Category: The GRC Pundit Blog

---

In the context of Governance, Risk Management, and Compliance (GRC), the “R” – risk management – has often been the most misunderstood, misapplied, and technologically abused component. For all the buzz surrounding risk quantification, operational resilience, and integrated risk frameworks, many so-called “risk management” modules and solutions remain little more than glorified workflow tools — digital filing cabinets that turn risk into a bureaucratic exercise, rather than a driver of strategic value. As GRC has matured over the past two decades, its true purpose has been clarified in the OCEG GRC Capability Model back in 2003: GRC is about the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance). Yet, too many implementations fail to grasp or enable the true purpose of risk management in the GRC context as defined for over 20 years.

Instead of helping organizations understand the uncertainty that impacts their success, many GRC solutions promote risk as static lists, clunky assessment forms, and color-coded heatmaps. These serve compliance goals — especially in contexts like SOX — but they do little to nothing to support strategic decision-making. The result is often a dangerous illusion: the false belief that risk has been “managed” simply because it has been documented. Terry Goodkind’s “Wizard’s First Rule” eerily captures the spirit of this deception — people will believe what they are motivated to believe, even when it isn’t true. In risk management, we have deceived ourselves into thinking that checklists and red-yellow-green matrices provide insight. In reality, they often obscure more than they reveal.

To be blunt: most risk management solutions/modules on the market today are not only weak but counterproductive. They reinforce a ritualized, low-value version of risk management that serves neither governance nor resilience. Worse, they lull organizations into a false sense of security.

The Fallacy of Workflow-Centric Risk Management

Risk management is NOT a workflow engine, it is NOT a ticketing system. While tasks, forms, and assessments are part of the process, they are not its essence. Treating risk management as a set of tickets to be opened and closed misses the point entirely. Good risk management technology must do more than facilitate process: it must enable insight, modeling, foresight, and business alignment.

Most risk management modules I encounter are designed to support compliance, not strategy. They excel at routing forms, assigning accountability, and storing evidence; but they rarely offer:

• Strategic scenario modeling
• Objective-centric analysis
• Meaningful quantification beyond superficial “likelihood × impact” matrices
• Tools for understanding the ripple effects of interconnected risks

In short, they miss the core: risk management as a decision-support discipline.

What Good Risk Management Technology Should Deliver

To move beyond mediocrity, risk management technology must embrace and enable a more strategic, analytical, and dynamic approach. The following are the essential pillars of a modern, mature risk solution:

1. Strategy Management: Risk in Decision-Making

True risk management starts upstream, in the strategic decision-making process. It is not a back-office activity but a front-line enabler of choice and direction. Risk exists where decisions are made. This is the RM2 philosophy espoused by Alex Sidorenko: risk management should live in decisions, not documentation.

Good risk solutions should allow organizations to:

• Embed risk evaluation directly in strategic initiatives, investment decisions, and transformation programs
• Tie risk identification to business cases, investment committees, and planning cycles
• Assess the potential downside and upside of decision alternatives, not just static threats
• Use tools like scenario decomposition, sensitivity analysis, or exceedance curves to inform decision outcomes

2. Objective-Centric Risk Management: Aligning Risk with What Matters

ISO 31000 defines risk as “the effect of uncertainty on objectives.” This is not just semantics, it is a blueprint for action. Risk is not a list of bad things that might happen; it is the uncertainty that affects our ability to perform, to achieve, to grow.

This is the school of thought championed by Tim Leech: risk must be managed in the context of objectives.

Strong risk management software will enable:

• Objectives to be defined and tiered across the organization (e.g., strategic, operational, compliance, ESG)
• Risks to be linked to specific objectives at various layers: enterprise, division, department, process, project, asset, or third party
• Performance metrics to be tracked alongside risks, revealing the true business impact
• Dynamic dashboards that show where uncertainty threatens key outcomes

Without this connection to objectives, risk becomes compliance. With it, risk becomes actionable and of value.

3. Risk Quantification: Beyond Heatmaps and Into Distributions

Heatmaps are not only imprecise, they are often misleading. As Graeme Keith of Stochastic ApS and others have argued, they create a false sense of comparison where high-scoring “green” risks may pose more aggregate exposure than “red” ones. Static matrices lack the dimensionality required to inform strategic resource allocation.

What is needed instead is intelligent quantification, such as:

• Use of distributions, not single-point estimates, to reflect uncertainty ranges
• Scenario-based models that evaluate different pathways and their outcomes
• Risk aggregation techniques that avoid false mathematical precision but enable executive-level oversight

Still, Monte Carlo is often misunderstood and misapplied. The real value lies not in complex models for their own sake, but in understanding the landscape of possible outcomes and the assumptions behind them. What Graeme has worked on is brilliant in making risk quantification practical and meaningful.

4. Risk Visualization: Engaging the Right Brain

We often over-rely on spreadsheets and reports that appeal to logic but not intuition. Effective risk management also requires visualization techniques that engage the right brain and facilitate understanding across the business.

Bow-tie analysis (my favorite), for example, offers:

• A clear structure showing cause, control, and consequence
• Visualization of control effectiveness and gaps
• The ability to simulate mitigation effectiveness in real-time

Such tools transform risk from a compliance burden into a business conversation.

5. Scenario Modeling & Digital Twins: The Future of Risk

One of the most powerful developments in risk management today is the rise of digital twins: virtual representations of business functions, supply chains, projects, or even entire enterprises. These allow organizations to simulate disruptions and evaluate the effects of risk on objectives in a dynamic, systems-based context.

Good solutions will support:

• Creation of digital models for supply chains, operational processes, or enterprise-level systems
• Simulation of risk events (e.g., supplier failure, cyber attack, regulation change) and their downstream impacts
• Testing of alternative mitigation strategies in real time
• Insights into resilience thresholds and recovery strategies

This is where risk management moves from theory to action, and where executives can explore, not just analyze. It gives us the power of Dr. Strange from the Marvel Universe in Avengers End Game to explore all the possibilities and identify the future where we win.

6. Connectivity, Clustering, and Contagion Analysis

Risks are rarely isolated. They are connected through relationships, processes, and interdependencies. Graph theory and network analysis now allow us to understand risk contagion—how one failure can cascade into others.

Advanced risk tools are beginning to offer:

• Network maps showing how risks relate across objectives, systems, and third parties
• Clustering analysis to identify concentrated risk areas
• Early warning of emerging threats based on interconnected indicators

These techniques offer richer, more dynamic insights than any risk register ever could.

7. External Risk Intelligence: Horizon Scanning & Real-Time Context

No business operates in a vacuum. Organizations are exposed to a wide array of external risks — geopolitical instability, economic shifts, environmental volatility, social unrest, and regulatory changes — that can rapidly derail strategies and objectives. Effective risk management must continuously monitor the external environment to maintain alignment between internal decisions and external realities.

This is where external risk intelligence feeds become essential. They provide both horizon scanning (what’s emerging) and situational awareness (what’s happening now), giving organizations the foresight and agility to respond before risks become disruptions.

Advanced GRC solutions should support:

• Integration of external data sources such as geopolitical risk indices, ESG events, sanctions lists, regulatory updates, climate risk data, and news analytics
• Signal detection that highlights changes in risk posture based on unfolding events or trend shifts
• Role-based relevance filtering to ensure risk intelligence is not just delivered, but delivered to the right people with the right context
• Dynamic linkage of external threats to internal objectives, strategies, and controls, enabling proactive adjustments

Risk intelligence is the nervous system of a modern GRC strategy — sensing, analyzing, and informing decisions in real time. Without it, internal risk models become outdated before they’re even finalized.

---

Final Thoughts: From Checklists to Capabilities

The current state of risk management software is, in many cases, a symptom of a deeper malaise. When risk is reduced to compliance, forms, and heatmaps, we miss the entire point. We create the appearance of rigor without the substance of insight. We perform risk management rituals without enabling real decision support.

There are bright spots in the market—solutions and philosophies that emphasize integration with strategy, objective-centric thinking, intelligent quantification, and modeling. I particularly appreciate the work of professionals I respect (listed above) in pushing quantification boundaries and organizations like Iluminr in making scenario gaming approachable and relevant.

But the industry must evolve.

---

Call to Action

If your current risk management platform cannot:

• Support decision-centric risk modeling,
• Connect risks to layered objectives,
• Quantify risk using meaningful distributions or simulations,
• Visualize risks in a way that speaks to executives and front-line staff alike,
• Or simulate scenarios and digital twins to prepare for the unexpected…

…then it is not a risk management solution. It is a documentation tool.

