As we approach the close of the fiscal year, we're getting a lot of reminders to complete our trainings and sign some documents to confirm that we understood and acknowledge whatever the document was talking about. I sign. I acknowledge I'm compliant. And the auditor can now say we are compliant and that the controls are in place.
Wait, what was that document I signed? Never mind. My manager is happy and the executives see reassuring numbers. Auditors see evidence. Everyone exhales.
Everyone in the office is polite, even the passive-aggressive co-worker. The same is true of corporate policy certifications, which assume that if an employee acknowledged a policy, then they read it. If they read it, they understood it. If they understood it, they will remember it and act exactly as the policy requires when the situation arises.
But all this really proves is that the employee interacted with a system. In an actual pressure-filled sales conversation, an employee is far more likely to remember the quota or a KPI than the policy.
Checkboxes are easy. Human behavior is not.
Most employees don't ignore policies because they are reckless. They ignore them because policies blend into the background easily. There are too many of them but all of them are mandatory. All important. All urgent. If every item is treated as special, none of them really stand out.
If mandatory becomes the default, it becomes less meaningful.
There's the matter of language too. Many policies are written less like tools for employees and more like legal exhibits. They are precise, defensible, and seem to exist for external auditors to understand them. But auditors are not the ones implementing them. For employees, they're like wallpaper.
Timing makes it worse. Certifications often arrive during quarter closing, annual planning or fiscal year-ends. That's when employees are mostly concerned with deadlines, cut-offs, KPIs, quotas and performance evaluation. Employees are asked to pay attention in the moments they are most distracted.
Trainings don't always help. Too often, they test memory instead of judgment. In the same way that I answer certification exam questions, my answer is based on what I think the examiner expects as an answer. Further, at the end of the training, the certification asks me to confirm "I acknowledge" but there's no button for "I'm confused."
Does this mean we should remove our annual certifications then? That's not the solution either. Certification has value. It creates a formal moment of accountability and a record that expectations were communicated. But it should not carry more weight than it actually supports.
Annual certifications are not useless. They can reinforce accountability, prepare employees for high-risk situations, and support compliance evidence. Yes, we still need clean audit reports. But certifications are not a magic control, and they do not prove true understanding or guarantee behavior.
The goal is not to make employees click faster but to help them make better decisions when the pressure is real. The real test is what happens in the moment that matters most: whether the organization has prepared them to choose well.
I have read and acknowledged the above article.
P.S. For those like me who struggle to catch up with Gen Z slang, Mr. Guy Z here is hired to help with awareness.
Every organization claims integrity as its highest value. Top management makes sure to deliver this message during town halls. It is then followed by a discussion on cost reductions, accelerated delivery timelines, and "doing more with less". Executives encourage employees to speak up, challenge risks, and uphold ethical standards - often with the sincere confidence of people who have not personally wrestled with three simultaneous audit requests while trying to close month-end operations. Somewhere between the executive floor and operational reality, these messages lose oxygen. By the time they reach the middle layers of the business, "do the right thing" quietly becomes "do the practical thing." By the time they reach the ground level, it becomes "do something."
We've seen this happen. Companies proudly promote a "speak up culture", except when the topic is sensitive such as during layoff seasons or when budgets are being cut. Risk appetite statements become legendary documents frequently referenced but rarely understood, like ancient corporate scrolls nobody dares question. Meanwhile, compliance hotlines technically exist, but employees often prefer the more efficient "Slack backchannel framework" where concerns are discussed privately (or semi-privately). The usual red flag appears when the trusted coworker begins a message with "This is probably not okay, but..."
The root problem is rarely bad intent. It is usually incentive misalignment wrapped in corporate optimism. Leadership teams reward growth, speed, and efficiency, while governance teams promote caution, documentation, and control discipline. Employees quickly learn which priorities actually matter during performance evaluations. Smart and efficient employees learn to create shortcuts using "temporary workarounds" while accepted risks gradually accumulate. Organizations eventually learn that culture is shaped by what must be done to survive quarterly targets.
The remedy is not another awareness campaign or refreshed corporate values poster. Organizations need leadership messages that align with operational realities and incentives. If employees are expected to escalate issues, managers cannot be punished every time escalation delays delivery. Risk appetite statements should not need a two-hour workshop to be understood. Governance teams need to spend more time understanding business pressures and less time making training videos about corporate values and culture of integrity. Most importantly, leaders need to create environments where bad news travels upward before it becomes external news. In governance, real tone at the top is usually discovered in the chaos and disaster unfolding in the middle and the bottom.
"AI Rush" - that's when AI is the buzzword in town hall meetings and management strategy sessions. AI is accelerating business operations faster than governance teams can keep up. Excel files are not cutting it anymore. Transactions move faster, and products get built in a fraction of the time it took development teams six months ago. Decisions are being made by algorithms that never sleep. But we have not yet reached the point where we are comfortable trusting AI to assess the risk for us. Risk and compliance teams are trying to keep up.
In order to cope, continuous controls monitoring has been the preferred solution because manual reviews simply cannot scale anymore. Because AI relies heavily on probability, organizations increasingly expect broader transaction testing coverage. The advantage is obvious: automated monitoring can detect anomalies across millions of activities in real time. The disadvantage is also obvious: automated monitoring can detect anomalies across millions of activities in real time, including false positives, suspicious activities, and unusual occurrences that may or may not matter.
With automated monitoring, we're seeing more items in our dashboards like suspicious login attempts, unusual payment patterns, operational exceptions and AI-detected anomalies (which might possibly include AI-hallucinated anomalies). The dream was super-powered detection. The reality is alert fatigue with better aesthetics. Getting alerts without the operational capacity to investigate them (e.g. due to insufficient manpower, numbness, or wrong prioritization) is not an effective monitoring control.
Technology is not the problem here. It is the assumption that more monitoring is automatically a more effective control. It's easy to deploy monitoring tools fast, especially with AI tools capable of creating AI agents in minutes. But defining processes around them, assigning ownership, and setting escalation paths and thresholds all require judgment, and judgment is better when people are given time to think. Sometimes, alerts are even produced without operational context or based on poor quality data. Over time, excessive alerts can desensitize teams to warnings, especially if everything appears urgent. Business impacts are predictable: burnout, delayed investigations, and lack of trust in alerts and dashboards.
The solution is not to turn back to manual. Operational processes have already accelerated beyond that point and getting them to regress back "to the old ways" is not an option. Governance teams need to adapt and find ways to improve the situation:
If I had a penny for every time “risk appetite” was mentioned in an audit committee meeting, I’d be rich. I wouldn’t be a millionaire, but I could probably afford an espresso coffee every month, and that’s rich enough for me. In theory, risk appetite is the amount and type of risk an organization is willing to pursue or retain [1]. In practice, it is the scale where decision-makers position themselves between You Only Live Once and Anxiety Exists for Survival. Every business decision is ultimately an exercise in balance. Leaders do not want to turn the company into a Formula 1 car driven straight into a cliff, but they also do not want it to become a shopping cart that cannot even leave the supermarket parking lot. The current AI rush raises an important question for organizations: are companies making deliberate strategic decisions, or are they simply reacting to fear of being left behind?
Businesses rarely view speed as a problem. Fast launches are rewarded. Being first to market is often treated as a competitive advantage. Meanwhile, trust functions — compliance, audit, legal, and risk — are frequently viewed as friction that slows the business down. To be fair, I understand why. What concerns me is not speed itself, but whether the car is built to stay on the track without falling apart before it reaches the finish line. More importantly, organizations should ask what actually exists at the finish line. Is it a celebratory pit stop or a cliff? I often compare modern business decisions to driving at 150 km/h toward an unfamiliar road. In that situation, trust functions are not speed bumps. They are the brakes, headlights, and windshield wipers that help the driver avoid crashing before realizing the road conditions have changed.

