Proactive third-party risk management: A governance-based strategy

No organization is an isolated entity. It is part of an extended enterprise of suppliers, vendors, service providers and other third parties. This complex web of relationships drives efficiency and innovation, but it also introduces significant risk and resilience challenges. Ensuring the reliability, integrity, compliance and resilience of third-party relationships is no longer a best practice; it is a business imperative.

Third-party risk management (TPRM) extends beyond traditional procurement and vendor assessments. It encompasses a holistic approach that integrates governance, risk management and compliance (GRC) across the entire lifecycle of third-party relationships, spanning onboarding, ongoing monitoring and offboarding.

In this context, this means organizations must . . .

[The rest of this blog can be read on the IBM blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Navigating the RegTech Universe: Charting a Path Through a Maze of Offerings

In today’s rapidly evolving regulatory landscape, organizations face an increasingly complex and dynamic environment where managing compliance obligations demands agility, efficiency, effectiveness, resilience, and innovation. At the intersection of technology and regulation, RegTech has emerged as a pivotal component/segment within the broader Governance, Risk Management, and Compliance (GRC) market, offering transformative solutions that enable organizations to stay ahead in the fast-moving regulatory world.

As the #2 influencer in RegTech (ask ChatGPT), here are some thoughts . . .

Regulatory Technology, or RegTech, leverages technology — most notably with artificial intelligence (AI) — to streamline compliance processes, enhance risk management, and automate the monitoring and reporting of regulatory obligations. As part of the broader GRC market, RegTech has significantly reshaped how organizations approach compliance, transforming what was once viewed merely as a burdensome cost center into a strategic enabler of business agility, efficiency, and resilience.

A core facet of my analysis at GRC 20/20 has been evaluating RegTech’s evolution, capabilities, and market traction. The landscape is rich, complex, and rapidly expanding. While AI dominates discussions around innovation in RegTech, I frequently caution organizations to look beyond the buzzword. In reality, there are compelling and sophisticated implementations of AI in RegTech, but equally, there are solutions akin to the “Wizard of Oz” — where behind the curtain, humans continue to operate many processes manually, diminishing the true promise and effectiveness of AI-driven RegTech automation.

Ultimately, navigating the RegTech universe demands clear-sighted evaluation of technologies—understanding what truly offers innovative AI capabilities versus solutions where AI is more promise than reality. As we delve deeper into this universe, we equip organizations with the insights and tools needed to leverage RegTech strategically, driving true governance, risk, and compliance effectiveness.

As RegTech continues to evolve and mature within the GRC landscape, staying informed, critical, and forward-looking remains key to successfully managing regulatory risk and harnessing technology’s full potential.

GRC 20/20 maps several key areas within RegTech:

  • Regulatory Change Management. Ensuring firms keep pace with evolving regulations globally, from horizon scanning to implementing controls and updating policies.
  • Regulatory Reporting. Automating the collection, analysis, and submission of regulatory data.
  • Operational Risk and Internal Control Management and Benchmarking. Enhancing and benchmarking resilience and internal control effectiveness.
  • Transaction and Trade Monitoring. Real-time monitoring to detect unusual or suspicious activities.
  • AML & Financial Crime (FinCrime). Leveraging technology to monitor, detect, and prevent financial crime.
  • Know Your Customer (KYC). Streamlining customer due diligence processes and improving accuracy.
  • Conduct and Surveillance. Monitoring behaviors and transactions to ensure compliance with internal and external regulations.
  • Financial Risk Management. Managing risks associated with financial operations, including market, credit, and liquidity risks.

One area of RegTech experiencing tremendous traction globally is Regulatory Change Management. At GRC 20/20, I’ve observed this as one of the most pressing and prominent use cases gaining traction worldwide. Regulatory Change Management, vital in today’s turbulent compliance environment, encompasses monitoring regulatory changes through horizon scanning, assessing the business impact, and managing responses to ensure organizations remain compliant.

My interactions around the globe underscore that efficient Regulatory Change Management solutions can dramatically mitigate compliance risks and optimize operational efficiency. The traction in Regulatory Change Management has been evident in my international engagements. Soon, I’ll be sharing insights in the upcoming workshops in Toronto and Zurich:

In the context of AML and FinCrime RegTech, this engagement continues at the AML & FinCrime Summit in New York City tomorrow, where I’ll moderate both the keynote panel and another significant session, bringing into sharp focus how RegTech effectively combats financial crime through smarter AML processes, transaction monitoring, and KYC (Know Your Customer) protocols. These panels are:

Looking ahead, I am also deeply involved with the Global RegTech Summit 2025 in London (May) and New York City (September), highlighting RegTech’s growing global significance. These summits reflect critical industry insights, innovation trends, and practical adoption strategies to help organizations thrive in increasingly complex regulatory landscapes.

Looking forward, the Global RegTech Summit 2025 takes place in London in May and later this year in New York City in September. These events serve as pivotal platforms for industry leaders and innovators to collaborate, exchange ideas, and explore solutions that define the future of regulatory compliance.

Rise of the Digital Trust & Resilience Officer: Death of the CISO, Part 2

In my previous post, The Death of the CISO: A Eulogy & Reincarnation, I argued that the traditional role of the Chief Information Security Officer (CISO) is evolving—or rather, undergoing a necessary transformation. The response was overwhelming, with over 100,000 views on LinkedIn alone, demonstrating that this shift is not only necessary but deeply resonant across industries. While some loved their CISO title, nobody argued with my premise that this role is not the same and has evolved. Information security in the title does not adequately describe this role anymore.

The question now is, what should the CISO become?

I initially posited the title of Digital Risk & Resilience Officer, but upon further reflection, I believe a better mantle may be Digital Trust & Resilience Officer. Why? Because trust—not just risk management—is the foundation of the modern digital enterprise. Trust is proactive, holistic, and forward-looking. Risk management, while crucial, is what achieves and enables trust, but is often perceived as a cost center rather than a business enabler.