Now is the time for organizations to demand more from their GRC vendors and elevate risk management from compliance exercise to strategic capability. Because in an increasingly volatile world, understanding risk is no longer optional—it is existential.

Let’s stop managing risk in forms and start managing risk in context.

And do not forget to follow my Risk Is Our Business podcast . . .

---

In a world oversaturated with rankings, quadrants, waves, grids, and so-called “expert” opinions, the role of the industry analyst has never been more critical — or more misunderstood. It should be a role grounded in investigation and informed judgment. Yet, in many ways, the profession has been hijacked by commercial interests, lazy methodologies, and echo chambers of perception masquerading as truth.

We often define an analyst as someone who studies something in detail to understand it and predict outcomes. But in practice today, this term has blurred, muddied by agendas, absence of direct experience, and a growing detachment from the realities of the marketplace.

A World of Untruth in the Pursuit of Truth

While watching Bono’s Stories of Surrender, one line struck a deep chord:

“Something you should know about performers, in pursuit of truth we are capable of more untruth than most.”

That line doesn’t just apply to artists. It is a piercing observation of many industry analysts. In the pursuit of crafting a compelling market narrative, some are willing to bend facts or gloss over contradictions to construct a neatly packaged report — one that often says more about market perception than market reality.

I have been rereading Wizard’s First Rule . . . in this book, Terry Goodkind’s wizard Zedd pronounces:

“Reality isn’t relevant. Perception is everything.”

This is the core tension at the heart of the analyst dilemma. The problem is not merely bias — it is fiction parading as fact, perception replacing analysis, and methodology sacrificed for marketability.

When Analyst Research Goes Wrong

Let’s be clear: not all analyst research is bad. But much of what is published today, particularly in GRC — from large analyst firms to boutique boutiques and peer review platforms — raises questions:

• Rankings without Rigor. Too often, I encounter reports comparing vendors in a quadrant, wave, or magic shape — where the underlying logic is murky or absent. One vendor is “a leader” in one report, and in another, the same vendor is a “challenger” or “niche.” Both reports contradict each other but claim objectivity.
• Ghost Reviews and Fake Peer Sites. Many peer review sites are riddled with manipulated entries. Solution providers incentivize clients (or consultants) to fill out the reviews on their behalf. Some go so far as to pre-write the responses, feeding them back to the reviewers. The result is a fictional echo chamber of “satisfaction” and “value” with no bearing on reality.
• No Firsthand Experience. I am astounded by how many analysts issue assessments of platforms they haven’t seen in years — or ever. I know of boutique firms publishing scores and rankings without current demos or conversations. It’s dangerous, misleading, and frankly, negligent.
• Detached from the Field. Analysts who won’t engage in live demos or customer calls, who prefer pre-recorded videos and automated surveys, are doing a disservice to the profession. Insight comes from interaction, not from passive consumption. Surveys tell you what someone thinks. Conversations uncover why.

Neutral ≠ Agnostic: The Myth of False Objectivity

When I call out poor performance — say, the growing wave of complaints I’ve heard about ServiceNow for GRC — I’m sometimes met with accusations that I’m no longer “neutral.” But neutrality is not the same as agnosticism.

Neutrality, in the analyst profession, means being guided by evidence and objectivity — not refraining from opinion. If an analyst cannot speak truthfully about what is broken, then they are not neutral — they are complicit. Objectivity requires critique when it is warranted.

As one LinkedIn commenter said in response to my post:

“Openly communicating this sort of feedback is literally the job of an analyst. Ignoring it and sweeping it under the rug because of a misguided sense of neutrality and objectivity is a dereliction of duty.”

Well said.

What Should an Analyst Do? A Return to First Principles

At its core, good industry analysis is about understanding. Not promoting. Not appeasing. Not posturing. An analyst must be an investigator, a translator, and a guide.

This means:

✅ Have Conversations, Not Just Surveys

Real insights come from probing questions and human interaction—not checkboxes. Analysts should talk to customers, implementers, end-users, and executives to understand how solutions actually perform.

✅ Demand Demonstrations

If you are going to rank, score, or analyze a platform, then you need to see it. Not a slide deck. Not a script. A live environment. Too many analysts avoid live demos in favor of canned videos. That’s not research—it’s theater.

✅ Engage the Ecosystem

You’re not an island. Analysts should build trusted relationships with practitioners, partners, and providers. That’s how you stay current, learn, and validate assumptions.

✅ Attend and Stay at Events

It’s one thing to show up, do your talk, and leave. But staying—engaging in sessions, conversations, hallway chats—this is where the real market signals live. Analysts should be present, not just performative.

✅ Acknowledge You’re Not the Expert in Everything

A good analyst knows when to consult others. Nobody is an expert in every corner of a complex market. Build a network of specialists and listen to them.

The Analyst Crisis: We Have a Problem

Today’s analyst landscape is plagued by:

• Commercialized rankings that serve marketing more than truth
• Armchair analysts who haven’t spoken to customers in months
• Overpriced advisory sessions that offer generic, out-of-touch advice
• A culture that rewards appearance over substance

This is dangerous in fields like GRC, where organizations rely on analyst guidance to make real-world, high-impact decisions around risk, compliance, and governance. If perception trumps truth, we aren’t helping—we’re harming.

Closing Thoughts: In Search of the Truth

The modern industry analyst stands at a crossroads. One path leads to genuine value: grounded, transparent, and impactful research that helps organizations make better decisions. The other path is perception-driven fiction, where charts are currency and reality is optional.

As someone who has been part of this profession for over 30 years—who helped define the GRC space in 2002 and continues to work closely with practitioners, vendors, and regulators—I believe we must reclaim the purpose of this role.

Truth matters. And the job of an analyst is to pursue it, speak it, and help others see it clearly. Because in the end, that is the analyst’s sacred duty.

If you’re navigating the GRC space and need clarity—whether you’re a buyer, a provider, or a practitioner—GRC 20/20 is here to help. We provide insight, not illusion. We ask hard questions. We listen. We engage. And we tell the truth.

A Real Conversation About Real GRC Value

It was a London evening last week, and I found myself in Mayfair sharing Indian food with a respected friend in risk management, Stefan. He’s the Head of Risk and Governance for a well-known UK-based retail organization, a sharp thinker with years of risk management experience. We met up to catch up, decompress, and compare notes on what we’ve been seeing in the world of governance, risk management, and compliance (GRC).

Midway through our conversation — just after the starters and naan arrived — he glanced at his phone and raised an eyebrow. “Another one,” he said. A vendor had messaged him directly, promoting their GRC platform. The message read like many do: bold efficiency claims. “Save 75% in time spent on risk assessments and reporting! Cut your audit prep time in half!”

My friend smiled, unimpressed. “Nobody bought a GRC tool because it makes the risk guy’s job easier, it is not a benefit that will make people buy” he responds. “Show me how this reduces risk to my corporate objectives, that is what interests me.”

That one sentence stuck with me. It was a masterclass in clarity — an executive not seduced by buzzwords or dashboards, but focused on outcomes. And it reminded me just how off-track the GRC technology conversation can become when it centers solely on process automation and productivity metrics.

The truth is that nobody buys a GRC tool just to make the risk guy’s job easier. GRC is not about efficiency for its own sake. It is about enabling the organization to reliably achieve its objectives, navigate uncertainty, and protect its integrity. Yes, time savings are useful — but if those time savings do not translate into improved decisions, reduced exposure, and stronger organizational performance, then the platform may be automating the wrong thing faster and perpetuating poor risk management.

---

GRC: What You Do, Not What You Buy

Let’s be clear: GRC is not a piece of software. GRC is a capability (read the OCEG GRC Capability Model) — an integrated set of practices across the enterprise that support governance (setting and achieving objectives), risk management (addressing uncertainty to objectives), and compliance (acting with integrity as we pursue objectives). It includes strategy and structure, culture and behavior, policies and processes, roles and responsibilities. Technology plays a role — but it is an enabler, not GRC itself.

No one buys GRC. And every organization does GRC, whether they call it GRC or something else. The question is how can we make GRC (or whatever you call it in your organization) more efficient, effective, resilient, and agile. That is where technology does have a role. And we all use technology for GRC, even if you are stuck in the Stone Age with stone tablets and chisels, that is technology.

This distinction matters because too many organizations approach GRC as a systems implementation project instead of a business discipline. They start with tool selection rather than problem identification. Too often focused on compliance and not business objectives, they aim to “get compliant” without asking what compliance means in the context of their business objectives. They automate controls but fail to evaluate whether those controls are reducing risk in a meaningful way.

