Risk is Our Business

Author: Michael Rasmussen

Description

Welcome to Risk Is Our Business, where we explore the principles of Governance, Risk Management, and Compliance — to reliably achieve objectives, navigate uncertainty, and act with integrity.

Here, we follow the Prime Directive of Risk Management: No decision or strategy moves forward without understanding its impact on our objectives, our resilience, and our values. Because risk isn’t the enemy, it’s the mission.

After all, risk is our business.

Join us as we go boldly into the world of GRC.
51 Episodes
In this episode of Risk Is Our Business, Captain Michael Rasmussen connects over a slightly distant comms link (via Teams) with Hakkı Sarp, Enterprise Risk Management leader at QIAGEN, for a conversation on how risk management is being reshaped by today’s fast-moving environment. They begin by examining the limitations of traditional risk practices, and why approaches built for slower, more predictable conditions are struggling to keep up with the velocity and complexity organizations now face. From there, the discussion turns to AI and separating real value from hype, including identifying where it is genuinely enhancing risk management today versus where expectations may be running ahead of reality. Hakkı and Michael explore the dual challenge of predicting risks while remaining adaptable, and how organizations must balance short-term financial pressures with longer-term sustainability considerations that don’t always fit neatly into existing frameworks. They also unpack the role of risk culture and what it really means, why it’s so difficult to embed, and how leadership behaviors ultimately determine whether risk is lived or simply documented. The conversation closes with a simple but powerful perspective on how leaders should approach risk in a world where uncertainty is constant and conditions change faster than frameworks can keep up.
In this return episode of Risk Is Our Business, Captain Michael Rasmussen welcomes back Graeme Keith for a sequel to Wrath of Math, this time shifting from models to meaning. They take aim at cookie-cutter risk management, unpacking what separates genuine practice from templated frameworks that look good on paper but fail to influence decisions. The conversation centers on Graeme’s recent writing on risk appetite, and his frustration with how often organizations discuss the risks they’re willing to take without addressing the more fundamental question of why are we taking those risks at all? From there, they explore how risk appetite is often less about numbers and more about culture, intent, and context, and why effective risk management must always be anchored to the decisions it is meant to support. Without that connection, risk becomes descriptive rather than directional. They also dive into the realities of interconnected risk, the current state of risk technology, and where the discipline may be heading by 2030, including whether tools are helping organizations make better decisions, or simply producing more sophisticated noise. If Wrath of Math challenged how we quantify risk, this episode challenges how we make sense of it and whether risk management is truly helping us navigate, or just giving us more charts while we drift.
In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Karan Rao, Head of Enterprise Risk at Embark Student Corp., for a conversation that started not in a boardroom but on LinkedIn. A post from Karan caught Michael’s attention on how the best risk managers aren’t the ones with the most complex models, but the ones who can walk into a room, read the people, interrogate the data, and explain risk so clearly that action becomes unavoidable. From there, the discussion dives into the human side of risk. They explore why understanding behavior is just as important as understanding data, and why the ability to communicate, write, and present with clarity separates those who inform from those who influence. Risk leaders, they argue, don’t hide behind dashboards, they translate insight into decisions. They also discuss the importance of developing skills that compound over time: communication, storytelling, emotional intelligence, and business understanding. Karan shares how ideas from Atlas of the Heart shape his approach to risk leadership, helping him connect emotion, clarity, and decision-making in high-stakes environments. This episode is about moving risk from a reporting function to a leadership discipline, one where the ability to engage the room matters just as much as the data on the screen.