Why Digital Trust is Paramount in Today’s Business Environment

The world operates on digital trust. Every transaction, every customer interaction, every collaboration within and beyond the enterprise is predicated on confidence in the integrity, confidentiality, availability, security, and ethical stewardship of data, information, and digital infrastructure/architecture. Without trust, digital transformation collapses under the weight of skepticism, uncertainty, and regulatory scrutiny.

Consider the following:

  1. Trust is the Ultimate Brand Currency. The digital economy has ushered in an era where businesses are built not just on products or services, but on relationships. Those relationships, in turn, are founded on trust. Companies that cultivate digital trust enjoy stronger brand loyalty, higher customer retention, and a distinct competitive advantage. A single breach—whether of data, privacy, or ethics—can shatter that trust, sometimes irreparably. Just ask any organization that has suffered a high-profile cybersecurity incident and watched its stock price plummet and customers flee.
  2. Trust Extends Beyond the Enterprise. Organizations no longer operate in isolation. The modern business ecosystem is an extended enterprise that includes third parties, suppliers, contractors, cloud providers, and strategic partners. A security vulnerability or compliance failure anywhere in this network can disrupt operations, expose sensitive information, and damage reputations. Managing risk is necessary—but instilling trust throughout the digital ecosystem ensures continuity, resilience, and shared confidence in business relationships.
  3. Stakeholders Demand Trust, Not Just Risk Mitigation. Investors, regulators, employees, and customers are no longer satisfied with mere compliance. They demand ethical AI, responsible data governance, robust cybersecurity, and transparency in risk management. The organizations that lead with trust—rather than just react to risks—are the ones that will attract investment, talent, and long-term loyalty.
  4. Trust is the Foundation of Innovation. Organizations that are mired in constant risk aversion struggle to innovate. Fear-based risk management stifles digital transformation and agility. Conversely, a trust-based approach empowers businesses to adopt new technologies, expand into new markets, and experiment with emerging business models—secure in the knowledge that their digital foundation is strong, resilient, and credible.

Digital Trust is More Valuable Than Digital Risk Management

Risk management is essential, but it does not inspire confidence by itself. Trust, on the other hand, is a business driver. Trust fosters engagement, enables growth, and secures long-term business viability. Risk is the effect of uncertainty on objectives. One of those core objectives, in this context, is digital trust. Digital trust is the focus and goal, and it provides the context for risk management.

While risk must be understood, controlled, and mitigated, trust must be actively built, nurtured, and expanded. Consider:

  • Trust enhances business value. Companies with strong trust postures outperform their competitors in customer satisfaction, revenue growth, and market valuation.
  • Trust is proactive. Risk management seeks to manage uncertainty in achieving objectives, and in this context it responds to the objective of digital trust. Trust ensures positive engagement.
  • Trust builds resilience. Organizations with high trust are more adaptive in crises, better at recovering from incidents, and more likely to maintain customer and investor confidence in uncertain times.

Reframing the CISO as the Digital Trust & Resilience Officer

The modern CISO cannot simply be a guardian of risk and controls. That role, while critical, is too narrow, too limiting. The future demands a leader who ensures trust in the digital enterprise—a leader who integrates cybersecurity, privacy, ethics, governance, compliance, and digital operational resilience into a seamless strategic function. This is not just a semantic shift; it is a fundamental redefinition of purpose and value.

The Digital Trust & Resilience Officer:

  • Builds confidence in digital transactions, interactions, and data stewardship.
  • Ensures resilience not just against cyber threats, but against any disruption to trust (e.g., AI bias, regulatory misalignment, unethical data use).
  • Engages with the board and executive leadership as a strategic partner, demonstrating how trust translates into business value.
  • Leads a proactive culture of integrity, security, and digital ethics rather than one of fear and restriction.

The Future of Digital Trust & Resilience

As organizations continue to navigate the complexities of digital transformation, trust will become an even more critical differentiator. The role of the CISO—or its successor—must evolve beyond security and risk oversight into one that fosters and maintains digital trust and operational resilience across the digital enterprise.

What do you think? Should the CISO evolve into the Digital Trust & Resilience Officer? Or does the focus on risk still hold more weight and it should be the Digital Risk & Resilience Officer? Or do you prefer sticking to the old CISO title? I’d love to hear your thoughts.

The Regulatory Divide: How EU and US Approaches Shape Business Strategy

Regulatory frameworks define how businesses operate, innovate, and ensure compliance in different jurisdictions. When comparing the regulatory landscapes of the European Union (EU) and the United States (US), a stark contrast emerges. While both regions aim to balance economic growth with governance, their priorities and methodologies differ significantly.

Principles vs. Prescription: A Cultural and Regulatory Divide

One of the most notable distinctions between EU and US regulations is the approach to compliance. The EU regulatory framework is predominantly principles- and outcome-based, requiring organizations to meet broad objectives while allowing flexibility in how they achieve compliance. This originally started in the United Kingdom under the Financial Services Authority (FSA) before it became the Financial Conduct Authority (FCA). It then moved over to the EU to become part of the better regulatory policy. In contrast, US regulations are often more prescriptive, providing detailed rules and checklists that companies must follow to the letter.

This difference manifests in multiple ways:

  • Differences in Risk Management Perspectives. European regulations emphasize a top-down, strategic view of risk, integrating governance and compliance into broader business objectives. The US, however, often adopts a bottom-up, checklist-driven approach to compliance. Therefore, EU regulations take a more risk-based approach to compliance than the US.
  • Corporate Responsibility. EU regulations, such as the General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), and Corporate Sustainability Reporting Directive (CSRD), and many more, focus on ethical considerations, consumer rights, and corporate accountability. US regulations, while robust in areas like financial reporting and anti-corruption, tend to prioritize business efficiency and liability mitigation over broader societal concerns. In a panel I hosted last week, #RISK Digital North America – EU Regulations as a Strategic Compass for US Companies, the panelists and I stated that the EU has a more people-first and centric approach to regulation.