A well-implemented GRC technology solution can be transformative — but only when it supports the broader capability. And that capability must deliver value in more than one dimension.

---

The Four Dimensions of GRC Value

The framework I have developed to evaluate the business value of GRC investments and build business cases — whether in technology, process design, or organizational structure — is grounded in four core value dimensions: Efficiency, Effectiveness, Resilience, and Agility. Each of these relates directly to the underlying GRC mission and definition: to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

Let’s explore these four dimensions with a narrative lens—and unpack what they look like in practice . . .

---

1 – Efficiency: The Beginning, Not the End

Efficiency is the most commonly touted benefit in GRC solution pitches. And for good reason: organizations waste enormous amounts of time managing risk, controls, and compliance through fragmented, manual, spreadsheet and email-driven processes or in silos of non-integrated solutions. These inefficiencies are costly—not only in terms of personnel hours but in opportunity cost and risk of error.

Consider a global consumer goods company that had five separate teams managing overlapping third-party risk processes in different areas of the business. Each team had its own intake forms, risk assessment templates, and reporting structure. The result was redundant work, inconsistent decisions, and no centralized view of supplier risk exposure. After deploying a GRC platform to unify and automate the process, they reduced administrative effort by 80%, eliminated duplicative vendor reviews, and created a single source of truth that dramatically improved efficiency across procurement, legal/compliance, privacy, and IT security.

But here’s the key: those time savings were not the business case — they were the enabler. The real value came in improved decision-making and better vendor oversight, not faster form completion. So efficiency is nice, we like ROI, but there is much more to GRC value.

Efficiency matters. But it’s only the first step.

Efficient GRC is about doing things right. But effective GRC is about doing the right things.

---

2 – Effectiveness: Reducing Actual Risk Exposure

This is the dimension that too often gets ignored, but is the most critical. Is there a measurable, quantifiable reduction in risk exposure to the organizations objectives and operations?

In GRC, effectiveness means your efforts are actually lowering risk exposure and enabling the organization to reliably achieve objectives amid uncertainty. Not perceived risk. Not checkbox risk. But real, measurable risk exposure (uncertainty) to strategic, financial, and operational objectives.

I’ve worked with organizations that had risk registers and beautifully documented control libraries — yet they suffered repeated incidents, regulatory scrutiny, and failed to show risk reduction and enable the business to manage uncertainty to objectives. Why? Because they had no way of linking controls to outcomes, or risk scoring to business objectives. Their GRC efforts were comprehensive but not calibrated. They were tracking noise instead of reducing signal.

Contrast that with a financial services firm that focused their GRC program on risk-weighted investment in controls. They used a platform not just to document risks, but to correlate them with control performance, incident frequency, audit findings, and business objectives. This allowed them to:

• Identify areas of over-control where compliance burden could be reduced
• Justify increased investment in high-risk areas with weak mitigation
• Demonstrate to the board a clear line from GRC activities to business outcomes and objectives

Effectiveness here wasn’t about how fast they completed assessments. It was about the confidence that risks were being managed within tolerance — and being able to prove it.

If you cannot demonstrate that your GRC program is measurably reducing risk to your objectives, then you are not being effective — just active, perhaps like a hamster on a wheel not truly getting anywhere.

---

3 – Resilience: Containing the Impact, Not Just Recording It

Resilience is not just about disaster recovery plans or business continuity documentation. Resilience in GRC means the organization can detect, contain, and recover from disruptions and exposures before they cascade into full-blown crises.

Consider a manufacturer who experienced a major supplier cyber incident that exposed them to scrutiny and lost production time. Post-incident analysis revealed that the risk was known — but siloed. IT had flagged it as a concern, but procurement and compliance were unaware. No one had centralized visibility or accountability.

Following that incident, they implemented a GRC solution with integrated third-party monitoring, real-time alerts, and automated risk escalation pathways. The next time a similar issue emerged — with a different vendor — it was flagged, triaged, and mitigated before causing any operational impact.

That is what resilience looks like: not the absence of disruption, but the ability to see it early, contain it quickly, and recover with confidence.

Resilience is what keeps a compliance issue from becoming a scandal. A system failure from becoming a shutdown. A risk exposure from becoming a crisis.

---

4 – Agility: Steering Through Uncertainty

Finally, we come to agility — the often-overlooked value of GRC in helping organizations not just survive but thrive through change. This is where the greatest value of GRC is, if an organization is mature enough to achieve it and has the vision to achieve it.

The world doesn’t wait for risk teams to catch up. New regulations, emerging technologies, geopolitical shifts, environmental crises, and social expectations all create an environment where yesterday’s risks and controls are insufficient for today’s realities. The question is: Can your GRC program keep up? Are you navigating the road ahead of the organization or driving fixated on the rearview mirror?

A digital services company undergoing rapid expansion into Southeast Asia and the Middle East found itself navigating a complex mix of regulatory expectations, cultural norms, and emerging risks (e.g., geo-political, operational, financial). As they pursued strategic objectives tied to regional market growth, leadership quickly recognized that their ability to reliably achieve those objectives was threatened by fragmented risk management practices. Without a unified GRC framework, it was difficult to anticipate and adapt to jurisdictional differences or maintain consistent oversight. By implementing a GRC solution aligned with business strategy and objectives, they gained forward-looking visibility into regulatory obligations, third-party exposures, and operational dependencies across regions. This allowed the organization to proactively chart a course, scaling risk management practices in parallel with their expansion — ensuring that growth was not only fast, but sustainable and governed with integrity.

Agility meant that they could enter new markets with confidence, see the road ahead of them, that is the objectives and the obstacles appearing in the way of achieving those objectives in their growth strategy — without slowing down business.

A digital twin adds significant value to agility by providing a dynamic, real-time mirror of the organization’s processes, risks, and controls. This allows leaders to simulate potential scenarios, visualize the ripple effects of change, and make informed decisions before disruptions occur. With a digital twin, GRC becomes forward-looking — helping the organization see around corners and adjust proactively to stay aligned with strategic objectives.

GRC should not be the handbrake. It should be the navigation system — helping the business steer safely through uncertainty toward its objectives.

---

The Conclusion: Lead with Impact

Efficiency is part of GRC value — but it’s only a part of the story. Done right, the value of efficiency/ROI is only a small fragment of the value of GRC when done correctly in the right context of the organizations objectives.

The strongest business cases I see are the ones that anchor GRC in strategic outcomes:

• Reduced risk exposure to what matters most in context of objectives
• Informed investment in the right controls to reliably achieve objectives
• Fewer incidents with faster response and recovery that could expose objectives
• Smarter navigation through a changing business landscape as it strives to achieve objectives

So let me say it again—for solution providers, practitioners, and executive sponsors alike:

Stop selling GRC as time savings. Start showing how it enables the business to achieve objectives, adapt to change and uncertainty, and act with integrity in an uncertain world.

Because that’s not just GRC. That’s good business.

We live in a time when regulation changes faster than many organizations can track it. Global compliance obligations evolve overnight — sometimes even hourly (or by the minute). Legal frameworks shift, regulators issue new interpretations, enforcement expectations intensify, and risks emerge from every direction: geopolitical instability, AI disruption, ESG pressures, and more. And while the external environment accelerates, organizations are simultaneously changing from within — adapting strategies, evolving processes, onboarding new technologies, growing teams, and expanding their third-party ecosystems.

GRC — governance, risk management, and compliance — as defined by OCEG, is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Let us focus on that last portion of integrity.

Amid this constant turbulence, organizations face a daunting question:

How do we stay grounded in integrity while everything around us is in flux?

At the heart of that challenge sits the Chief Compliance Officer (or Chief Ethics & Compliance Officer) — or perhaps, more fittingly in this era, the Chief Integrity Officer. I explore this in my blog: There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO).

---

From Compliance to Conscience

The traditional framing of compliance is no longer enough. It has become too reactive, too siloed, too focused on checklists and enforcement rather than empowerment and assurance. Compliance done well is not about playing defense. It’s about leading with values.

If we are to meet the regulatory and ethical demands of the modern enterprise, we must reframe the conversation — from compliance to conscience, from procedural enforcement to organizational integrity.

This is the thesis I bring into my upcoming keynote, “The Integrity Imperative: Ensuring Compliance in an Era of Relentless Change.” We are not just enforcing rules—we are anchoring the organization to its values and obligations, especially when the pressure is highest.