In this episode of Risk Is Our Business, Captain Michael Rasmussen welcomes Anne Louise Higgins, Global Head of Cyber Governance, Risk and Control at BNY Mellon, for a conversation about how the risk profession has evolved and who will be leading it into the future. Anne reflects on the growing role of women in risk management and cybersecurity, and how diversity of experience and perspective strengthens decision-making at every level of the enterprise. From there, the discussion broadens into how the practice of risk management itself has changed over time, from compliance-driven reporting toward more integrated, business-aligned approaches. They also explore the cultural differences in how risk is approached in the United States versus Europe, and how those perspectives shape governance, accountability, and engagement with leadership. The conversation then turns to risk technology, what currently stands out in the market, and how emerging capabilities are reshaping the way organizations understand and manage uncertainty. Michael and Anne also discuss the future of careers in risk, cyber, and GRC, particularly in an era increasingly shaped by AI and rapid technological change. The episode closes with practical insights on how professionals can future-proof their careers and build the skills, adaptability, and strategic mindset needed to stay relevant on the bridge as the risk landscape continues to evolve.
In this episode of Risk Is Our Business, Captain Michael Rasmussen connects over a slightly long-distance subspace channel (also known as a video call) with Alex Dali, President of the G31000 Risk Institute, to explore the evolution of one of the most widely recognized frameworks in modern risk management. Alex walks through the story of ISO 31000, where the standard came from, how it has evolved since its original release, and what the next phase of its development may look like as organizations confront an increasingly complex risk landscape. Along the way, they unpack the difference between bad risk management (overly procedural, disconnected from decisions, and driven by checklists and heat maps) and good risk management, which aligns with organizational objectives and supports leadership in navigating uncertainty. The conversation also turns to the current state of risk technology, including the ongoing search for tools that genuinely support the principles of ISO 31000 rather than forcing risk management into rigid compliance workflows. From there, they explore how AI may reshape the discipline, the role technology should play in enabling better decision-making, and how the Chief Risk Officer role itself may evolve as risk becomes more integrated with strategy and business operations. The discussion offers a thoughtful look at how risk management standards, technology, and leadership must evolve together if organizations are to navigate uncertainty with clarity rather than simply documenting it.
In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Geoff Trickey, founder of Psychological Consultancy and creator of the Risk Type Compass™, alongside Elliot Phillips, Principal Risk Psychologist, for a conversation that shifts the focus of risk management from systems to psychology. They begin by unpacking psychometrics—what it is, how it works, and why measuring personality traits can provide powerful insight into how individuals and teams perceive and respond to uncertainty. From there, they explore the concept of risk psychology and how risk-taking is not simply situational or financial, but deeply rooted in personality. Geoff explains the origins of the Risk Type Compass™ and walks through its eight distinct risk types and how individuals are categorized, what differentiates them, and how those differences shape decision-making and risk culture within organizations. The discussion highlights an often-overlooked dimension of diversity—diversity of risk disposition. When leaders understand the varied ways people approach uncertainty, they can build more balanced teams, improve governance conversations, and avoid collective blind spots. The episode also examines how organizations use this approach in practice, not as a personality exercise, but as a measurable way to strengthen risk management, enhance communication, and align decision-making with strategic objectives. If every enterprise is a starship navigating uncertainty, this conversation reminds us that understanding the temperament of the crew may be just as important as the strength of the shields.
In this return episode of Risk Is Our Business, Captain Michael Rasmussen welcomes back Amir Ramezanpour to unpack the thinking behind his new book, Beyond Controls: Reshaping Risk Into Intelligent Advantage. The conversation begins with a direct challenge to risk managers: too much of risk management is still focused on controls. Controls that validate compliance. Controls that document activity. Controls that comfort regulators. But in an AI-driven, high-velocity environment, are controls alone enough? Amir explains why the title Beyond Controls is intentionally provocative and why some initially resist it while agreeing with the substance. The core argument is not about removing controls, but about elevating risk into something more powerful: risk intelligence. That means turning fragmented risk data into meaningful insight that helps leaders make better decisions amid uncertainty. They explore how good risk intelligence supports business objectives, how it enables clarity rather than bureaucracy, and how organizations can move from static oversight to more adaptive, learning-oriented models. The discussion also touches on the role of AI, agentic AI, and digital twins, not as hype, but as tools that can help organizations anticipate rather than simply react. Finally, Amir shares practical advice for leaders who want to begin building this vision today—start with mindset, anchor to objectives, and design systems that support decisions, not just documentation. If traditional risk management built stronger guardrails, this episode asks how we build something smarter, an engine that helps the enterprise move forward with confidence.
