Doing more with less in a world where compliance demands are increasing but budgets are not.
  • The Role of AI in Compliance. Understanding how to leverage AI effectively while managing the risks associated with its use.
  • Regulatory Change Management. Keeping pace with a conveyor belt of regulatory changes.
  • Behavior Monitoring. Ensuring that behavior aligns with the organization’s ethical and compliance standards.
  • Three Lines of Defense. Ensuring consistent compliance across the front line, risk management, and internal audit.
  • Dashboards and Accountability. Providing insight into compliance and controls to deliver assurance to the business and maintain oversight, in the context of the Senior Managers and Certification Regime (SMCR) and the UK Corporate Governance Code.
  • Obligations and Requirements Management. Adapting to changes in regulatory obligations and ensuring proportionality in compliance practices.
  • Policy Communication and Understanding. Making sure policies are not only communicated effectively but are fully understood by all levels of the organization.
  • Training and Education. Striking the balance between holistic training and targeted content that addresses specific compliance needs.
  • Proportionality. Tailoring compliance approaches to the size and needs of the organization.
  • Regulatory Awareness. Ensuring continuous awareness of regulatory expectations and fostering positive interactions with regulators.
  • Horizon Scanning and Oversight. The ongoing need to monitor for future risks while maintaining day-to-day compliance operations.
  • Principles-Based vs. Rules-Based Compliance. Navigating the differences and applications of these two regulatory approaches.
  • Basics of Compliance. The embarrassment and risk of getting fundamental compliance elements wrong.
  • Resource Allocation. Ensuring that compliance departments receive adequate funding and resources to operate effectively.
  • Compliance Risk Ownership. Defining who is accountable for compliance risks within the organization.
  • Proactive Compliance. Shifting from reactive responses to a proactive, strategic approach.

Addressing Compliance Nightmares: The Role of Technology and AI

One of the key takeaways from the workshop was that technology, particularly advancements in AI, can play a significant role in addressing these compliance nightmares. Here’s how:

  • Breaking Down Silos with Integrated Platforms. Compliance management technology brings together data and processes from across the organization, creating a unified and more collaborative approach to compliance. By integrating compliance tools with other business systems, organizations can break down the silos that often hinder their ability to operate efficiently.
  • Real-Time Regulatory Intelligence and Change Management. AI-powered horizon scanning tools can keep compliance teams updated on regulatory changes as they happen, providing real-time insights and alerts. These tools help in prioritizing and redlining regulations, allowing teams to focus on what is most relevant to their organization and stay ahead of compliance requirements.
  • Enhanced Compliance Monitoring and Behavior Analysis. With the power of AI, compliance teams can move beyond traditional monitoring to more predictive analytics. AI can track behavior patterns, identify anomalies, and flag potential issues before they escalate into larger problems, supporting better risk management and oversight.
  • Automated Evidence and Documentation. Automation reduces the burden of manual documentation by compiling evidence for audits and compliance reporting. AI-driven systems can automatically generate reports, track policy adherence, and maintain audit trails, providing a higher level of assurance and transparency.
  • Improved Policy Communication and Training. AI-based platforms can tailor policy content to individual roles within an organization, ensuring that the training is both comprehensive and specific to the needs of employees. This “just right” approach aligns with the “Goldilocks of Compliance” principle—providing training that is neither too broad nor too narrow but exactly what is needed.
  • Proactive Compliance through Predictive Analytics. Compliance teams can use AI to analyze trends and foresee potential areas of non-compliance. This helps organizations move from being reactive to being proactive, aligning with a strategic approach to compliance management.

Compliance management is a high-stakes environment where the risks of failure can be severe. However, with the right tools and strategies, compliance teams can shift from insomnia and nightmares to confident oversight and proactive management. Compliance management technology, especially with the use of AI, can alleviate many of the stressors identified during our workshop. By embracing digital solutions, organizations can better manage their compliance responsibilities, build a strong compliance culture, and align with the evolving regulatory landscape.

As compliance continues to grow in complexity, the path to restful nights lies in understanding these challenges, leveraging technology, and cultivating a culture that sees compliance not as a burden, but as a vital component of business integrity and success.

The Integrated Approach: Bringing Risk & Resilience Together

Operational Resilience: The Evolution Beyond Business Continuity Management

In today’s dynamic and interconnected business environment, the concept of resilience is gaining prominence, pushing organizations to evolve beyond traditional approaches like Business Continuity Management (BCM). While BCM has been instrumental in helping businesses navigate disruptions, it is no longer sufficient on its own. Organizations need to embrace a more integrated and proactive approach, one that encompasses not just continuity but also adaptability and agility. Enter Operational Resilience, a forward-thinking strategy that ensures businesses can anticipate, withstand, and recover from disruptions while maintaining critical operations.