NOTE: compliance and risk management are different functions. In my perspective, in the ideal world (which the real world cannot always be ideal), compliance should never report into risk management (and it should not report into legal). I discussed this in my blog: Risk Management vs. Compliance Management: Understanding the Distinction.

---

---

The Role of Culture: A Unified Compliance Ethos

Compliance is not merely a function of having the right technology or a well-staffed compliance department. It depends on culture. That was the focus of the afternoon panel I joined at the Summit: “What Does a Unified Compliance Culture Look Like?”

The reality is this: compliance without culture is fragile. A culture of integrity, on the other hand, embeds ethical behavior across all the organization.

Yet, many organizations suffer from:

• Communication breakdowns between compliance and operations
• Inconsistent ownership of compliance obligations
• A view of compliance as “someone else’s job”
• Minimal engagement from leadership beyond formal attestations

To build resilience, organizations must elevate compliance as a shared responsibility—integrated into decision-making, performance management, third-party relationships, and strategic planning.

---

Reimagining the Chief Compliance Officer as the Chief Integrity Officer

Let’s talk about leadership.

In a world where ethical missteps can go viral, and regulators expect organizations to demonstrate intent and accountability, the role of the Chief Compliance Officer is evolving.

I propose a shift in mindset: from Chief Compliance Officer to Chief Integrity Officer.

Why? Because this role is no longer about merely ensuring regulatory adherence—it’s about embedding a culture of accountability, transparency, and trust. It’s about serving as the conscience of the enterprise—an enabler of values, not just an enforcer of rules.

The Chief Integrity Officer:

• Connects corporate purpose with operational behaviors
• Bridges legal obligations with ethical decision-making
• Leads proactive governance of AI, ESG, and third-party risk
• Ensures regulatory change is translated into action across functions
• Builds trust with regulators, investors, and the public by demonstrating alignment between words and actions

---

The Mounting Pressures of Regulatory Change Management

In my current three-week tour through Europe, I’ve seen first-hand how the regulatory change agenda is dominating boardroom and C-suite conversations. Across London, Copenhagen, Barcelona, Madrid, and Zurich, Regulatory Change Management (RCM) has come up in many conversations I’ve had (going through my notes, over 30). At the Global RegTech Summit in London, I moderated a main stage panel titled “RCM Reimagined,” and the questions from the audience were sharp and urgent:

• As AI and automation become foundational in RCM, how do we ensure accountability and compliance when machines make decisions?
• How can mid-sized firms adopt sophisticated RCM tools without enterprise-scale budgets?
• What happens when regulatory expectations conflict across jurisdictions?

Organizations are overwhelmed—not just by the volume of regulatory change, but by the complexity of interpreting, implementing, and operationalizing it. In my Zurich workshop hosted by Corlytics, we cataloged over 20 recurring pain points, including:

• The pace and volume of change
• Shadow AI and ungoverned tools interpreting regulatory data
• Data quality and legal accountability
• Siloed compliance teams and disjointed internal communication
• The struggle to keep policies and controls aligned with evolving rules
• And critically, interpreting what is material and relevant to the business context

This is not sustainable with spreadsheets, email chains, and reactive workflows.

Blueprint for Modern Compliance: From Theory to Execution

In my upcoming London workshop, “Compliance & Ethics Management by Design,” I’ll be helping attendees build the frameworks needed to operationalize this vision. We will dive into how to:

1. Build Governance Structures for Compliance

• Create a Compliance Governance Committee that integrates diverse roles
• Draft a Compliance Management Charter that defines structure and scope
• Develop a strategic plan aligned with board-level goals and objectives

2. Design the Compliance Lifecycle

• Map and monitor compliance obligations
• Establish communications, attestations, and engagement
• Assess controls and effectiveness
• Integrate compliance with third-party risk oversight
• Align metrics, reporting, and assurance

3. Architect the Right Technology

• Understand the types of compliance information and workflows
• Define requirements for a compliance information architecture
• Evaluate platform capabilities that support AI-assisted compliance, monitoring, and performance tracking
• Develop a compelling business case for investment in compliance modernization

---

Closing Reflections: Lead with Integrity, Not Just Compliance

We are NOT here to check boxes.

We are here to build organizations that do the right thing, even when no one is watching—organizations that can stand firm in the face of scrutiny because they are grounded in purpose, values, and trust. In the words of my favorite fictional Premier League coach and philosopher, Ted Lasso, “doing the right thing is never the wrong thing.”

In this era of relentless change, the most valuable compliance strategy is integrity by design.

Let’s stop managing compliance in silos and start leading with conscience.

Let’s reframe the conversation—because risk is our business, and integrity is our foundation that allows us to achieve what OCEG calls Principled Performance . . .

In today’s turbulent global landscape, risk is no longer something that can be managed solely through static policies, controls, and spreadsheets. It is dynamic, systemic, and interdependent — flowing across organizational silos, cascading through supply chains, and constantly evolving in response to regulatory, geopolitical, environmental, and technological forces that impact decision-making and an organization’s ability to reliably achieve objectives. To navigate this complexity, organizations need GRC solutions/tools that are equally dynamic and adaptive.

One of the most promising advancements in this space is the use of digital twins for Governance, Risk Management, and Compliance (GRC). Digital twins — virtual replicas of business systems, processes, or ecosystems that are continuously updated with real-world data — provide a unique capability for modeling uncertainty, visualizing interdependencies, and simulating the impact of risk and change (e.g., regulatory change, business change).

This idea came to life vividly in a recent supplier risk workshop I conducted in Madrid, Spain. Two large global manufacturers expressed their ambition to use digital twins to simulate the impacts of disruption events — from climate-related catastrophes to the geopolitical shock of a potential conflict in the Taiwan Strait. These conversations underscore the strategic value of digital twins in enhancing organizational resilience and proactive decision-making.

Then yesterday, I met with a life sciences firm in Switzerland that is in the midst of an RFP. They told me that they are specifically looking for a GRC platform that supports digital twins to simulate risk and regulatory change on their enterprise.

Simulation is the ultimate value of the story, but is built on documenting the current state of the organization and GRC . . .

In my presentations and conversations with organizations implementing business-integrated GRC strategies (GRC 6.0), I emphasize that the first and most accessible use case for a digital twin is to establish a real-time, dynamic view of the current state of GRC. Even before simulation, this initial visibility delivers meaningful value — especially for organizations earlier in their maturity journey. A digital twin of the organization (DTO) serves as a foundational representation of how risk, controls, compliance, and objectives interact across the enterprise. This “current state map” of the organization’s GRC architecture is the low-hanging fruit that enables better alignment, communication, and accountability.

Once this foundation is in place, simulation becomes the next frontier: scenario modeling, table-top exercises, micro-simulations, and war-gaming. But without an accurate digital reflection of the current state, the insights from simulations will be incomplete or misaligned.

---

Understanding Risk & Resilience Management at Multiple Levels

To appreciate the transformative potential of digital twins, it’s helpful to distinguish GRC 20/20’s three levels of risk management capability within organizations:

1. Strategic Risk & Resilience Decision Support. At this level, risk is used to evaluate and guide organizational decisions: market expansion, new product development, capital allocation, mergers, and acquisitions. This context provides the most business value, yet it is often the least structured in many enterprises. Digital twins help model how external conditions and internal shifts affect strategy and long-term performance — enabling resilient, evidence-based decisions. This is what what Alex Sidorenko refers to RM2 (Risk Management v2).
2. Objective-Centric Risk & Resilience Management. This layer focuses on managing uncertainty in the achievement of specific objectives — financial, operational, regulatory, legal, ESG, and beyond. These objectives cascade from the strategic level and exist across entities, departments, processes, projects, assets, and third-party relationships. Digital twins map these layers and the relationships between risks, objectives, and performance — creating a living model of risk in context. This alignment of risk to objectives is established in ISO 31000, and is what Tim Leech refers to as Objective-Centric Risk & Uncertainty Management.
3. Operational Risk & Resilience Execution. Here, risk is managed through tasks, controls, issues, audits, and assurance processes down in the operations, processes, transactions, and interactions of the organization. When connected to objective-centric risk management, this work supports performance and compliance. But when isolated, it often devolves into a compliance exercise with limited strategic value. Digital twins provide the connective tissue that links operational controls back to objectives, strategies, and regulatory obligations — bringing tactical risk into alignment with broader goals. This is what Alex Sidorenko refers to RM1 (Risk Management v1).

Digital twins, uniquely, have the potential to integrate across all three layers — transforming how risk and compliance professionals understand, communicate, and act on uncertainty.

