Resilience in an Era of AI and Global Volatility: What Actually Needs to Change in GRC

AI (Artificial intelligence) didn’t create risk. It exposed how unprepared most organizations already were to handle it in a period of global volatility.

That was the throughline of Onspring’s recent webinar, Resilience in an Era of AI and Global Volatility, featuring Michelle Randall, CMO at Onspring, and Valence Howden, Advisory Fellow at Info-Tech Research Group.

The conversation focused less on trends and more on what needs to change in how organizations approach governance, risk and compliance in a world where uncertainty is constant across global markets, shaped by ongoing geopolitical tensions, and defined by increasing global volatility.

The Problem Is Amplified Risk.

Most organizations already manage cyber risk, operational risk, compliance risk and third-party risk as part of broader risk management efforts..

What’s changed is how those risks interact.

Organizations are now operating in a state of high uncertainty and complexity, where traditional approaches start to break down. AI accelerates that by connecting systems, speeding up decisions, and introducing new variables all at once.

The result isn’t just more risk. It’s amplified risk, where issues compound faster than teams can respond to evolving market risks.

Valence Howden describes this shift as an “amplified state of risk,” where uncertainty, complexity, and accelerating technology converge.

Why Traditional GRC Approaches Fall Short

Many GRC programs were built for stability, defined risks, known controls and periodic reviews, rather than dynamic risk management strategies.

That model struggles in an environment where:

• Risks emerge across multiple domains at the same time
• Signals are incomplete or ambiguous
• Decisions need to happen before full data is available

In these situations, more dashboards and more documentation don’t solve the problem.

For example, a third-party issue flagged in procurement, a data concern raised by security and an AI-driven workflow behaving unexpectedly may all be connected. However when those signals live in different systems, the relationship between them is easy to miss across complex global supply chains, especially during periods of global volatility.

What’s missing is the ability to connect risk, interpret weak signals and act early.

Five Shifts That Define Resilient Organizations

The webinar highlighted five practical shifts already taking shape in more mature organizations.

Breaking Down Risk Silos

Risk is still managed in separate systems across many organizations. Cyber, compliance and AI governance often operate independently.

Resilient organizations move toward a connected view where risk is understood across the business, not confined to a single function.

Risk rarely shows up neatly in one category.

Treating Risk as a Strategic Input

Risk is often introduced after decisions are made, which keeps GRC in a reactive role.

The shift is bringing risk into decisions earlier, so it helps shape strategy rather than documenting outcomes and strengthens overall risk management strategies in the face of global volatility.

This is what separates teams that can defend decisions from those that are constantly explaining them after the fact.

Getting Better at Spotting Weak Signals

Most risks don’t announce themselves clearly. Instead, they show up as small inconsistencies or early indicators.

A delayed control update. An unusual vendor response. A pattern that doesn’t quite fit.

On their own, these signals are easy to ignore, but when they’re connected, they tell a different story.

Resilient organizations focus on identifying and acting on those signals before they escalate, even when the full picture isn’t available.

Where AI Actually Helps (And Where It Doesn’t)

AI introduces new risks, but it also creates an opportunity to reduce GRC Teams’ repetitive, manual work.

Used effectively, AI can:

• Automate repetitive documentation
• Surface insights across disconnected data
• Support faster, more informed decisions using artificial intelligence capabilities

The difference is where and how AI is used.

When AI is embedded directly within GRC workflows, it operates within the same security controls, data structures, and governance models teams already rely on. That consistency reduces risk and improves trust in outputs, especially when supported by a real-time platform.

When it sits outside those systems, it often creates gaps in oversight, inconsistent data handling and additional validation work.

The goal isn’t to add more tools. It’s to remove the manual work that keeps teams stuck in reactive cycles.

Adding Breathing Room to Operations

Many organizations operate with little margin for disruption.

That works until something goes wrong– something increasingly common during periods of global volatility.

Resilient organizations make room for response. Time to investigate. Capacity to adapt. Space to make decisions without compounding the issue and to improve supply chain resilience.

Without that margin, even well-understood risks become difficult to manage in practice.

Resilience Is Also an Operational Reality

Technology and processes only go so far.

If people don’t feel safe raising risks, those risks go unaddressed.

In many organizations, issues are visible early. They just aren’t escalated.

A team flags a concern but hesitates to push it further. A risk is acknowledged but not prioritized. Over time, those gaps compound.

Creating an environment where risks can be raised early and acted on quickly is what prevents small issues from becoming audit findings, incidents, or larger failures.

Why AI Risk Makes Governance Harder

AI doesn’t fit neatly into a single function. It touches data, models, processes, and outcomes.

That makes accountability harder to define.

Who owns the risk?

• The team using the model
• The team that built it
• The team responsible for oversight

In practice, it spans all of them. That’s why resilient organizations are clarifying ownership, defining monitoring practices, and addressing ethical considerations early.

Without that clarity, AI risk doesn’t just grow. It becomes difficult to track, explain, and defend.

Moving From Reactive to Intentional Resilience

One of the most practical approaches discussed in the webinar was scenario planning that starts with failure.

What would it look like if something went seriously wrong?

Working backward from that point helps teams identify gaps and prepare response options before they’re needed.

AI can support this by connecting signals and modeling potential outcomes, but the real shift is proactive thinking.

Resilience is something you design into your processes, not something you build after disruption.

Where Most Organizations Stand Today

Progress is happening, but not evenly.

Some organizations are already moving toward integrated risk models and using AI within their workflows to support decision-making. Others are still working through disconnected data and inconsistent processes.

AI is accelerating that gap by exposing where existing approaches no longer hold up.

What to Do Next

Resilience isn’t about doing more. It’s about working differently.

That means:

• Connecting risk across the organization
• Bringing risk into decisions earlier
• Acting on incomplete signals with more confidence
• Reducing manual work so teams can focus on what matters
• Creating the space to respond when conditions change

These shifts are what turn GRC into something leadership can rely on, not just something teams report on.

Watch the Full Webinar

Want to see how these ideas come together in practice?

Watch the on-demand webinar, Resilience in an Era of AI and Global Volatility, to hear the full conversation with Michelle Randall and Valence Howden, including real-world examples of how organizations are approaching integrated risk and using AI within their GRC programs.

Watch the webinar on demand and explore how your team can start building resilience today.