The Shift from Business Continuity to Operational Resilience

Business Continuity Management (BCM) has historically . . .

[The rest of this blog can be read on the GRCxperts blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Compliance Management: The RegTech Future in a Dynamic Environment

In an era where regulatory pressures continuously evolve and intensify, compliance management solutions have emerged as vital tools for organizations striving to uphold both mandatory (regulatory/legal) and voluntary (values-driven, ethical) obligations. These solutions provide the structure and automation needed to streamline compliance processes, mitigate risks, and ensure alignment with an ever-changing regulatory landscape. By offering real-time monitoring, efficient workflows, and a transparent audit trail, they support organizations in managing complex compliance requirements across multiple jurisdictions, enabling proactive strategies that keep pace with regulatory demands.

Top Compliance Challenges Facing Organizations Today

Organizations grappling with compliance management face a multitude of challenges, especially those still reliant on manual processes. Information and processes are frequently siloed across departments, resulting in inefficiencies, gaps in oversight, and sometimes even critical errors. Many organizations lack the dedicated resources—both personnel and expertise—required to navigate increasingly complex regulatory landscapes. Without an integrated compliance management system built on RegTech, overseeing the breadth of compliance obligations across an organization can become burdensome, leading to disjointed efforts that lack a cohesive strategy.

Inefficiency and redundancy are common pain points when compliance tracking is managed manually, wasting time and introducing the risk of human error. The fast-paced nature of regulatory changes makes real-time information critical; however, organizations often struggle to maintain up-to-date records, impacting their ability to respond quickly. Change management is another challenge, with some companies finding it difficult to promptly monitor, interpret, and adapt to new regulatory requirements, which heightens the risk of non-compliance. Compliance assessments, too, suffer from inconsistency, and without comprehensive audit trails, organizations may lack the defensible evidence required in regulatory reviews.

Furthermore, disparate technologies within organizations lead to information silos that hinder a unified compliance approach. Scaling compliance processes becomes a hurdle as organizations grow. Transitioning to an integrated compliance management technology architecture can help overcome these challenges, providing a unified view of obligations, automating workflows, and enhancing overall compliance efficiency and effectiveness.

Key Components of Modern Compliance Management Processes

  1. Compliance Program Management. This establishes an integrated framework, ensuring adherence to regulatory and ethical standards across all business units. By consolidating compliance obligations, organizations gain real-time insights and stay agile, adapting quickly to new regulations and internal requirements.
  2. Organizational Mapping & Understanding. A structured review of the organization’s jurisdictional scope and regulatory bodies clarifies compliance responsibilities across all locations. This foundation aids in setting up a responsive compliance system attuned to the nuances of each area’s obligations.
  3. Regulatory Intelligence. With horizon scanning and tracking of current regulatory changes, organizations can anticipate and prepare for new compliance requirements. The use of redlining in regulatory updates helps compliance teams understand changes at a granular level, aligning their strategies in response.
  4. Obligations Library. This provides a centralized repository linking regulatory and contractual obligations to internal policies, risks, and controls. Compliance teams can maintain visibility across the regulatory landscape, ensuring no obligations are overlooked.
  5. Policy & Control Alignment. Continuously aligning policies and controls with current regulatory requirements keeps organizations in compliance. AI tools often facilitate this by suggesting necessary adjustments, helping to maintain resilience against compliance risks.
  6. Compliance Monitoring & Ongoing Assessment. Regular compliance assessments, audits, and reviews are essential for early detection of non-compliance, mitigating risks, and promoting continuous alignment with regulatory requirements.

The Role of Artificial Intelligence in Compliance Management

AI is revolutionizing compliance management by automating critical processes, increasing accuracy, and easing the burden on compliance teams. AI enables real-time monitoring of regulatory changes, performs predictive horizon scanning, and redlines regulations to highlight updates. AI is orders of magnitude faster at reading, mapping, and categorizing regulations. One life science organization that GRC 20/20 has advised found that AI for regulatory change management was also 30% more accurate than its traditional processes.

Additionally, AI-driven obligations mapping connects new requirements with existing policies and controls, while automated policy alignment uses generative AI to suggest updates in response to regulatory shifts. AI also monitors compliance activities, flags potential risks, and interprets regulatory texts through Natural Language Processing (NLP), enhancing scalability and adaptability across compliance functions.

Critical Capabilities in Compliance Management Solutions

Successful compliance management solutions must offer integrated compliance risk assessments, real-time monitoring, AI-powered regulatory change capabilities, and a centralized obligations management system. Other essential features include policy and control alignment, comprehensive compliance monitoring, automated audit trails, dynamic reporting, data integration, scalability, adaptability, and alert systems. These tools work together to create a responsive and agile compliance environment, empowering organizations to meet evolving regulatory demands.