In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Chyono Flynn, Head of Enterprise Risk Management at Rolls-Royce, for a candid conversation about the realities of running risk management inside one of the world’s most complex engineering organizations. They begin with what really keeps risk leaders awake at 2 a.m., which is not abstract frameworks, but execution risk, governance expectations, and whether the organization truly understands its most critical exposures. From there, the discussion moves into the UK Corporate Governance Code, with particular focus on Provision 29, and what it means in practice for boards, executives, and risk teams responsible for viability and long-term resilience. Chyono and Michael draw clear distinctions between bad risk management (compliance-driven, disconnected, and report-heavy) and good risk management that engages the business, informs decisions, and earns trust at the executive and board level. They explore how to communicate the value of risk in a way that resonates, how to build and sustain a healthy risk culture, and why partnership matters more than policing. They also discuss the role of technology as an enabler rather than a solution in itself, and how tools must support judgement, insight, and dialogue rather than replace them. This episode offers a grounded look at what enterprise risk management looks like when governance expectations are high, stakes are real, and risk must help the organization stay on course, even when the pressure is on and sleep is in short supply.
In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Fayadh Alenezi, strategic risk leadership architect and presilience advisor, for a candid discussion on where risk management stands today and where it needs to go next. They begin by unpacking the current state of practice and what works, what doesn’t, and why too much risk management still feels like process without purpose. From there, the conversation moves into risk intelligence and the importance of good information, meaningful insight, and decision-relevant signals rather than noise. Fayadh introduces the concept of presilience, shifting the focus from reacting to disruption toward building the foresight and decision capability to stay ahead of it. This naturally leads into a deeper discussion on risk leadership and what distinguishes strong risk leaders from framework managers, and why mindset, judgment, and clarity matter as much as models and data. They also explore risk culture, with particular attention to the Middle East and Saudi Arabia, where cultural context, leadership norms, and rapid transformation shape how risk is perceived and practiced. The discussion connects these themes to Vision 2030, and how it is acting as a catalyst for more mature, strategic, and leadership-driven approaches to risk management across the Kingdom. Rather than treating risk as a compliance obligation, this episode reframes it as a leadership discipline—one rooted in intelligence, culture, and the ability to act with confidence before the alarm sounds.
Recorded live at the GPRC Summit in Riyadh, this episode of Risk Is Our Business features Thamer Al Hamed, Executive General Manager of GRC and Data Management, in a timely conversation on how risk management and resilience are converging as strategic capabilities in Saudi Arabia. Michael and Thamer explore the relationship between risk and resilience, asking whether they truly belong together and how that relationship changes at national and organizational scale. The discussion then turns to the Saudi context, examining both the challenges and the opportunities shaping the evolution of GRC across the Kingdom. A central theme is Vision 2030, and the role GRC plays in enabling it. Thamer explains how Vision 2030 has become a powerful catalyst for the growth and maturity of governance, risk, and compliance practices—shifting GRC from a supporting function into a strategic enabler of transformation, accountability, and long-term value creation. They also discuss how GRC is being received across organizations, how mindsets are changing, and what it takes for risk management to move beyond formality and into real decision support. The conversation closes with Thamer reflecting on his own career journey and how he sees both his role, and the broader GRC landscape in Saudi Arabia, evolving as 2030 approaches. This episode offers a clear window into how risk, resilience, and governance are being redefined in one of the world’s fastest-moving transformation agendas.
