Risk is Our Business
Author: Michael Rasmussen
© Copyright 2025 All rights reserved.
Description
Welcome to Risk Is Our Business, where we explore the principles of Governance, Risk Management, and Compliance: reliably achieving objectives, navigating uncertainty, and acting with integrity.
Here, we follow the Prime Directive of Risk Management: No decision or strategy moves forward without understanding its impact on our objectives, our resilience, and our values. Because risk isn’t the enemy, it’s the mission.
After all, risk is our business.
Join us as we go boldly into the world of GRC.
25 Episodes
In this transmission of Risk Is Our Business, Captain Michael Rasmussen connects across the comms with Ayoub Fandi, Security Assurance Automation Team Lead at GitLab and founder of the GRC Engineer Podcast and Newsletter, for a deep dive into what might be the next frontier of governance, risk, and compliance: GRC engineering.
Ayoub explains what GRC engineering is, what it does, and the value it provides, moving GRC away from after-the-fact verification and closer to the design phase, where software engineering problem-solving can be applied to solve long-standing compliance and assurance challenges. Together, they map out the core elements of GRC engineering, explore where it should be applied, and ask whether its cyber-heavy focus today limits its potential, or whether it’s destined for broader adoption across the enterprise galaxy.
The conversation also scans the role of agentic AI in this evolving discipline, from automating repetitive assurance checks to embedding risk intelligence directly into systems that power organizational strategy. Along the way, they highlight how GRC engineering can transform perception, from compliance burden to strategic enabler, much like replacing impulse drives with warp cores.
GRC engineering is a structural shift. For GRC leaders, engineers, and innovators, this is a star chart to the future of assurance and resilience.
In this stardate transmission of Risk Is Our Business, Captain Michael Rasmussen beams in Emma Price, Deloitte Partner and UK Enterprise Risk Management Lead, to chart how risk management has transformed across decades, and where it’s set to warp next.
Their voyage begins with language itself: from business continuity and disaster recovery to the all-encompassing term “resilience.” Emma explains why substituting “risk” with “resilience” often earns more traction in boardrooms and beyond, and how resilience can unify disciplines too often stranded in siloes. From there, they confront the bad and ugly of risk programs, such as isolated operations, failure to account for interconnectivity, and compliance exercises masquerading as strategy.
The discussion moves through third-party risk, the growing role of external intelligence on geopolitical, economic, and regulatory turbulence, and the big drivers shaping risk programs in the UK today. Emma and Michael scan the horizon of ERM’s future, from strategy and technology to the value of managed services, and debate how risk leaders can avoid drifting into orbit around checklists and instead plot resilient, forward-facing courses.
For risk officers, boards, and strategists, this episode is a navigational chart across the risk nebula, and a reminder that the enterprise mission demands not paperwork, but perspective, integration, and resilience at warp speed.
In this star-mapping episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Tony Martin-Vegue, risk consultant, advisor, and author of the upcoming book Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. With 25 years navigating the galaxy of cyber risk, Tony has guided enterprises from the gravitational pull of checklists and color-coded charts into the warp lanes of defensible, quantitative analysis.
Their journey begins with the dark matter of bad risk management: programs designed to placate auditors, check boxes, or reassure customers without truly informing decisions. From there, they plot a course toward what good risk management looks like—proactive, integrated, and tied directly to organizational objectives. Tony traces the lineage of risk management back to the late 1600s, when probability theory first emerged, showing how centuries of thinking have led us to today’s crossroads.
The conversation dives into heatmaps, when they can still provide navigational value, and when they collapse under the weight of oversimplification. From there, they move to the promise of histograms, simulations, and CRQ models that help businesses not only understand thresholds and acceptable levels of risk, but also chart their path with clarity and confidence.
For CISOs, CROs, and risk leaders, this episode is both history lesson and star chart, a reminder that risk management isn’t about artifacts to prove you exist, but about enabling the mission. If your current program is orbiting in circles, this is the transmission that will help you break free, align your coordinates, and accelerate to warp speed.
In this mission-critical episode of Risk Is Our Business, host Michael Rasmussen opens the comms with Hardik Mehta, Global Head of Risk and Regulatory Compliance at JPMorgan Chase. With two decades of experience across Uber, Microsoft, and global advisory firms, Hardik has charted risk programs that span continents, cloud migrations, and regulatory galaxies.
