Articles and Learning

Explore toolkit
Looking for a quick definition? See the GRC & risk management glossary

Featured Article

Control Frameworks Explained: Types, Design and Effectiveness

Risk Management
13 min read

Controls are where risk management becomes real. This full guide explains what internal controls and control frameworks are, the main types, what makes a control well-designed and effective, and how to design and test them - with worked examples.

Elliot Poublan
Read more

All Articles

What Is the Three Lines of Defence Model in Risk Management?

Risk Management
6 min read

Who owns risk? Who oversees it? Who provides independent assurance? The Three Lines of Defence model answers all three - and it's the framework your board and regulators expect to see in action.

Elliot Poublan
Read

How to Choose a GRC Tool in 2026

GRC Tools
12 min read

A buyer guide for risk management tools and GRC platforms. What mid-market firms should look for, when to leave spreadsheets, and how to avoid overbuying enterprise suites.

Elliot Poublan
Read

10 Questions to Ask GRC Vendors in 2026

GRC Tools
8 min read

A practical question set you can use in GRC RFPs, demos, and vendor meetings - focused on methodology, implementation, pricing, and board-ready reporting for mid-market organisations.

Elliot Poublan
Read

Best GRC Software for Mid-Market in 2026: 5 Platforms Compared

GRC Tools
11 min read

Shortlisted the best risk management tools and GRC software for mid-market organisations. Enterprise suites, point tools and right-sized platforms compared - and when Initia Risk is the better fit.

Elliot Poublan
Read

Is GRC Worth It? The Financial Case for Enterprise Risk Management

GRC Tools
10 min read

Evidence shows that mature GRC frameworks pay off - both by avoiding costly fines and by unlocking value through better valuations, lower financing costs, and operational efficiency. Here's what the numbers tell us.

Elliot Poublan
Read

How to Build an ERM Framework: The Essential Guide

Risk Management
7 min read

Enterprise Risk Management doesn't have to be complicated. Here's how to build a structured ERM framework that actually works - from documenting your approach to making sure everyone uses it.

Elliot Poublan
Read

How to Assess Enterprise Risk: A Practical Guide for ERM Teams

Risk Management
12 min read

From judgement-based scoring to quantitative modelling - a clear guide to the four main risk assessment approaches, when to use each, and how to choose the right level of sophistication for your ERM programme.

Elliot Poublan
Read

How ERM Teams Produce Consistent, Board-Ready Risk Reports on a Recurring Cadence

Risk Management
8 min read

How ERM teams run board reporting as a repeatable process: pack structure, week-by-week cadence, and the mistakes that break consistency. For what boards and regulators require in the pack, see our board-level reporting guide.

Initia Risk Team
Read

How Much Does GRC Software Cost in 2026? UK Pricing Guide

GRC Tools
10 min read

How do GRC vendors price their platforms in the UK? A clear guide to module-based pricing, per-seat licensing and hybrid models - and what to look for when comparing GRC software quotes.

Elliot Poublan
Read

What Is an RCSA? Full Form, Meaning & Why Most Fail (2026)

Risk Management
11 min read

RCSA and risk and control assessment are the same job under different names. Most programmes look fine on paper; in practice they become calendar exercises that exhaust the first line and rarely change decisions. Here is what risk and control assessment is, why it exists, where it breaks, and what good looks like.

Elliot Poublan
Read

How to Run Risk and Control Assessment (RCSA): Step-by-Step

Risk Management
12 min read

A practical sequence for risk and control assessment and RCSA: define risks, map controls, assess design and effectiveness, close gaps, and track actions. How to run the process so the first line engages and the output holds up to scrutiny.

Elliot Poublan
Read

Excel vs GRC Tools for Risk and Control Assessment (RCSA): When Should You Move?

GRC Tools
10 min read

Excel is where most risk and control assessment and RCSA programmes start - and for good reason. Here is when spreadsheets are enough, when they break, the signs you have outgrown them, and what to look for in a GRC tool without enterprise bloat.

Elliot Poublan
Read

Risk Positions: Gross vs Net Risk, Appetite & Target Explained

Risk Management
7 min read

Gross/inherent risk vs net (post-control) risk - the split that matters in registers and board packs. Residual risk is usually the same post-control score as net; plus risk appetite and target risk. Practical definitions for ERM and RCSA scoring.

Elliot Poublan
Read

What Is a Risk Rating? Definition, Formula and How to Calculate It

Risk Management
9 min read

A risk rating is the output of assessing how likely a risk is and how bad it would be - derived from financial and non-financial impact and likelihood matrices, then Likelihood × Impact on a 5×5 scale. This guide explains the formula, the matrices underneath, rating bands, and where ratings typically break down.

Elliot Poublan
Read

The 5×5 Risk Matrix and Heat Maps: What Boards See - and What the Numbers Hide

Risk Management
10 min read

Heat maps remain a staple of committee packs. This guide explains what they do well, where they mislead, how to define what sits under the grid, and how they relate to assessment, ownership, and reporting-without treating the chart as a substitute for judgement.

