Bear with me for a moment or two, and set aside the standards and frameworks that provide definitions of “risk” and “risk management”. Why? As Grant Purdy (the grandfather and, IMHO, the grandmaster of risk management) together with the late Roger Estall proclaimed in the highly-rated Deciding: A guide to even better decision making (2020), […]| Norman Marks on Governance, Risk Management, and Internal Audit
Please read this excellent article, Big Four Giants Dive into AI Audits: Deloitte, EY, KPMG, and PwC Lead the Charge from Open Tools. It says: The Big Four accounting firms are racing to dominate A…| Norman Marks on Governance, Risk Management, and Internal Audit
In conversation with Joseph Haske, Risk Manager at Pipedrive This blog is part of Sprinto’s GRC Top Voice series — where we bring you candid conversations with GRC Leaders. Watch the full episode here → Every organization wants to be data-driven. Yet in many boardrooms, risk discussions still sound vague: “That’s a high risk,” “This one’s... The post From Labels to Business Impact: Converting Risk Ratings into Action appeared first on Sprinto.| Sprinto
Turn policies into operational control. See the full GRC policy lifecycle, must-have policies, KPIs, review cadences, automation tips & more.| Sprinto
GRC (Governance, Risk and Compliance) management is becoming one of the pillars that make up corporate strategies. Its value is based on the increase in|
Your organization runs hundreds, maybe thousands, of workflows to support GRC and audit efforts. But which ones need automation? Which require human expertise? And where does AI fit in? The answer isn’t choosing one over another. It’s understanding how automation, AI, and human review work together to close the audit gap—that persistent disconnect between compliance […] The post Workflows to transform your GRC and audit program appeared first on Thoropass.| Thoropass
While most internal audit engagements are performed by the CAE’s staff, the CAE himself (I’ll go with ‘he’ to make this post easier to write) should be addressing many if not most of the top enterprise risks. In fact, much of the valuable assurance, advice, and insight provided by the internal audit function is by […]| Norman Marks on Governance, Risk Management, and Internal Audit
I am a huge believer in risk-based auditing and have been practicing it ever since I became an internal auditor many years ago. Some refer to risk-based auditing with an acronym of RBIA (making it …| Norman Marks on Governance, Risk Management, and Internal Audit
Every organization has risks, but not every organization manages them effectively. A risk register is one of the most common […]| GuidePoint Security
What makes an ideal risk officer? Here are my thoughts on the most significant attributes. I welcome your thoughts. Has a deep understanding of the business, including its: Business processes Produ…| Norman Marks on Governance, Risk Management, and Internal Audit
Explore Austria’s MiCA Regulation: licensing rules, implementation timeline, and essential insights for crypto firms navigating EU compliance under MiCA.| CyberUpgrade -
I admit it. This post is inspired by a post with a similar name by my good friend and occasional debate partner, Richard Chambers: 10 Red Flags Your Internal Audit Function May Be Losing Ground. Have a look if you haven’t already read it. He makes some very good points. Here are his ten red […]| Norman Marks on Governance, Risk Management, and Internal Audit
Before I explain the mantra in the title of this blog post, I want to review some basics. 1. Boards and the CEO measure success based on the achievement of objectives. Some say those objectives are…| Norman Marks on Governance, Risk Management, and Internal Audit
Giving every employee full access to all your IT systems, from databases to dev-ops, is convenient, but also a security nightmare. Unfortunately, that’s exactly what happens with broad access controls; privileges are too generous and not tailored to actual needs. Granular access control gives employees custom access that opens only the specific systems and processes...| Sprinto
Rolling out in September, embedded intelligence that thinks like an analyst, not a script SAN FRANCISCO, CA – August 28, 2025 — While others rebrand automation as AI, ZenGRC today introduced an assistant that actually replaces analyst-level work, transforming weeks of control evaluations and framework mapping into minutes of review. “The market blurred the line […]| ZenGRC
Crisis Action Management Planning (CAMP) elevates business resilience, and helps teams prepare, respond, and adapt to threats.| GuidePoint Security
Dive into the MiCA Regulation in Croatia, from licensing steps and timelines to critical tips—everything crypto firms need to know to stay compliant.| CyberUpgrade -
I would say that most IT auditors and CAEs are familiar with pre-implementation reviews. These are audit engagements designed to proactively work with management when there are system implementations. They provide assurance, advice, and insight on the effectiveness of the internal controls and security that will exist when the system is live. Pre-implementation reviews are […]| Norman Marks on Governance, Risk Management, and Internal Audit
My thanks and congratulations to Alexander Ruehle for his post this week on LinkedIn: Internal audit has just been audited by internal auditors. Why do I ask whether the profession and the IIA are at a crisis point? Consider that according to the IIA’s own Vision 2035 (and his post): 48% still view Internal Auditors […]| Norman Marks on Governance, Risk Management, and Internal Audit
I am going to look into my AI-enabled crystal ball and imagine the world of the future (the not-too-distant future) decision-maker. Then I will look again to see what the risk practitioner and the …| Norman Marks on Governance, Risk Management, and Internal Audit