In this return voyage of Risk Is Our Business, Captain Michael Rasmussen reconnects with Stefan Gershater for a candid, occasionally interrupted conversation from opposite ends of a video call—a fitting setup for a discussion about signal, noise, and what actually matters in modern risk management. The episode centers on the real value of risk and GRC software, and how leaders should measure it. Stefan brings a healthy skepticism to the conversation, challenging an industry that too often sells efficiency for efficiency’s sake. Over dinner in London, he recalls receiving a message from a vendor promising to save him 80% of his time. His reaction was blunt: No one cares how hard risk teams work, they care about outcomes, decisions, and results. From there, the discussion explores what risk leaders should actually evaluate in risk technology. Rather than control-heavy platforms built primarily for compliance, Stefan argues for solutions designed to support value creation, decision-making, and the achievement of objectives. They unpack what “good” looks like when it comes to risk data, data strategy, and visualization, and why many tools still struggle to present risk in ways the business can act on. As the conversation turns to how risk technology should evolve, reality intervenes. A call from Stefan’s CEO pulls him away from the bridge mid-discussion, an unscripted reminder that risk management doesn’t live in dashboards or demos, but in the real-time demands of leadership. This episode is a sharp look at why not all risk software deserves a place on the bridge, and why separating meaningful intelligence from false alerts has never mattered more.
In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Christopher Hetner, Senior Cyber Risk Advisor serving the boardroom community and former senior cybersecurity advisor to the Chair of the U.S. Securities and Exchange Commission. The conversation opens by tackling a deceptively simple question: what do we even call this space anymore? Information security, IT security, cybersecurity, cyber risk, digital risk, digital resilience — are these distinct disciplines with meaningful nuance, or different labels for the same underlying reality? Christopher and Michael unpack how language shapes expectations, accountability, and how risk is understood across the enterprise. From there, they dive into Michael’s widely discussed essay, “The CISO Is Dead: A Eulogy and a Resurrection,” exploring why the title provoked resistance while the substance resonated. The discussion reframes the modern CISO not as a narrow security operator, but as a steward of digital risk and resilience in a world where every function, product, and decision carries a digital footprint. They explore the dangers of cybersecurity leaders operating in isolation, the limits of traditional security-centric models, and why cyber risk can no longer live on its own island. The conversation then turns to the boardroom, what directors tend to understand about cyber and digital risk, where gaps remain, and how risk leaders can engage boards more effectively by shifting from technical reporting to strategic navigation. Rather than treating cyber risk as a technical problem to be delegated, this episode makes the case for digital risk and resilience as a bridge-level responsibility, one that requires shared ownership, clearer language, and leadership capable of steering the enterprise through an increasingly interconnected and uncertain risk universe.
In this episode of Risk Is Our Business, Captain Michael Rasmussen opens a subspace channel with Bradley Jewett, Chief Financial Officer at LeadVenture and a seasoned operating executive who helped shape enterprise risk management inside Microsoft and BMC Software. The discussion begins by contrasting bad risk management (periodic, siloed, and designed to check a box) with good risk management that actively informs how organizations make decisions. From there, Brad introduces the philosophy he championed at Microsoft: the Rhythm of Risk. Rather than positioning risk as a separate function, Brad describes an approach where risk management keeps pace with the enterprise itself. Strategic planning cycles, annual operating plans, mergers and acquisitions, audit planning, SEC reporting, investor communications, and product roadmaps all become natural moments for risk to surface and influence outcomes. Risk moves in time with the business, strategic and operational, top-down and bottom-up. Recorded over a live video link, the conversation also explores how this mindset was received by leadership, what it took to set expectations that risk should shape daily decisions, and why aligning risk to the organization’s cadence is far more effective than standalone frameworks or annual exercises. The episode offers a practical, experience-led perspective on what it means to keep risk on the bridge, not as a warning light, but as a steady navigational rhythm guiding the enterprise through uncertainty at warp speed.
