
April 15, 2025 • 7 min read
Expert Insights: Address the Risk Resiliency Gap

Richard Marcus
Regulatory expansion is accelerating. Change, especially for teams contending with regulatory compliance, is happening faster than ever before. There’s also an unprecedented explosion of data: more systems, more users, and more risks. Most teams have fewer resources than ever to tackle this expanding risk landscape. Budgets simply aren’t growing in proportion to the challenges we face. That creates a risk resiliency gap that leaders are struggling to figure out. How do we fill that gap?
We sat down with Richard Marcus, AuditBoard’s Chief Information Security Officer, to discuss:
- How innovative leaders use technology to solve the risk resiliency gap
- How to approach risk as a connected, unified organization
- How AI empowers your team to do more with less
- The soft skills your team needs to succeed
Watch the full conversation and read the can’t-miss highlights below.
How can leaders best solve the risk resiliency gap?
Richard Marcus (Chief Information Officer, AuditBoard): “For starters, issues with risk resiliency might be causing your organization to make trade-offs. If you think about legacy methods used by audit and GRC teams, they often have a few things in common. For starters, they’re time-consuming, manual, and repetitive. With limited resources, you might have to make trade-offs that limit the audit scope, frequency, or testing depth. That’s frustrating! Not just for audit, risk, and compliance leaders but also for control and asset owners.
Forward-thinking, innovative leaders in this space are looking to technology to solve the risk resiliency gap and increase their teams’ efficiency and performance. Ultimately, every solution you use should drive connectivity and collaboration within your organization. At AuditBoard, we believe it’s critical to approach risk as a connected, unified organization. That means your solution must consolidate data from across the organization to avoid silos and develop a comprehensive understanding of risk. Everyone must work off the same inventory when it comes to assets and risks. And while connecting data is critical, your teams must be connected, too. We often see that teams are not working together effectively, which results in duplicate efforts, with conflicting priorities or initiatives.
That’s why your teams–whether in risk, legal, finance, compliance, audit, or IT–must work on the same platform and with the same data to make the best decisions for the company. The ideal result of using the right technology is achieving that level of connectedness that helps you do more with less as an organization.”
How can teams leverage AI to do more with less?
Richard Marcus (Chief Information Officer, AuditBoard): “When talking about technology solutions, AI always comes up. There’s been a shift in 2025 – AI is now seen as an opportunity first and a threat second. That’s increasingly true as audit, risk, and compliance teams are starting to adopt AI-enabled technologies. Of course, this tech must be thoughtfully implemented to avoid downsides and risks. Here’s an example. A great use for AI in the audit, risk, and compliance space is drafting narratives. Often, you’ll need to write narratives, policies, risk descriptions, issue documentation, or action plans. If you are doing highly technical work, and then have to switch into drafting mode, it’s a difficult shift to make. While AI can’t singlehandedly write our board reports, it can accelerate the drafting process and reduce the amount of time it takes to produce them. Here’s how it usually works–and how you can do it better.
In most scenarios, you feed AI some data about your control environment and ask it to draft a description. Depending on the AI model you’re using and what data it is trained with, it can produce a solid narrative. However, if you’re using open-source AI or a commercial large language model, those descriptions will likely be quite generic. They’ll reflect all the policies and descriptions available on the Internet that folks have already published. However, these generic descriptions provide a solid starting point. You can tinker with this AI-generated description to make it fit your environment. However, there’s a better way to do it.
You can use a large language model that’s been trained on your own data. At AuditBoard, we have a language model that has access to all of our findings, our risk register, and all our policies. The descriptions it produces are very, very high-fidelity. These descriptions are remarkably close to what I, or someone from my team, would write. Of course, we still take a human-in-the-loop approach to polish, refine, and tune to ensure that it’s what we want. Still, it makes it faster to do this work and then get back to tasks only humans can do–like evangelizing risks with your executive team, your board, or your control owners.”
When keeping a human in the loop, what soft skills matter most?
Richard Marcus (Chief Information Officer, AuditBoard): “It takes real human talent to build, design, operationalize, and sustain these capabilities. That means the skillset that your GRC team needs is changing. For legacy GRC teams, be sure to prioritize written and verbal communication skills in your hiring process. You want somebody who can sit in a room with an auditor or an asset owner and walk them through an audit. They need to be experienced with certain frameworks. And those people will always have a role in audit and GRC teams.”
This is an exciting time to be a professional in the audit, risk, and compliance space as we leverage these emerging technologies. Looking for more thought leadership? Check out our on-demand webinar library for more leaders and experts discussing timely issues, insights, and experiences.
About the authors

Richard Marcus, CISA, CRISC, CISM, TPECS, is the CISO at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases.
