Rise of the Digital Trust & Resilience Officer: Death of the CISO, Part 2

In my previous post, The Death of the CISO: A Eulogy & Reincarnation, I argued that the traditional role of the Chief Information Security Officer (CISO) is evolving—or rather, undergoing a necessary transformation. The response was overwhelming, with over 100,000 views on LinkedIn alone, demonstrating that this shift is not only necessary but deeply resonant across industries. While some loved their CISO title, nobody argued with my premise that this role is not the same and has evolved. Information security in the title does not adequately describe this role anymore.

The question now is, what should the CISO become?

I initially posited the title of Digital Risk & Resilience Officer, but upon further reflection, I believe a better mantle may be Digital Trust & Resilience Officer. Why? Because trust—not just risk management—is the foundation of the modern digital enterprise. Trust is proactive, holistic, and forward-looking. Risk management, while crucial, is what achieves and enables trust, but is often perceived as a cost center rather than a business enabler.

Why Digital Trust is Paramount in Today’s Business Environment

The world operates on digital trust. Every transaction, every customer interaction, every collaboration within and beyond the enterprise is predicated on confidence in the integrity, confidentiality, availability, security, and ethical stewardship of data, information, and digital infrastructure/architecture. Without trust, digital transformation collapses under the weight of skepticism, uncertainty, and regulatory scrutiny.

Consider the following:

  1. Trust is the Ultimate Brand Currency. The digital economy has ushered in an era where businesses are built not just on products or services, but on relationships. Those relationships, in turn, are founded on trust. Companies that cultivate digital trust enjoy stronger brand loyalty, higher customer retention, and a distinct competitive advantage. A single breach—whether of data, privacy, or ethics—can shatter that trust, sometimes irreparably. Just ask any organization that has suffered a high-profile cybersecurity incident and watched its stock price plummet and customers flee.
  2. Trust Extends Beyond the Enterprise. Organizations no longer operate in isolation. The modern business ecosystem is an extended enterprise that includes third parties, suppliers, contractors, cloud providers, and strategic partners. A security vulnerability or compliance failure anywhere in this network can disrupt operations, expose sensitive information, and damage reputations. Managing risk is necessary—but instilling trust throughout the digital ecosystem ensures continuity, resilience, and shared confidence in business relationships.
  3. Stakeholders Demand Trust, Not Just Risk Mitigation. Investors, regulators, employees, and customers are no longer satisfied with mere compliance. They demand ethical AI, responsible data governance, robust cybersecurity, and transparency in risk management. The organizations that lead with trust—rather than just react to risks—are the ones that will attract investment, talent, and long-term loyalty.
  4. Trust is the Foundation of Innovation. Organizations that are mired in constant risk aversion struggle to innovate. Fear-based risk management stifles digital transformation and agility. Conversely, a trust-based approach empowers businesses to adopt new technologies, expand into new markets, and experiment with emerging business models—secure in the knowledge that their digital foundation is strong, resilient, and credible.

Digital Trust is More Valuable Than Digital Risk Management

Risk management is essential, but it does not inspire confidence by itself. Trust, on the other hand, is a business driver. Trust fosters engagement, enables growth, and secures long-term business viability. Risk is the effect of uncertainty on objectives. One of those core objectives, in this context, is digital trust. That is the focus and goal and provides the context for risk management.

While risk must be understood, controlled, and mitigated, trust must be actively built, nurtured, and expanded. Consider:

  • Trust enhances business value. Companies with strong trust postures outperform their competitors in customer satisfaction, revenue growth, and market valuation.
  • Trust is proactive. Risk management seeks to manage the uncertainty affecting objectives and is reactive to the objective of digital trust. Trust ensures positive engagement.
  • Trust builds resilience. Organizations with high trust are more adaptive in crises, better at recovering from incidents, and more likely to maintain customer and investor confidence in uncertain times.

Reframing the CISO as the Digital Trust & Resilience Officer

The modern CISO cannot simply be a guardian of risk and controls. That role, while critical, is too narrow, too limiting. The future demands a leader who ensures trust in the digital enterprise—a leader who integrates cybersecurity, privacy, ethics, governance, compliance, and digital operational resilience into a seamless strategic function. This is not just a semantic shift; it is a fundamental redefinition of purpose and value.

The Digital Trust & Resilience Officer:

  • Builds confidence in digital transactions, interactions, and data stewardship.
  • Ensures resilience not just against cyber threats, but against any disruption to trust (e.g., AI bias, regulatory misalignment, unethical data use).
  • Engages with the board and executive leadership as a strategic partner, demonstrating how trust translates into business value.
  • Leads a proactive culture of integrity, security, and digital ethics rather than one of fear and restriction.

The Future of Digital Trust & Resilience

As organizations continue to navigate the complexities of digital transformation, trust will become an even more critical differentiator. The role of the CISO—or its successor—must evolve beyond security and risk oversight into one that fosters and maintains digital trust and operational resilience across the digital enterprise.

What do you think? Should the CISO evolve into the Digital Trust & Resilience Officer? Or does the focus on risk still hold more weight and it should be the Digital Risk & Resilience Officer? Or do you prefer sticking to the old CISO title? I’d love to hear your thoughts.

The Regulatory Divide: How EU and US Approaches Shape Business Strategy

Regulatory frameworks define how businesses operate, innovate, and ensure compliance in different jurisdictions. When comparing the regulatory landscapes of the European Union (EU) and the United States (US), a stark contrast emerges. While both regions aim to balance economic growth with governance, their priorities and methodologies differ significantly.

Principles vs. Prescription: A Cultural and Regulatory Divide

One of the most notable distinctions between EU and US regulations is the approach to compliance. The EU regulatory framework is predominantly principles- and outcome-based, requiring organizations to meet broad objectives while allowing flexibility in how they achieve compliance. This originally started in the United Kingdom under the Financial Services Authority (FSA) before it became the Financial Conduct Authority (FCA). It then moved over to the EU to become part of the better regulatory policy. In contrast, US regulations are often more prescriptive, providing detailed rules and checklists that companies must follow to the letter.

This difference manifests in multiple ways:

  • Differences in Risk Management Perspectives. European regulations emphasize a top-down, strategic view of risk, integrating governance and compliance into broader business objectives. The US, however, often adopts a bottom-up, checklist-driven approach to compliance. As a result, EU regulations take a more risk-based approach to compliance than the US.
  • Corporate Responsibility. EU regulations, such as the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Corporate Sustainability Reporting Directive (CSRD), and many more, focus on ethical considerations, consumer rights, and corporate accountability. US regulations, while robust in areas like financial reporting and anti-corruption, tend to prioritize business efficiency and liability mitigation over broader societal concerns. In a panel I hosted last week, #RISK Digital North America – EU Regulations as a Strategic Compass for US Companies, the panelists and I stated that the EU has a more people-first, people-centric approach to regulation.

Increased Demand for Evidence-Based Compliance

A key trend driving regulatory evolution is the growing demand for evidence-based compliance. As highlighted in recent discussions, EU regulations are increasingly requiring organizations to not only implement policies but also provide auditable, documented proof of compliance. This shift moves compliance beyond check-the-box exercises to defensible, data-driven processes that regulators can scrutinize.