The investment in robust compliance management/RegTech technology delivers significant returns by reducing manual efforts and costs, improving accountability, and ensuring regulatory adherence. Such a system strengthens organizational resilience by preemptively identifying and addressing compliance risks and enhances agility, allowing quick adaptations to changing regulations and internal dynamics.

HOWEVER, in this fast-evolving RegTech landscape, not all solutions deliver on their promises. Some remain more marketing than reality, falling short in functionality or integration. For a clear understanding of which RegTech solutions truly add value and enhance compliance capabilities, reach out to GRC 20/20. Our expertise can help you navigate the market, ensuring you select a solution that genuinely meets your organization’s needs.

Upcoming Compliance Management Workshops:

November 5 @ 9:00 am – 6:30 pm GMT, London

November 20 @ 1:00 pm – 7:00 pm EST, New York

Why Your GRC Program Should Cover More Than Just ERM: The Critical Link to Operational Resilience

It’s tempting to think of Enterprise Risk Management (ERM) as the central hub of your risk program. However, stopping at ERM limits an organization’s ability to fully manage risk and ensure operational resilience. The modern risk landscape demands a GRC (Governance, Risk Management, and Compliance) strategy that goes beyond traditional ERM, encompassing interconnected risks such as third-party, cyber, regulatory, and operational risk and resilience. An effective GRC program integrated across the enterprise is essential not only for managing risk but also for building operational resilience.

The Expanding Scope of GRC and the Need for Holistic Risk Management 

Risks are increasingly interconnected. Compliance, cyber threats, third-party risks, and ESG are not just isolated challenges, they’re deeply integrated into the operational fabric of organizations. A GRC program that only . . .

[The rest of this blog can be read on the Origami Risk blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Becoming a Better Compliance Technology Buyer: Cutting Through the Noise

The compliance technology and broader GRC solution landscape are more complex than ever, and becoming a better buyer means more than just asking the right questions—it requires cutting through the noise of biased advice. In my recent analysis of RFPs, I’ve seen firsthand how the system can be stacked in favor of certain vendors, often driven by consulting firms with something to gain.

The Perils of Impartial Expertise

An alarming trend has surfaced: Many consulting firms, supposedly neutral advisors, are quietly steering clients towards solutions with massive implementation costs. Why? These firms benefit from bloated implementation projects that can cost millions and take a year or two to deliver value. What should be an impartial solution selection process is manipulated to favor these high-cost solutions, leaving more agile, cost-effective competitors out of the conversation entirely.

Consider . . .

[The rest of this blog can be read on the GAN Integrity blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Navigating the Multiverse of Risk: Building Agility into Our Approach to Risk Management

Risk management, for many organizations, is an exercise in analyzing the past—looking at what went wrong and how it can be avoided in the future. Too often, it’s as though we are driving down the highway while staring into the rearview mirror, trying to navigate the future by focusing on the risks that have already materialized. This approach, while valuable for learning from history, falls short in today’s chaotic, complex, and interconnected world.

In the dynamic landscape of modern business, risk is not a single path. It’s not something that can be easily contained or predicted by merely reflecting on past mistakes. This is one point among many where heatmaps fail us. Instead, risk should be viewed through the lens of the multiverse—a concept popularized in science fiction but strikingly relevant to risk management. The multiverse is a metaphor that captures the multiple possibilities, outcomes, and scenarios that could arise based on an organization’s decisions and the external forces that shape its environment.

ISO 31000 defines risk as “the effect of uncertainty on objectives,” emphasizing that risk management is inherently forward-looking. Risk management must expand beyond analyzing past events to consider multiple future scenarios, probabilities, and the myriad ways in which uncertainty can impact organizational objectives. To manage risk effectively in this environment, organizations need to embrace both left-brain and right-brain thinking—combining the logical and structured with the imaginative and creative.

The Multiverse: An Analogy for Risk Management

In risk management, the multiverse represents the infinite possibilities and outcomes that stem from an organization’s decisions, actions, and the external forces acting upon it. Every choice opens a new dimension, leading to different outcomes, both good and bad. These are not always linear or predictable, but they are interconnected. A decision made in one part of the organization or by an external actor can ripple across multiple dimensions of business, affecting operations, finances, compliance, and even reputation.

Risk management in the multiverse requires looking at risk not as a single possibility but as a web of interconnected scenarios. This approach mirrors the way science fiction envisions parallel universes—each slight variation in decision-making leading to a new, branching outcome. In this way, the multiverse metaphor pushes organizations to think more dynamically about risk.

But unlike science fiction, in the business world, we cannot afford to passively observe what happens in alternate universes. We must anticipate and proactively manage those possibilities by using the tools and frameworks available to us, while also thinking beyond traditional risk methodologies.