---

GRC Use Cases for Digital Twins

1. Strategic Risk Management & Scenario Analysis
Digital twins allow organizations to simulate the impact of strategic decisions, enabling leadership to ask “what if” in a structured, evidence-driven way.

• A global energy firm models different climate futures — rising sea levels, extreme heat waves, flooding — and assesses impacts on physical infrastructure and energy continuity in their strategy.
• A multinational manufacturer simulates a potential conflict in the South China Sea to assess disruptions in shipping lanes, supplier access, and contractual obligations.

Digital twins enable multi-scenario forecasting so leadership can evaluate strategies and make decisions — dual sourcing, inventory strategies, or regional shifts — before crises occur.

2. Objective-Centric Risk Analysis
At the objective level, digital twins allow risk professionals to model how various risks and controls influence specific business goals, performance, and outcomes.

• A pharmaceutical company models ESG objectives across facilities, aligning emissions data, regulatory requirements, and site-level performance in addition to compliance with mandates.
• A logistics company assesses how volatile fuel prices, labor unrest, and digital outages affect KPIs like on-time delivery and service quality.

This approach reveals how tradeoffs, decisions, and external events shape actual outcomes, turning abstract risk into decision intelligence.

3. Operational Risk & Control Testing
Digital twins offer an environment for continuous assurance and virtual control testing — reducing reliance on periodic audits.

• A financial institution simulates phishing, ransomware, or DDoS attacks across its IT stack, testing resilience and refining incident response procedures.
• A global retailer models transaction surges, fraud patterns, and internal controls across digital channels during peak seasons.

These controlled simulations reduce organizational exposure while improving preparedness and adaptive response capabilities.

4. Regulatory Change Management
Digital twins are ideally suited to understanding the impact of regulatory change across jurisdictions, functions, and systems.

• A bank uses a digital twin to simulate the impact of EU DORA on business units, policies, and training needs — and prioritize remediation accordingly.
• A technology company models global data privacy laws (e.g., PIPL, DPDP, CCPA) to determine how they affect data flows and vendor obligations.

With regulatory overlays integrated into the digital twin, compliance teams can visualize change impact, track dependencies, and operationalize compliance faster.

5. Third-Party Risk & Extended Enterprise Resilience
Digital twins map the extended enterprise — suppliers, outsourcers, partners — to simulate and manage risk in increasingly interdependent ecosystems.

• A consumer electronics firm models its semiconductor supply chain to predict the impact of shortages and logistic bottlenecks.
• A defense contractor uses war-gaming to identify chokepoints, sanction risk, and dual-use technology compliance exposures.
• A fashion brand integrates ESG signals, satellite imagery, and supplier data to assess due diligence under the regulations and global frameworks.

These digital environments enable proactive planning, procurement agility, and stronger third-party oversight.

---

A GRC Future That Is Simulated — But Starts with Seeing Clearly

The future of GRC isn’t just about simulation. The first step is visibility: seeing your risk, compliance, and governance architecture in one place. That’s what a digital twin delivers. For less mature organizations, this real-time, integrated view of the current state of GRC is where the immediate value lies.

From there, organizations can evolve to simulate disruptions, test controls, and model regulatory impact — supporting continuous improvement, adaptive governance, and purpose-driven risk management.

Yet despite the clear value, very few GRC platforms today support digital twins natively. Most are still static systems of record. Forward-looking organizations are building or integrating digital twin capabilities externally, or seeking next-generation platforms that bring this vision to life.

If you’re exploring this space and want to understand which vendors are leading, feel free to reach out. I cover the full spectrum of GRC technologies and architectures.

Digital twins represent more than a technological trend — they are a catalyst for transforming how organizations understand themselves and navigate a complex, fast-changing world.

---

Let’s continue the conversation. Whether your organization is exploring the basics of a digital twin for current-state visibility or seeking to enable advanced simulations for resilience and compliance, I’d be happy to share insights from the field..

Navigating risk is no small task, whether it’s staying ahead of financial crimes, managing third-party relationships, or keeping up with the constant ebb an The stakes are high, and the need for smarter, more efficient solutions has never been greater. Enter artificial intelligence (AI). As SEC Commissioner Hester M. Peirce, in her March 27, 2025 remarks at the SEC AI Roundtable, emphasized the need for a balanced and informed regulatory approach to artificial intelligence in financial services—one that fosters innovation while maintaining human oversight and ethical responsibility to protect investors and market integrity.

When it comes to risk management, It’s a transformative force that’s tackling some of the most challenging aspects of compliance and business strategy today. From detecting money laundering patterns that humans might miss to helping firms predict and manage risks before they escalate, AI is stepping up to the plate. It’s making complex problems more manageable, reducing the strain on compliance teams, and enabling businesses to stay ahead of emerging threats.

But how does it do this? Let’s dive into how AI is specifically addressing high-risk areas like Anti-Money Laundering (AML), Third-Party Risk Management (TPRM), and regulatory change management, and why it’s quickly becoming a must-have tool for businesses looking to stay secure and compliant . . .

[The rest of this blog can be read on the COMPLY blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Organizations today operate within an extended enterprise, a complex ecosystem of third-party relationships that span suppliers, contractors, outsourcers, service providers, and other business partnerships. One of the greatest governance, risk management, and compliance (GRC) challenges organizations face is effectively managing this intricate web of relationships, especially in an era of increasing volatility, uncertainty, and global interconnectedness.

Yesterday, I had the privilege of leading my workshop “Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain” in Madrid, Spain. Attendees, representing diverse global organizations, came together in an engaging discussion, diving deep into the nuances and complexities of third-party GRC. Our conversation emphasized that a robust third-party GRC strategy must be holistic, encompassing governance, risk management, and compliance . . . but starting with governance . . .

Holistic Third-Party GRC: Governance, Risk Management, Compliance

Effective third-party GRC begins with governance, setting clear objectives for each third-party relationship and continuously measuring performance against these objectives. Governance establishes the framework that guides the partnership, ensuring strategic alignment and clarity in mutual expectations. The objectives in each relationship objectives should align and support the organizations broader objectives, and the organization needs to manage performance against the objectives in the relationship.

From governance, organizations then conduct risk management, identifying, measuring, treating, and monitoring uncertainties related to achieving these objectives. This critical step ensures preparedness for potential disruptions, enabling proactive rather than reactive management. It also enables good decision making on relationships and objectives, and enables the organization to seize opportunities and not just avoid and minimize loss.

Lastly, compliance comes into play to uphold integrity within third-party relationships, ensuring alignment with the organizational values, ethics, ESG commitments, and regulatory obligations. Compliance solidifies the relationship’s foundation, fostering mutual trust and ethical alignment. The organization needs to ensure it is doing business with other like-minded committed organizations.

When executed well, third-party GRC programs yield significant benefits:

• Agility. Organizations become adept at swiftly navigating uncertainty and enable the business to achieve, or even exceed, objectives in and across relationships having a compounding effect on the achievement of the organizations boarder objectives, even in volatile and risky environments.
• Resilience. A robust third-party GRC strategy minimizes the impact of incidents and accelerates recovery, ensuring sustained operational resilience despite events and incidents that occur.
• Integrity. Organizations build and sustain relationships with partners who reflect similar commitments to ethical standards, ESG criteria, and compliance expectations, reinforcing organizational values and brand reputation.

Challenges in Managing Third-Party Relationships

Our discussion during the workshop highlighted numerous challenges:

• Navigating global change and geopolitical risks, which introduce uncertainties into international supply chains.
• Managing operational resilience (including digital resilience), especially when facing disruptions such as the Suez Canal blockage or infrastructure failures like the Maryland bridge disaster.
• Extending oversight beyond primary suppliers (2nd, 3rd, and 4th-tier suppliers), which significantly expands the complexity and scope of third-party governance.
• Dealing with the reputational risks inherent in third-party engagements.
• Adapting to varying regulations affecting international third-party relationships, especially around ESG requirements which differ by jurisdiction.
• Addressing the challenge of mapping suppliers and understanding their comprehensive risk profiles.
• Considering critical issues like single-source dependencies, dual-sourcing, and the inherent vulnerability in using small suppliers who lack resources yet may hold significant operational importance.
• Addressing challenges of fraud, accurate monitoring, and leveraging third-party risk intelligence.
• Overcoming internal silos, where third-party risk oversight responsibilities are fragmented across various departments.