In contrast, US compliance practices still lean heavily on procedural adherence. While legal and regulatory frameworks mandate compliance, they often fall short of requiring the same level of ongoing, evidence-backed validation we are now seeing in EU governance and compliance. This difference further reinforces the EU’s principles-based approach, where organizations must demonstrate not just compliance but also effectiveness in achieving regulatory objectives.

Extraterritorial Impact: The EU’s Regulatory Reach

A defining characteristic of EU regulations is their global reach. Laws such as GDPR and CSRD extend beyond Europe’s borders, affecting any company that handles EU citizens’ data or operates within the EU market. This approach has influenced regulatory developments worldwide, inspiring similar legislation in Brazil (LGPD), India (DPDP Act), and even state-level privacy laws in the US, such as the California Consumer Privacy Act (CCPA).

For many US businesses, this extraterritoriality means that compliance with EU regulations is no longer optional. Companies aiming for global expansion must align with EU standards to maintain market access, mitigate risks, and build consumer trust.

The Competitive Advantage of EU Compliance

While compliance with EU regulations can be complex and resource-intensive, it offers strategic benefits for US companies. Businesses that proactively adopt EU-aligned practices position themselves for success in a global economy by:

  1. Enhancing Consumer Trust. European regulations emphasize data protection, ethical AI usage, and environmental and social responsibility and sustainability. Companies that adhere to these principles can differentiate themselves as trustworthy brands in an era of growing consumer concern over privacy and corporate ethics.
  2. Strengthening Resilience. EU regulations often take a holistic, long-term approach to risk, ensuring organizations are prepared for regulatory shifts, cybersecurity threats, and environmental changes. This proactive stance can help companies navigate future uncertainties more effectively. There is a stronger regulatory focus on operational resilience across Europe, including the United Kingdom, not just the EU.
  3. Facilitating Market Expansion. Aligning with EU regulatory frameworks simplifies entry into multiple international markets that follow similar standards. It also reduces the friction of adapting to evolving global compliance requirements.

An additional layer to this discussion is the comparison between the US and the UK/EU on risk and compliance approaches. As noted in previous posts of mine, European regulatory frameworks tend to be more sophisticated in how they integrate compliance into broader risk management structures. The UK’s Financial Conduct Authority (FCA) pioneered the principles-based compliance model before the EU widely adopted it, shaping modern regulatory expectations that prioritize adaptability and accountability.

Meanwhile, US compliance programs frequently rely on detailed, rule-based frameworks that focus on legal adherence rather than proactive risk management. This gap often leaves US companies reacting to regulatory updates rather than integrating compliance into long-term strategy. For organizations that operate internationally, bridging this gap by adopting EU-style governance models can create a significant competitive advantage.

Looking Ahead: The Future of Regulation

The EU continues to lead in shaping global regulatory trends, particularly in AI governance, digital resilience, and ESG (Environmental, Social, and Governance) requirements. Yes, the EU Omnibus has restructured CSRD and CS3D, but it is still significant. Emerging regulations like the EU AI Act and ESG reporting standards signal a shift toward greater corporate accountability and sustainability.

Meanwhile, the US remains fragmented in its regulatory approach, with states enacting their own laws in the absence of comprehensive federal legislation. However, as global regulatory alignment increases, US businesses that take a forward-looking approach by adopting EU-driven compliance strategies will gain a competitive edge.

Conclusion: A Strategic Compass for US Companies

Rather than viewing EU regulations as a burden, US companies can use them as a strategic compass. By embracing principles-based compliance and aligning with global standards, businesses can drive innovation, strengthen risk management, and build long-term value. The shift toward evidence-based compliance in the EU further underscores the need for organizations to develop robust governance frameworks that go beyond mere adherence and demonstrate real effectiveness.

As the regulatory landscape continues to evolve, adaptability and a commitment to ethical governance will define the leaders of tomorrow. US companies that proactively integrate these principles will not only mitigate risk but also unlock new opportunities for growth, resilience, and trust in an increasingly interconnected world.

GRC Starts with Objectives, Not Risk and Compliance

Too many Governance, Risk Management, and Compliance (GRC) programs are fundamentally backward. Instead of starting with objectives, they focus on compliance checklists or risk registers, often relegating objectives to an afterthought (tags to a risk) — if they are considered at all. What many organizations practice is not true GRC but rather CRG (Compliance, Risk, and Governance in reverse), or worse, just CR (Compliance and Risk) or even simply C (Compliance).

This is not what GRC was meant to be.

The official definition of GRC, as found in the OCEG GRC Capability Model, is:
“GRC is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).”

This definition underscores the correct order of operations in a GRC program—objectives come first. True GRC is about ensuring that an organization reliably sets and achieves its objectives. Risk and compliance are important, but they serve the primary purpose of enabling an organization to meet its objectives while managing uncertainty and maintaining integrity.

Why Objectives Matter in GRC

According to ISO 31000, risk is the effect of uncertainty on objectives. This means that without a clear understanding of objectives, risk management is meaningless. Objectives define what the organization is trying to achieve, and risks are uncertainties that could impact those objectives.

Objectives exist at multiple layers within an organization:

  • Entity-Level Objectives – Overall strategic and corporate objectives
  • Divisional & Departmental Objectives – Goals specific to business units and teams
  • Process & Project Objectives – Performance and operational targets within workflows
  • Asset & Third-Party Objectives – Expectations and performance metrics for resources and external partners

Governance is about setting the right objectives and ensuring they are reliably achieved. This means that governance is not just about oversight but about performance. Effective governance structures define and track objectives, ensuring that risks are managed in a way that enables the organization to meet its goals.

The major difference between Europe and the USA in risk management approaches further highlights this issue:

  • Europe – Risk management is closely aligned with ISO 31000 and is focused on business objectives.
  • USA – Risk management tends to be more compliance-driven, often reduced to checklists primarily for SOX compliance.

Even compliance frameworks in Europe are more principle-based and outcome-oriented, requiring organizations to demonstrate how they achieve compliance objectives. In contrast, the USA’s compliance landscape is often prescriptive, with a heavy reliance on checkboxes rather than achieving meaningful business outcomes.

Understanding this nuance between Europe and the USA is why many USA solution providers fail in their marketing in Europe. There is a different focus and messaging.

Environmental, Social, and Governance (ESG) initiatives are another example of how objectives should drive GRC. ESG is fundamentally about setting and achieving sustainability and ethical business objectives. Risks and compliance requirements follow from those objectives, not the other way around. An organization has the objective of being carbon neutral by a certain date, to eliminate PFAS (forever chemicals) in its products, or to have zero tolerance for modern slavery. These are objectives. Organizations that start with ESG risks without defining clear objectives are missing the point.

The Problem: Many GRC Programs and Technologies Get It Wrong

The vast majority of GRC programs within organizations, and the GRC technology that supports those programs, fail to align with this definition. They start with risk registers, controls, or compliance requirements, leaving objectives as a tertiary consideration (if at all). This approach fundamentally undermines the value of GRC by detaching it from what actually drives the organization—its strategic, financial, operational, and ethical objectives.

Unfortunately, most GRC technology platforms do not start with objectives. Many organizations have adopted GRC solutions that are nothing more than compliance management systems or risk registers. They focus on risk registers, controls, and compliance requirements, treating objectives as an afterthought or a tag to a risk. These solutions focus heavily on checklists, regulatory mappings, and control frameworks, but they fail to establish a direct link to the business’s core purpose: achieving objectives.