The Chaotic and Interconnected Nature of Risk

Today’s risk landscape is chaotic and interconnected, and it is rapidly evolving. From global supply chain disruptions to cyber-attacks, from shifting regulations to geopolitical instability, the sources of uncertainty are more varied and unpredictable than ever. The pandemic was a stark reminder of how risks from one domain (health) can cascade into others, such as finance, operations, and workforce management. These risks don’t exist in isolation; they are entangled in a complex web of interdependencies.

For risk management to be effective, it needs to account for this chaos and complexity. It must acknowledge that the risks organizations face are often unpredictable and can arise from unexpected places. This requires a mindset shift from risk avoidance to risk agility—the ability to adapt quickly and efficiently to changing circumstances, foreseen and unforeseen.

The challenge lies in identifying the critical signals amid the noise, understanding how different risks are interconnected, and recognizing which of the many possible future scenarios will impact the organization’s objectives.

Left-Brain Thinking: The Structured Models

Traditional risk management frameworks—such as risk assessments, control models, and compliance checklists—fall squarely within the realm of left-brain thinking. These are logical, structured approaches designed to bring order to the chaos of risk. They help organizations quantify risks, categorize them by likelihood and impact, and create structured mitigation plans.

Structured models, such as quantitative risk analysis, probabilistic modeling, and Monte Carlo simulations, provide valuable insights into risk. These tools allow organizations to create forecasts based on past data and trends, helping them to plan for the future. However, they often rely on assumptions of stability and predictability that don’t always hold true in a rapidly changing world. Traditional models can struggle to capture the full range of possibilities or to anticipate black swan events—those rare and unpredictable risks that can have catastrophic consequences.

Right-Brain Thinking: Creative and Imaginative Approaches

In contrast, the right-brain side of risk management requires creativity and imagination. It involves using techniques such as scenario analysis, wargaming, and tabletop exercises to explore a wider range of possible futures. These methods push organizations to think beyond what is likely and consider what is possible, even if unlikely.

For instance, scenario analysis involves creating detailed narratives of possible futures based on different assumptions and drivers. What happens if a critical supplier goes out of business? How will regulatory changes in one country affect operations in another? What if a competitor introduces a disruptive new technology? By imagining these alternate futures, organizations can prepare for a broader range of outcomes and identify strategic opportunities as well as risks.

Similarly, wargaming and microsimulations involve role-playing and testing different responses to various risk scenarios. These exercises can be invaluable for identifying gaps in existing plans, training teams to respond under pressure, and uncovering hidden risks that may not have been considered in a traditional risk assessment.

These creative, imaginative approaches require risk professionals to step outside the rigid frameworks of traditional risk management and embrace uncertainty. In doing so, they can better understand the full spectrum of risks their organizations face and be more agile in their response.

Combining Risk Intelligence with Forward-Looking Strategies

The key to navigating the multiverse of risk lies in combining risk intelligence—a deep understanding of the external environment—with forward-looking strategies such as scenario analysis, wargaming, and tabletop exercises.

Risk intelligence involves gathering real-time information from a variety of sources, including geopolitical developments, economic market trends, regulatory changes, and emerging technologies. It also requires monitoring social, environmental, and economic indicators to stay ahead of potential disruptions. By having a clear picture of the external environment, organizations can better anticipate changes that may affect their objectives and operations.

However, simply having risk intelligence is not enough. It must be coupled with proactive, forward-looking strategies that allow organizations to explore different possibilities and prepare for multiple outcomes. This requires embedding risk management into strategic decision-making processes and ensuring that it is not just about compliance but about enabling the organization to thrive in a world of uncertainty.

By running microsimulations, organizations can test the impact of different risk scenarios on their objectives in real time. Wargaming allows them to simulate competitive threats, economic downturns, or supply chain disruptions, enabling them to build resilience into their strategies. Scenario analysis helps them to explore alternate futures, so they can be prepared not only for the most likely outcomes but also for the less probable ones.

Building Resilience and Agility in the Multiverse of Risk

To succeed in this chaotic, multiverse-like environment, organizations need to build both resilience and agility. Resilience is the ability to withstand and recover from disruptions, while agility is the ability to adapt quickly to changing circumstances. Together, these qualities enable organizations not only to survive but to thrive in a world of uncertainty.

Strong risk management is essential for building resilience. By understanding the interconnected nature of risks, organizations can put in place contingency plans, develop redundancies, and create fail-safes to protect against the most critical threats. But resilience alone is not enough. In a world where risks can emerge suddenly and from unexpected directions, agility is equally important.

