Latest Pontifications & Thoughts . . .

  • The Restaurant at the End of the GRC Universe

    Or, How to Avoid Booking a Table to Watch Your GRC RFP Decision Explode

    Somewhere in the vast and bewildering expanse of governance, risk management, and compliance, there is a restaurant with a truly spectacular view. It is not located at the end of the universe in distance, as that would be far too simple…

  • GRC Alchemy: Imagination, Knowledge, and the Future of GRC

    The highlight of my current business trip to Denmark has not been a meeting, a briefing, an RFP conversation, or a strategy session. The highlight was going to Alchemist in Copenhagen with my oldest son, Noah, who is a chef . . . That made the experience personal. It was father and son, but also analyst and…

  • We Are Measuring the Value of TPRM Wrong

    Reflections on my presentation at apexanalytix Icon 2026 on building the supplier risk business case

    In my presentation at Icon 2026 in Scottsdale/Phoenix, I wanted to put one point on the table immediately and directly: we are measuring the value of third-party and supplier risk management wrong. Too often, organizations build the business case for…

  • Why the Future of GRC Is a Command Center, Not a Collection of Modules

    The Market Has Outgrown the Collection-of-Modules Model

    For years, governance, risk management, and compliance (GRC) has operated on an assumption that now needs to be challenged: that if you add enough modules together, you somehow create an enterprise platform. Organizations have accumulated solutions for enterprise risk, compliance, policy management, third-party risk, ethics, audit, cyber risk,…

  • The Michelin-Star Analyst in a Fast-Food Market

    From the Kiosk to the Table: Why a True Industry Analyst Still Matters

    I have been thinking about this a great deal lately, and oddly enough, the reflection sharpened while planning an intense stretch of work in Denmark this April. I will be busy there, as I usually am when I travel, meeting with organizations,…

  • Agentic AI or Agentic Hype? Why GRC Buyers Need to Look Past the Marketing

    I am increasingly concerned by how loosely the term Agentic AI is being used across the governance, risk management, and compliance market. What should be a meaningful distinction in capability is rapidly becoming a fashionable label applied to almost anything with a prompt, a workflow trigger, or a generative text output. This is not a…

  • Homeostatic Audit & Assurance Management in GRC 7.0 – GRC Orchestrate

    For too long, audit and assurance management has been treated as the corporate equivalent of an annual physical: episodic, disruptive, backward-looking, and too often disconnected from the living metabolism of the organization. It arrives on a schedule, extracts evidence, tests control design and operating effectiveness, writes reports, issues findings, assigns remediation, and then recedes until…

  • Operational Risk & Resilience Management

    In the first layer, Strategic Risk & Resilience Management, leadership establishes direction. As discussed in the previous blogs, strategy clarifies ambition and guides the major decisions that shape the future of the enterprise. Those decisions are translated into measurable objectives that define what success looks like in practice, which is Objective-Centric Risk & Resilience Management. But objectives, like strategy,…

  • Capability Intelligence: Mapping Resilience Across the Enterprise

    From Risk Intelligence to Organizational Capability

    There is a moment that repeats itself across countless science-fiction stories. A ship’s sensors detect something unusual. Signals arrive that do not quite align with expectations. Perhaps it is a gravitational anomaly, a sudden communications blackout, or an unexpected hostile vessel appearing where none should exist. The bridge crew…

  • Objective-Centric Risk & Resilience Management

    In the first layer of Strategic Risk & Resilience Management, leadership sets direction. As discussed in the previous blog on Strategic Risk & Resilience Management, strategy establishes ambition, guides capital allocation, shapes market choices, and authorizes transformation initiatives. Together, these decisions clarify where the enterprise intends to go. But strategy by itself is aspiration. It becomes real only when it is translated into objectives: Without objectives, strategy remains conceptual. With objectives, it becomes…

  • Homeostatic Compliance Management in GRC 7.0 – GRC Orchestrate

    Integrity as the Boundary System of the Enterprise

    Every organization operates within boundaries that define what it is allowed to do, how it must behave, and what it must deliver to regulators, customers, investors, employees, and society. These boundaries are expressed through obligations. Some obligations are mandatory, imposed through laws, regulations, supervisory guidance, and contractual commitments.…

  • GPRC for Assurance – From Policing the Past to Assuring the Mission

    Every great mission eventually faces the same question: How do we know we are truly on course? On the bridge of a starship like the U.S.S. Enterprise, the crew does not rely on hope, intuition, or good intentions to answer that question. They rely on sensors, diagnostics, verification systems, and independent confirmation that the ship is…