Only a few solutions in the market truly address the “G” in GRC by prioritizing business objectives and performance against those objectives. If you’re looking for a GRC solution that genuinely starts with objectives, feel free to reach out — I can point you to those that get it right, or mostly right. As an analyst I cover the range of solutions available in the market.

Conclusion: Get GRC Right by Starting with Objectives

If your organization’s GRC program starts with risk and compliance instead of objectives, it’s time for a reset. Good GRC is about ensuring the organization reliably achieves its objectives, manages uncertainty effectively, and acts with integrity. Governance, risk management, and compliance should work together in that order—starting with a clear understanding of business goals.

To truly unlock the value of GRC, organizations must shift their focus from checkboxes and control frameworks to strategic and operational performance. Objectives are not an afterthought; they are the foundation of good GRC.

ES-G-RC: How GRC is the Foundation for ESG and EU CSRD Reporting

Environmental, Social, and Governance (ESG) is a growing challenge for organizations to manage and report on. It has become a core part of corporate strategy, driven by values, stakeholder expectations, and regulatory requirements, such as the EU Corporate Sustainability Reporting Directive (CSRD), which impacts 50,000 firms that have to report annually. With over 1,100 data points that go into CSRD reporting, organizations have to get their ESG act together.

There are different views on ESG, and I respect that. At the heart of ESG is stewardship. Every organization should put a stake in the ground in its commitments and objectives to the environment, to its social commitments, and to the governance of the organization. These may very well vary between organizations. The environmental aspect is much more than climate change; it includes air, water, waste, use of natural resources, and things like elimination of PFAS (forever chemicals). The social and governance aspects also include a lot of elements.

I do not think anyone reading this will disagree that modern slavery, part of the social, is a bad thing. In the end, ESG is best summed up in the words of my favorite fictional U.K. Premier League Coach and philosopher, Ted Lasso, “Doing the right thing is never the wrong thing.” It is up to organizations to define what the right thing is for their organization in context of the environment, the social communities it serves, and the governance of the organization.

But how do organizations ensure their ESG initiatives are well-governed, that ESG objectives are set and performance is measured, that they are risk-aware of the uncertainty in achieving those objectives, and that they are compliant with the values and commitments of the organization? The answer lies in Governance, Risk Management, and Compliance (GRC).

The Role of GRC in ESG

The OCEG defines GRC as: “an integrated capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).” This definition is a perfect starting point for understanding ESG within an organization. Effective ESG management must begin with well-defined objectives, not just risk assessments. Too many ESG management platforms start with risks, which is like putting the cart before the horse. ESG objectives should drive risk identification, not the other way around. As an analyst, I will NEVER recommend an ESG solution that does not start with ESG objectives, and ESG program management.

At its core, ESG is about setting and achieving objectives. Organizations must begin with a clear vision of what they aim to accomplish in the environmental, social, and governance domains.

  • Environmental Objectives. Companies must define their commitments to sustainability, whether through carbon footprint reduction, waste management, energy efficiency, elimination of PFAS, or responsible sourcing of materials. These objectives should be measurable and aligned with broader industry and regulatory expectations.
  • Social Commitments. The social component of ESG involves ensuring fair labor practices, no tolerance for modern slavery, employee well-being, and ethical supply chain labor practices. Organizations must consider how they engage with employees, communities, and stakeholders to foster a socially responsible culture.
  • Governance Standards. Effective governance is the backbone of a successful ESG strategy. This includes ensuring ethical leadership, internal controls, anti-corruption, robust data protection policies, regulatory compliance, and transparency in decision-making. Strong governance creates trust and accountability within the organization and among external stakeholders.

Without a structured approach provided by GRC, ESG efforts risk becoming fragmented and ineffective. GRC offers the necessary framework to integrate ESG goals into daily operations, ensuring they are well-governed, managed, and continuously improved.

The GRC Capability Model and ESG

In recent ESG and EU CSRD workshops I conducted in Stockholm and Utrecht, I presented the OCEG GRC Capability Model 3.5, and it resonated with over 60 organizations working on ESG. The model provides a comprehensive framework for ESG management through four core components: Learn, Align, Perform, and Review.

  1. Learn (Understanding ESG Contexts). Before setting ESG objectives, organizations must first understand the broader context in which they operate. The learning phase is foundational, as it establishes a comprehensive understanding of the external and internal factors influencing ESG strategy.
    • External Context. This includes understanding the regulatory landscape, evolving standards, and market trends. For example, organizations operating in the EU must align with the CSRD, which mandates transparency in ESG disclosures and reporting. This also includes understanding where you do business and who you do business with.
    • Internal Context. Organizations must assess their internal capabilities, culture, values, ethics, policies, and existing ESG initiatives. This helps in identifying gaps and areas where improvements are necessary. I always recommend organizations take an inventory of their current array of policies that relate to the aspects of ESG.
    • Stakeholders. Companies must recognize the role of investors, employees, regulators, and customers in shaping their ESG approach. Stakeholder expectations must be integrated into ESG planning to ensure long-term credibility. The same applies to customers: organizations that are not aligned with the values of their customers risk significant challenges in the market, as the past few years have shown in several examples.
    • Corporate Culture. A successful ESG strategy aligns with an organization’s ethical values and corporate mission. ESG must be embedded into the company’s DNA rather than treated as a compliance requirement alone.
  2. Align (Defining the ESG Strategy). Once the organization has learned its ESG landscape, it must align its strategy with clearly defined objectives and a structured approach to risk management.
    • Direction. Organizations need to define their ESG mission and values and set a clear vision for sustainability and social responsibility. This includes defining who is the lead on ESG and what roles and departments are part of the team.
    • Objectives. ESG goals must be SMART (Specific, Measurable, Achievable, Relevant, Time-bound) and aligned with the organization’s values, commitments, and obligations.
    • Identification. Identifying risks and opportunities that could hinder or help ESG progress. These could include regulatory, reputational, operational, and environmental risks. Risk is the effect of uncertainty on objectives (ISO 31000), in this case the ESG objectives.
    • Analysis. Once identified, risks must be assessed based on their uncertainty in the organization achieving its ESG objectives. A structured approach can help prioritize risk management efforts and enable the organization to achieve or even exceed ESG objectives.
    • Design. Organizations must build a structured ESG program that includes policies, frameworks, internal controls, and dedicated teams responsible for execution as well as those accountable for objectives and risks. A well-designed program enables consistent application and progress measurement.
  3. Perform (Executing the ESG Program). With the strategy in place, organizations must implement and operationalize ESG across all levels of the business.
    • Controls. Implementing and monitoring ESG-related internal controls ensures compliance with internal objectives and external standards. This includes emission tracking, supply chain audits, and ethical labor practices.
    • Policies. ESG-related policies, of which there are a plethora, should be well-documented, accessible, and actionable. These policies must provide clear guidance on the range of environmental, social, and governance practices, expectations, and boundaries.
    • Communication & Education. Employees and stakeholders need to be educated on ESG objectives, related policies and internal controls, and their role in achieving them. Effective communication fosters engagement and accountability.
    • Incentives & Accountability. ESG performance must be tied to incentives, such as executive compensation linked to sustainability targets or employee participation in environmental programs. At the same time, organizations must establish accountability mechanisms for ESG compliance.
    • Monitoring & Reporting. Continuous monitoring is necessary to track ESG progress. Organizations should leverage technology and data analytics to ensure real-time insights and accurate reporting.
  4. Review (Ensuring Continuous ESG Improvement). ESG is not a static initiative but an evolving process requiring regular assessment and updates.
    • Monitoring & Auditing. ESG monitoring and data collection should be conducted to evaluate performance against internal controls, policies, and standards.
    • Assurance. Internal and external stakeholders require assurance that ESG commitments are being met. Organizations must build transparent reporting mechanisms that align with frameworks. Regular internal audits provide assurance, while external audits provide third-party validation of assurance. Organizations facing CSRD have to move from limited assurance to reasonable assurance over the next few years.
    • Continuous Improvement. ESG strategy must evolve in response to changing regulations, market trends, and stakeholder expectations. Companies should use insights from audits and reviews to refine and enhance their ESG initiatives.