Agile risk management involves being able to quickly pivot in response to new risks or opportunities, so that the organization reliably achieves or exceeds its objectives. This requires having flexible processes, decentralized decision-making, and a culture that encourages innovation and adaptability. It also means empowering risk professionals to use their right-brain creativity and intuition, as well as their left-brain analytical skills, to navigate the complexities of the multiverse.

The multiverse is a powerful metaphor for the future of risk management. In a world where the future is uncertain, and multiple possibilities exist, organizations must move beyond traditional, rearview-mirror approaches to risk (acknowledging there is still a place for this, but it is not the focus). They must embrace both left-brain logic and right-brain creativity to explore different scenarios, prepare for a range of outcomes, and build the resilience and agility they need to succeed.

By leveraging risk intelligence, forward-looking strategies, and creative approaches such as microsimulations, wargaming, and scenario analysis, organizations can not only navigate the complexities of the multiverse but also turn uncertainty into a strategic advantage. In doing so, they can achieve and exceed their objectives, no matter what the future holds.

Automating Compliance: A Necessity for Modern Compliance

The modern regulatory landscape is evolving at an unprecedented pace. Organizations across industries are facing a deluge of new regulations, amendments to existing laws, and enforcement actions that can overwhelm compliance teams. This is particularly evident in industries like financial services, where regulatory scrutiny is intense and constantly changing. Yet, the challenge of managing regulatory change is not limited to financial services; it spans all sectors as organizations face complex and overlapping compliance requirements. To effectively navigate this environment, businesses must adopt automated solutions that streamline regulatory change management and ensure compliance.

Drivers for regulatory change management automation include:

  • Regulatory Proliferation. Regulatory bodies worldwide are introducing new laws and updating existing ones at a faster rate than ever before. Financial services alone face a few hundred regulatory changes every business day, a number that has more than doubled over the last five years. Keeping up with this deluge of changes is a monumental task for compliance teams, particularly when regulatory requirements are inconsistent across jurisdictions.
  • Cross-Industry Compliance Challenges. While financial services often take center stage in discussions around regulatory compliance, other industries like healthcare, technology, gaming, and crypto face similarly complex regulatory environments. Each of these sectors must comply with global regulations related to anti-money laundering (AML), Know Your Customer (KYC), data privacy, cybersecurity, and industry-specific rules.
  • Operational Risk and Reputational Damage. Failure to comply with new regulations or amendments can expose organizations to significant penalties, legal liabilities, and reputational damage. Many industries, especially those in regulated markets, operate under intense scrutiny, and a single oversight in compliance could lead to damaging fines, loss of licenses, or legal actions.
  • Internal Complexity. As organizations grow, so do their internal processes and relationships with third parties. Mergers, acquisitions, and expanding product lines further complicate regulatory compliance, requiring organizations to manage an ever-growing catalog of legal obligations across various jurisdictions and operational units.

The Inevitability of Failure: Manual Processes and Silos of Information

For decades, organizations have relied on manual processes—documents, spreadsheets, and emails—to manage regulatory change. While this approach may have been feasible in less dynamic regulatory environments, it is increasingly inadequate today. Consider the impact of:

  • Siloed and Scattered Information. In a manual environment, regulatory change management is often decentralized, with each department relying on disparate sources of regulatory information. These sources can range from newsletters and regulatory feeds to third-party legal databases. The result is fragmented compliance efforts, where critical updates are missed, redundant tasks are performed, and information silos prevent collaboration.
  • Inefficient Reconciliation. Relying on manual processes makes reconciling regulatory updates with internal policies, controls, and risks time-consuming and error-prone. Compliance professionals must sift through hundreds of updates, extract relevant information, and then manually determine the impact on the organization. This leads to delayed responses, incomplete analysis, and a higher risk of non-compliance.
  • Lack of Accountability and Auditability. Manual workflows offer little accountability or traceability. Compliance teams often struggle to document who reviewed which changes, what actions were taken, and what decisions were made. This lack of an audit trail not only complicates internal compliance but also fails to satisfy external regulators who demand clear evidence of compliance.
  • Wasted Resources. Regulatory change management in a manual environment is resource-intensive. Organizations must dedicate significant time and effort to tasks that could easily be automated. This reliance on human intervention increases the likelihood of errors and drains resources that could be better allocated to strategic initiatives.

The New Era of AI-Powered Regulatory Change & Compliance

As regulatory complexity continues to grow, so too does the need for intelligent automation. The advent of AI-driven solutions has transformed the way organizations manage regulatory change and compliance workflows. 

