From frameworks to fundamentals: rethinking risk in 2026
Regulatory frameworks like NIS2, DORA and GDPR have raised the stakes for compliance. Yet treating compliance as the end goal can leave organisations exposed to risks that threaten operations and long-term resilience. At a recent RANT roundtable, security leaders debated whether compliance is overshadowing risk management, and how organisations can strike a better balance that supports business objectives.
Compliance is a baseline, not the destination
Compliance provides assurance. It does not guarantee resilience. Too often, organisations focus on passing audits rather than addressing real threats that could disrupt operations.
As one participant put it, “Compliance is second line assurance.” Another noted that audits can become a tick box exercise when external teams do not fully understand how the business operates. This exposes a broader tension. Are risk decisions being made in line with business objectives, or are frameworks driving the agenda on their own?
The consensus was clear. Compliance sets minimum standards. Effective risk management protects continuity, supports growth and aligns decisions with what matters most to the organisation.
The reality of tooling: clarity before complexity
Many teams still rely on spreadsheets to track risks and evidence compliance. For small environments this can be workable. Scale introduces fragility.
“All it takes is for someone to delete the Excel,” one attendee observed. Others highlighted a disconnect between vendor promises and practical needs. “The dream is sold as one tool,” said a participant, while another added, “Policies can map and do assessments and have action plans, yet we still end up in Excel.”
GRC platforms can help prioritise risks, document activity and maintain a reliable source of truth. But success depends on clarity of purpose. A single tool rarely solves every challenge. The roundtable highlighted how overambitious rollouts often fail because expectations do not match reality. While some teams expect full maturity within 12 to 16 weeks, experienced practitioners cautioned that meaningful implementation often takes two to three years.
The advice was consistent. Start small. Define what you want the tool to deliver, whether that is visibility, accountability or stronger alignment with business objectives. Build momentum through measurable, incremental wins.
Sector context shapes priorities
Risk and compliance priorities differ by sector. Some organisations emphasise continuity and operational resilience. Others focus on enabling faster delivery and supporting rapid scaling. The roundtable chair noted that a CISO’s priorities often reflect the organisation’s tolerance for disruption and the pace of its growth strategy.
Participants also highlighted challenges working with auditors who lack full context on the organisation’s business model. When audit expectations diverge from operational realities, security teams can be pulled away from addressing high impact risks. Bridging that gap requires better internal alignment and a shared understanding of what the organisation values most.
Leadership and language matter
Technology alone cannot close the gap between compliance and effective risk management. Engagement from senior leadership is essential.
“The business has got to want to be engaged,” one attendee said. Another noted that leaders do not want to be told, “You are doing it wrong.” They want clarity on trade-offs, not roadblocks.
The discussion also surfaced a language problem. Different teams often use different terminology to describe issues, risks and controls. Without a shared vocabulary, assessments do not translate into clear decisions.
When risk is framed in business terms, engagement improves. Leaders want to understand the commercial impact of inaction. They respond to clear evidence of which risks could halt operations, delay high priority initiatives or damage customer trust, and what pragmatic steps will strengthen resilience without slowing delivery.
A practical playbook for progress
The roundtable surfaced a set of practical steps that any organisation can apply, regardless of size or sector.
- Start with one priority area
  Select a process or unit with clear impact on the business. Map risks and controls, establish a simple reporting rhythm and build from there.
- Define outcomes before choosing tools
  Decide what success looks like: visibility of risks, better alignment to objectives, faster evidence collection or clearer accountability. Choose tools that serve those outcomes.
- Standardise language
  Create shared definitions for issues, risks and controls. Align scoring so that assessments convert into clear decisions.
- Set realistic timelines
  Expect incremental progress. Use phased implementation rather than a big bang approach. Review adoption and impact quarterly.
- Prioritise risks that move the business
  Focus on exposures that could disrupt operations, delay initiatives or erode trust. Avoid trying to address everything at once.
- Build leadership engagement early
  Frame risk in terms of commercial impact. Present scenarios, trade-offs and measurable improvements to secure ongoing support.
- Measure and share results
  Track time saved, reductions in repeat findings, improvements in closure rates and changes in exposure levels. Sharing progress reinforces momentum.
What good looks like
Participants who reported success described a disciplined focus on outcomes. They resisted making platforms do everything. They agreed success measures upfront. They concentrated on creating a reliable, shared source of truth for risks, controls and evidence. They used data to prioritise action and demonstrate improvement over time.
One attendee summarised the reality well: “Risk is obvious if you have not done the basics.” The message is not to chase complexity. It is to get the fundamentals right, show progress and keep risk aligned with what the business needs most.
The bottom line
Compliance frameworks will continue to evolve. Resilience depends on understanding and managing the risks that matter most. Integrating compliance into a broader risk strategy allows organisations to protect operations, maintain trust and move forward with confidence.
The discussion made one thing clear. Compliance is essential, but it is not the strategy. Focus on fundamentals, build incrementally and keep risk aligned with business objectives. That is where resilience starts.
Ready to transform cyber risk oversight with integrated GRC capabilities? Schedule a demo to see how Diligent’s platform delivers comprehensive cyber risk intelligence to boards.