Rethinking Risk: The Value at Risk and Digital Twins

Two particularly transformative insights emerged prominently during our workshop:

1. Measuring Risk by Value at Risk, Not Spend. Traditional models often gauge supplier risk based on expenditure levels. Yet, the true impact of risk lies in potential harm to business continuity or brand reputation. Even small suppliers with modest spending can pose enormous risks if their product or service is critical. Organizations must shift their metrics from spend-centric assessments to value-at-risk evaluations to accurately capture and mitigate risks.
2. Leveraging Digital Twins for Enhanced Risk Simulation. Another groundbreaking approach is the use of digital twins—virtual models that replicate the dynamics of third-party relationships and the organization itself. This technology enables organizations to simulate various risk scenarios and resilience strategies proactively, offering deep insights into potential impacts and effective responses.

In this context, organizations should also incorporate simulations, table-top exercises, and wargaming into their third-party risk management toolkit. Such exercises can reveal hidden vulnerabilities, refine response plans, and foster organizational preparedness, significantly enhancing resilience in real-world scenarios.

A Strategic Shift: Starting with Governance, Not Compliance

Finally, attendees agreed strongly that traditional approaches often mistakenly start—and sometimes end—with compliance. This approach overlooks critical governance frameworks and the core objectives that should underpin third-party engagements. Effective third-party GRC must always begin with governance, setting clear objectives (and performance against those objectives), proceed through risk management to understand uncertainties to objectives, and finally extend into compliance to assure alignment with the organizations values, ESG commitments, and regulatory/legal obligations.

By embracing these comprehensive and nuanced approaches, organizations can significantly strengthen their ability to manage third-party relationships effectively, maintaining agility, resilience, and integrity in a complex global ecosystem.

Could not get to Madrid, I am doing similar workshops in the next two months . . .

May 14 @ 2:00 pm – 5:00 pm CEST 

• Riding the Compliance Carousel: Managing Emerging Regulatory Risks & New Rules, ZURICH

 21 @ 9:30 am – 4:30 pm BST 

• Third-Party Risk Management by Design, LONDON

June 9 @ 1:00 pm – 4:00 pm CEST 

• Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain, BIRMINGHAM

June 10 @ 1:00 pm – 5:30 pm BST 

• Risk and Resilience by Design: Building the Future-Proof Enterprise, LONDON

June 17 @ 1:00 pm – 4:00 pm CEST

• Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain, COPENHAGEN

June 19 @ 6:00 am – 6:30 am BST 

• Compliance & Ethics Management by Design, LONDON

The following article, Reframing Integrated Risk Management: A Historical Perspective on GRC’s Evolution, was originally published by Michael Rasmussen on our sister site, www.GRCreport.com . . .

Key Takeaways

• GRC’s Origins and Evolution: GRC began as a business objective and risk-driven framework, was hijacked by compliance with SOX, but has realigned as a strategic, performance-oriented model that integrates governance, risk management, and compliance.
• IRM’s Role Within GRC: Integrated Risk Management (IRM) is not a replacement for GRC but a core component of the risk management pillar (also called ERM, ORM), helping organizations address risk within the context of governance, which defines objectives.
• The Misconception of IRM: Despite some claims, IRM does not stand apart from GRC; it is part of the risk management function within the GRC framework—the R in GRC—making it more integrated and comprehensive.
• OCEG’s Emphasis on Integration: OCEG has always emphasized that the R in GRC, which is IRM, is integral to GRC, reinforcing governance while managing risk in alignment with organizational objectives.
• Certifications Supporting GRC and IRM: OCEG’s suite of certifications, such as Certified GRC Professional and Integrated Risk Management Professional, underscores the importance of understanding how IRM fits within the larger GRC strategy and context.

Deep Dive

Over the years, the term Integrated Risk Management (IRM) has increasingly become a focal point in discussions around governance, risk management, and compliance (GRC). While IRM gained limited traction in some circles, it’s important to remember that the concept of GRC is deeply rooted in a decades-long evolution, beginning with early work in risk management, compliance, and IT security. To understand where IRM fits, it’s crucial to first understand how GRC came to be and why it continues to play a central role in managing risk and uncertainty to organizational objectives while ensuring integrity in organizations today.

My journey into framing GRC began in the mid-1990s when I worked in risk management and compliance at a life sciences firm, where I identified the need to move beyond spreadsheets to document and manage risks and controls. By the late 1990s, I had taken on the practice leader role in risk and compliance consulting at Denmac Systems, where I worked with Lou Bevente and Andy Denenberg, the owners of Denmac. During this time, we explored the possibility of developing a software solution to address risk and control needs, what would eventually be recognized as GRC.

Andy Denenberg’s prior work on AlertPage, a product he created that was later acquired by Computer Associates, was a motivator to explore doing it again for risk and internal control management. Although we explored developing what I would later call GRC, the project didn’t materialize as I moved into the analyst world at GiGa (started by Gideon Gartner from Gartner Group. The GiGa stands for Gideon Gartner and not gigabyte), which was subsequently acquired by Forrester. While the GRC software initiative at Denmac didn’t come to fruition, it laid the foundation for the work that would follow.

In February 2002, while at Forrester, I attended a briefing with Telos Xacta, a company that aimed to adapt its government accreditation platform to commercial applications for risk, control, and compliance. The capabilities demonstrated in that meeting were precisely what had resonated with me earlier at Denmac—the ability to map risks, controls, and compliance requirements in a unified solution. This was what I had envisioned, and it catalyzed my thinking about the emerging market that could tie these disparate elements together.

Following that briefing, I spent considerable time reviewing my notes, doing additional briefings with other solutions coming to the market for this, and conceptualizing a name for this market. I ultimately introduced the term Governance, Risk Management, and Compliance, i.e., GRC. What I saw was the potential for a more integrated and holistic approach to managing governance, risk, and compliance processes in an integrated fashion. Over the next several months, I added other solution providers like Aventis, BPS, BWise, QUMAS, Paisley, and TeamMate to my list, and the market quickly evolved into what I refer to as GRC 1.0, shaped largely by the Sarbanes-Oxley Act (what I refer to as the SOX captivity of GRC). This initial wave of solutions featured other players I began covering, such as OpenPages, Certus, Archer, and MetricStream.

However, I found myself frustrated with how compliance-centric this early market became and how misaligned it was with what I saw as true GRC bringing value to the business and its objectives and performance. I realized that GRC had to be communicated and educated as more than just a checkbox for compliance; it needed to be strategically aligned with business objectives and performance. This realization led me to collaborate with OCEG, who was gathering other thought leaders to address this, where we worked together to develop the GRC Capability Model, which emphasized not just governance, risk, and compliance but also performance—what OCEG defines as Principled Performance. In parallel, I authored the first two Forrester Waves assessing GRC solutions, intentionally emphasizing platforms that demonstrated strength in risk management beyond compliance, which was becoming a critical gap in the early solutions. The second Wave, published in 2007, had a Wave graphic specifically on those stronger in risk management.

More Than Just Compliance

The GRC framework, the GRC Capability Model, developed collaboratively with OCEG and the broader industry, continued to evolve, and the core concept has always been clear: GRC is not just about compliance. It’s a comprehensive framework designed to help organizations manage risk while achieving their strategic goals. The three key components, Governance, Risk Management, and Compliance, are designed to work in tandem, each supporting the others in a dynamic and integrated way.

• Governance (G) is about setting strategic objectives and aligning the organization around those goals. In this context, it also includes performance against those objectives. Without clear governance, organizations lack a sense of direction, which makes it difficult to assess risk and compliance effectively. Risk requires the context of objectives. ISO 31000, the international standard on risk management, states, “risk is the effect of uncertainty on objectives.”
• Risk Management (R) focuses on identifying, assessing, treating, and mitigating risks that could prevent the organization from meeting its objectives. It ensures that risks are not only identified but also managed in a way that aligns with the organization’s governance framework to achieve its objectives.
• Compliance (C) ensures that the organization’s activities remain within legal, regulatory, ethical, and voluntary boundaries (such as values). Compliance doesn’t operate in isolation; it’s part of the broader governance structure, ensuring that governance objectives and risk management activities stay within acceptable limits. This enables the organization to act with integrity in its commitments and obligations.

Misinterpretation of GRC’s Scope

Despite the long-standing success and clarity of the GRC framework, a small number of voices within the analyst community has pushed the idea that Integrated Risk Management (IRM) should replace traditional Governance, Risk Management, and Compliance (GRC). This argument typically claims that GRC is overly focused on compliance and fails to account for broader organizational risks. However, this narrative is fundamentally flawed for several critical reasons, which we need to explore in more depth.

