
From frameworks to fundamentals: rethinking risk in 2026

December 18, 2025
6 min read
The Diligent team

GRC trends and insights

Regulatory frameworks like NIS2, DORA and GDPR continue to raise expectations for security and compliance teams. Yet many organisations still treat compliance as the finish line. That approach creates blind spots that put operations and long-term resilience at risk.

At a recent RANT roundtable, security leaders debated whether compliance is overshadowing risk management, and how organisations can strike a better balance that supports business objectives.

Compliance is a baseline, not the destination

Compliance provides assurance. It does not guarantee resilience. Too often, organisations focus on passing audits rather than addressing real threats that could disrupt operations.

As one participant put it, “Compliance is second-line assurance.” Another noted that audits can become a tick-box exercise when external teams do not fully understand how the business operates. This exposes a broader tension: are risk decisions being made in line with business objectives, or are frameworks driving the agenda on their own?

The consensus was clear. Compliance sets minimum standards. Effective risk management protects continuity, supports growth and aligns decisions with what matters most to the organisation.

The reality of tooling: clarity before complexity

Many teams still rely on spreadsheets to track risks and evidence compliance. For small environments this can be workable. Scale introduces fragility. “All it takes is for someone to delete the Excel,” one attendee observed. Others highlighted a disconnect between vendor promises and practical needs. “The dream is sold as one tool,” said a participant, while another added, “Policies can map and do assessments and have action plans, yet we still end up in Excel.”

Modern GRC platforms like Diligent AI Risk Essentials are designed to break that cycle by helping teams prioritise risks, document activity and maintain a reliable source of truth — without a heavy IT lift or months-long deployments. With a simple three-step workflow (identify, assess, mitigate), board-ready reporting and all-in-one collaboration, teams can move from spreadsheets to a foundational ERM programme in days, not months.

But tooling alone is never the full story. The roundtable discussion underlined that success starts with clarity of purpose: knowing whether you’re solving for visibility, accountability or alignment with business objectives. Overambitious rollouts that promise instant “full maturity” still tend to disappoint, whereas right-sized implementations that focus on quick, measurable wins create momentum and adoption.

The shared advice was simple. Start small. Decide exactly what you want the tool to achieve, whether that is clearer visibility, stronger accountability or better alignment with business objectives. Then build momentum through gradual, measurable wins.


Sector context shapes priorities

Risk and compliance priorities differ by sector. Some organisations emphasise continuity and operational resilience. Others focus on enabling faster delivery and supporting rapid scaling. The roundtable chair noted that a CISO’s priorities often reflect the organisation’s tolerance for disruption and the pace of its growth strategy.

Participants also highlighted the challenge of working with auditors who lack full context on the organisation’s business model. When audit expectations diverge from operational realities, security teams can be pulled away from addressing high-impact risks. Bridging that gap requires better internal alignment and a shared understanding of what the organisation values most.

Leadership and language matter

Technology alone cannot close the gap between compliance and effective risk management. Engagement from senior leadership is essential.

“The business has got to want to be engaged,” one attendee said. Another noted that leaders do not want to be told, “You are doing it wrong.” They want clarity on trade-offs, not roadblocks.

The discussion also surfaced a language problem. Different teams often use different terminology to describe issues, risks and controls. Without a shared vocabulary, assessments do not translate into clear decisions.

When risk is framed in business terms, engagement improves. Leaders want to understand the commercial impact of inaction. They respond to clear evidence of which risks could halt operations, delay high-priority initiatives or damage customer trust, and to pragmatic steps that will strengthen resilience without slowing delivery.

A practical playbook for progress

The roundtable surfaced a set of practical steps that any organisation can apply, regardless of size or sector.

  1. Start with one priority area: Select a process or business unit with a clear impact on the business. Map its risks and controls, establish a simple reporting rhythm and build from there.
  2. Define outcomes before choosing tools: Decide what success looks like, whether that is visibility of risks, better alignment to objectives, faster evidence collection or clearer accountability. Choose tools that serve those outcomes.
  3. Standardise language: Create shared definitions for issues, risks and controls. Align scoring so that assessments convert into clear decisions.
  4. Set realistic timelines: Expect incremental progress. Use phased implementation rather than a big-bang approach, and review adoption and impact quarterly.
  5. Prioritise risks that move the business: Focus on exposures that could disrupt operations, delay initiatives or erode trust. Avoid trying to address everything at once.
  6. Build leadership engagement early: Frame risk in terms of commercial impact. Present scenarios, trade-offs and measurable improvements to secure ongoing support.
  7. Measure and share results: Track time saved, reductions in repeat findings, improvements in closure rates and changes in exposure levels. Sharing progress reinforces momentum.

What good looks like

Participants who reported success described a disciplined focus on outcomes. They resisted making platforms do everything. They agreed success measures upfront. They concentrated on creating a reliable, shared source of truth for risks, controls and evidence. They used data to prioritise action and demonstrate improvement over time.

One attendee summarised the reality well: “Risk is obvious if you have not done the basics.” The message is not to chase complexity. It is to get the fundamentals right, show progress and keep risk aligned with what the business needs most.

The bottom line

Compliance frameworks will continue to evolve. Resilience depends on understanding and managing the risks that matter most. Integrating compliance into a broader risk strategy allows organisations to protect operations, maintain trust and move forward with confidence.

The discussion made one thing clear. Compliance is essential, but it is not the strategy. Focus on fundamentals, build incrementally and keep risk aligned with business objectives. That is where resilience starts.

Ready to transform cyber risk oversight with integrated GRC capabilities? Schedule a demo to see how Diligent's platform delivers comprehensive cyber risk intelligence to boards.