The EU CSRD requires organizations to report on sustainability and ESG performance with the same rigor as financial reporting. The GRC Capability Model ensures that organizations can:

  • Define the organization’s ESG objectives in the context of the organization’s values and obligations.
  • Identify ESG risks and opportunities with a structured approach.
  • Implement internal controls to ensure ESG compliance and risk mitigation.
  • Maintain accurate and comprehensive ESG records to meet regulatory reporting requirements.
  • Continuously assess and improve ESG performance to align with evolving standards.

GRC is the foundation for successful ESG implementation. Organizations must take a structured approach to ESG, leveraging the GRC Capability Model to define objectives, manage risks, and maintain compliance. ESG is not just about checking a regulatory box—it’s about embedding sustainability into the organization’s core strategy. By following the Learn, Align, Perform, and Review approach, organizations can transform ESG from a regulatory burden into a driver of long-term value and resilience.

The Challenges of ESG Reporting: Navigating the Complexity of EU CSRD

While the USA is going in different directions, and the EU considers streamlining and integrating requirements later this month, the global landscape of Environmental, Social, and Governance (ESG) reporting has fundamentally changed with the European Union’s Corporate Sustainability Reporting Directive (EU CSRD) first wave of corporate reports being published in 2025. Last week was intense and enlightening in my journeys across Europe, engaging with nearly 60 organizations across multiple ESG and CSRD discussions.

The journey toward effective ESG reporting is complex, costly, and evolving—but those who embrace it with the right mindset will find not just compliance, but a strategic advantage. The question is no longer if ESG will shape business operations, but how organizations will rise to the challenge.

But there are challenges. Unlike traditional financial reporting, which historically required around 200 data points, ESG reporting under CSRD necessitates over 1,100 data points, and that number is growing exponentially as companies consider complexities across subsidiaries, divisions, locations, and third-party relationships. This shift is not just a European challenge—CSRD has global implications, impacting approximately 50,000 companies worldwide, including non-EU firms with significant operations in Europe.

One of the most pressing challenges of EU CSRD is the requirement for third-party assurance on ESG reports. Organizations are already experiencing a one-third increase in audit fees due to limited assurance requirements, and these costs will escalate significantly once reasonable assurance becomes mandatory. Unlike traditional audits, ESG assurance involves validating complex, qualitative, and often subjective data points, adding further strain on internal resources.

Two Approaches: Strategic Advantage vs. Checkbox Compliance

One striking observation from my recent workshops across London, Utrecht, and Stockholm is the variation in how companies structure ESG ownership. Some firms have designated ESG controllers or sustainability officers, while others distribute ESG responsibilities across finance, compliance, risk management, legal, audit, and internal control teams. In certain cases, ESG leaders report directly to the Board or CEO, underscoring its strategic significance, while in others, ESG remains a compliance function buried within operational silos.

Among the organizations I engaged with, there was a clear divide in approach:

  1. Principled Performance – Companies that see ESG as an opportunity for better governance, risk management, integrity, and corporate strategy, aligning with OCEG’s concept of Principled Performance.
  2. Checkbox Compliance – Organizations that view ESG solely as a regulatory requirement, focused only on meeting minimum compliance thresholds rather than leveraging ESG for competitive advantage.

The ESG & EU CSRD Insomnia: What Keeps Organizations Awake at Night

During my workshops in Utrecht and Stockholm, I facilitated discussions on what keeps organizations up at night regarding ESG and CSRD compliance. Below are the top concerns voiced:

Regulatory & Compliance Challenges

  • Understanding the complexity and breadth of EU CSRD.
  • Evolving internal control frameworks for ESG reporting.
  • Managing assurance requirements, shifting from limited to reasonable assurance.
  • Competing with other major EU regulations (e.g., DORA, CSRD, CSDDD, AI Act, NIS2) under constrained resources.
  • Navigating the subjective nature of ESG requirements.
  • Preparing for regulatory consequences and enforcement actions.

Data Challenges

  • Identifying data sources for the 1,100+ ESG reporting requirements.
  • Ensuring data accuracy, quality, and reliability.
  • Managing subsidiary cooperation in ESG data collection.
  • Addressing disparate data sources and lack of standardization.
  • Integrating ESG reporting into broader GRC (Governance, Risk & Compliance) systems.
  • Determining how far down the supply chain ESG reporting should go.
  • The potential role of AI and automation in ESG data management.

Financial & Resource Constraints

  • Rising audit and assurance costs.
  • Limited ESG expertise and resources within organizations.
  • Balancing ESG priorities with other business objectives.
  • The unexpected scale of compliance costs and resource allocation.
  • The impact of ESG disclosures on corporate reputation and investor relations.

Strategic and Cultural Implications

  • Integrating ESG into corporate culture and risk management.
  • Understanding the role of internal vs. external audit in ESG.
  • Aligning ESG strategies across different global cultures and industry sectors.
  • Establishing benchmarks for ESG compliance and reporting.

Where Do Organizations Go From Here?

With the first CSRD-aligned reports already being released, it is evident that ESG reporting is more than a regulatory requirement—it is a fundamental shift in how businesses operate and disclose their impact. Leading companies are integrating ESG into their core business strategy, governance frameworks, and risk management processes. Those that take a checkbox approach risk increased costs, reputational damage, and regulatory scrutiny.

As ESG and EU CSRD continue to evolve, organizations must focus on smarter, data-driven approaches that align ESG reporting with broader business objectives. Whether through automation, AI-powered compliance tools, or integrated risk and compliance (GRC) solutions, the key to ESG success lies in principled performance rather than reactive compliance.

Navigating Provision 29 of the UK Corporate Governance Code: Challenges and Insights

What an exhilarating few weeks! My recent travels have taken me across the Middle East, London, Utrecht, and Stockholm, engaging with organizations and professionals across the governance, risk management, and compliance (GRC) landscape. The energy and focus on risk management, regulatory compliance, ESG, and corporate governance have been evident in every discussion, workshop, and meeting.

