Dive into some of the key take-aways you may have missed from Gartner Enterprise Risk, Audit & Compliance Conference.
Gartner Enterprise Risk, Audit & Compliance Conference 2025 dove deep into key topics for leaders.
Compliance 2030: The Future of Engaging Employees With Compliance Guidance
Speaker: Mara Lindokken, Director, Gartner
Key take-aways
Embed compliance guidance: Move away from standalone training and communications by integrating compliance guidance directly into employee workflows. This approach has been shown to significantly reduce noncompliance and employee burden.
Localize liaison programs: Create more localized accountability for compliance through your compliance liaison networks. Local liaisons can better tailor messaging, track regulations and gather employee feedback to improve program effectiveness.
Make speak-up culture employee-centric: Reframe reporting misconduct from a company-centric value to one that highlights personal and team benefits for employees, including explicit leniency for self-reporting.
Build trust in investigations: Increase transparency and fairness in misconduct investigations by clarifying processes, communicating a range of possible consequences, and actively measuring employee trust and experience through feedback tools.
Expand ethics incentives: Broaden compensation structures and consequence management beyond senior leaders to all employees, ensuring that ethical conduct is recognized and incentivized throughout the organization.
Continuous Assurance — How to Make It Work
Speaker: Devanshu Mehrotra, Senior Director Analyst, Gartner
Key take-aways
Speaker: Antonia Donaldson, Director Analyst, Gartner
Key take-aways
Assurance executives should consider the entire third-party risk management lifecycle as they build and scale their TPRM programs.
The three most common barriers to building and scaling TPRM are (1) siloed ownership of third-party risk, (2) inefficient and redundant processes and (3) delayed implementation of TPRM technology.
Organizations are experiencing increased complexity and pressure within their third-party ecosystems.
If assurance leaders take a 5-step approach to maturing their third-party risk management programs, they can better mitigate the inherent risks of working with an increasing number of third parties.
What the Audit Committee Wants to Hear From Audit Leaders
Speaker: Brian Andersen, Senior Director, Gartner
Key take-aways
Facing mounting pressures such as increased scrutiny, a complex regulatory environment and evolving risks, audit boards need to improve risk oversight reporting.
Because of the limited time available to engage with audit committee members, CAEs should mindfully prioritize what to review and discuss in audit committee meetings.
CAEs must focus on the audit committee’s priorities, areas where the audit committee wants more information, and supporting risk oversight.
It’s imperative for CAEs to put risk oversight ahead of function oversight when engaging with the audit committee.
CAEs should structure their communications around core directional elements such as system governance mechanisms, thematic analyses across the organization, trends in root causes of audit findings, and the health of the risk management culture — while providing more detailed data in the read-ahead or supplemental materials.
Regulatory Impacts on AI Risks: What’s the Latest?
Speaker: Viktoria Boyle, Vice President, Gartner
Key take-aways
Legislators are enacting AI regulation at breakneck speed. For example, by 2028, more than 50% of developed countries will have enacted regulations to govern generative AI, up from less than 1% today.
The majority of new AI regulations are motivated by the same principles: the importance of transparency, the need for risk management and the need to ensure fairness.
Instead of cataloging every single AI use case in an organization to weed out the highest-risk ones that are most pertinent to AI regulation, it’s more efficient to work out a common set of use cases that will identify the AI systems most in need of controls.
Once the high-risk AI systems have been identified, a common set of base obligations, present in around 80% of existing legislation in this area, can be used to formulate processes and controls.
Risk Reporting That Drives Action
Speaker: Elliott Long, Director, Gartner
Key take-aways
The Gartner ERM agenda poll for 2025 found that actionable risk reporting is the second most cited priority for heads of ERM.
Although it is a high priority, it is getting harder to drive action on risk reporting. Risk leaders agree that, since 2019, there have been more risks and more complexity, and that more information is needed to guide business decisions.
To influence decisions, ERM leaders need to make risk reports intuitive to consume, relevant to upcoming business decisions and aligned with other information decision makers receive.
Make risk reports easier to consume by differentiating the level of detail according to each audience’s remit.
To make risk reports more relevant, anchor risks to strategic priorities and upcoming business decisions.
Many conference sessions were presented each day at Gartner Enterprise Risk, Audit & Compliance Conference 2025.