All Posts


Find the Risk in 60 Seconds: Your 6-Week Business Risk Playbook
Interconnected layers of business risk, including technology, vendors, access controls, and operational processes.
Risk management can feel overwhelming when treated as a large, one-time exercise. The Find the Risk in 60 Seconds series takes a different approach: short, focused conversations that can fit into regular leadership meetings. These quick checklists, spread over six weeks, assist leaders in pinpointing the actual areas of risk concentration within their organizati
Shola Hassan
Mar 5 · 3 min read


Find the Risk in Your Everyday Operations: A Leader’s 60-Second Checklist
Operational risk often accumulates quietly in everyday processes, people decisions, and system changes.
Not all risk comes from dramatic external attacks. Often, it accumulates quietly in day‑to‑day activities: a rushed email to the wrong recipient, a change made under pressure without a full review, an incident that becomes more serious because roles and responsibilities are unclear, etc. Looking at how work is actually done can reveal important sources of operational risk.
Shola Hassan
Feb 27 · 2 min read


Strengthening Cybersecurity: The Importance of Vendor Risk Management
Many organizations now run on a network of external providers. Payroll, customer relationship management, cloud hosting, marketing platforms, and collaboration tools—the list grows every year. Each vendor can improve efficiency and capability. At the same time, each one extends the organization’s risk surface.
Why Vendor Risk Deserves Attention
When an incident involves a vendor, customers and regulators usually look first at the organization that chose and relied on that ven
Shola Hassan
Feb 19 · 3 min read


Find the Risk in 60 Seconds: Who Has Access to Your Data?
Ask a simple question in most organizations: “Who can see our most sensitive data?” The answer is often, “We’re not entirely sure.” Over time, access is easier to grant than to remove. People change roles, projects end, and teams restructure, but the permissions stay. That quiet accumulation becomes weak access control.
Why weak access controls matter
Access control can sound like a technical detail, but its impact is very practical:
• Increased data leakage risk: more people
Shola Hassan
Feb 11 · 2 min read


Find the Risk in 60 Seconds: Shadow IT in Your Business
Shadow IT: The Hidden Risk Most Businesses Miss | Find the Risk
You don’t need a major breach to be at risk. Often, the most dangerous tools in your environment are the ones nobody has officially approved. A team signs up for a free project-management app. Marketing connects a new email platform to your CRM. Finance uses a “temporary” spreadsheet in the cloud that quietly becomes permanent. Individually, these don’t feel like big decisions. Together, they create Shadow IT: sy
Shola Hassan
Feb 4 · 2 min read


Understanding Fourth-Party Risk: A Critical Component of Cybersecurity GRC
Many organizations believe they understand their third-party risk. They assess vendors, send questionnaires, and file SOC reports and ISO certificates. Then they stop. However, what many fail to govern is their third party’s third party—often called fourth-party risk. This blind spot is where some of the most damaging cyber, ethical, financial crime, and operational failures have originated. Regulators, courts, customers, and the public have been consistent on one point: Acco
Shola Hassan
Jan 22 · 3 min read


OWASP 2025 Exposes the Gap Between Assigned Ownership and Real Accountability
The financial and operational impact of cyber incidents in 2025 is increasingly driven by governance failures rather than technical gaps.
In 2025, cyber incidents became less about novel exploits and more about systemic failure. Organizations with mature toolsets continued to suffer costly breaches, regulatory penalties, and prolonged outages. The emerging pattern is consistent: responsibility is assigned, but accountability is fragmented. Security programs frequently assign
Shola Hassan
Jan 14 · 3 min read


Third-Party Risk Doesn’t Start With Questionnaires
Requesting third-party risk due diligence through ServiceNow’s Employee Center.
Why mature TPRM begins with due diligence, not forms
Many organizations treat third-party risk management (TPRM) as a questionnaire exercise. A vendor is identified. A spreadsheet or portal is opened. A long list of security questions is sent out. And only after responses come back does anyone step back to ask: Was this even the right level of scrutiny? This approach is common, and it’s exactly w
Shola Hassan
Jan 6 · 3 min read


Dear Future GRC Professional: Don’t Start 2026 By Funding Someone Else’s “Training” Hustle
The GRC crossroads
New year, new goals. If you’re trying to break into Governance, Risk and Compliance (GRC), your feed is probably full of “bootcamps,” “mentorship programs,” and “job-guarantee” offers right now. Some are genuinely helpful. Too many are not. I learned that the hard way.
My GRC Training Mistake: Paying for Promises
Some time ago, I paid for a GRC “program” that I was told would:
Teach me everything I needed to know
Connect me to hiring managers
Provide mentorsh
Shola Hassan
Jan 1 · 5 min read


Why Every Small Business Needs a Risk Register
A small business desk with sticky notes labeled “Passwords,” “Vendors,” “Backups,” etc., forming a messy cluster — contrasted with a clean, organized risk register on a laptop screen.
Many small and medium-sized businesses (SMEs) assume cybersecurity and risk management are concerns reserved for banks, hospitals, or large enterprises. In reality, global data consistently shows that small businesses are frequent targets of cyber incidents, operational disruptions, and vendor f
Shola Hassan
Dec 15, 2025 · 4 min read


Why Smart Employees Still Ignore IT Policies (And What to Do About It)
When security controls create friction and fatigue, even well-meaning employees start looking for workarounds.
Most organizations assume that if they publish an IT policy and run annual training, employees will follow the rules. Reality: they don’t. Industry surveys show a large majority of employees admit to bypassing security policies at least once a year. Many incidents are linked to people “working around” security controls to get their job done faster. So the issue isn’t
Shola Hassan
Dec 1, 2025 · 4 min read


What GRC Actually Means in Real Life
When people hear “GRC”, it often sounds like something only big banks and giant tech companies care about. The full phrase, Governance, Risk and Compliance, can feel heavy and academic.
But in real life, GRC is simply: “How we decide, what we worry about, and how we follow the rules.”
In this post, I’ll break down what GRC really means in practical terms and share a simple, step-by-step way to start doing GRC in any organization, even if you’re just one person.
Shola Hassan
Nov 30, 2025 · 4 min read


From Sales Floors to Security Frameworks: My Journey into GRC
If you had met me a few years ago, you probably wouldn’t have guessed I’d end up in cybersecurity and governance, risk and compliance (GRC). I started my career in sales, not in tech. I was more familiar with targets, territories and trade promotions than with risk registers and ISO standards. But looking back, every step in my journey quietly pushed me toward GRC and cybersecurity—even when I didn’t realize it.
Shola Hassan
Nov 24, 2025 · 4 min read

Plain-Language GRC Glossary v1
Shola Hassan
Nov 20, 2025 · 6 min read