Increased Demand for Evidence-Based Compliance

A key trend driving regulatory evolution is the growing demand for evidence-based compliance. As highlighted in recent discussions, EU regulations are increasingly requiring organizations to not only implement policies but also provide auditable, documented proof of compliance. This shift moves compliance beyond check-the-box exercises to defensible, data-driven processes that regulators can scrutinize.

In contrast, US compliance practices still lean heavily on procedural adherence. While legal and regulatory frameworks mandate compliance, they often fall short of requiring the same level of ongoing, evidence-backed validation we are now seeing in EU governance and compliance. This difference further reinforces the EU’s principles-based approach, where organizations must demonstrate not just compliance but also effectiveness in achieving regulatory objectives.

Extraterritorial Impact: The EU’s Regulatory Reach

A defining characteristic of EU regulations is their global reach. Laws such as GDPR and CSRD extend beyond Europe’s borders, affecting any company that handles EU citizens’ data or operates within the EU market. This approach has influenced regulatory developments worldwide, inspiring similar legislation in Brazil (LGPD), India (DPDP Act), and even state-level privacy laws in the US, such as the California Consumer Privacy Act (CCPA).

For many US businesses, this extraterritoriality means that compliance with EU regulations is no longer optional. Companies aiming for global expansion must align with EU standards to maintain market access, mitigate risks, and build consumer trust.

The Competitive Advantage of EU Compliance

While compliance with EU regulations can be complex and resource-intensive, it offers strategic benefits for US companies. Businesses that proactively adopt EU-aligned practices position themselves for success in a global economy by:

  1. Enhancing Consumer Trust. European regulations emphasize data protection, ethical AI usage, and environmental and social responsibility and sustainability. Companies that adhere to these principles can differentiate themselves as trustworthy brands in an era of growing consumer concern over privacy and corporate ethics.
  2. Strengthening Resilience. EU regulations often take a holistic, long-term approach to risk, ensuring organizations are prepared for regulatory shifts, cybersecurity threats, and environmental changes. This proactive stance can help companies navigate future uncertainties more effectively. There is a stronger regulatory focus on operational resilience across Europe, including the United Kingdom, not just the EU.
  3. Facilitating Market Expansion. Aligning with EU regulatory frameworks simplifies entry into multiple international markets that follow similar standards. It also reduces the friction of adapting to evolving global compliance requirements.

An additional layer to this discussion is the comparison between the US and the UK/EU on risk and compliance approaches. As noted in previous posts of mine, European regulatory frameworks tend to be more sophisticated in how they integrate compliance into broader risk management structures. The UK’s Financial Conduct Authority (FCA) pioneered the principles-based compliance model before the EU widely adopted it, shaping modern regulatory expectations that prioritize adaptability and accountability.

Meanwhile, US compliance programs frequently rely on detailed, rule-based frameworks that focus on legal adherence rather than proactive risk management. This gap often leaves US companies reacting to regulatory updates rather than integrating compliance into long-term strategy. For organizations that operate internationally, bridging this gap by adopting EU-style governance models can create a significant competitive advantage.

Looking Ahead: The Future of Regulation

The EU continues to lead in shaping global regulatory trends, particularly in AI governance, digital resilience, and ESG (Environmental, Social, and Governance) requirements. Yes, the EU Omnibus has restructured CSRD and CS3D, but it is still significant. Emerging regulations like the EU AI Act and ESG reporting standards signal a shift toward greater corporate accountability and sustainability.

Meanwhile, the US remains fragmented in its regulatory approach, with states enacting their own laws in the absence of comprehensive federal legislation. However, as global regulatory alignment increases, US businesses that take a forward-looking approach by adopting EU-driven compliance strategies will gain a competitive edge.

Conclusion: A Strategic Compass for US Companies

Rather than viewing EU regulations as a burden, US companies can use them as a strategic compass. By embracing principles-based compliance and aligning with global standards, businesses can drive innovation, strengthen risk management, and build long-term value. The shift toward evidence-based compliance in the EU further underscores the need for organizations to develop robust governance frameworks that go beyond mere adherence and demonstrate real effectiveness.

As the regulatory landscape continues to evolve, adaptability and a commitment to ethical governance will define the leaders of tomorrow. US companies that proactively integrate these principles will not only mitigate risk but also unlock new opportunities for growth, resilience, and trust in an increasingly interconnected world.

GRC Starts with Objectives, Not Risk and Compliance

Too many Governance, Risk Management, and Compliance (GRC) programs are fundamentally backward. Instead of starting with objectives, they focus on compliance checklists or risk registers, often relegating objectives to an afterthought (tags to a risk) — if they are considered at all. What many organizations practice is not true GRC but rather CRG (Compliance, Risk, and Governance in reverse), or worse, just CR (Compliance and Risk) or even simply C (Compliance).

This is not what GRC was meant to be.

The official definition of GRC, as found in the OCEG GRC Capability Model, is:
“GRC is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).”

This definition underscores the correct order of operations in a GRC program—objectives come first. True GRC is about ensuring that an organization reliably sets and achieves its objectives. Risk and compliance are important, but they serve the primary purpose of enabling an organization to meet its objectives while managing uncertainty and maintaining integrity.

Why Objectives Matter in GRC

According to ISO 31000, risk is the effect of uncertainty on objectives. This means that without a clear understanding of objectives, risk management is meaningless. Objectives define what the organization is trying to achieve, and risks are uncertainties that could impact those objectives.

Objectives exist at multiple layers within an organization:

  • Entity-Level Objectives – Overall strategic and corporate objectives
  • Divisional & Departmental Objectives – Goals specific to business units and teams
  • Process & Project Objectives – Performance and operational targets within workflows
  • Asset & Third-Party Objectives – Expectations and performance metrics for resources and external partners

Governance is about setting the right objectives and ensuring they are reliably achieved. This means that governance is not just about oversight but about performance. Effective governance structures define and track objectives, ensuring that risks are managed in a way that enables the organization to meet its goals.