Get expert strategies to navigate the top risks for operations teams so you can prevent disruptions, maintain trust, and sustain business continuity.| Resolver
Learn how an efficient, resilient, and agile strategy can build a strong business case for modernizing and adding GRC benefits to your organization.| Resolver
Explore common misconceptions & limitations of risk and compliance software, plus the game-changing truths for efficient compliance management.| Resolver
Take a closer look at inherent vs. residual risk assessments to understand their value in your risk management processes and risk mitigation strategies.| Resolver
Learn how to foster integrity and accountability across your employees & leadership to build a strong compliance culture that prevents costly fines.| Resolver
Discover MiCA regulation in the Netherlands: licensing, implementation phases, and critical insights for crypto firms to navigate compliance effectively.| CyberUpgrade -
I recently discovered how some people are projecting that AI will transform the work of corporate counsel. Yes, there are several on how it will transform the work of the law firms, but I am concer…| Norman Marks on Governance, Risk Management, and Internal Audit
Master SOC 2 background checks in 2025—build a compliant screening program, meet audit expectations, and choose the right vendor with confidence.| CyberUpgrade -
Business Impact Analysis (BIA) enables organizations to evolve their business resilience strategies in response to emerging threats. Here’s why!| GuidePoint Security
Learn to build a clear, up-to-date DORA Register of Information to map your ICT service providers, ensuring compliance and operational visibility.| CyberUpgrade -
CyberUpgrade launched the DORA Registry Tool to replace tedious spreadsheets with a single, guided platform. Learn how this tool can improve your compliance process.| CyberUpgrade -
Explore Norway’s ISO 27001 overlays—Digital Security Act, sector statutes, NA accreditation—and how one ISMS simplifies audits, tenders and resilience.| CyberUpgrade -
Discover Slovakia’s ISO 27001 overlays—SNAS accreditation, Cyber-Security Act, sector rules—and how one ISMS streamlines audits, tenders and resilience.| CyberUpgrade -
Discover Ireland’s ISO 27001 overlays—INAB accreditation, NIS rules, sector baselines—and how one ISMS secures audits, tenders, funding and cyber resilience.| CyberUpgrade -
Explore Croatia’s ISO 27001 overlays—HAA accreditation, NIS laws and sector checklists—and learn how one ISMS simplifies audits, tenders and cyber resilience.| CyberUpgrade -
Explore Lithuania's ISO 27001 landscape—LA-accredited certificates, NIS-2 duties, sector add-ons—and see how one ISMS streamlines audits, tenders and risk.| CyberUpgrade -
Learn Slovenia’s ISO 27001 overlays, from SA-accredited certificates to ZInfV-1 and ZEKom-2 rules, and how one ISMS streamlines audits, KPIs and tenders.| CyberUpgrade -
Discover Latvia’s ISO 27001 twists—cyber-law KPIs, data localisation, bilingual docs—and how one ISMS streamlines audits, tenders and insurance costs.| CyberUpgrade -
Explore Liechtenstein’s ISO 27001 requirements, sector overlays and compliance tactics, and see how one ISMS boosts audits, tenders and resilience.| CyberUpgrade -
Discover the key elements of building a risk-aware culture in your organization and learn how they contribute to long-term success.| Resolver
4 actionable ways to help leaders create & maintain a better security & compliance culture on your internal team through to your entire organization.| Resolver
From Complexity To Compliance When managing hundreds of global vendors and navigating their ISO 27001 certification became overwhelming, Bazaarvoice sought a better way. By implementing ZenGRC at the beginning of 2024, they simplified their audit workflows and compliance documentation management while maintaining their customized GRC practices. About Bazaarvoice What began as a simple ratings and […]| ZenGRC
Richard Chambers and I go back many decades, first as colleagues and then as friends, and we have great mutual respect. While we often appear to disagree, that is more often than not in our choice …| Norman Marks on Governance, Risk Management, and Internal Audit
Now is a great time for MSPs to build a "Compliance as a Service" offering. Help clients navigate complex regulations and assist with audits, certifications and cyber insurance for competitive advantage and continued success. The post Compliance as a Service: The New MSP Growth Driver appeared first on CYRISMA Cyber Risk Management Platform.| CYRISMA Cyber Risk Management Platform
Threat actors target supply chain vulnerabilities to breach your operations. Learn how to conduct a supply chain cybersecurity risk assessment to stop them.| Onspring
A recent article by Carol Williams of Strategic Decision Solutions carried this title and had some wisdom to share. For example, she said: Enterprise risk assessment can be defined as: “the practic…| Norman Marks on Governance, Risk Management, and Internal Audit
Learn about software bill of materials (SBOM) in the context of governance, risk and compliance (GRC) and how to implement it in your organization.| Onspring
What is governance, risk and compliance, and why is it important for organizational management? Learn about this integrated aspect of business operations.| Onspring
Cybersecurity spending trends and their impact on businesses| Help Net Security
Learn how to identify and mitigate operational risks with proven frameworks. Improve your risk posture with Sprinto's ORM guide.| Sprinto
The CYRISMA GRC and Compliance Assessment module is expanding! Track controls, generate reports, collaborate with other departments| CYRISMA Cyber Risk Management Platform