In this episode of Risk Is Our Business, Captain Michael Rasmussen beams into a cross-continental conversation with Karsten Findeis, Head of Risk Management at Nordex Group, and Dr. Ayman Nagi, Corporate Risk Manager, for a deep look at how risk maturity evolves inside a global renewable-energy manufacturer. They discuss how Nordex has transformed its risk mindset over the past decade, shifting from a compliance-driven obligation to a strategic discipline that captures both risks and opportunities. By treating risk as the effect of uncertainty on objectives, the team explains how they’ve moved beyond the old hazard-and-harm framing to a more balanced, value-creating approach that resonates across the business. Karsten and Ayman share how Nordex built trust with the organization, how the perception of risk has shifted from burden to business partner, and why logging opportunities alongside risks reflects a more advanced, enterprise-wide understanding of uncertainty. They also dig into IDW PS 340, how its requirements have sharpened their processes, and how implementing the right technology elevated data quality, reporting, and decision-making across the fleet. They also chart where risk management at Nordex is headed in the coming years, from enhanced digital twins to deeper integration with strategic planning and operational execution. For organizations navigating uncertain markets, the Nordex journey offers a blueprint for turning risk into propulsion rather than drag.
In this latest episode of Risk Is Our Business, Captain Michael Rasmussen connects via subspace (okay… a Zoom call) with Marc Leipoldt, CEO of Global Risk Advisory Services. Marc and Michael take a candid look at the state of operational risk management in financial services today. Has it become little more than a Basel-born compliance checkbox? Or can it truly guide strategic decision-making and protect the organization when volatility strikes? Together, they outline what good operational risk management really requires, starting with deep understanding of how the bank actually works—its processes, systems, and the complex interactions between them. Marc emphasizes that KRIs must be actionable and aligned to accountability, not just dashboards for dashboards’ sake. They also grapple with the messy truth of technology in risk. GRC tools are accelerators, not saviors, and without a clear strategy, strong governance, and well-defined processes, no platform will deliver the transformation banks are hoping for. And finally, Marc looks five years ahead. What will operational risk maturity look like across global banks? How will regulatory expectations evolve? And can risk finally break free from compliance-only thinking to become the steward of organizational foresight?
In this episode of Risk Is Our Business, Captain Michael Rasmussen welcomes aboard Mark Heywood, writer, presenter, creative director, novelist, screenwriter, and former global crisis-management leader, for a conversation that travels well beyond the neutral zone of traditional risk models. Together, they explore why risk and resilience can’t be governed by left-brain logic alone, and why the future of the discipline requires imagination, narrative, and the kind of storytelling that has steered starships and boardrooms alike. Mark draws from his dual life in operational resilience and the arts to explain what happens when organizations rely solely on spreadsheets, heat maps, and linear thinking. They discuss how right-brain capabilities (creativity, empathy, narrative framing, and world-building) are essential for helping leaders actually understand risk, not just document it. From micro-simulations and tabletop exercises to gamification and immersive storytelling, Mark outlines how to design experiences that engage decision-makers emotionally as well as analytically. The episode charts a course into the future where logic and imagination operate in tandem, where resilience teams think like screenwriters, and where storytelling becomes a strategic asset for preparing organizations to face the unexpected at warp speed.
In this episode of Risk Is Our Business, Captain Michael Rasmussen welcomes aboard Reshad Alam, Vice President of Information Systems Security at Regal Rexnord, for a conversation about navigating risk at enterprise scale, and why the greatest threat is often the one you can’t see coming. Reshad describes the sheer scope of Regal Rexnord’s global footprint, and with it, the vast digital surface he’s responsible for protecting. What keeps him up at night isn’t any single threat vector, but the unknowns—the blind spots, the emerging risks, the things security leaders can’t yet quantify. From there, the discussion expands into the evolving nature of the CISO role, which Michael sees not as security’s gatekeeper, but as the enterprise’s digital risk and resiliency officer, a creator of digital trust. Together they explore why a company unwilling to take risks is a company on the path to irrelevance, and why the job of security is not to say “no,” but to help the business take the right risks for the right reasons. They discuss the art of engaging the business on security, shifting away from fear-based messaging and toward shared objectives, shared language, and shared accountability. The episode also looks ahead at where the CISO role is heading, and of course, no future-focused conversation would be complete without AI. Reshad shares whether it excites him or worries him, and why, despite the threats, he’s far more energized by the potential of AI to strengthen defenses, accelerate detection, and enhance digital trust across the enterprise. For security and risk leaders charting their own course through uncertainty, this episode is a reminder that the mission isn’t to eliminate the unknown, it’s to navigate it with confidence, clarity, and a willingness to boldly go where the future demands.