The major difference between Europe and the USA in risk management approaches further highlights this issue:

  • Europe – Risk management is closely aligned with ISO 31000 and is focused on business objectives.
  • USA – Risk management tends to be more compliance-driven, often reduced to checklists primarily for SOX compliance.

Even compliance frameworks in Europe are more principle-based and outcome-oriented, requiring organizations to demonstrate how they achieve compliance objectives. In contrast, the USA’s compliance landscape is often prescriptive, with a heavy reliance on checkboxes rather than achieving meaningful business outcomes.

Understanding this nuance between Europe and the USA is why many USA solution providers fail in their marketing in Europe. There is a different focus and messaging.

Environmental, Social, and Governance (ESG) initiatives are another example of how objectives should drive GRC. ESG is fundamentally about setting and achieving sustainability and ethical business objectives. Risks and compliance requirements follow from those objectives, not the other way around. An organization has the objective of being carbon neutral by a certain date, to eliminate PFAS (forever chemicals) in its products, or to have zero tolerance for modern slavery. These are objectives. Organizations that start with ESG risks without defining clear objectives are missing the point.

The Problem: Many GRC Programs and Technologies Get It Wrong

The vast majority of GRC programs within organizations and the GRC technology that supports those programs fail to align with this definition. They start with risk registers, controls, or compliance requirements, leaving objectives as a tertiary consideration (if at all). This approach fundamentally undermines the value of GRC by detaching it from what actually drives the organization—its strategic, financial, operational, and ethical objectives.

Unfortunately, most GRC technology platforms do not start with objectives. Many organizations have adopted GRC solutions that are nothing more than compliance management systems or risk registers. They focus on risk registers, controls, and compliance requirements, treating objectives as an afterthought or a tag to a risk. These solutions focus heavily on checklists, regulatory mappings, and control frameworks, but they fail to establish a direct link to the business’s core purpose: achieving objectives.

Only a few solutions in the market truly address the “G” in GRC by prioritizing business objectives and performance against those objectives. If you’re looking for a GRC solution that genuinely starts with objectives, feel free to reach out — I can point you to those that get it right, or mostly right. As an analyst I cover the range of solutions available in the market.

Conclusion: Get GRC Right by Starting with Objectives

If your organization’s GRC program starts with risk and compliance instead of objectives, it’s time for a reset. Good GRC is about ensuring the organization reliably achieves its objectives, manages uncertainty effectively, and acts with integrity. Governance, risk management, and compliance should work together in that order—starting with a clear understanding of business goals.

To truly unlock the value of GRC, organizations must shift their focus from checkboxes and control frameworks to strategic and operational performance. Objectives are not an afterthought; they are the foundation of good GRC.

ES-G-RC: How GRC is the Foundation for ESG and EU CSRD Reporting

Environmental, Social, and Governance (ESG) is a growing challenge for organizations to manage and report on. It has become a core part of corporate strategy, driven by values, stakeholder expectations, and regulatory requirements such as the EU Corporate Sustainability Reporting Directive (CSRD), which impacts 50,000 firms that have to report annually. With over 1,100 data points that go into CSRD reporting, organizations have to get their ESG act together.

There are different views on ESG, and I respect that. At the heart of ESG is stewardship. Every organization should put a stake in the ground in its commitments and objectives to the environment, to its social commitments, and to the governance of the organization. These may very well vary between organizations. The environmental aspect is much more than climate change; it includes air, water, waste, use of natural resources, and things like elimination of PFAS (forever chemicals). The social and governance aspects also include a lot of elements.

I do not think anyone reading this will disagree that modern slavery, part of the social, is a bad thing. In the end, ESG is best summed up in the words of my favorite fictional U.K. Premier League Coach and philosopher, Ted Lasso, “Doing the right thing is never the wrong thing.” It is up to organizations to define what the right thing is for their organization in context of the environment, the social communities it serves, and the governance of the organization.

But how do organizations ensure that their ESG initiatives are well-governed, that ESG objectives are set and performance is measured, that they are aware of the uncertainty in achieving those objectives, and that they are compliant with the values and commitments of the organization? The answer lies in Governance, Risk Management, and Compliance (GRC).

The Role of GRC in ESG

The OCEG defines GRC as: “an integrated capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).” This definition is a perfect starting point for understanding ESG within an organization. Effective ESG management must begin with well-defined objectives, not just risk assessments. Too many ESG management platforms start with risks, which is like putting the cart before the horse. ESG objectives should drive risk identification, not the other way around. As an analyst, I will NEVER recommend an ESG solution that does not start with ESG objectives, and ESG program management.

At its core, ESG is about setting and achieving objectives. Organizations must begin with a clear vision of what they aim to accomplish in the environmental, social, and governance domains.

  • Environmental Objectives. Companies must define their commitments to sustainability, whether through carbon footprint reduction, waste management, energy efficiency, elimination of PFAS, or responsible sourcing of materials. These objectives should be measurable and aligned with broader industry and regulatory expectations.
  • Social Commitments. The social component of ESG involves ensuring fair labor practices, no tolerance for modern slavery, employee well-being, and ethical supply chain labor practices. Organizations must consider how they engage with employees, communities, and stakeholders to foster a socially responsible culture.
  • Governance Standards. Effective governance is the backbone of a successful ESG strategy. This includes ensuring ethical leadership, internal controls, anti-corruption, robust data protection policies, regulatory compliance, and transparency in decision-making. Strong governance creates trust and accountability within the organization and among external stakeholders.

Without a structured approach provided by GRC, ESG efforts risk becoming fragmented and ineffective. GRC offers the necessary framework to integrate ESG goals into daily operations, ensuring they are well-governed, managed, and continuously improved.

The GRC Capability Model and ESG

In recent ESG and EU CSRD workshops I conducted in Stockholm and Utrecht, I presented the OCEG GRC Capability Model 3.5, and it resonated with over 60 organizations working on ESG. The model provides a comprehensive framework for ESG management through four core components: Learn, Align, Perform, and Review.