The concept of IRM originated at Gartner. Since then, however, Gartner has stated that it no longer recognizes IRM as a distinct category, “Gartner no longer recognizes IRM as a market and future work from Gartner analysts will no longer reference it as such.”

During the period when Gartner did recognize it, some analysts began claiming that GRC technology had failed, and that IRM was the way forward. Yet the first IRM Magic Quadrant featured nearly the same solutions, in nearly the same positions, as the prior GRC Magic Quadrant. Which raises the obvious question: what, exactly, had failed—a question I’m still looking for an honest answer to.

Some of the more vocal IRM evangelists, misguided or perhaps even disingenuous, redefine GRC narrowly as compliance, yet still retain the GRC label within their own frameworks to support their argument. This only adds confusion to the industry and reflects a fundamental misunderstanding of what governance (the G) and risk management (the R) actually represent. The framework would be far clearer if they simply dropped the attack on GRC and labeled their model for what it truly is: a compliance framework.

In this context, the most common misconception among IRM proponents is that GRC is solely concerned with compliance. This simplification misrepresents the true nature of the GRC framework within the GRC Capability Model, which is, at its core, a holistic approach to managing governance, risk, and compliance as interconnected, integrated, but distinct elements.

GRC is not just about following rules and regulations. It is about enabling organizations to achieve their objectives, managing uncertainty and risk, and acting with integrity. Governance, risk management, and compliance work together to create a comprehensive strategy for managing an organization’s operations in a dynamic and sometimes uncertain environment.

Thus, GRC is a strategic and integrated approach that encompasses much more than compliance. It brings governance and risk management together in a structured, aligned way, driving Principled Performance and resilience across the organization. To limit GRC to compliance alone is to ignore the broader, more valuable benefits it provides in terms of strategic oversight and risk mitigation, and the great work that has been in place for over two decades that defines GRC in the OCEG GRC Capability Model.

IRM Is Not Separate from GRC

Another critical flaw in the IRM evangelist argument is the assumption that IRM represents something fundamentally different from the GRC framework. In reality, IRM is not a replacement for GRC; it is a core component of the GRC framework, specifically within the Risk Management function.

IRM, when implemented properly, refers to a structured, integrated approach to managing risk throughout the organization. It aligns risk management efforts with governance (objectives) and compliance to ensure that all aspects of risk, ranging from strategic, operational, financial, and compliance-related, are addressed in an integrated and cohesive way. It’s simply the “R” in GRC.

By positioning IRM as a standalone concept, IRM proponents overlook the reality that risk management, as a function, has always been a core element of GRC. In fact, the very foundations of GRC were built with the understanding that risk management cannot be separated from governance and compliance. Each function is interdependent: Governance defines the organization’s objectives, risk management ensures those objectives can be achieved despite uncertainty, and compliance ensures the organization operates within legal and ethical boundaries.

In short, IRM doesn’t replace GRC, it enhances it by bringing a more integrated, enterprise-wide approach to managing risk, ensuring that risk management is aligned with strategic goals and compliance requirements.

Overemphasis on Technology

One of the most troubling aspects of the IRM narrative is the tendency to focus disproportionately on technology as the solution. Some advocates of IRM make the case that IRM technology is something distinct and superior to existing GRC solutions. However, this misses a fundamental point: IRM technology is simply an evolution of the risk management capabilities that already exist within GRC solutions. The same solutions that Wheelhouse Advisors covers in IRM are the same solutions that Gartner, Forrester, Chartis, and Verdantix cover as GRC.

In practice, many of the technologies marketed as “IRM” tools overlap significantly with traditional GRC solutions. Many platforms have long provided robust risk management modules within their GRC offerings. These platforms already offer the ability to integrate risk management with governance and compliance, which is precisely what IRM advocates claim to be offering as a “new” solution. Whereas some newer solutions start specifically with business strategy, performance, and objectives and address risk management in this context.

The overemphasis on IRM technology as something separate or revolutionary creates confusion. It’s not the technology that matters; it’s how risk management is integrated across the organization’s entire governance and performance strategy. Compliance comes in to make sure we stay within mandatory (e.g., legal, regulatory) and voluntary (e.g., ethics, values, commitments) boundaries. A fragmented approach, where IRM tools are seen as distinct from GRC, risks creating silos that hinder collaboration and alignment across business functions.

To be clear, technology plays an important role in streamlining and automating risk management processes to make them more efficient, effective, resilient, and agile. But the solution isn’t in labelling technology as “IRM” and promoting it as something outside of GRC (and misrepresenting GRC); the solution lies in how technology supports and enhances the integration of risk management within the broader GRC framework, making it easier for organizations to understand and manage risks in the context of their overall governance and compliance strategy.

OCEG’s Commitment to a Unified GRC Approach

OCEG has long recognized that IRM is integral to the broader GRC strategy, not an alternative to it. As the global leader in GRC, OCEG has been at the forefront of developing frameworks and certifications that reinforce this point. The introduction of the Integrated Risk Management Professional Certification complements other certifications such as:

• Certified GRC Professional
• Certified GRC Auditor

These certifications help professionals understand the interconnected nature of governance, risk management, and compliance, emphasizing that IRM is a tool within this integrated framework, rather than a replacement for it.

The push for IRM as a standalone framework misses the point: effective risk management exists within the larger structure of GRC. Governance, risk management, and compliance must work together to ensure that organizations can not only manage risk but also achieve their strategic objectives with integrity.

For organizations to fully realize the benefits of GRC, they must reject the narrative that IRM stands apart. Instead, they should embrace a holistic approach that integrates risk management with governance and compliance to create a resilient, performance-driven organization.

For more clarity and guidance, organizations are encouraged to explore OCEG’s frameworks and certifications. You can also refer to the original article, Putting IRM in Its Proper GRC Context.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

This past week in London was truly a whirlwind of GRC insights, discussions, and deep dives into the future of risk and resilience management. Across multiple events and countless conversations, I had the opportunity to engage with over 150 organizations — through 1:1 meetings, my keynote presentation at the Corporater Connect+ event hosted at Parliament, and my Risk & Resilience Management by Design Workshop (sponsored by Decision Focus).

Let’s unpack the challenges UK organizations are facing that keep them up at night . . .

Key GRC Theme from the Week:

One of the most pressing topics that emerged was the focus on Provision 29 of the UK Corporate Governance Code. Organizations are now required, starting at the Board level, to establish and attest (at least annually) to the effectiveness of their risk management and internal control frameworks. In one notable 1:1 meeting with a firm currently undergoing an RFP process, the organization shared, “[ORG] we do expect that the extension of the definition of public interest entities to include private companies (if it comes into effect) will affect us. Either way, we believe that having the right controls framework is a good way to operate the business.” Running parallel to these conversations was considerable focus on the UK’s Economic Crime and Corporate Transparency Act (ECCTA). This legislation adds a mandate for internal controls to prevent fraud — further reinforcing the need for stronger, embedded risk and control frameworks across organizations.

Top Risk and Resilience Challenges Identified:

Reviewing my notes from the week, several consistent challenges emerged across industries and organization sizes:

• Geo-political risk, this was front and center and part of nearly every conversation, particularly in an extended enterprise context
• The breadth of cyber, digital, and data risk and resilience challenges facing organizations and their operations, and again across the extended enterprise
• AI risks, including deep fakes and impersonation, and governing AI within the organization and across the extended enterprise
• Regulatory mandates for resilience management (UK Operational Resilience, EU DORA, NIS2)
• Embedding risk management into business operations, including defining, embedding, and nurturing a healthy risk culture
• Aligning risk management with business change and transformation and leveraging a digital twin to help forecast and understand scenarios of risk and resilience
• Connecting risk programs with business objectives where the organization can reliably achieve objectives (the heart of what GRC has been about for 20 years, when done correctly)
• Sourcing and integrating external risk intelligence feeds that help the organization navigate the business for what is developing currently and on the horizon
• Ensuring risk insights inform decision-making and add business value
• Breaking down risk management silos to provide an enterprise perspective of risk where the R delivers value to the G in GRC
• Addressing resilience and risk in a sustainability and ESG context
• Increasing oversight and due diligence in third-party relationships
• Addressing inadequate risk reporting and increasing quality in risk reporting
• Clarifying risk accountability and ownership with the business and aligned with objectives and the objective owner
• Managing and keeping pace with the volume of third-party, regulatory, and business change
• Compliance challenges related to third parties
• Addressing emerging risks and the “unknown unknowns”
• Environmental risks and resilience (acts of nature)

Third-party and extended enterprise risk emerged as a particularly dominant theme, touching almost every area listed above. Organizations are recognizing that resilience is not just internal — it extends across the broader network of partners, vendors, and suppliers.