This week, I was back in London for an in-depth workshop on the UK Corporate Governance Code (UK CGC), with a particular emphasis on internal control and risk management by design to address Provision 29. Hosted at the historic Chartered Accountants Hall—where industry giants like Waterhouse and Cooper once presided—this session was packed with engaged professionals eager to address the challenges of the revised UK CGC. The timing of this workshop couldn’t have been more critical, as UK firms are under increasing pressure to ensure readiness for Provision 29. I have interacted and provided advice on four RFPs in the UK already this week with organizations looking for solutions to address this challenge. In just over a week, I will be heading to Asia for more GRC engagements, hosting workshops in the Philippines, Malaysia, and Singapore.

The Growing Pressure of Provision 29

Provision 29 of the updated UK Corporate Governance Code is top of mind for many UK organizations as they prepare for 2025. It mandates that boards provide a declaration of the ongoing effectiveness of their risk management and internal control systems. While some call it “UK SOX” (drawing comparisons to the Sarbanes-Oxley Act in the U.S.), I find that analogy misleading. UK CGC is distinct in its approach, placing a strong emphasis on ongoing, proactive risk and control management rather than compliance-driven financial control attestation.

Organizations across industries are grappling with how to operationalize Provision 29. As one UK bank shared in the context of my workshop:

“The UK Corporate Governance Code is one of our main projects this year. Readiness for Provision 29 means identifying our most material controls, ensuring board disclosures on effectiveness, and maintaining alignment with peer banks to avoid being an outlier. Assurance is going to play a significant role, especially in evolving risk areas such as cyber and third-party risk.”

A smaller UK firm (under 500 employees) expressed coming out of the workshop more prepared for Provision 29:

“Thank you so much for the insightful workshop yesterday. I found it really interesting and came away buzzing with excitement as to new ways to invigorate the business in respect of controls and risk.”

The Risk and Internal Control Insomnia List

During my workshop, I had attendees collaborate on what keeps them up at night regarding UK CGC compliance and risk management. The resulting list highlights key concerns and challenges:

  • Concentration of risk knowledge in silos – lack of shared understanding across departments
  • Siloed approaches to risk and internal control – limited visibility and consistency
  • Cultural barriers – weak communication, inconsistency, and poor tone at the top
  • Defining ‘bad’ risk and internal control – what does ineffective risk management look like?
  • Incident reporting challenges – clarity on thresholds and processes
  • Managing business and regulatory change – adapting controls to evolving risks
  • Simplifying and prioritizing the approach to UK CGC – avoiding unnecessary complexity
  • Addressing redundancy and overlaps in risk and control functions
  • Educating the organization on UK CGC requirements – ensuring buy-in at all levels
  • Evaluating inherited controls – are they still appropriate in today’s risk landscape?
  • Process modeling and business risk analysis – integrating risk and control into core operations
  • Applying UK CGC principles effectively – practical implementation strategies
  • Embedding UK CGC into the three lines of defense – ensuring integrated accountability
  • Breaking down silos in risk and control management – fostering collaboration across departments
  • Cultural and accountability shifts for UK CGC compliance – making governance a shared responsibility
  • Linking UK CGC to strategy, performance, and objectives – ensuring risk supports business goals
  • Designing a UK CGC framework – aligning controls with business needs
  • Clarifying ownership and accountability structures – defining roles clearly
  • Identifying material vs. immaterial controls – focusing efforts where they matter most
  • Measuring control effectiveness – avoiding over-control and unnecessary bureaucracy
  • Assembling the right UK CGC team – ensuring the right expertise and collaboration

Moving Forward: The Path to Effective UK CGC Compliance

UK organizations must take a strategic, risk-based approach to implementing Provision 29. Success requires:

  1. Breaking Down Silos – Risk and control management should be an enterprise-wide initiative, not a fragmented exercise.
  2. Embedding UK CGC into Business Operations – Aligning risk and control frameworks with business strategy, performance management, and operational processes.
  3. Enhancing Risk Management, Awareness & Culture – Driving engagement across all levels of the organization to ensure risk and control are part of daily decision-making.
  4. Investing in Assurance and Continuous Monitoring – Leveraging technology and robust assurance mechanisms to demonstrate control effectiveness.
  5. Defining Material Controls with Confidence – Focusing on controls that truly mitigate the most significant risks, rather than creating unnecessary layers of compliance.

The UK Corporate Governance Code represents a major shift in how UK organizations approach internal control and risk management. Organizations must move beyond viewing compliance as a check-the-box exercise and embrace a more dynamic, integrated GRC framework that fosters resilience and accountability.

I look forward to continuing these discussions in the weeks ahead as I head to Asia for more workshops. The evolution of corporate governance and risk management remains a global challenge, but one that, when addressed effectively, can lead to stronger, more resilient organizations.

Risk and Resilience Management: Lessons from Driving a Car

Driving a car is a perfect analogy for understanding the principles of risk and resilience management. When we drive, we have an objective: a destination to reach. Similarly, in business, risk management begins with understanding objectives. According to ISO 31000, risk is defined as “the effect of uncertainty on objectives.” Achieving our goals—whether personal, organizational, or societal—requires navigating uncertainties, just as a driver navigates roads, traffic, and potential hazards.

Objectives: Our Focus is on the Road Ahead

When driving, our primary focus is on the road ahead. We watch for obstacles, anticipate turns, and adapt to changing conditions. This forward-looking approach aligns with effective risk management, where the goal is to proactively identify and address potential challenges that could disrupt achieving objectives. Unfortunately, many risk management programs fail because they are overly focused on the past, akin to driving a car while continuously staring in the rearview mirror.

While hindsight provides valuable lessons, effective risk management demands foresight. Rearview mirrors are essential, but they are not the primary focus for driving safely. Similarly, organizations must strike a balance between learning from past risks and preparing for future uncertainties.

The IPDE Method: A Framework for Risk Management

In driver’s education, we are taught the IPDE method: Identify, Predict, Decide, Execute. This simple yet powerful process is the essence of risk management:

  1. Identify: Recognize risks that could impact objectives. This could be anything from geopolitical tensions to supply chain vulnerabilities.
  2. Predict: Analyze potential scenarios and outcomes. What happens if a risk materializes? How severe could the impact be?
  3. Decide: Determine the best course of action to mitigate or respond to risks. Should you avoid, accept, transfer, or reduce the risk?
  4. Execute: Implement your chosen risk strategy. This step translates planning into action to ensure objectives remain achievable.

Just as a driver uses the IPDE method to navigate safely, organizations can use this framework to manage risk effectively.

The Role of External Risk Intelligence

Driving isn’t just about controlling the car; it’s also about adapting to external conditions like weather, traffic, and road closures. Drivers rely on external intelligence from tools like GPS systems, traffic updates, and weather forecasts to make informed decisions. Similarly, effective risk management requires external risk intelligence. Organizations must gather and analyze data on geopolitical risks, economic trends, natural disasters, commodity availability, and other external factors that could impact their objectives.

Without this external perspective, risk management becomes myopic, and decisions are made in a vacuum. External intelligence provides the context needed to navigate an increasingly complex and interconnected world.

Resilience: The Operational Backbone

While risk management focuses on navigating uncertainties, resilience ensures the organization can withstand and recover from disruptions. Resilience is akin to maintaining the operational health of a car. Routine maintenance—oil changes, tire rotations, brake inspections—is essential for ensuring the car’s reliability. Neglecting these small but critical tasks can lead to significant breakdowns.