  1. Learn (Understanding ESG Contexts). Before setting ESG objectives, organizations must first understand the broader context in which they operate. The learning phase is foundational, as it establishes a comprehensive understanding of the external and internal factors influencing ESG strategy.
    • External Context. This includes understanding the regulatory landscape, evolving standards, and market trends. For example, organizations operating in the EU must align with the CSRD, which mandates transparency in ESG disclosures and reporting. This also includes understanding where you do business and who you do business with.
    • Internal Context. Organizations must assess their internal capabilities, culture, values, ethics, policies, and existing ESG initiatives. This helps in identifying gaps and areas where improvements are necessary. I always recommend organizations take an inventory of their current array of policies that relate to the aspects of ESG.
    • Stakeholders. Companies must recognize the role of investors, employees, regulators, and customers in shaping their ESG approach. Stakeholder expectations must be integrated into ESG planning to ensure long-term credibility. The same applies to customers: organizations that are not aligned with the values of their customers face significant challenges in the market, as the past few years have shown in several examples.
    • Corporate Culture. A successful ESG strategy aligns with an organization’s ethical values and corporate mission. ESG must be embedded into the company’s DNA rather than treated as a compliance requirement alone.
  2. Align (Defining the ESG Strategy). Once the organization has learned its ESG landscape, it must align its strategy with clearly defined objectives and a structured approach to risk management.
    • Direction. Organizations need to define their ESG mission and values and set a clear vision for sustainability and social responsibility. This includes defining who leads ESG and which roles and departments are part of the team.
    • Objectives. ESG goals must be SMART (Specific, Measurable, Achievable, Relevant, Time-bound) and aligned with the organization’s values, commitments, and obligations.
    • Identification. Identifying risks and opportunities that could hinder or help ESG progress. These could include regulatory, reputational, operational, and environmental risks. Risk is the effect of uncertainty on objectives (ISO 31000), in this case the ESG objectives.
    • Analysis. Once identified, risks must be assessed based on the uncertainty they introduce into the organization achieving its ESG objectives. A structured approach helps prioritize risk management efforts and enables the organization to achieve or even exceed its ESG objectives.
    • Design. Organizations must build a structured ESG program that includes policies, frameworks, internal controls, and dedicated teams responsible for execution as well as those accountable for objectives and risks. A well-designed program enables consistent application and progress measurement.
  3. Perform (Executing the ESG Program). With the strategy in place, organizations must implement and operationalize ESG across all levels of the business.
    • Controls. Implementing and monitoring ESG-related internal controls ensures compliance with internal objectives and external standards. This includes emission tracking, supply chain audits, and ethical labor practices.
    • Policies. ESG-related policies, of which there are a plethora, should be well-documented, accessible, and actionable. These policies must provide clear guidance on the range of environmental, social, and governance practices, expectations, and boundaries.
    • Communication & Education. Employees and stakeholders need to be educated on ESG objectives, related policies and internal controls, and their role in achieving them. Effective communication fosters engagement and accountability.
    • Incentives & Accountability. ESG performance must be tied to incentives, such as executive compensation linked to sustainability targets or employee participation in environmental programs. At the same time, organizations must establish accountability mechanisms for ESG compliance.
    • Monitoring & Reporting. Continuous monitoring is necessary to track ESG progress. Organizations should leverage technology and data analytics to ensure real-time insights and accurate reporting.
  4. Review (Ensuring Continuous ESG Improvement). ESG is not a static initiative but an evolving process requiring regular assessment and updates.
    • Monitoring & Auditing. ESG monitoring and data collection should be conducted to evaluate performance against internal controls, policies, and standards.
    • Assurance. Internal and external stakeholders require assurance that ESG commitments are being met. Organizations must build transparent reporting mechanisms that align with the applicable reporting frameworks. Regular internal audits provide assurance, while external audits provide independent third-party validation. Organizations facing CSRD have to move from limited assurance to reasonable assurance over the next few years.
    • Continuous Improvement. ESG strategy must evolve in response to changing regulations, market trends, and stakeholder expectations. Companies should use insights from audits and reviews to refine and enhance their ESG initiatives.

The EU CSRD requires organizations to report on sustainability and ESG performance with the same rigor as financial reporting. The GRC Capability Model ensures that organizations can:

  • Define the organization’s ESG objectives in the context of the organization’s values and obligations.
  • Identify ESG risks and opportunities with a structured approach.
  • Implement internal controls to ensure ESG compliance and risk mitigation.
  • Maintain accurate and comprehensive ESG records to meet regulatory reporting requirements.
  • Continuously assess and improve ESG performance to align with evolving standards.

GRC is the foundation for successful ESG implementation. Organizations must take a structured approach to ESG, leveraging the GRC Capability Model to define objectives, manage risks, and maintain compliance. ESG is not just about checking a regulatory box—it’s about embedding sustainability into the organization’s core strategy. By following the Learn, Align, Perform, and Review approach, organizations can transform ESG from a regulatory burden into a driver of long-term value and resilience.

The Challenges of ESG Reporting: Navigating the Complexity of EU CSRD

While the USA is going in different directions, and the EU considers streamlining and integrating requirements later this month, the global landscape of Environmental, Social, and Governance (ESG) reporting has fundamentally changed with the European Union’s Corporate Sustainability Reporting Directive (EU CSRD) first wave of corporate reports being published in 2025. Last week was intense and enlightening in my journeys across Europe, engaging with nearly 60 organizations across multiple ESG and CSRD discussions.

The journey toward effective ESG reporting is complex, costly, and evolving—but those who embrace it with the right mindset will find not just compliance, but a strategic advantage. The question is no longer if ESG will shape business operations, but how organizations will rise to the challenge.

But there are challenges . . . unlike traditional financial reporting, which historically required around 200 data points, ESG reporting under CSRD necessitates over 1,100 data points, and that number multiplies as companies account for subsidiaries, divisions, locations, and third-party relationships. This shift is not just a European challenge—CSRD has global implications, impacting approximately 50,000 companies worldwide, including non-EU firms with significant operations in Europe.

