5 insights from CRX EMEA to transform risk into opportunity

CRX EMEA 2026 has wrapped in London, cementing its place as one of the flagship GRC conferences in the region.

Optro brought together hundreds of customers, partners, and visionary leaders to map the next evolution of GRC. Across every session, our lineup of industry pioneers powerfully outlined the challenges and opportunities of moving from slow, reactive legacy methods to proactive automation.

Here are the 5 core insights we learned on the ground at CRX EMEA.

1. The speed of risk has changed

The risk landscape isn't moving at the pace most GRC teams were built for. EMEA leaders are increasingly asked to manage AI-speed threats with spreadsheet-speed tools — fragmented documentation, periodic assessments, and siloed data that can't keep up with the velocity of modern disruption.

There’s a fundamental shift underway: away from GRC as a backward-looking audit function and toward something closer to an engineering discipline — proactive, connected, and built to act in real time. When risk data is unified and intelligently automated, it stops being a compliance burden and becomes a strategic signal. The organizations pulling ahead aren't just managing risk faster. They're managing it differently.

2. AI is fundamentally reshaping the risk landscape

Paul McKay, VP and Principal Analyst at Forrester, explained how compounding macro crises and ongoing policy volatility have upended traditional risk models, while AI is accelerating change faster than legacy systems can keep pace. McKay referenced the 1975 film when he said:

Legacy platforms and point-in-time assessments leave organizations exposed to continuous, high-velocity disruption. Throwing money at the problem won't close the gap, either; most enterprises expect risk budgets to climb 5% to 10% over the next year, yet that spending can't fix a structural flaw.

The fix, McKay argued, is a shift in what the technology actually does. GRC platforms must evolve from static systems of record into AI-driven ecosystem outcome orchestrators. As AI matures, manual data entry gives way to continuous controls monitoring and automated risk intelligence.

The takeaway is simple: in a volatile era, risk teams that embrace continuous, intelligence-led capabilities can move from compliance gatekeepers to strategic advisors.

3. Build your AI governance foundation

Guru Sethupathy, GM of AI Governance at Optro, warned the AI generation: there’s no utility without trust.

The pressure is ramping up. Under the EU AI Act, mandatory AI literacy is already law, and compliance deadlines are looming. Failure carries devastating penalties. If you use third-party software, you’re on the legal hook for any bias shown.

Sethupathy outlined key lessons to be gleaned from Cielo’s AI governance program:

• Centralize your AI inventory on one platform to eliminate shadow applications.
• Design a risk-based intake process to tailor compliance friction to risk tiers.
• Automate impact assessments to strip away manual documentation burdens.
• Duct-tape vendor compliance by melding AI safety requests into existing procurement.
• Keep your finger on the pulse to actively monitor live models.

By uniting these under one umbrella, you can turn AI governance into a strategic advantage.

Related reading: See how Cielo built a centralized inventory of over 50 AI systems, achieving rigorous certifications in just 3.5 months.

4. Transform risk programs to seize opportunities

Richard Chambers, Senior Advisor at Optro, brought an unflinching perspective.

Overlapping macroeconomic shocks and geopolitical fragmentation now collide before an enterprise can catch its breath. In this volatile baseline, traditional GRC is not the answer. In fact, it could be hurting the business. Legacy systems of record act as an internal police force, rewarding risk avoidance while stifling innovation.

To survive, risk teams must adopt an offensive dual mandate that balances protecting value with creating it. By replacing defensive oversight with AI-driven systems of action, organizations can instantly bridge the gap between knowing and doing. AI transforms risk data into forward-looking insights, letting teams automate workflows and identify strategic opportunities early.

Chambers left us with a crystal-clear mandate: stop managing data and start orchestrating outcomes.

5. Static systems weren’t built for dynamic enterprises

Every insight from CRX EMEA pointed to the same underlying shift: GRC programs built on static systems and siloed functions can't keep pace with how organizations actually move. Organizational resilience is no exception.

The data makes the problem hard to ignore. Ninety-two percent of leaders say they're confident they can meet recovery time objectives, but only 39% met them when disruption hit, according to Optro’s new report, When business continuity fails.

Optro's business continuity management (BCM) solution addresses this directly by integrating continuity planning into the same platform used for audit, risk, and compliance. Bottom line: Resilience is a live capability, and it only holds up when your continuity program is connected to the rest of your risk and compliance data, teams, and systems. Sandro Boeri, Internal Audit Thought Leader, Risk Audit, says:

Be part of what’s next in GRC

The throughline across every session was the same: static systems, siloed functions, and reactive programs can't keep pace with modern risk.

The next evolution of GRC will be defined by how well organizations combine human judgment with artificial intelligence. Speed and adaptability now decide who stays ahead, and that demands a fundamental rethink of how teams anticipate and respond to shifting risk.

But as automation accelerates, people matter more, not less. Risk management is ultimately about connection and building durable stability across digital, economic, geopolitical, and corporate realms. Platforms can process and predict, but only people can imagine, guide, think critically, and create. The leaders who pair that human insight with intelligent technology won't just weather disruption. They'll turn it into their greatest competitive advantage.

Join the leaders shaping the future of GRC at CRX 2026 in San Diego, CA. Connect with hundreds of GRC leaders this October for three days of sessions, insights, and community.

Join us at CRX 2026 | Oct 13-15

Save your spot

About the authors

Optro is the leading AI-powered GRC platform, transforming the way the world’s biggest companies manage risk. More than 50% of the Fortune 500 trust Optro to elevate their audit, risk, and compliance management.