Initia Risk Team
Read

How to Create Real Risk Ownership in Your Organisation

Risk Management
14 min read

Every risk register has an owner column. Almost none of them reflect genuine accountability. Here is why risk ownership fails, what actually makes it stick, and why talking about money and strategic objectives is the fastest way to get the first line engaged.

Elliot Poublan
Read

Board-Level Risk Reporting: A Practical Guide

Risk Management
8 min read

What boards and regulators expect in board-level risk reporting: eight components, governance expectations, and supervisory scrutiny. Pair with our cadence article for how ERM teams deliver the pack every quarter.

Initia Risk Team
Read

Risk and Compliance Expectations for Universities in 2026 - What Heads of Risk Need to Evidence

Governance
10 min read

From OfS registration conditions and public interest governance to financial sustainability, cyber resilience, GDPR and freedom of speech - the challenge for university Heads of Risk is increasingly one of evidence and operating discipline, not just policy design.

Initia Risk Team
Read

Provision 29 of the UK Corporate Governance Code: An End-to-End Compliance Guide

Governance
12 min read

From 1 January 2026, boards of UK premium-listed companies must publicly declare the effectiveness of their material internal controls. Here is what Provision 29 actually requires, the four control categories that matter, and a step-by-step roadmap to get there.

Initia Risk Team
Read

Provision 29 vs SOX: A 2026 Guide for UK and US Internal Controls

Governance
13 min read

Provision 29 has been called "UK SOX". It is not. The two regimes share DNA but diverge on scope, assurance, materiality, sanctions and intent. Here is how they line up, where dual-listed companies should rationalise, and where they should not.

Elliot Poublan
Read

How to Identify Material Internal Controls Under Provision 29 (2026 Methodology)

Governance
14 min read

The hardest decision in any Provision 29 programme is which controls are material. The FRC has deliberately not told you. Here is a working definition, a three-test methodology, a scoring rubric and a worked example for landing on a board-defensible inventory.

Elliot Poublan
Read

What Is GRC? Governance, Risk and Compliance Explained for 2026

Risk Management
9 min read

Governance, Risk and Compliance (GRC) is a strategic approach to aligning IT and business with rules and risks. Here is what GRC actually means, how the three disciplines connect, and what good looks like in a mid-market firm.

Elliot Poublan
Read

What Is a Risk Register? Definition, Structure & Examples (2026)

Risk Management
8 min read

A risk register is the canonical list of an organisation's risks, their owners, their scores, the controls that mitigate them and the actions in flight. Here is what it should contain, how it should be structured, and why most registers break down in practice.

Elliot Poublan
Read

Best Risk Management Tools UK 2026: Software Shortlist for Mid-Market Firms

GRC Tools
11 min read

A practical UK shortlist of risk management tools and software for regulated firms in 2026. How enterprise platforms, point tools and right-sized alternatives compare - and how to choose without overbuying.

Elliot Poublan
Read

Best Risk Management Software for UK Startups & SMEs (2026)

GRC Tools
9 min read

Most risk software is built for enterprises with a six-figure budget and a consulting team. UK startups, scale-ups and SMEs need something simpler - and increasingly, something modern. A shortlist for 2026.

Elliot Poublan
Read

Risk Register Software (2026): Replace the Spreadsheet, Keep the Discipline

GRC Tools
8 min read

A risk register that lives in a shared spreadsheet works until it does not. Risk register software is what comes next: structured ownership, scoring, controls and audit trail, without losing the discipline that made the spreadsheet usable in the first place.

Elliot Poublan
Read

Enterprise Risk Assessment: Process, Methodology & Output (2026)

Risk Management
10 min read

A project risk assessment looks at one piece of work. An enterprise risk assessment looks at the whole organisation - all risks, all owners, scored consistently, in one place. Here is the process, the methodology, and what good output looks like.

Elliot Poublan
Read

Soft Skills Matter: What to Look for Beyond Technical Compliance Expertise

ComplianceGuest
6 min read

When hiring compliance professionals, technical knowledge is only the starting point. Guest writer Lauren Eager-Hey on the soft skills that separate good hires from great ones.

Lauren Eager-Hey
Read

What Is Operational Risk Software? Tooling, RCSA & Control Testing (2026)

Risk Management
8 min read

Operational risk tooling is more than a risk register. It is the connected operating layer - register, RCSA, control testing, KRIs and risk events - that turns operational risk from a quarterly spreadsheet exercise into a defensible, board-ready profile. Here is what good operational risk software looks like and how to choose it.

Elliot Poublan
Read

What "Good" Looks Like Under Provision 29

GovernanceGuest
5 min read

Provision 29 moves from describing frameworks to defending their effectiveness. Guest writer Pamela Stacey, founder of GRC Catalyst, on what "good" actually looks like in practice - and why it is about coherence, not completeness.

Pamela Stacey
Read