With AI-empowered regulatory change and compliance management processes, organizations can have:

  • Comprehensive and Curated Law Libraries. AI-powered platforms provide organizations with centralized, curated regulatory content across jurisdictions. These platforms continuously track and update legal requirements, reducing the need for organizations to manage multiple, scattered sources of information. This ensures that compliance teams have access to relevant and up-to-date information without the noise of irrelevant updates.
  • Automated Workflow and Task Management. AI solutions eliminate manual processes by automatically routing regulatory updates to relevant stakeholders, initiating business impact analyses, and generating tasks based on predefined criteria. This enhances accountability, ensures timely action, and creates a defensible audit trail for regulators.
  • Horizon Scanning and Change Tracking. Advanced AI solutions offer horizon scanning capabilities that monitor for new or pending legislation, regulatory changes, and enforcement actions. By anticipating regulatory developments, organizations can proactively adjust their compliance strategies and ensure that policies, risks, and controls are updated in real time.
  • Risk-Based Approach to Compliance. AI-driven platforms allow organizations to adopt a risk-based approach to regulatory compliance. These solutions can map regulations to internal policies, risks, controls, and even third-party relationships, enabling organizations to prioritize compliance efforts based on risk exposure and operational impact.
  • Generative AI for Compliance Insights. Generative AI models, like those built into some advanced regulatory platforms, empower compliance teams by summarizing complex regulatory requirements in natural language. These models can also generate policy drafts, identify gaps in controls, and provide actionable insights that streamline compliance workflows.

The regulatory landscape is shifting, and manual approaches to compliance management are no longer sufficient. Organizations that continue to rely on fragmented, manual processes will face increasing risks of non-compliance, operational inefficiencies, and financial penalties. To stay competitive and compliant, organizations must embrace AI-powered regulatory change management solutions that automate workflows, streamline compliance, and provide actionable insights.

Organizations should act now to implement AI-driven solutions that automate regulatory intelligence, manage compliance workflows, and ensure timely responses to regulatory changes. By doing so, they will not only reduce operational risk and improve regulatory outcomes but also free up valuable resources to focus on innovation and growth in an increasingly complex regulatory environment.

I am doing two workshops on this topic in November:

London, November 5 @ 9:00 am – 6:30 pm GMT

New York City, November 20 @ 1:00 pm – 7:00 pm EST

Gazing into the Palantír of Risk: A Tolkien-Inspired Journey into Emerging Risks

In J.R.R. Tolkien’s legendary Middle-earth saga, brought to the screen in The Lord of the Rings films and the current Rings of Power series, the Palantír—a magical seeing stone—grants its user the ability to peer into distant lands and potential futures. Although steeped in legend, the Palantír offers a fitting analogy for today’s organizations: they, too, need a clear, far-reaching vision into the risks that lie ahead. With today’s complexities, businesses require more than reactive risk management; they need a comprehensive approach to anticipate and prepare for emerging risks to the organization’s objectives.

Much like the Palantír, modern risk management tools and techniques provide organizations with the foresight needed to navigate an unpredictable landscape of uncertainty on objectives. This metaphorical Palantír doesn’t come with the ominous overtones of the novels but rather serves as a powerful asset for organizations seeking to scan the horizon, run scenarios, and prepare for the future.

Horizon Scanning: Extending Your Vision Beyond the Immediate

One of the key benefits of a “Palantír” approach to risk management is horizon scanning—the ability to identify and monitor risks that may not yet be fully visible but are on the verge of emerging. Horizon scanning involves continually searching the external environment for signals of potential risks to organizational objectives, such as geopolitical shifts, regulatory changes, technological advancements, or market disruptions.

In today’s interconnected world, organizations need to have their eyes trained on the horizon to detect the earliest signs of risk to objectives. This can include monitoring political landscapes that may influence supply chains, keeping up with evolving cyber threats, or tracking shifts in consumer behavior that might affect market demand. By identifying these risks early, businesses gain the advantage of time—allowing them to prepare, adapt, and mitigate before these risks materialize into full-blown crises.

Micro-Simulations: Testing Small but Critical Scenarios

Just as the Palantír gave glimpses of possible futures, micro-simulations allow organizations to explore how specific risks might play out. Micro-simulations are focused exercises designed to simulate the potential impact of a single, specific risk on the organization. These controlled, smaller-scale scenarios allow businesses to observe how their systems, processes, and people respond in real time to potential disruptions.

By running micro-simulations, organizations can test their preparedness and resilience to targeted risks, such as a cyberattack on critical infrastructure, the sudden loss of a key supplier, or a localized natural disaster. The insights gained from these exercises help teams understand their current vulnerabilities and make necessary adjustments to strengthen their risk management frameworks. Micro-simulations help turn hypothetical scenarios into actionable strategies, ensuring that teams are not caught off guard.

Scenario Analysis: Understanding the Impact of Risks on Objectives

The Palantír was a tool for seeing multiple possibilities, much like scenario analysis in risk management. Scenario analysis involves creating detailed, plausible future scenarios and analyzing their potential impact on an organization’s objectives. These scenarios can range from a best-case to worst-case view of the future, providing a comprehensive picture of how various risks could converge to affect the business.