One of the most pressing challenges of EU CSRD is the requirement for third-party assurance on ESG reports. Organizations are already experiencing a one-third increase in audit fees due to limited assurance requirements, and these costs will escalate significantly once reasonable assurance becomes mandatory. Unlike traditional audits, ESG assurance involves validating complex, qualitative, and often subjective data points, adding further strain on internal resources.

Two Approaches: Strategic Advantage vs. Checkbox Compliance

One striking observation from my recent workshops across London, Utrecht, and Stockholm is the variation in how companies structure ESG ownership. Some firms have designated ESG controllers or sustainability officers, while others distribute ESG responsibilities across finance, compliance, risk management, legal, audit, and internal control teams. In certain cases, ESG leaders report directly to the Board or CEO, underscoring its strategic significance, while in others, ESG remains a compliance function buried within operational silos.

Among the organizations I engaged with, there was a clear divide in approach:

  1. Principled Performance – Companies that see ESG as an opportunity for better governance, risk management, integrity, and corporate strategy, aligning with OCEG’s concept of Principled Performance.
  2. Checkbox Compliance – Organizations that view ESG solely as a regulatory requirement, focused only on meeting minimum compliance thresholds rather than leveraging ESG for competitive advantage.

The ESG & EU CSRD Insomnia: What Keeps Organizations Awake at Night

During my workshops in Utrecht and Stockholm, I facilitated discussions on what keeps organizations up at night regarding ESG and CSRD compliance. Below are the top concerns voiced:

Regulatory & Compliance Challenges

  • Understanding the complexity and breadth of EU CSRD.
  • Evolving internal control frameworks for ESG reporting.
  • Managing assurance requirements, shifting from limited to reasonable assurance.
  • Competing demands from other major EU regulations (e.g., DORA, CSDDD, AI Act, NIS2) under constrained resources.
  • Navigating the subjective nature of ESG requirements.
  • Preparing for regulatory consequences and enforcement actions.

Data Challenges

  • Identifying data sources for the 1,100+ ESG reporting requirements.
  • Ensuring data accuracy, quality, and reliability.
  • Managing subsidiary cooperation in ESG data collection.
  • Addressing disparate data sources and lack of standardization.
  • Integrating ESG reporting into broader GRC (Governance, Risk & Compliance) systems.
  • Determining how far down the supply chain ESG reporting should go.
  • The potential role of AI and automation in ESG data management.

Financial & Resource Constraints

  • Rising audit and assurance costs.
  • Limited ESG expertise and resources within organizations.
  • Balancing ESG priorities with other business objectives.
  • The unexpected scale of compliance costs and resource allocation.
  • The impact of ESG disclosures on corporate reputation and investor relations.

Strategic and Cultural Implications

  • Integrating ESG into corporate culture and risk management.
  • Understanding the role of internal vs. external audit in ESG.
  • Aligning ESG strategies across different global cultures and industry sectors.
  • Establishing benchmarks for ESG compliance and reporting.

Where Do Organizations Go From Here?

With the first CSRD-aligned reports already being released, it is evident that ESG reporting is more than a regulatory requirement—it is a fundamental shift in how businesses operate and disclose their impact. Leading companies are integrating ESG into their core business strategy, governance frameworks, and risk management processes. Those that take a checkbox approach risk increased costs, reputational damage, and regulatory scrutiny.

As ESG and EU CSRD continue to evolve, organizations must focus on smarter, data-driven approaches that align ESG reporting with broader business objectives. Whether through automation, AI-powered compliance tools, or integrated risk and compliance (GRC) solutions, the key to ESG success lies in principled performance rather than reactive compliance.

Navigating Provision 29 of the UK Corporate Governance Code: Challenges and Insights

What an exhilarating few weeks! My recent travels have taken me across the Middle East, London, Utrecht, and Stockholm, engaging with organizations and professionals across the governance, risk management, and compliance (GRC) landscape. The energy and focus on risk management, regulatory compliance, ESG, and corporate governance have been evident in every discussion, workshop, and meeting.

This week, I was back in London for an in-depth workshop on the UK Corporate Governance Code (UK CGC), with a particular emphasis on internal control and risk management by design to address Provision 29. Hosted at the historic Chartered Accountants Hall—where industry giants like Waterhouse and Cooper once presided—this session was packed with engaged professionals eager to address the challenges of the revised UK CGC. The timing of this workshop couldn’t have been more critical, as UK firms are under increasing pressure to ensure readiness for Provision 29. I have already advised on four RFPs in the UK this week from organizations looking for solutions to address this challenge. In just over a week, I will be heading to Asia for more GRC engagements, hosting workshops in the Philippines, Malaysia, and Singapore.

The Growing Pressure of Provision 29

Provision 29 of the updated UK Corporate Governance Code is top of mind for many UK organizations as they prepare for 2025. It mandates that boards provide a declaration of the ongoing effectiveness of their risk management and internal control systems. While some call it “UK SOX” (drawing comparisons to the Sarbanes-Oxley Act in the U.S.), I find that analogy misleading. UK CGC is distinct in its approach, placing a strong emphasis on ongoing, proactive risk and control management rather than compliance-driven financial control attestation.

Organizations across industries are grappling with how to operationalize Provision 29. As one UK bank shared in the context of my workshop:

“The UK Corporate Governance Code is one of our main projects this year. Readiness for Provision 29 means identifying our most material controls, ensuring board disclosures on effectiveness, and maintaining alignment with peer banks to avoid being an outlier. Assurance is going to play a significant role, especially in evolving risk areas such as cyber and third-party risk.”

A smaller UK firm (under 500 employees) said it came out of the workshop more prepared for Provision 29:

“Thank you so much for the insightful workshop yesterday. I found it really interesting and came away buzzing with excitement as to new ways to invigorate the business in respect of controls and risk.”