The pressure to move quickly has become even more intense with AI. FOMO now exists in boardrooms. “Other companies are already doing it — why aren’t we?” Executives feel pressure to adopt AI because competitors are launching it, vendors are selling it, and someone on the board read an article during a delayed flight. The result is often a trend-chasing strategy before organizations have properly discussed what risks they are actually willing to accept.

Questions around data privacy, regulatory exposure, intellectual property, model accuracy, reputational harm, and cybersecurity are frequently treated as secondary concerns instead of foundational ones. There is certainly risk in failing to meet market expectations. However, that is not the only risk businesses face.
This pressure is understandable. Markets move quickly. Investors demand growth. Customers usually prioritize innovation and convenience over stability. There is always something newer, faster, or shinier entering the market, and leaders naturally worry about becoming irrelevant. Organizations want to be viewed as innovative and strategic. However, the absence of clearly defined risk appetite does not make a company strategic. It simply makes the company reactive. Leaders should also consider whether being viewed as trustworthy may ultimately matter more than being viewed as first.

Risk appetite matters because long-term growth is not only about revenue. Weak governance and poor controls eventually become strategic constraints. Wells Fargo is a useful reminder of this reality. In 2024, the OCC entered into a formal agreement with Wells Fargo to address deficiencies in governance and compliance processes [2]. These kinds of issues do not simply create compliance work. They consume executive attention, damage reputation, increase regulatory scrutiny, and limit strategic flexibility. Organizations often treat governance as a cost center until weak controls begin interfering with growth itself.
For AI specifically, organizations should be explicit about their risk appetite. A company may allow the use of AI while still requiring human review for important decisions. It may accept AI-generated outputs for internal productivity purposes while rejecting AI-generated legal or regulatory advice. It may permit AI-assisted customer service for routine questions but require human escalation for higher-impact concerns.
This is not anti-innovation.
It is simply recognizing that speed without boundaries eventually creates instability.
Wearing a seatbelt does not make someone anti-driving. It improves the likelihood of surviving the journey.
Managing risk appetite requires more than a policy document.
First, communication matters. Risk appetite should be written in clear business language that people across the organization can actually understand.
For example: “We will launch customer-facing AI tools provided they do not process confidential customer data and provided that human escalation and incident response controls are approved.”
Second, risk appetite requires ownership. Boards should approve and challenge it. Executives should translate it into operational thresholds. Risk and compliance teams should help define those thresholds, while internal audit should test whether business activities remain aligned with them.
Third, incentives must match the stated appetite. Employees follow compensation structures more closely than policy documents. If AI utilization becomes a KPI, employees will naturally maximize AI usage — including in situations involving sensitive or confidential data.
Culture is ultimately shaped by what gets rewarded.
Finally, risk appetite should evolve over time. Markets, customer expectations, and regulations constantly change. Today, customers may want the newest AI tool with hundreds of features. Next year, they may simply want a product they can trust.
The organizations that succeed long term are not the ones that avoid risk entirely. They are the ones that understand risk, govern it properly, and take it deliberately rather than reactively.
The goal is not to eliminate fear of missing out. The goal is to ensure that decisions are driven by strategy instead of panic.