Newsletter Issue #5

1. Industry Report: The Forrester Wave™: Third-Party Risk Management Platforms, Q1 2026

I read Forrester’s first TPRM Wave in two years this week, and the framing alone tells you something has changed – the report opens by calling TPRM “an urgent business risk and board-level priority,” not just a vendor management function.

  • 12 vendors evaluated across 27 criteria, with ProcessUnity, LogicGate and Archer as leaders.
  • ProcessUnity is called out for dynamic questionnaire scoping (depth and cadence adjust to vendor risk profile) and preconfigured AI workflows for risk response
  • LogicGate scored 5/5 across all 11 evaluated criteria in current offering and strategy. Forrester’s note of caution: “best suited to buyers with a clear TPRM vision, an appetite for DIY, and the discipline to keep workflow flexibility from becoming a double-edged sword”
  • The 27-criterion framework covers AI governance and risk management as a standalone dimension, a new addition that wasn’t in the Q1 2024 evaluation

If you want to see a list of GRC tools with their analyst ratings, visit https://allaboutgrc.com/grc-tools/

Link: https://reprint.forrester.com/reports/the-forrester-wave-tm-third-party-risk-management-platforms-q1-2026-16c13b09/index.html


2. Resource: Ten Practical Guidelines to Improving Board Communication

The Corporate Secretaries International Association (CSIA) published a guide with practical tips on how to improve Board communication.

My personal favorite is this:

Keep a “stakeholder register” noting any specific or special requirements (for example, some preferring not to receive communication over a weekend unless it is an absolute emergency or electronic versus hard copy preferences).

The ten guidelines are aimed at corporate secretaries but apply broadly to anyone preparing board materials. Some things that I liked:

  • Become a proactive information gatherer – actively source what directors need to make decisions, not just consolidate what management sends up
  • Be an honest broker – never filter information to protect management’s position; a good cultural test is whether bad news travels as fast as good news
  • Engage directors on their information preferences – keep a “stakeholder register” noting individual preferences for format, volume, and timing
  • Use a standard submission template – every board paper should include: purpose, executive summary (for documents over 10 pages), risk analysis, financial implications, and a clear decision/resolution required
  • Board pack available 7 days in advance – late papers or papers arriving in multiple tranches are explicitly called out as a problem
  • Communicate more rather than less – when in doubt whether to share something: “if in doubt, put it out”

Link: https://csiaorg.com/wp-content/uploads/2023/02/Ten_Guidelines_Board_Communication_28Apr16.pdf


3. Resource: LogicGate Experience Report 2026 – 96% Manager Approval

A GRC vendor publishing its own culture report is an unusual move…but the employee sentiment numbers inside are worth a look.

LogicGate released its 2026 Experience Report, a document focused squarely on workplace culture and employer brand rather than product. The headline stats come from their April 2025 Employee Experience Survey and October 2025 Culture & Inclusion Pulse:

  • 96% of employees say their manager genuinely cares about their wellbeing
  • 92% feel respected at LogicGate
  • 88% feel their opinion is valued; 88% say the company values diversity; 88% say they can be their authentic self at work
  • Named a top workplace by the Chicago Tribune, Built In, and Crain’s Chicago Business in 2025 — their fourth consecutive year partnering with DEI firm Paradigm
  • Employees logged 212+ volunteer hours in 2025 through a paid volunteer time-off program

Link: https://www.logicgate.com/resources/reports/


4. Video Recommendation: Governing AI Agents at Scale: Identity, Scope, and Observability (with Glean and Cvent)

I wanted to share this fireside chat on YouTube. A CIO and a CISO discuss how they govern AI agents in their organizations. Some of the practical tips I noticed the panel gave:

  • Create safe sandboxes for the business — pre-approved sandboxes that give business units a sanctioned route to adopt AI
  • Train employees on using AI and include governance expectations
  • Assess value and validate the ROI of agents
  • Use the AWARE framework for evaluating AI agent governance. The panel saw this framework as a more practical technical guide than others such as the NIST AI RMF, which is more about “organizational governance”
  • Establish a structured risk process that business and security can use to understand the risks of proposed ideas.

I also liked how they both focused on the business. It’s a great 20 min watch!

Link:


5. Article: BSP Orders Philippine Banks to Phase Out SMS OTPs by June 2026

A bit late, but I found this news quite aggressive, and it shows why sometimes a regulator has to step in to promote security. The Central Bank of the Philippines gave institutions a hard deadline to drop SMS OTP.

  • BSP Circular No. 1213 (June 2025) requires all BSP-supervised institutions to phase out SMS and email OTPs as a sole authentication mechanism by June 25, 2026 — one year from the circular’s effective date
  • Mandated replacements: phishing-resistant MFA using FIDO passkeys, on-device biometrics (fingerprint, face), or hardware tokens; behavioral biometrics and passwordless authentication are also accepted
  • Context driving the mandate: the country’s digital fraud rate sits at 13.4% — nearly triple the global average — and ranked second worldwide

Link: https://www.bsp.gov.ph/Regulations/Issuances/2025/1213.pdf