The Risk and Internal Control Insomnia List

During my workshop, I had attendees collaborate on what keeps them up at night regarding UK CGC compliance and risk management. The resulting list highlights key concerns and challenges:

  • Concentration of risk knowledge in silos – lack of shared understanding across departments
  • Siloed approaches to risk and internal control – limited visibility and consistency
  • Cultural barriers – weak communication, inconsistency, and poor tone at the top
  • Defining ‘bad’ risk and internal control – what does ineffective risk management look like?
  • Incident reporting challenges – clarity on thresholds and processes
  • Managing business and regulatory change – adapting controls to evolving risks
  • Simplifying and prioritizing the approach to UK CGC – avoiding unnecessary complexity
  • Addressing redundancy and overlaps in risk and control functions
  • Educating the organization on UK CGC requirements – ensuring buy-in at all levels
  • Evaluating inherited controls – are they still appropriate in today’s risk landscape?
  • Process modeling and business risk analysis – integrating risk and control into core operations
  • Applying UK CGC principles effectively – practical implementation strategies
  • Embedding UK CGC into the three lines of defense – ensuring integrated accountability
  • Breaking down silos in risk and control management – fostering collaboration across departments
  • Cultural and accountability shifts for UK CGC compliance – making governance a shared responsibility
  • Linking UK CGC to strategy, performance, and objectives – ensuring risk supports business goals
  • Designing a UK CGC framework – aligning controls with business needs
  • Clarifying ownership and accountability structures – defining roles clearly
  • Identifying material vs. immaterial controls – focusing efforts where they matter most
  • Measuring control effectiveness – avoiding over-control and unnecessary bureaucracy
  • Assembling the right UK CGC team – ensuring the right expertise and collaboration

Moving Forward: The Path to Effective UK CGC Compliance

UK organizations must take a strategic, risk-based approach to implementing Provision 29. Success requires:

  1. Breaking Down Silos – Risk and control management should be an enterprise-wide initiative, not a fragmented exercise.
  2. Embedding UK CGC into Business Operations – Aligning risk and control frameworks with business strategy, performance management, and operational processes.
  3. Enhancing Risk Management, Awareness & Culture – Driving engagement across all levels of the organization to ensure risk and control are part of daily decision-making.
  4. Investing in Assurance and Continuous Monitoring – Leveraging technology and robust assurance mechanisms to demonstrate control effectiveness.
  5. Defining Material Controls with Confidence – Focusing on controls that truly mitigate the most significant risks, rather than creating unnecessary layers of compliance.

The UK Corporate Governance Code represents a major shift in how UK organizations approach internal control and risk management. Organizations must move beyond viewing compliance as a check-the-box exercise and embrace a more dynamic, integrated GRC framework that fosters resilience and accountability.

I look forward to continuing these discussions in the weeks ahead as I head to Asia for more workshops. The evolution of corporate governance and risk management remains a global challenge, but one that, when addressed effectively, can lead to stronger, more resilient organizations.

Risk and Resilience Management: Lessons from Driving a Car

Driving a car is a perfect analogy for understanding the principles of risk and resilience management. When we drive, we have an objective: a destination to reach. Similarly, in business, risk management begins with understanding objectives. According to ISO 31000, risk is defined as “the effect of uncertainty on objectives.” Achieving our goals—whether personal, organizational, or societal—requires navigating uncertainties, just as a driver navigates roads, traffic, and potential hazards.

Objectives: Our Focus is on the Road Ahead

When driving, our primary focus is on the road ahead. We watch for obstacles, anticipate turns, and adapt to changing conditions. This forward-looking approach aligns with effective risk management, where the goal is to proactively identify and address potential challenges that could disrupt achieving objectives. Unfortunately, many risk management programs fail because they are overly focused on the past, akin to driving a car while continuously staring in the rearview mirror.

While hindsight provides valuable lessons, effective risk management demands foresight. Rearview mirrors are essential, but they are not the primary focus for driving safely. Similarly, organizations must strike a balance between learning from past risks and preparing for future uncertainties.

The IPDE Method: A Framework for Risk Management

In driver’s education, we are taught the IPDE method: Identify, Predict, Decide, Execute. This simple yet powerful process is the essence of risk management:

  1. Identify: Recognize risks that could impact objectives. This could be anything from geopolitical tensions to supply chain vulnerabilities.
  2. Predict: Analyze potential scenarios and outcomes. What happens if a risk materializes? How severe could the impact be?
  3. Decide: Determine the best course of action to mitigate or respond to risks. Should you avoid, accept, transfer, or reduce the risk?
  4. Execute: Implement your chosen risk strategy. This step translates planning into action to ensure objectives remain achievable.

Just as a driver uses the IPDE method to navigate safely, organizations can use this framework to manage risk effectively.

The Role of External Risk Intelligence

Driving isn’t just about controlling the car; it’s also about adapting to external conditions like weather, traffic, and road closures. Drivers rely on external intelligence from tools like GPS systems, traffic updates, and weather forecasts to make informed decisions. Similarly, effective risk management requires external risk intelligence. Organizations must gather and analyze data on geopolitical risks, economic trends, natural disasters, commodity availability, and other external factors that could impact their objectives.

Without this external perspective, risk management becomes myopic, and decisions are made in a vacuum. External intelligence provides the context needed to navigate an increasingly complex and interconnected world.

Resilience: The Operational Backbone

While risk management focuses on navigating uncertainties, resilience ensures the organization can withstand and recover from disruptions. Resilience is akin to maintaining the operational health of a car. Routine maintenance—oil changes, tire rotations, brake inspections—is essential for ensuring the car’s reliability. Neglecting these small but critical tasks can lead to significant breakdowns.

Some risk pundits decry risk lists and checklists. I believe they have a purpose, and it is in this operational, down-in-the-weeds context. But strategic risk management focused on objectives, the road in front of us, is the critical component that cannot be missed. Too many focus on the operational weeds of risk and neglect the strategic risks aligned with objectives.