Incorporating scenario analysis into risk management enables organizations to prepare for multiple outcomes by assessing the likelihood and impact of different risk combinations. For example, a scenario might explore how an economic downturn coupled with a new regulatory requirement could impact business continuity and profitability. By running these scenarios, organizations can stress-test their strategies, identify weaknesses, and develop contingency plans that align with their long-term objectives. Scenario analysis helps organizations prepare not just for isolated risks but for the complex interplay of risks that can emerge in real-world situations.

Wargaming and Tabletop Exercises: Rehearsing for the Unknown

In Tolkien’s world, the Palantír was used not just for observation but for planning. Similarly, wargaming and tabletop exercises provide a practical and collaborative way for organizations to prepare for risk events before they occur. Wargaming goes beyond simple simulations—it’s a role-playing exercise that places teams in high-stakes scenarios to test their decision-making, coordination, and crisis management skills.

In a wargame or tabletop exercise, key personnel across the organization come together to respond to a simulated crisis. These exercises could range from dealing with a sudden cybersecurity breach to managing a large-scale supply chain disruption or a public relations crisis. Participants are required to make rapid decisions, manage resources, and collaborate under pressure, all while considering the ripple effects of their actions across the business.

The value of wargaming lies in its realism—unlike theoretical analysis, these exercises require teams to work through real-time decision-making processes and consider the practical challenges of managing a crisis. Afterward, teams debrief to review what went well, what could be improved, and where gaps exist in their risk preparedness. By rehearsing for the unknown, organizations develop muscle memory for risk management, ensuring that when a crisis does occur, they can respond with agility and confidence.

Integrating Horizon Scanning, Scenario Analysis, and Exercises into Risk Strategy

The tools of horizon scanning, micro-simulations, scenario analysis, and wargaming can be seamlessly integrated into an organization’s risk management framework to provide a 360-degree view of potential risks to objectives and evaluate possible responses. Much like how the Palantír offers a multi-dimensional perspective, these methods collectively give organizations the ability to see, test, and prepare for risks at every level.

By adopting these practices, organizations can move beyond traditional risk management, where risks are often treated as static threats, to a dynamic, forward-looking approach. With horizon scanning, they can detect emerging risks early. With micro-simulations, they can test the effects of specific risks. With scenario analysis, they can explore the impact of broader risks on their business objectives. And through wargaming, they can rehearse responses to high-pressure, high-stakes situations.

A Unified Approach: Turning Foresight into Action

A comprehensive risk management strategy that incorporates these elements allows businesses to shift from a reactive stance to a proactive one. They move from simply responding to risks after they occur to actively preparing for and mitigating risks before they happen. This kind of foresight empowers organizations to make better, more informed decisions that not only protect against risks to objectives but also position them for future opportunities.

The modern “Palantír” that organizations must build today involves the convergence of advanced risk intelligence, data analytics, and collaborative planning. With the right tools and processes, organizations can effectively scan the horizon for signals of potential risks to objectives, simulate how those risks will impact them, and prepare teams to respond swiftly and decisively.

As businesses face an increasingly complex and interconnected risk environment, having a “Palantír” view into emerging risks is no longer a luxury—it’s essential. Horizon scanning, micro-simulations, scenario analysis, and wargaming give organizations the foresight and preparedness they need to thrive in a world where risks are ever-evolving.

The ability to see beyond the present, to anticipate the challenges of tomorrow, and to rehearse responses to potential risks to objectives is a strategic advantage that few can afford to overlook. By embracing a holistic approach to risk management—one that integrates advanced forecasting tools and collaborative exercises—organizations can build resilience, protect their objectives, and confidently navigate the uncertainties of the future.

The Palantír of risk management is within reach. It’s time for organizations to gaze into it and take control of their future.

Risk Management vs. Compliance Management: Understanding the Distinction

In the realm of organizational governance, there is often confusion between risk management and compliance management. While both functions are integral to the overall health and sustainability of an organization, and part of GRC, they are fundamentally different in their purpose, approach, and execution. Understanding these distinctions is crucial for developing an effective governance framework that balances the need for innovation and strategic growth with the necessity of adhering to legal, regulatory, and ethical boundaries.

The Nature of Risk Management: Navigating Uncertainty

Risk management is about navigating uncertainty and making informed decisions that enable the organization to achieve its objectives. According to ISO 31000, “risk is the effect of uncertainty on objectives.” This definition highlights the inherent nature of risk management: it is not merely about avoiding negative outcomes but about understanding and managing the trade-offs associated with different courses of action.