Some risk pundits decry risk lists and checklists. I believe they have a purpose, and it is in this operational, down-in-the-weeds context. But strategic risk management focused on objectives, the road in front of us, is the critical component that cannot be missed. Too many focus on the operational weeds of risk and neglect the strategic risk aligned with objectives.

In an organizational context, risk and resilience require:

  • Routine checks: Regular audits, testing, and assessments to ensure systems, processes, and controls are functioning as intended.
  • Preparedness: Having contingency plans in place for when things go wrong.
  • Flexibility: The ability to adapt quickly to changing circumstances.

Just as a car’s dashboard provides critical information about fuel levels, engine health, and speed, organizations need metrics and dashboards to monitor their resilience and operational health.

Insurance: The Safety Net

No driver hits the road without insurance. Insurance provides a safety net for unforeseen accidents and ensures financial protection against significant losses. In risk management, insurance plays a similar role. It’s a form of risk transfer that mitigates the financial impact of events beyond an organization’s control.

However, insurance is not a substitute for proactive risk management. It’s a complementary tool, much like wearing a seatbelt: essential, but not a strategy for avoiding accidents.

Technology: The Vehicle for Risk Management

A car is a tool for achieving our objective—reaching our destination. The quality, reliability, and performance of the car directly impact our ability to achieve that goal. Similarly, organizations need robust risk management technology to support their objectives. Yet, many risk technologies fail because they lack an objective- or performance-centric view. They put the cart (risk) before the horse (objectives); many solutions do not even have the horse, just a cart of risks with no concept of objectives.

Effective risk management technology should:

  • Align with the organization’s objectives.
  • Provide real-time insights to support decision-making.
  • Be adaptable to changing risks and scenarios.
  • Integrate with external intelligence sources to provide a comprehensive view of the risk landscape.

Without these capabilities, risk management technology becomes a burden rather than an enabler.

The Road Ahead

Risk and resilience management, much like driving, is about balancing focus and flexibility. We must keep our eyes on the road ahead while occasionally checking the rearview mirror and dashboard. We must rely on external intelligence to anticipate conditions and ensure our vehicle—whether a car or an organization—is well-maintained and prepared for the journey.

By adopting a proactive, objective-driven approach to risk and resilience management, organizations can navigate uncertainties and achieve their goals with confidence. After all, the destination matters, but how we get there defines our success.

Reflecting on 2024 and Looking Ahead to 2025: Key Trends and Insights in the GRC Market

As 2024 comes to a close, it’s been a year of significant activity and transformation in the Governance, Risk Management, and Compliance (GRC) space. This year marked another milestone in GRC 20/20’s journey, with a record number of engagements, RFP support and guidance to buyers, research inquiries, and strategic advisory sessions across the globe. With extensive travels to key markets such as Europe, North America, the Middle East, and Asia, I’ve had the opportunity to observe firsthand the evolving dynamics of the GRC market and provide insights into the challenges and opportunities organizations face in their pursuit of effective GRC strategies.

The GRC market continues to expand in complexity and scope, with a mix of broad enterprise platforms and specialized best-of-breed solutions addressing specific needs. GRC 20/20 tracks over 300 solution providers in the market from the broad platform to the very focused risk/compliance solution. In 2024 alone, we actively engaged with 57 of these providers through deep-dive research and advisory, while maintaining periodic interactions with the broader market to stay abreast of key developments. Our research efforts supported over inquiries from organizations seeking guidance on GRC solutions, solution briefings/evaluations, and strategy development. The market across Europe is the strongest, the Middle East remains the fastest-growing market for GRC solutions and services, and the North America market is growing at a slower pace.

It is a fast-moving market with a lot of momentum, but also a lot of nuances and niches. In 2023, GRC 20/20 answered between 10 and 20 inquiry/research questions from organizations asking about and looking for solutions every week. This accounted for over 750 interactions in 2024. These come in via email, text, LinkedIn messages, and more. Most are simple responses to questions; others go deeper. In 2024, there were 94 RFPs that GRC 20/20 provided insight and direction into. Some very deeply; many simply with perspective and guidance on who to evaluate, or thoughts on the strengths and weaknesses of the finalists.

Looking ahead to 2025, GRC 20/20’s core research themes will focus on areas critical to organizations striving to achieve resilience, efficiency, and compliance in an evolving regulatory and operational landscape. These themes include:

  • Business Integrated GRC, emphasizing the alignment of GRC with strategic business objectives.
  • Integrated Risk & Resilience Management, which explores how organizations can strengthen their adaptability in the face of uncertainty.
  • Compliance Management & RegTech, addressing the role of technology in streamlining regulatory compliance and change.
  • Third-Party GRC Management, which remains a high-priority area as organizations seek more comprehensive and proactive approaches to managing vendor and supplier risks.
  • ESG Management initiatives, particularly related to EU CSRD and CSDDD, which continue to be a driving force in the market, pushing organizations to enhance transparency and accountability in their operations.
  • Artificial Intelligence, in terms of its application in GRC (Cognitive GRC) and the governance of AI itself (AI GRC). As organizations increasingly leverage AI to enhance GRC processes, ensuring ethical and effective governance of these technologies will be a significant challenge in the coming year.

As we move into 2025, I look forward to continuing the journey with GRC professionals worldwide, providing objective insights and research to help organizations navigate the complexities of the GRC market. Stay connected with GRC 20/20 for ongoing updates and analysis, and as always, feel free to reach out with inquiries related to governance, risk management, and compliance strategies and solutions.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2024, organized by topic area . . .

  • Enterprise GRC Management
  • Risk & Resilience Management
  • Corporate Compliance & Ethics Management (RegTech)
  • Third-Party GRC Management
  • ESG – Environmental, Social, Governance
  • Artificial Intelligence GRC
  • Policy Management
  • IT GRC (Digital Risk & Resilience) Management
  • Internal & Automated Control Management
  • Audit Management & Analytics
  • Data GRC Management
  • Identity GRC Management

Do not forget . . .

Follow GRC 20/20 on LinkedIn.

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process. Every week GRC 20/20 is answering inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . . 

True Genius in GRC: The Need for Risk Intelligence

Winston Churchill once remarked, “True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information.” In today’s complex and rapidly evolving world, this quote rings truer than ever. For organizations navigating governance, risk management, and compliance (GRC), the ability to assess and act upon uncertain, hazardous, and conflicting information is paramount to success. This capacity is embodied in one concept: risk intelligence.

Risk intelligence involves gathering, analyzing, and leveraging various sources of information to triangulate, anticipate, assess, and evaluate risk to the objectives of the organization. It’s more than just collecting data; it’s about extracting meaning and actionable insights that drive decision-making. Organizations need a robust approach to risk intelligence that includes geopolitical risk, economic forecasts, market and industry trends, security and threat intelligence, regulatory change intelligence, third-party intelligence, and competitive intelligence.

Let’s explore the critical need for GRC and risk intelligence content, how organizations can leverage it, and how triangulation, risk modeling, and scenario analysis empower organizations to achieve their objectives with minimal surprises.

The Role of Risk Intelligence in GRC

Risk intelligence serves as the foundation of effective GRC strategies. Without it, organizations are left vulnerable to sudden disruptions, regulatory penalties, and strategic missteps that will hinder the achievement of objectives. The process of gathering, analyzing, and acting on risk intelligence allows organizations to anticipate and prepare for potential threats rather than react to them after the fact.