Strategic Response: Achieving Risk Agility and Resilience

In light of these discussions, organizations should focus on four core pillars: strategy, process, risk intelligence, and technology — underpinned by risk intelligence.

1. Strategy:
   • Align risk management directly with corporate strategy, objectives, and performance.
   • Treat resilience as a strategic business enabler, not just a compliance exercise.
   • Develop a forward-looking, dynamic risk accountability framework.
   • Do regular scenario analysis, stress testing, wargaming, and simulations.
2. Process:
   • Embed risk management in day-to-day business activities and decision-making.
   • Foster a culture of risk ownership across all levels.
   • Strengthen internal control environments.
   • Integrate third-party governance and risk management as a core operational process.
3. Risk Intelligence:
   • Continuously source external content from trusted providers to stay informed on emerging risks.
   • Integrate real-time risk feeds into GRC management programs enabling risk and resilience management.
   • Utilize external intelligence to enhance scenario planning and stress testing.
   • Benchmark against industry trends and regulatory developments to adjust risk strategies.
4. Technology:
   • Invest in GRC technologies that provide real-time visibility and adaptability for risk and resilience in a business context.
   • Leverage AI responsibly to enhance risk detection, resilience planning, and reporting.
   • Connect risk intelligence feeds into operational risk and decision-making workflows.
   • Focus on interoperability — connecting risk data across enterprise systems.

The Road Ahead

These themes are not unique to the UK. I am seeing similar patterns globally. Though I am home for a brief week, the dialogue continues. From May 3rd to May 23rd, I will be engaging with organizations across Madrid, Barcelona, Zurich, Copenhagen, and London — further gathering perspectives and advancing the conversation on how organizations can build risk agility and resilience in a rapidly changing world.

Stay tune

“But he hasn’t got anything on!”—The Emperor’s New Clothes, Hans Christian Andersen

The Fable and the Analogy

Hans Christian Andersen’s tale of “The Emperor’s New Clothes” tells of a vain ruler tricked by swindlers who claim they can weave a magnificent fabric invisible to anyone incompetent or stupid. No one dares admit they see nothing—until a child innocently proclaims the truth.

The GRC technology market, like any other, has its own “emperors” and tailors. In recent years, ServiceNow has emerged as a dominant platform pushed into GRC use cases—branded not as GRC, but as IRM (Integrated Risk Management). And in many organizations, particularly outside of IT, people are starting to murmur: “But it doesn’t work for us.”

This article is not an attack, nor is it a “do not purchase” directive. Instead, it is a professional caution: a yellow light urging evaluation, due diligence, and an objective look before committing to ServiceNow for GRC. And it also is a call to action that should you desire to select ServiceNow for GRC . . . make damn sure you have the right tailor (professional service firm) as that is the only way you will get satisfaction.

A Flood of Market Feedback

My first LinkedIn post on this issue drew significant attention:

• 43,000+ views
• 450+ likes
• 90+ comments
• 50+ reposts

Which I had a follow-up LinkedIn post providing additional perspectives.

What was even more telling? Not one GRC professional outside of IT has come forward publicly or privately to say they love using ServiceNow for GRC. Not yet at least.

In contrast, I’ve received dozens of private messages and direct conversations from across industries, countries, and company sizes confirming consistent frustrations with ServiceNow for GRC/IRM use cases. One CISO at a mid-sized bank specifically stated, it was his “mission to get SNOW out of the bank for GRC use cases.”

The Core Issues with ServiceNow for GRC

🔴 1. Cost and Complexity

ServiceNow promotes its GRC modules as “out-of-the-box” solutions. Yet, in nearly every client conversation I have, these modules require extensive and expensive customization to even begin functioning as needed. One global organization told me:

“The TPRM module is their most immature and least thought-out module of all of ServiceNow.”

Another shared:

“ServiceNow is an ITSM platform they’ve tried to adapt for GRC. It’s tedious, unintuitive, and painful to maintain.”

The licensing model is complex, and the total cost of ownership (implementation + maintenance + upgrade costs) is the highest in the entire GRC market in GRC 20/20’s market research.

🔴 2. Performance Issues

The underlying architecture of ServiceNow was not originally built for GRC. Clients report slow response times, clunky workflows, and user experience limitations, especially when dealing with cross-functional risk and compliance processes.

🔴 3. Maintenance and Upgrades Are Difficult

ServiceNow’s relational database foundation includes an overwhelming number of interconnected tables. Clients say:

“Every new version potentially breaks something. We live in fear of upgrades.”

Customization increases fragility. Even ServiceNow’s own GRC modules can become unstable with version changes. For organizations with moderate to high customization, every upgrade is a risk.

🔴 4. GRC Decisions Driven by IT, Not Business Needs

This may be the most persistent challenge. Many implementations begin with IT departments selecting ServiceNow simply because it’s already in use for ITSM. The problem? Risk, compliance, audit, and legal teams are not consulted or heard. One organization told me:

“We never had a chance to weigh in. IT made the decision, and now we’re stuck.”

GRC should be business-led. IT is an enabler—not the driver.

I worked on one major GRC/ERM RFP in Europe, a global organization with over 60,000 employees. ServiceNow was eliminated in the very beginning against competitors and did not make the semi-finals or finals. A solution was chosen . . . IT steps in and says it will only be ServiceNow. SNOW wins RFPs that it loses.

🔴 5. Consulting Firms Stack the Deck

Consulting firms too often push ServiceNow regardless of fit. Why? Because of the massive ongoing revenue streamsthese projects generate. What starts as an implementation becomes an ETERNAL engagement.

In one case:

• The an organization spent $12M+ and 5 years on ServiceNow for GRC.
• Fired the first consulting firm, brought in another.
• Still not fully implemented.

Several organizations have told me outright:

“We cannot afford the ongoing implementation and maintenance costs.”

---

Stories from the Field

A few anonymized insights from real organizations:

• Large FinTech: Says TPRM module is their least mature and weakest component.
• Healthcare System: Recently finished implementation. Team dislikes the product. Another healthcare peer did the same and recently left SNOW and bought another solution to compensate.
• Retail Enterprise: Abandoned ServiceNow entirely for another GRC solution that was easier to use, implement, and maintain.
• HighTech. Turned off ServiceNow for GRC, returned to manual processes in many areas, and is pending RFP again.
• Banking: IT chose ServiceNow despite the GRC team ruling it out in the RFP process. GRC needs were ignored.

The stories keep coming . . .

---

The Tailor Matters

ServiceNow’s success often hinges on who implements it.

In GRC 20/20 research, we see that boutique ServiceNow specialists consistently deliver better results and higher satisfaction than the big consulting houses. There are great people, magnificent people, at large consulting firms . . . but too often their voices are drowned out in pursuit of large never-ending projects. The Never Ending Story for an analogy as well . . .

Why do boutiques have a better track record with ServiceNow for GRC?

• More agile
• More engaged
• More experienced in GRC specifically
• Less incentive to bloat the scope

This does not mean every big firm fails. But it does mean that organizations should choose implementation partners carefully, and never default to the big-name brand.

---

So, Should You Use ServiceNow for GRC?

The answer: Maybe. But only if it fits.

ServiceNow GRC/IRM can work, particularly in IT-focused environments or when there is deep platform expertise in-house or with the right consulting firm (but be VERY selective). But it should never be the default, and it should not be forced on the business by IT or consultants.

GRC selection must be business-driven.

GRC use cases span risk management, compliance, audit, legal, ESG, third-party risk, and operational resilience. These teams must be part of the selection process.

Let ServiceNow compete. But let it win on capabilities, not on convenience by IT mandates or consulting firms aiming for HUGE never ending projects.

---

The Analyst’s Role: Calling Out the Pattern

No solution is perfect. Every vendor has a mix of satisfied and dissatisfied clients. But as an analyst with over 25 years of analyst experience (and 33 years total GRC experience), I have a responsibility to flag patterns when they emerge.

And this is clear: ServiceNow for GRC has more reported issues and frustrations than any other GRC technology in the market today with the highest cost to implement and maintain,

Until I begin hearing positive stories from GRC professionals outside of IT, my position remains:

Proceed with caution. Evaluate ServiceNow objectively. Choose the right tailor (partner). And never let convenience override capability.

Who should I call out next . . .