Practitioner research that moves the work forward.
Original research, market commentary, and practitioner perspective on risk, governance, cyber, AI governance, and GRC implementation. Written by people who have delivered the work across regulated industries in APAC, GCC, and the United Kingdom.
This month.
Navigating AI: Your essential guide to trustworthy AI governance with ISO/IEC 42001
The definitive practitioner guide to ISO/IEC 42001:2023 - what the standard requires, what auditors actually look for, and how to build an AI Management System that survives certification.
Risk maturity assessments - how mature is your function, really?
Embracing the future of enterprise risk: the transformative role of AI
Effective RM Virtual Risk Office services explained
Practitioner data, not vendor surveys.
Insights drawn from 40+ enterprise engagements across 10 sectors. Anonymised and aggregated where individual data is sensitive. Published openly, no email gate.
GRC implementations missing adoption targets
Across 50+ implementations reviewed, two-thirds fall below 30% active user adoption two years post go-live.
Months average from selection to value
Median time from GRC product selection to first measurable business value - far longer than vendor projections.
Average cyber maturity (out of 5)
Mean cyber maturity score across APAC enterprises assessed - persistent gaps in third-party and resilience domains.
Have a formal AI governance program
Only 22% of enterprises assessed in 2025 had a documented AI governance program aligned to ISO 42001 or equivalent.
The full archive.
Navigating AI: Your Essential Guide to Trustworthy AI Governance with ISO/IEC 42001
The definitive practitioner guide to ISO/IEC 42001:2023 - what the standard requires, what auditors actually look for, and how to build an AI Management System that survives certification.
Risk Maturity Assessments - How mature is your risk function, really?
How to assess your risk function maturity in a couple of hours. Includes a free downloadable checklist covering operating model, risk appetite, controls, reporting, and culture.
Effective RM Virtual Risk Office Services
What a Virtual Risk Office is, when it makes sense, and how to structure it for organisations between $200M and $5B revenue. Practical guide to fractional CRO engagements.
Embracing the Future of Enterprise Risk Management: The Transformative Role of AI
How AI is changing the practice of enterprise risk management - from horizon scanning to control monitoring to scenario analysis. Practical applications and pitfalls.
Part 2: Understanding the Siloed Functions Between Risk and Strategic Planning
Why risk and strategy still operate in silos in most organisations - and the operating models that bring them together effectively. Sequel to Part 1.
Part 1: Integrating Risk Management with Strategic Planning - Challenges
The structural reasons risk management gets disconnected from strategic planning - budget cycles, governance forums, language differences, and incentive misalignment.
Beyond Tariffs: Navigating the New Strategic Risk Landscape - Insights from Ray Dalio
Geopolitical and macroeconomic risk through Ray Dalio's framework, applied to enterprise risk management practice. Implications for risk appetite and scenario planning.
Tariffs: The New Norm in Global Trade
What tariff-driven supply chain disruption means for enterprise risk frameworks. Where to add it to your risk taxonomy and how to integrate it into existing controls.
2024: Trends That Shaped Risk Management and What Lies Ahead in 2025
The themes that defined 2024 in enterprise risk - AI governance, operational resilience, third-party concentration, geopolitical risk - and what to plan for in 2025.
Third-Party Management Design & Governance - Five Lessons from Recent Cyber Breaches
Recent cyber breaches reveal critical vulnerabilities in third-party management. Five key insights gathered from these incidents and the necessary improvements in TPRM design.
Embracing the Future of Enterprise Risk Management: The Transformative Role of AI (Original)
The original article on AI in enterprise risk - the foundation piece that led to the Wahid AI platform development. Practical applications across the risk lifecycle.
The GRC Tool Implementation Lifecycle - Six Stages That Determine Success
The six lifecycle stages from product selection through to value optimisation - and which stage decisions make or break the implementation. Foundation for the RiskBridge platform.
CPS 234 Compliance Is Not Cyber Maturity - What APRA Entities Should Measure Beyond the Standard
Meeting the prudential standard is necessary but insufficient. What APRA-regulated entities should be measuring beyond compliance to demonstrate genuine cyber maturity.
Why 68% of GRC Implementations Miss Adoption Targets - The Three Patterns That Work
Original research from 50+ GRC implementations across APAC and the GCC. The structural reasons most fall short, and the three intervention patterns that consistently deliver adoption.
CPS 230 Readiness: Where Most Organisations Are Getting Stuck
Seven-pillar resilience is the aspiration. Most organisations are still working through the first three. Where the gaps are and what to prioritise for the deadline.
Downloadable research reports.
Long-form research reports drawn from our practitioner work and aggregate market data. Free to download, no email gate, no marketing follow-up.
The APAC GRC Vendor Landscape 2026
Comprehensive analysis of 180+ GRC vendors with APAC implementation data, Gartner MQ positioning, and weighted buyer-side evaluation criteria.
Why GRC Implementations Fail - 2026 Field Report
Original research from 50+ implementations reviewed across regulated industries. Failure patterns, root causes, and the three interventions that consistently work.
APAC GRC Maturity Benchmark 2026
Aggregate maturity benchmarking across financial services, healthcare, telco, government, and critical infrastructure. Sector-by-sector scoring.
Where our research comes from.
We are transparent about our research methodology. Every piece of original research follows the same three principles - designed to keep insights grounded in real practice.
Practitioner-authored
Every article and report is written by someone who has delivered the work in practice. No ghost-writers, no agency content, no AI-generated thought leadership.
Anonymised aggregate data
Benchmarks and statistics are drawn from 40+ enterprise engagements across 10 sectors. Individual client data is never identified. Sample sizes and methodology disclosed.
Peer-reviewed before publish
Every research report is reviewed by at least one other practitioner with relevant domain expertise before publication. Errors corrected publicly, version history preserved.