According to ISO 31000, “risk is the effect of uncertainty on objectives.” To achieve objectives, organizations must proactively address uncertainty. Here’s how risk intelligence supports this goal:

  • Informed Decision-Making. By leveraging comprehensive and up-to-date information, leaders can make better, faster decisions, reducing the likelihood of costly mistakes.
  • Anticipating Emerging Risks. Risk intelligence helps organizations identify trends, disruptions, and threats before they materialize, enabling proactive risk mitigation.
  • Achieving Strategic Objectives. By addressing uncertainty, organizations can reduce the likelihood of surprise disruptions and stay on course to achieve their strategic goals.
  • Building Resilience. A well-informed organization is more agile and resilient, able to pivot in response to emerging threats or new opportunities.

With these capabilities in place, organizations can shift from a reactive approach to a proactive stance, better positioning themselves to achieve success and mitigate risk.

To fully appreciate the value of risk intelligence, it’s important to understand the key categories it encompasses. Each type of intelligence addresses a unique aspect of the risk landscape and contributes to a holistic risk management strategy.

  • Geopolitical Risk Intelligence. Organizations need to stay informed about changes in geopolitics, such as conflicts, trade disputes, and regulatory shifts, which can have a profound impact on global supply chains and market access.
  • Economic Predictions. Economic forecasts play a vital role in strategic planning, operational costs, and financial forecasting. Fluctuations in interest rates, inflation, and currency values all affect business decisions.
  • Market & Industry Forecasts. By tracking industry-specific trends and shifts in consumer behavior, companies can influence product development, supply chain decisions, and competitive positioning.
  • Security/Threat Intelligence. Cybersecurity threats, insider threats, and physical security risks must be addressed to protect business continuity, customer trust, and operational resilience.
  • Regulatory Intelligence & Change. Regulatory changes demand constant vigilance to ensure ongoing compliance with new and evolving requirements.
  • Third-Party Intelligence. Understanding the stability, operational capacity, and ethical concerns of third-party vendors is critical for supply chain integrity, partnerships, and reputation.
  • Competitive Intelligence. Staying informed on competitor strategies, new products, and market entry tactics allows organizations to make informed strategic decisions and seize market opportunities.

Each of these categories contributes to a well-rounded understanding of risk and enhances an organization’s ability to respond to an increasingly dynamic risk landscape.

The Process of Risk Intelligence: From Information to Insight

Simply gathering information is not enough. For risk intelligence to have true value, organizations must transform raw data into actionable insights. This process involves several key steps that work together to produce a complete, accurate, and meaningful view of potential risks.

  1. Data Collection. It starts with gathering relevant, accurate, and timely data from a range of internal and external sources. This can include regulatory bulletins, industry publications, market reports, and real-time threat feeds.
  2. Triangulation. Next, organizations cross-reference and validate data points from multiple sources. Triangulation ensures the reliability of information and reduces the likelihood of acting on inaccurate data.
  3. Insight Generation. Finally, organizations analyze the data to identify trends, patterns, and interdependencies. The goal is to develop “What if” scenarios and “What it means” interpretations that drive decision-making.

This process requires both human expertise and technology-driven tools, particularly artificial intelligence, to handle large data volumes at speed. With this approach, organizations can avoid cognitive biases, eliminate data blind spots, and ensure decisions are informed by comprehensive intelligence.

The concept of triangulation is essential to effective risk intelligence. Unlike single-source analysis, triangulation builds a more complete and trustworthy view by validating information from multiple perspectives. For example, a company analyzing the potential impact of a new trade regulation would cross-reference industry analyst reports, government announcements, and internal compliance assessments. If all sources align, the organization gains confidence in its risk analysis. If discrepancies emerge, further investigation is required to clarify the impact.

Triangulation mitigates the risk of cognitive bias and misinterpretation. It ensures a well-rounded, multi-dimensional perspective on the risks at hand, allowing for more informed decision-making. Once risk intelligence is gathered and triangulated, organizations need to understand how it will affect their operations. Modeling, simulations, and tabletop exercises are essential for this purpose. They help organizations visualize the potential impact of risk and develop effective response plans.

  • Risk Modeling. This involves using quantitative and qualitative models to predict potential outcomes. For example, companies might model the financial impact of a supply chain disruption.
  • Simulations. Monte Carlo simulations generate thousands of potential future outcomes, giving organizations a clear view of possible scenarios and the likelihood of each.
  • Tabletop Exercises. Here, stakeholders role-play risk scenarios to identify gaps in response plans and develop playbooks for real-world application.

These methods provide a way to test assumptions, explore “what if” scenarios, and prepare for various outcomes, reducing the likelihood of being blindsided by unexpected events.

The Role of Technology in Risk Intelligence

Technology has become a critical enabler of risk intelligence. Advanced tools provide faster analysis, real-time insights, and predictive modeling, all of which are essential for managing modern risk landscapes.

  • Artificial Intelligence (AI) & Machine Learning (ML). AI/ML models analyze large datasets and predict emerging risks based on historical patterns.
  • Natural Language Processing (NLP). NLP extracts insights from unstructured data sources like news feeds and regulatory announcements.
  • Predictive Analytics. Advanced analytics models provide foresight into potential future risks and disruptions.
  • Data Aggregation Tools. These platforms consolidate data from multiple sources into a single, unified view for analysis.

These technologies automate much of the work involved in risk intelligence, making it faster, more efficient, and more accurate.

Risk Intelligence = True GRC Genius

Winston Churchill’s insight into the evaluation of “uncertain, hazardous, and conflicting information” is a guiding principle for modern GRC and risk intelligence. Organizations that master this capability position themselves to anticipate threats, reduce surprises, and achieve strategic objectives.

Risk intelligence content—tailored, timely, and high-quality—is essential for making informed decisions. By triangulating data, using modeling and simulation, and leveraging technology, organizations can ensure they have the insights needed to thrive in a complex world. True genius resides not in collecting information but in making sense of it.

ESG & Resilience: Transforming Third-Party Risk and the Extended Enterprise

The regulatory landscape for Environmental, Social, and Governance (ESG), operational resilience, and third-party risk management (TPRM) is undergoing a profound transformation. Organizations across Europe—and those operating within European supply chains—are feeling the impact of the looming EU Corporate Sustainability Due Diligence Directive (CSDDD) as well as the EU Digital Operational Resilience Act (DORA). These regulations are driving a shift from fragmented, reactive third-party risk management processes to integrated, proactive strategies that emphasize not only ESG, but also operational resilience. It is about integrity and resilience of the extended enterprise. I am interacting on a number of developing strategies and RFPs as several organizations have told me their most significant third-party risk is now the EU CSDDD.

The EU CSDDD, due for transposition into national law in 2026 with obligations phasing in for the largest companies first, marks a significant change in corporate accountability. It compels companies to identify, prevent, and mitigate adverse human rights and environmental impacts throughout their entire value chain, including suppliers, outsourcers, vendors, service providers, subcontractors, and other third parties; in practice, that due diligence also sweeps in governance concerns such as bribery and corruption, privacy, and cyber risk. This shift extends beyond compliance, pushing companies toward a more ethical and sustainable future. Separately, EU DORA, a regulation in application since January 2025, focuses on the digital operational resilience of financial entities and their critical ICT third-party service providers, covering ICT risk management, incident reporting, resilience testing, and third-party risk. Together, this directive and regulation are reshaping third-party risk management for the modern enterprise across industries (yes, DORA is financial-services specific, but its requirements flow down to a lot more). I am interacting with some organizations that refer to their ESG strategies as ‘strategic resilience.’