Risk management involves identifying, assessing, and prioritizing risks that could impact the achievement of an organization’s objectives. These risks can be financial, operational, strategic, ethical, or even reputational. The key to effective risk management is the ability to balance potential rewards with potential downsides. This often involves making difficult decisions where there is no clear “right” or “wrong” answer but rather a spectrum of potential outcomes, each with its own set of consequences.

For example, consider a company deciding whether to enter a new market. The risk assessment might reveal significant opportunities for growth but also substantial risks related to regulatory uncertainty, cultural differences, or operational challenges. A risk manager’s job is to weigh these factors, consider the likelihood and impact of various risks, and recommend a course of action that aligns with the company’s risk appetite and strategic objectives.

Risk management is therefore about understanding the landscape of uncertainty and making informed decisions that optimize the potential for success while minimizing potential downsides. It is inherently strategic and involves a continuous process of risk identification, assessment, treatment, and monitoring.

Risk itself is neutral and agnostic. A risk analysis/assessment might determine that the organization can meet or exceed its objectives by violating a law or regulation.

Compliance Management: The Boundary Setter

Compliance management, on the other hand, is about ensuring that an organization adheres to the laws, regulations, and internal policies that govern its operations. Compliance is binary: an organization is either compliant or it is not. There is no middle ground, no weighing of pros and cons, no strategic trade-offs. Compliance is about following the rules—whether those rules are mandated by law, dictated by industry standards, or set by the organization’s own policies and ethical standards.

Compliance management is essential because it establishes the boundaries within which the organization can operate. These boundaries are (or should be) non-negotiable. For instance, consider a financial institution that must adhere to anti-money laundering (AML) regulations. Compliance with these regulations is mandatory, and failure to do so can result in penalties, including fines, legal action, and reputational damage.

While risk management might involve assessing the likelihood and impact of non-compliance with these regulations, the compliance function’s role is to ensure that the organization adheres to them. In this sense, compliance sets the boundaries for risk-taking by establishing what is legally and ethically permissible. It puts limits on the risks that the organization can take by defining the “red lines” that cannot be crossed.

The Intersection of Risk and Compliance: Compliance Risk Management

While risk management and compliance management are distinct, they do intersect—particularly in the area of compliance risk management. Compliance risk refers to the potential for violations of laws, regulations, or internal policies, which could lead to legal penalties, financial loss, or reputational harm.

Compliance risk management involves identifying and assessing compliance risks, implementing controls to mitigate these risks, and monitoring the effectiveness of these controls. However, it’s important to note that compliance risk management is just one aspect of the broader enterprise risk management function and even broader integrated GRC functions. Enterprise and operational risks encompass a much wider range of potential issues, from market volatility to supply chain disruptions, which may or may not have a direct compliance component.

For example, a pharmaceutical company may face compliance risks related to FDA regulations, but it also faces operational risks related to supply chain reliability, financial risks related to currency fluctuations, and strategic risks related to market competition. While the compliance function will focus on ensuring adherence to FDA regulations, the risk management function will take a broader view, considering how all these risks interact and impact the organization’s overall objectives.

The Importance of Separation: Balancing Checks and Balances

Given the differences between risk management and compliance management, these functions must remain separate but collaborative within an organization. This separation allows for a system of checks and balances that enhances the organization’s ability to manage risk while ensuring compliance with legal and ethical standards.

Risk management needs the freedom to explore different strategic options, including those that involve taking calculated risks. This freedom is essential for innovation and growth. However, without the boundaries set by the compliance function, there is a danger that risk management could pursue strategies that, while potentially profitable, violate legal or ethical standards.

On the other hand, the compliance function provides the necessary constraints that ensure the organization operates within the boundaries of the law and its ethical standards. However, without the insights from risk management, the compliance function could become overly rigid, potentially stifling innovation and growth.

For example, consider a tech company developing a new product that involves collecting user data. The risk management team might assess the potential for significant profit but also recognize the risks related to data breaches or privacy violations. The compliance team, meanwhile, will focus on ensuring that the product meets all data protection regulations, such as GDPR or CCPA. By working together, these teams can develop a product that is both innovative and compliant, balancing the need for growth with the necessity of adhering to legal and ethical standards.

Collaboration for Organizational Success

In conclusion, risk management and compliance management are distinct but complementary functions within an organization. Risk management is about navigating uncertainty and making strategic decisions that balance potential rewards with potential risks. Compliance management, on the other hand, is about ensuring that the organization operates within the boundaries set by laws, regulations, and ethical standards.

While these functions must remain separate to maintain a system of checks and balances, they must also collaborate closely to ensure that the organization can achieve its objectives while adhering to the necessary legal and ethical boundaries. By understanding and respecting the distinctions between risk management and compliance management, organizations can create a governance framework that supports both innovation and integrity, driving sustainable success in an increasingly complex and regulated world.