In this episode of Risk Is Our Business, Captain Michael Rasmussen welcomes Richard Chambers, Senior Advisor at AuditBoard and one of the most influential voices in internal audit and assurance, to discuss how risk, audit, and compliance have evolved in a decade defined by unprecedented velocity and volatility. Richard reflects on the shifting mindset across GRC—from static frameworks and predictable cycles to a world where risk signals move fast, interdependencies compound, and organizations must adapt with greater speed and clarity than ever before. The conversation draws a sharp distinction between good and bad audit in this environment. Bad audit is adversarial, a corporate police force focused on fault-finding and paperwork. Good audit is a value protector, a trusted partner helping management navigate uncertainty, make sound decisions, and keep the organization moving toward its objectives. If the business fears internal audit, something fundamental is broken. They then examine modern risk management, emphasizing that effective programs are grounded in realistic assessments of likelihood and materiality, not abstract heat maps or theatrical risk registers. Risk is not something to be avoided; it is something to be understood so the organization can move with intention. Compliance enters the discussion as well, particularly the cultural divide between the U.S.’s checkbox-heavy approach and Europe’s more risk-based, integrity-oriented model. Compliance, Richard argues, is ultimately about who the organization chooses to be. The episode closes by looking ahead five years—where AI, automation, and intelligence-driven assurance will shape the role of audit, risk, and compliance. The mission remains the same, but the tools and tempo of the work are changing at warp speed.
In this episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Ana Valdez Rodgers, VP of Internal Audit, and Melissa Pici, Global Director of Governance, Risk & Compliance, of Syniverse to talk about what really keeps GRC leaders up at night. They dive into how GRC isn’t about ticking boxes but about aligning governance, risk, and compliance with the organization’s purpose and strategy. Drawing on Syniverse’s experience, Ana and Melissa share how their Risk and Assurance Council helps shape culture, break silos, and make GRC part of everyday decision-making, not just a quarterly ritual. They also reflect on Syniverse’s GRC Trailblazer Award, what it took to earn it, and why lasting success starts with strategy and process before technology ever enters the room. Because GRC isn’t something you buy, it’s something you do. As the conversation turns forward-looking, they chart where Syniverse’s GRC program is headed next, envisioning a future where alignment, automation, and purpose drive risk strategy. Because as Captain Kirk once said, risk is our business, and as this episode reminds us, a business that doesn’t take risks is a business out of business.
In this episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Renee Murphy, independent analyst, storyteller, and founder of The Storyteller’s Circle, to reflect on insights emerging from a recent workshop they led together. One theme rose quickly to the surface: are risk registers keeping pace with reality, or are many organizations still flying with decade-old assumptions? They explore how today’s emerging risks, from AI misuse and deepfakes to data poisoning and automated misinformation, demand more than recycled top-10 lists and stale heat maps. If the world is shifting at warp speed, risk management must evolve its star charts too. From there, the conversation jumps to the bridge of the Enterprise (naturally). Renee and Michael unpack the risk postures of Starfleet captains and how every organization needs the right mix of boldness and restraint to navigate uncertainty without flying the ship into a spatial anomaly. They round out the episode exploring the fear and promise of AI—not as a looming replacement for the crew, but as a co-pilot that enhances perception, speeds analysis, and reveals risks before red alerts sound. Because great risk management doesn’t just brace for the unknown, it boldly goes toward it with intelligence, imagination, and the right crew at the helm.