Organizations cannot let third-party risk remain the scattered mess it so often is. The future of regulation, and more importantly of integrity and resilience, requires an integrated strategy supported by technology, intelligence, and assurance.

The Role of ESG and Resilience in Third-Party Risk Management

The components of ESG—Environmental, Social, and Governance—play a critical role in the transformation of TPRM.

  • Environmental. The “E” requires organizations to evaluate their suppliers’ policies on climate change mitigation, resource efficiency, and biodiversity protection. I have had several interactions where one of the top concerns is forever chemicals in the supply chain. Companies must ensure their supply chains comply with environmental standards, adopt circular economy principles, and minimize pollution. These efforts are reinforced by monitoring and due diligence activities, supported by third-party risk intelligence.
  • Social. The “S” emphasizes human rights, labor practices, and workplace safety. The EU CSDDD prioritizes addressing forced labor, child labor, and unsafe conditions. It requires organizations to assess and ensure suppliers’ commitment to fair treatment, equitable wages, and safe working environments. Social accountability is becoming integral to supplier evaluations, with companies focusing on shared values within their supply chains.
  • Governance. The “G” focuses on business ethics, anti-corruption, cybersecurity, privacy, and accountability. Governance requirements extend beyond internal operations, compelling companies to verify that third-party partners maintain ethical practices, prevent bribery, and adhere to data privacy and cybersecurity standards. Organizations must ensure that their suppliers’ governance structures align with regulatory and ethical mandates, safeguarding the integrity of the entire value chain.

Resilience, as emphasized by EU DORA, is a critical addition to this framework. DORA requires financial entities to manage ICT risk across their critical ICT third-party providers, including cloud providers, and subjects the most critical of those providers to direct EU-level oversight. This means companies must assess the resilience of their third-party partners, ensure they have robust incident response plans, test that resilience rather than take it on faith, and continuously monitor for potential disruptions that could impact business operations. Resilience now plays a central role in the extended enterprise, alongside ESG commitments.

The Shift from Fragmented to Integrated TPRM Programs

Many organizations have traditionally managed third-party risk through siloed, department-driven processes, with procurement, legal, compliance, and IT each managing risk assessments independently. The EU CSDDD, the Corporate Sustainability Reporting Directive (CSRD), and DORA demand a unified strategy that bridges these functional divides. Companies are now working to establish integrated TPRM programs supported by modern technology and intelligence architectures.

This transformation requires multi-departmental collaboration. Legal, compliance, procurement, supply chain, human resources, IT, and sustainability departments must coordinate efforts to develop a comprehensive third-party due diligence strategy. Governance committees are being established to oversee risk activities, ensuring alignment with corporate ESG objectives and operational resilience goals.

To achieve this, organizations are adopting centralized third-party risk management platforms. These platforms provide a unified view of third-party risks, from onboarding and due diligence to ongoing monitoring all the way to offboarding. Risk intelligence feeds play a critical role, providing real-time insights into environmental, social, and governance risks in supply chains, as well as operational threats such as cybersecurity risks and IT system failures. Companies are leveraging automation and artificial intelligence (AI) to streamline workflows, identify hidden risks, and enhance overall efficiency.

Building a Holistic ESG- and Resilience-Driven TPRM Strategy

To meet the demands of the EU CSDDD, CSRD, and DORA, organizations must develop a holistic ESG- and resilience-driven TPRM strategy. Success requires clear governance, robust risk assessment, continuous monitoring, and transparent reporting. Key steps in this process include:

  • Accountability. Establishing accountability at the executive and board level is a foundational step. Executive sponsors must drive ESG compliance initiatives, supported by cross-functional risk oversight committees that span legal, compliance, procurement, IT, and sustainability teams. Accountability structures ensure that ESG commitments and operational resilience goals are enforced throughout the organization and its supply chain.
  • Onboarding. Comprehensive due diligence and supplier onboarding are essential. Organizations must evaluate potential suppliers based on ESG and resilience criteria before entering into contracts. Supplier codes of conduct are developed to set clear expectations for ESG compliance and resilience commitments, ensuring suppliers commit to ethical, sustainable, and resilient practices.
  • Monitoring. Risk assessment and continuous monitoring are crucial to ESG- and resilience-driven TPRM. Companies are using third-party risk intelligence feeds to track environmental, social, and governance risks in real-time. Automated alerts notify companies of supplier non-compliance, regulatory changes, adverse media coverage, and operational risks such as cybersecurity threats or natural disasters, enabling proactive responses to emerging risks.
  • Remediation. When issues arise, companies must have clear processes for remediation and corrective action. This includes escalating, addressing, and reporting third-party ESG and resilience issues. Companies should also define contractual remedies, such as termination clauses, for suppliers that fail to comply with ESG or resilience commitments.
  • Engagement. Training and awareness initiatives play a vital role in embedding ESG and resilience principles within the organization and its supply chain. Training internal teams and third-party partners ensures that everyone understands the company’s ESG commitments, operational resilience obligations, and compliance obligations. Training on TPRM platforms and risk intelligence tools helps teams maximize the technology’s potential.
  • Assurance. Assurance activities verify that companies and their third parties are meeting ESG and resilience requirements under the EU CSDDD, CSRD, and DORA. Companies must conduct regular audits of high-risk third parties against ESG and operational resilience criteria. Self-assessment questionnaires (SAQs) gather direct responses from suppliers about their adherence to ESG and resilience policies, supported by certifications, but self-attestation alone is weak evidence: organizations are also adopting verification processes that use independent third-party audits to confirm suppliers uphold their commitments and meet regulatory obligations and ethical standards. When non-compliance is detected, gaps are addressed through remediation and corrective action plans.
  • Reporting. Finally, reporting is essential for demonstrating compliance with ESG and resilience regulations. Companies must evidence third-party compliance with ESG standards and resilience requirements through regular reporting, dashboards, and the results of the audits and verification processes described above, so that boards, regulators, and stakeholders see one consistent picture of the extended enterprise.

ESG and resilience are driving a transformation in third-party risk management, pushing companies toward an integrated third-party risk strategy and architecture (technology and intelligence/content). Fragmented risk management strategies are being replaced by unified, multi-departmental strategies supported by modern technology and third-party risk intelligence. This approach requires companies to collaborate across functions, leverage TPRM platforms, and adopt proactive risk assessment and monitoring techniques.

The future of third-party risk management is clear: ESG and resilience are no longer “nice-to-have” but regulatory necessities. Companies must adapt to ensure their extended enterprise aligns with Environmental, Social, and Governance principles while also ensuring operational resilience. Doing so strengthens corporate integrity, builds trust with stakeholders, and ensures regulatory compliance under the EU CSDDD, CSRD, DORA, and beyond. Companies that successfully navigate this transformation will gain a competitive advantage, while those that fail to act risk penalties, reputational damage, and loss of market access.