For more than two decades, I’ve watched the disciplines of Governance, Risk, and Compliance (GRC), Cybersecurity, and Business Resilience evolve: often in parallel, sometimes in tension, but rarely in sync.
When I founded Archer IRM in the early 2000s, the market was just beginning to formalize the concept of integrated risk management.
Fast-forward twenty years, and we’re seeing something extraordinary: a genuine convergence between the domains of GRC, cybersecurity, and operational resilience.
This isn’t a marketing buzzword. It’s a fundamental shift in how financial institutions, and increasingly the regulators that oversee them, are managing risk in a connected world.
The End of the Silos
For years, GRC, cybersecurity, and business continuity operated in silos.
- GRC teams focused on policies, controls, audits, and regulatory reporting.
- Cyber teams managed threats, incidents, and vulnerabilities.
- Resilience teams focused on crisis management, recovery, and continuity.
Each discipline developed its own frameworks, taxonomies, and technologies. They spoke different languages, measured different metrics, and reported to different leaders.
But the world changed.
Digital transformation, third-party dependencies, and continuous regulatory scrutiny have made it impossible to separate “cyber risk” from “operational risk,” or “resilience” from “compliance.”
Today, an incident in the cloud is a compliance issue. A regulatory breach is a cyber event. A resilience gap is a board-level risk.
The silos are no longer sustainable, and the institutions that cling to them are finding it harder to manage the velocity of modern risk.
The Drivers of Convergence
Three major forces are driving this convergence across the financial services landscape: regulatory harmonization, operational interdependence, and technological integration.
1. Regulatory Harmonization
Across the world, regulators are no longer treating cybersecurity, compliance, and resilience as separate mandates.
The European Union’s DORA (Digital Operational Resilience Act) unites ICT, cyber, and third-party risk under one framework.
In the U.S., the Cyber Risk Institute’s CRI Profile is harmonizing thousands of regulatory expectations into a single, actionable model for the financial sector.
For the first time, we’re seeing supervisors, regulators, and industry alliances align around the idea that resilience is cybersecurity, and cybersecurity is risk management.
2. Operational Interdependence
Modern institutions are systems of systems.
A single workflow, like onboarding a third-party vendor or processing a loan, can touch risk, IT, legal, and compliance functions simultaneously.
One weak link anywhere in that chain can trigger ripple effects across the enterprise.
Organizations that treat these as separate domains inevitably lose visibility. Those that connect them can anticipate and respond before disruptions escalate.
3. Technological Integration
The rapid evolution of no-code platforms, automation, and data integration is making it possible to operationalize convergence.
Instead of forcing teams to work in disconnected tools, platforms like SmartSuite are enabling unified workflows where controls, incidents, and resilience plans live side by side.
Technology is no longer the bottleneck: culture is.
A Common Language for Risk
One of the most exciting developments I’ve seen recently is the rise of industry-standard taxonomies that make this convergence practical.
The Cyber Risk Institute’s CRI Profile is leading the way in financial services.
Built on the NIST Cybersecurity Framework, it harmonizes over 2,500 regulatory requirements into roughly 300 diagnostic statements that can be mapped across resilience, cyber, and compliance programs.
This is a breakthrough.
For the first time, we have a shared language that allows:
- Boards and CISOs to speak about risk in business terms.
- Regulators and auditors to evaluate maturity consistently.
- Product vendors and consulting partners to integrate around the same foundation.
At SmartSuite, we’ve embedded the CRI Profile directly into our GRC Solution Suite, enabling financial institutions to manage assessments, remediation, and reporting within a single connected workflow.
This integration allows risk, compliance, and resilience teams to collaborate seamlessly, uniting the core elements of governance and cyber oversight in one modern platform.
The result: faster alignment, reduced redundancy, and measurable progress toward resilience.
The Role of the Board
Convergence isn’t just a technical challenge; it’s a governance one.
Boards are no longer content with static risk registers or siloed dashboards. They want clarity. They want to know:
- What risks could disrupt our ability to operate?
- Are our controls effective across functions?
- How does our resilience maturity compare to peers?
The convergence of GRC, cyber, and resilience provides a structure for those answers. It turns fragmented reports into cohesive stories that link operational controls, incident data, and resilience outcomes.
This is why frameworks like CRI and DORA are so powerful: they provide a model the board can understand.
From Integration to Intelligence
Once these domains are unified, something new becomes possible: intelligence.
When risk, cyber, and resilience data live in one connected ecosystem, organizations can move from reactive to predictive. They can detect weak signals across systems, measure the impact of controls, and model resilience under different threat scenarios.
This is where we’re heading next, from convergence to connected intelligence.
Platforms like SmartSuite are building the architecture to make that real: automated control monitoring, integrated incident-to-remediation workflows, and AI-assisted insights that turn complexity into clarity.
The Human Factor
While the technology enables convergence, the transformation ultimately depends on people.
The organizations that succeed will be those that:
- Break down the walls between teams.
- Standardize on shared taxonomies like CRI.
- Invest in data governance and process design.
- Foster a culture where risk is everyone’s responsibility.
Convergence isn’t a project; it’s a mindset.
It’s the recognition that resilience, compliance, and cybersecurity aren’t competing priorities, but interconnected expressions of the same objective: trust.
The Future of Connected Risk
Looking ahead, I believe the next decade of GRC innovation will be defined by this convergence.
Just as the early 2000s were about digitizing risk management and the 2010s were about automating it, the 2020s will be about connecting it: unifying data, frameworks, and teams under one intelligent fabric of governance.
This is not theoretical.
It’s already happening inside forward-thinking financial institutions, regulators, and vendors who recognize that managing risk in isolation no longer works.
The convergence of GRC, cyber, and resilience isn’t just an evolution.
It’s the foundation of the future, a world where trust, transparency, and technology finally operate as one.
Jon Darbyshire is CEO and Founder of SmartSuite and previously founded Archer IRM, one of the first enterprise GRC platforms. He continues to work closely with financial institutions, regulators, and technology partners to advance the future of integrated risk management.