Their conversation starts with what keeps him up at night: the turbulence of geopolitical risk, ever-changing regulations, data security challenges, and the inertia of legacy platforms slowing cloud adoption. From there, they examine what bad risk management looks like (siloed programs cut off from strategy) versus what good risk management should deliver (i.e., integrated, technology-enabled frameworks that guide the enterprise toward its objectives).
Resilience comes to the forefront as Hardik explains how he weaves it into risk strategy, not as an afterthought but as a forward-facing capability. He emphasizes the need for both left-brain precision in quantification and right-brain imagination in creative foresight, a duality essential for navigating uncertainty. The discussion explores the technologies enabling better risk programs today, the role of risk intelligence in scanning horizons, and how AI is reshaping the future of risk management.
For boards, CROs, and risk leaders, this episode is a navigational chart for transforming risk into resilience, and for steering your enterprise at warp speed toward intelligent, mission-aligned futures.
In this galaxy-spanning episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Todd Fitzgerald, former Fortune 500 CISO, cybersecurity hall-of-famer, and #1 best-selling author of CISO Compass. With over 25 years navigating the outer reaches of information security, Todd has seen the CISO role evolve from the days of dial-up to today’s warp-speed threat environment.
Their mission is to chart the vast and sometimes confusing constellation of terminology in our sector, from information security, to cybersecurity, to digital risk, cyber risk, and beyond, and explore why these distinctions matter when steering an enterprise through uncertainty. They trace the history of the CISO from its 1990s origins to its current form as a strategic officer on the bridge, responsible not just for defense but for enabling the business to boldly go toward its objectives.
From cyber risk quantification done right (and how to make it more than a numbers game) to managing the digital supply chain and interconnected risk, Todd offers a star map of practical strategies. He tackles the long-standing perception of security as the “department of no” and reframes it as a mission-critical enabler, helping organizations comprehend what’s an acceptable risk and navigate toward opportunity without drifting into a black hole.
For any security leader, risk officer, or governance professional, this episode is a tricorder reading of where we’ve been, where we’re headed, and how to ensure your cybersecurity program is aligned with the Prime Directive: enabling the mission.
In this transmission of Risk Is Our Business, host Michael Rasmussen connects over comms with Tim Leech, pioneer of Objective Centric Risk and Uncertainty Management (#OCRUM), longtime board advisor, and someone who’s spent decades trying to rescue enterprise risk from the black hole of checkbox compliance.
Recorded over a long-distance call (no transporters this time), this episode dives straight into the uncomfortable truth of modern ERM often being more about optics than outcomes. Tim and Michael dismantle the illusion of risk registers and heat maps, exposing how many programs are built to pacify boards and regulators rather than support real decision-making.
But Tim doesn’t stop at critique. He offers a new model, one where risk starts with the people who actually run the business, where strategy sets the coordinates, and where the board isn’t kept in the dark behind colored charts but engaged with objective-driven insight.
Together, they explore how to overcome resistance across the enterprise, align the crew, and finally bring risk back to the bridge—not as an afterthought, but as a core navigational system.
If your program is still flying blind on outdated frameworks, it’s time to recalibrate.
In this starlog entry of Risk Is Our Business, recorded live at the Risk-In Conference in Zurich, Captain Michael Rasmussen sits down with Pascal Busch, Global Head of ERM & BCM at Acino and creator of VirtueSpark, for a deep-space transmission on the future of enterprise risk.
What keeps a seasoned risk commander up at night? Pascal opens up about the unknown anomalies in the system, such as inefficiencies, blind spots, and missed signals that still plague too many GRC programs. But he’s not just scanning for threats, he’s building the future. From digital twins to decision intelligence, Pascal charts a course toward a risk program that’s faster, smarter, and fully integrated into the mission of value creation.
Together, they explore where his tech journey is today, where he wants it to be in two years, and how risk professionals can move from compliance copilots to strategic navigators, guiding organizations through the turbulence of uncertainty with precision and purpose.
If your risk program feels stuck in the past, it’s time to reroute power to the engines. Because as Pascal makes clear, the future of GRC isn’t about avoiding risk, it’s about managing it at warp speed.
In this episode of Risk Is Our Business, Michael Rasmussen welcomes Stefan Gershater, Head of Risk and Governance at the Co-op, for a bold and unflinching conversation that challenges the very foundations of modern risk management.
Broadcasting from the front lines of strategic uncertainty, Stefan shares insights from his forthcoming book, a deep critique of the risk orthodoxy shaped by accounting firms, software vendors, and low expectations. He argues that what passes for risk management in many boardrooms is little more than a comforting illusion—one that fails to serve strategy, enable decisions, or engage with the complexity of the real world.
Together, they explore the good, the bad, and the ugly of today’s risk practices, from the myth of “risk appetite” to the misuse of assurance resources and the danger of chasing frameworks over outcomes. But this isn’t just a teardown, it’s a mission briefing. Stefan lays out how risk can be reimagined as a cognitive, analytical, and strategic asset that improves decision velocity and organizational intelligence.
For risk professionals ready to break orbit and leave behind the gravitational pull of mediocrity, this episode is both roadmap and rallying cry.
Recorded live at Corporate Risk Minds 2025 in Berlin, this episode of Risk Is Our Business features a conversation with Florian Worm—risk technologist, modeling expert, and one of the sharpest minds charting the next frontier in enterprise risk.
Florian joins Michael Rasmussen on the bridge to explore the processes and paradigms reshaping risk management in a world where volatility is no longer an anomaly, it’s the environment. Together, they examine the limitations of legacy frameworks, the regulatory gravity of IDW PS 340, and why good risk quantification requires more than Monte Carlo curves and dashboards. In a galaxy of noise, it’s about decision-useful insight, grounded in rigor and relevance.
At the heart of the episode is a deep dive into digital twins, not as sci-fi theory, but as a real-world capability to simulate risk environments, explore alternate futures, and make better decisions in real time. Whether you're scanning for weak signals, stress-testing for resilience, or mapping out mission-critical paths, digital twins are fast becoming the warp core of forward-looking risk.
For those ready to chart a new course, this episode offers a shift from static risk logs to living systems, where uncertainty is mapped, modeled, and understood.
In this episode of Risk Is Our Business, Michael Rasmussen charts a course with Klaus Jaeck and Daniel Cassel of Horváth to explore the next frontier in enterprise risk management, where resilience is just the baseline, and business confidence is the true objective.
Recorded at Corporate Risk Minds 2025 in Berlin, Klaus and Daniel offer a sharp perspective on how risk management is evolving across the region, moving beyond regulatory routines and static controls into dynamic systems that align risk with strategy, trust, and decision-making agility. They unpack why trust and resilience, while critical, aren’t enough on their own, and why organizations need something more to thrive in the vast unknowns of modern business.
They also take us deep into the heart of GRC transformation in Germany—what’s working, what’s lagging, and how digitalization, ESG, and a growing risk consciousness are reshaping expectations. The conversation explores how risk leaders can act less like tactical responders and more like bridge officers, guiding the ship, not just guarding the hull.
And yes, they have fun along the way. As Klaus and Daniel say, “no risk, no fun”, but with the right GRC model, it’s a mission worth taking.
In this episode of Risk Is Our Business, Michael Rasmussen beams into EY Germany to speak with Patrick Risch and Benjamin Lüders, two senior officers on the frontier of governance, risk, and compliance transformation. Together, they explore how to navigate the multidimensional challenges of orchestrating GRC across systems, silos, and starships, otherwise known as modern enterprises.
Their mission is to create a unified command structure where GRC isn't just a regulatory afterthought, but an enterprise-wide operating model aligned with strategy, resilience, and purpose. From aligning core processes to enabling agility with cutting-edge technology, Patrick and Benjamin map out how successful organizations are shifting from fragmented control systems to integrated, mission-ready frameworks.
They also introduce the concept of digital twins, not as a sci-fi abstraction, but as real-time simulations of organizational ecosystems that help leaders monitor, adapt, and course-correct with greater precision. It’s a new model of GRC that reflects the living, breathing dynamics of business.
Finally, they reflect on the unique risks and opportunities facing German companies as they transition from traditional governance models to more dynamic, tech-enabled approaches. It's a sector where regulations are strict, expectations high, and the path to transformation requires both cultural alignment and technological firepower.
If your enterprise is preparing for deep space exploration, or simply the next compliance cycle, this episode offers a navigational chart for GRC leaders ready to break free of orbit.
In this episode of Risk Is Our Business, Michael Rasmussen beams up Graeme Keith, mathematician, strategist, and CEO of Stochastic ApS, for a charged discussion on the fundamental divide between Risk Management 1 and Risk Management 2. Spoiler alert: most organizations are stuck in RM1, clinging to risk registers, risk appetite statements, and heatmaps that do little more than appease auditors. But as Graeme explains, like the Kobayashi Maru, those are unwinnable exercises that distract from supporting decisions with logic, evidence, and quantitative clarity.
Together, they dissect the common symptoms of bad risk management: using the wrong method in the wrong context, misunderstanding what “quantification” really means, and misapplying Monte Carlo simulations in a sea of poorly designed software tools. Graeme expands on his recent GRC Report article The Misery of Risk Matrices, pushing back on the false sense of security these subjective tools create. He argues that the real R in GRC should stand for risk-informed decision-making, not retroactive compliance filler.
The episode also unpacks why the growing push toward quantification often defaults to Monte Carlo analysis. Graeme offers a breakdown of where Monte Carlo simulations shine, where they fail, and what risk leaders should be asking when evaluating quantification tools and methodologies.
At warp core, this conversation is about upgrading risk from visual comfort to strategic relevance, from vague heatmaps to models that support action under uncertainty. If you’re ready to move beyond the checkbox galaxy and into the decision-making nebula, The Wrath of Math is required listening.
In this episode of Risk Is Our Business, Michael Rasmussen beams aboard Kristina Wiese Tranberg, ESG compliance leader, AI ambassador, and creator of the GRC board game GRC Master, for a lively discussion on making governance, risk, and compliance not only effective, but engaging.
With more than two decades of experience steering internal control transformations and operationalizing ESG strategy, Kristina brings a rare blend of strategic rigor and creative energy to the command deck. Together, they explore the human side of GRC, why success isn’t just about tools or frameworks, but about building cultures that do GRC, not just buy it.
Kristina shares how she developed GRC Master to make training more accessible, memorable, and yes, fun. From cross-functional collaboration to AI integration, she explains how gamification can build real fluency in GRC while strengthening control environments across the enterprise.
As they chart the path toward adaptive, people-centered operating models, it becomes clear that in the future of GRC, the technology may power the ship, but it’s the crew that makes the mission possible.
In this episode of Risk Is Our Business, host Michael Rasmussen sets course with Norman Marks, renowned author, former chief audit executive, and one of the most respected minds in the risk and audit universe, for a conversation that ventures well beyond compliance into the stars of strategy and purpose.
Drawing from his acclaimed books Auditing That Matters and World-Class Risk Management, Norman argues that risk management isn’t about playing it safe, it’s about enabling intelligent, informed decisions that propel the enterprise forward. Quoting Thomas Aquinas, Michael reminds us, “If the highest aim of a captain were to preserve his ship, he would keep it in port forever.” But in a world of shifting risks and high-stakes missions, the goal isn’t to anchor—it’s to voyage.
Together, Rasmussen and Marks explore why every objective has its own risk appetite, how to distinguish world-class internal audit from box-checking mediocrity, and what it means to embed risk into the helm of strategic decision-making.
If you’re ready to audit at warp speed and leave the port behind, this episode is your star map.
In this episode of Risk Is Our Business, Michael Rasmussen is joined by Jennifer Geary, seasoned CRO, COO, and bestselling author, for a conversation that explores risk not as a bureaucratic burden, but as a navigational system for achieving mission success.
With decades of hands-on experience across fintech, banking, NGOs, and tech, Jennifer brings both operational grit and boardroom perspective to the discussion. Together, they examine why risk management must start with organizational objectives, not with fear or compliance, and how that mindset shift unlocks true strategic value.
They also dive into the UK Corporate Governance Code and the growing influence of Provision 29. With London Stock Exchange-listed companies operating far beyond the UK, Jennifer and Michael explore how expectations for internal control and risk reporting are now rippling across countries, reshaping how boards think about assurance and oversight.
The episode also ventures into international waters, unpacking key differences in how the US and Europe approach regulation and risk culture. From fragmented American frameworks to more principles-based European regimes, the contrasts reveal both challenges and opportunities for global risk leaders.
Finally, no modern episode would be complete without AI on the radar. Jennifer shares her perspective on the emerging risks AI presents, and how risk professionals can harness AI themselves to strengthen controls, forecast threats, and evolve alongside the technology that’s redefining the enterprise.
For anyone looking to move risk from checkbox to compass, and chart a course through complexity with clarity, this episode delivers.
In this episode of Risk Is Our Business, we chart a course through the unknown with Andrew Olsen, Director of Risk Management at Stewart Title and an expert in integrated risk and third-party oversight. Andrew joins host Michael Rasmussen to explore the next frontiers of risk management, from today’s operational challenges to the emerging threats just over the horizon.
What keeps a modern risk leader up at night? For Andrew, it’s not just cyber threats or regulatory pressure, it’s the uncharted impact of artificial intelligence, the growing complexity of third-party ecosystems, and the need to evolve risk technology before it falls behind the threats it’s meant to monitor.
In this candid conversation, Andrew unpacks the real-world hurdles of vendor risk management, shares how he's currently leveraging technology to stay ahead, and lays out his vision for the future of risk tools — systems that are not just dashboards and data, but active copilots in decision-making. He also reflects on how risk teams can escape the back-office echo chamber and deliver visible, strategic value to the enterprise.
From warp-speed change to boardroom translation, this episode is a reminder that risk management isn’t about slowing down, it’s about navigating smarter.
In this episode of Risk Is Our Business, Michael Rasmussen sits down with Elena Pykohva, award-winning risk expert, international educator, and author of 'Operational Risk Management in Financial Services: A Practical Guide to Establishing Effective Solutions'. Together, they explore what it takes to move operational risk beyond checklists and siloes, and toward something far more powerful: a fully engaged, enterprise-wide force for good.
With deep experience across financial services, from G-SIFIs to fintechs, Elena brings both strategic insight and hard-earned lessons from the field. She shares why operational risk must be reimagined, not as a compliance exercise, but as a people-powered, forward-looking discipline that drives real impact. Together, they discuss what distinguishes effective operational risk from empty frameworks, how to dismantle siloes that isolate risk professionals, and why conversation, culture, and connection are essential to delivering outcomes that matter.
If you’re ready to leave behind fragmented models and engage risk as a dynamic, interactive driver of strategy, culture, and resilience, this episode is your star map.
In this episode of Risk Is Our Business, we embark on a journey with two forward-thinking leaders from Deloitte, Daniel Jørgensen and Rasmus Krighaar, who are reshaping the landscape of risk management and compliance. With deep expertise in AI, machine learning, advanced analytics, and GRC, they discuss the evolution of governance, risk, and compliance (GRC)—not just from a technological standpoint, but from a mentality perspective.
The conversation dives into Denmark’s unique compliance culture, where the cherished tradition of following rules has shaped its approach to risk management. Daniel and Rasmus explore how this cultural commitment to compliance has positioned Denmark as a leader in various fields, from regulation to governance.
Later, the discussion shifts to Denmark’s leadership in ESG, where Daniel and Rasmus highlight how the country’s commitment to sustainability is setting a global standard.
The episode also covers how AI is transforming GRC, enabling smarter, faster decisions, and how Deloitte is embracing the rise of digital twins to drive the next wave of innovation in GRC.
Join us on this cosmic journey as Daniel and Rasmus navigate the complex intersection of culture, technology, and governance—boldly going where few have gone before.
In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Franck Baron—President of IFRIMA and Group General Manager for Risk Management & Insurance at International SOS—for a deep-space dive into the evolving world of enterprise risk. With a career spanning Mars to Danone, AXA to Firmenich, and leadership roles across Europe and Asia-Pacific, Franck offers a global perspective few can match.
They explore how the risk profession has changed over the years, and why those changes matter. From the growing confusion between risk and compliance to the cultural divides between U.S., European, and Asia-Pacific approaches, Franck unpacks the nuance behind the titles and frameworks. He makes the case for keeping risk and compliance distinct, even in a world where compliance risks are rising fast.
Most importantly, they ask the question: what does good risk management really look like inside an organization? Franck shares what works, what doesn’t, and how risk leaders can earn influence not by shouting the loudest, but by enabling better decisions, stronger resilience, and clearer strategy.
If you’ve ever felt like your risk program was stuck in orbit, this conversation might just give you the coordinates to chart a new course.
In this episode of Risk Is Our Business, Captain Michael Rasmussen welcomes aboard Laura Fox, Risk Director at AstroPay, for a high-warp journey through the risk galaxy. Laura reflects on her experience as a woman navigating a still male-dominated corner of the business universe, and why diverse leadership isn’t just a nice-to-have—it reshapes how teams approach uncertainty, challenge groupthink, and make smarter decisions.
She also tackles the great divide between best practice and boots-on-the-ground reality. From under-resourced teams to overengineered frameworks, Laura shares where theory often falls short—and how to bridge that gap without losing sight of what actually works.
From building risk frameworks from scratch to spotting the strategic opportunities others miss, Laura shows us what it takes to bring risk out of the engine room and into the command deck—where it belongs.
Tune in as they boldly go beyond the compliance checkbox and into the vibrant unknown of proactive, people-first risk leadership.