In an organizational context, risk and resilience require:

  • Routine checks: Regular audits, testing, and assessments to ensure systems, processes, and controls are functioning as intended.
  • Preparedness: Having contingency plans in place for when things go wrong.
  • Flexibility: The ability to adapt quickly to changing circumstances.

Just as a car’s dashboard provides critical information about fuel levels, engine health, and speed, organizations need metrics and dashboards to monitor their resilience and operational health.

Insurance: The Safety Net

No driver hits the road without insurance. Insurance provides a safety net for unforeseen accidents and ensures financial protection against significant losses. In risk management, insurance plays a similar role. It’s a form of risk transfer that mitigates the financial impact of events beyond an organization’s control.

However, insurance is not a substitute for proactive risk management. It’s a complementary tool, much like wearing a seatbelt: essential, but not a strategy for avoiding accidents.

Technology: The Vehicle for Risk Management

A car is a tool for achieving our objective—reaching our destination. The quality, reliability, and performance of the car directly impact our ability to achieve that goal. Similarly, organizations need robust risk management technology to support their objectives. Yet many risk technologies fail because they lack an objective- or performance-centric view. They put the cart (risk) in front of the horse (objectives); many solutions do not even have the horse, and are simply a cart of risks with no concept of objectives.

Effective risk management technology should:

  • Align with the organization’s objectives.
  • Provide real-time insights to support decision-making.
  • Be adaptable to changing risks and scenarios.
  • Integrate with external intelligence sources to provide a comprehensive view of the risk landscape.

Without these capabilities, risk management technology becomes a burden rather than an enabler.

The Road Ahead

Risk and resilience management, much like driving, is about balancing focus and flexibility. We must keep our eyes on the road ahead while occasionally checking the rearview mirror and dashboard. We must rely on external intelligence to anticipate conditions and ensure our vehicle—whether a car or an organization—is well-maintained and prepared for the journey.

By adopting a proactive, objective-driven approach to risk and resilience management, organizations can navigate uncertainties and achieve their goals with confidence. After all, the destination matters, but how we get there defines our success.

Reflecting on 2024 and Looking Ahead to 2025: Key Trends and Insights in the GRC Market

As 2024 comes to a close, it’s been a year of significant activity and transformation in the Governance, Risk Management, and Compliance (GRC) space. This year marked another milestone in GRC 20/20’s journey, with a record number of engagements, RFP support and guidance to buyers, research inquiries, and strategic advisory sessions across the globe. With extensive travels to key markets such as Europe, North America, the Middle East, and Asia, I’ve had the opportunity to observe firsthand the evolving dynamics of the GRC market and provide insights into the challenges and opportunities organizations face in their pursuit of effective GRC strategies.

The GRC market continues to expand in complexity and scope, with a mix of broad enterprise platforms and specialized best-of-breed solutions addressing specific needs. GRC 20/20 tracks over 300 solution providers in the market, ranging from broad platforms to very focused risk/compliance solutions. In 2024 alone, we actively engaged with 57 of these providers through deep-dive research and advisory, while maintaining periodic interactions with the broader market to stay abreast of key developments. Our research efforts supported over inquiries from organizations seeking guidance on GRC solutions, solution briefings/evaluations, and strategy development. The market across Europe is the strongest, the Middle East remains the fastest-growing market for GRC solutions and services, and the North American market is growing at a slower pace.

It is a fast-moving market with a lot of momentum, but also a lot of nuances and niches. In 2024, GRC 20/20 answered between 10 and 20 inquiry/research questions every week from organizations asking about and looking for solutions. This accounted for over 750 interactions in 2024. These come in via email, text, LinkedIn messages, and more. Most are simple responses to questions; others go deeper. In 2024, there were 94 RFPs that GRC 20/20 provided insight and direction into. Some very deeply, many simply perspective and guidance on who to evaluate or thoughts on the strengths and weaknesses of the finalists.

Looking ahead to 2025, GRC 20/20’s core research themes will focus on areas critical to organizations striving to achieve resilience, efficiency, and compliance in an evolving regulatory and operational landscape. These themes include:

  • Business Integrated GRC, emphasizing the alignment of GRC with strategic business objectives;
  • Integrated Risk & Resilience Management, which explores how organizations can strengthen their adaptability in the face of uncertainty;
  • Compliance Management & RegTech, addressing the role of technology in streamlining regulatory compliance and change;
  • Third-Party GRC Management, which remains a high-priority area as organizations seek more comprehensive and proactive approaches to managing vendor and supplier risks;
  • ESG Management initiatives, particularly related to EU CSRD and CSDDD, which continue to be a driving force in the market, pushing organizations to enhance transparency and accountability in their operations;
  • Artificial Intelligence, in terms of both its application in GRC (Cognitive GRC) and the governance of AI itself (AI GRC). As organizations increasingly leverage AI to enhance GRC processes, ensuring ethical and effective governance of these technologies will be a significant challenge in the coming year.

As we move into 2025, I look forward to continuing the journey with GRC professionals worldwide, providing objective insights and research to help organizations navigate the complexities of the GRC market. Stay connected with GRC 20/20 for ongoing updates and analysis, and as always, feel free to reach out with inquiries related to governance, risk management, and compliance strategies and solutions.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2024, organized by topic area . . .

Enterprise GRC Management

Research Reports
Blogs

Risk & Resilience Management

Research Reports
Blogs

Corporate Compliance & Ethics Management (RegTech)

Research Reports
Blogs

Third-Party GRC Management

Research Reports
Blogs

ESG – Environmental, Social, Governance

Research Reports
Blogs

Artificial Intelligence GRC

Research Reports
Blogs

Policy Management

Blogs

IT GRC (Digital Risk & Resilience) Management

Research Reports
Blogs

Internal & Automated Control Management

Research Reports

Blogs

Audit Management & Analytics

Blogs

Data GRC Management

Research Reports

Blogs

Identity GRC Management

Research Reports

Do not forget . . .

Follow GRC 20/20 on LinkedIn.

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process. Every week GRC 20/20 is answering inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . .