Risk is Our Business

In this episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Richard Anderson, Chair, Non-Executive Director, and host of The Risk Appetite Podcast, to explore what separates bad risk management from good, and why so many organizations still get it wrong. Together they chart the difference between process-driven compliance and purpose-driven risk. Bad risk management, they argue, is obsessed with heat maps, registers, and rituals; good risk management understands context, links to objectives, and drives intelligent decision-making. The discussion turns to the UK landscape, where Richard and Michael assess whether organizations are truly getting risk management right. The answer, as ever, depends, on sector, circumstance, and above all, personality. From there, the conversation warps into the heart of governance i.e., risk appetite—not as a box-ticking exercise, but as a compass defined by context and aligned with objectives. They close by examining risk culture and communication, emphasizing how scenario planning and storytelling can help leaders make sense of uncertainty. For anyone trying to bridge the gap between compliance and comprehension, this episode is a navigational chart for risk done right, because every enterprise, at warp or impulse, needs to know just how much uncertainty it can handle.

In this episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Renee Murphy, independent industry analyst, storyteller, and one of the most recognizable voices in GRC, to tackle one of the most misunderstood dimensions of risk: reputation. Renee explains why reputational risk remains so elusive for many organizations, and why ERM frameworks often have metrics for finance and operations but almost none for reputation, customer experience, or employee experience. Together, they dissect recent examples of brand turbulence (from Cracker Barrel to Anheuser-Busch to Target) and explore why reputational fallout can and should be quantified.  The conversation ventures into ESG and stewardship, showing how environmental and social commitments carry enormous reputational weight and why they can’t be managed in isolation. Renee emphasizes the need for risk leaders to engage with every department, especially sales and marketing, since some of the biggest reputational crises are born from campaigns gone wrong. For boards, CROs, and GRC professionals, this episode reframes reputational risk not as an abstract concept but as a measurable, manageable force that determines whether your organization is trusted or left adrift in the void.

In this episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Amir Ramezanpour, Vice President of Global Risk Technology and Intelligence, and Global Risk Transformation Office at Manulife, to explore how risk must be defined, framed, and operationalized in a world of constant unpredictability. Michael and Amir both lean on ISO 31000’s central principle, risk as the effect of uncertainty on objectives, to emphasize why context and clarity of objectives are mission-critical. From there, the conversation dives into risk intelligence, and how organizations can plan for the unplannable by building frameworks and operations designed to thrive in turbulence. They explore engagement with the first line of defense, asking whether risk is still seen as a bureaucratic pain or whether it can become a trusted partner in helping leaders make better business decisions. Amir shares his vision for how agentic AI and digital twins will power the future of risk management, automating the routine, enabling what-if scenario planning, and equipping leaders to simulate futures before charting their course. Rather than striving to eliminate uncertainty, Amir reminds us that the real mission is to navigate it. By grounding risk in objectives, engaging the first line as active copilots, and harnessing new tools like risk intelligence and AI-driven simulations, leaders can transform unpredictability into strategic advantage. For those ready to lead at warp, the path forward is to embrace uncertainty with purpose, clarity, and resilience.

In this warp-speed episode of Risk Is Our Business, Captain Michael Rasmussen connects across the comms with Akira Muranaka, GRC/IRM/ESG Technology Manager and global risk assurance veteran, to explore how enterprises can reimagine GRC as a driver of objectives rather than a compliance checkbox. Akira explains why the future of risk management depends on moving away from ritualistic controls and toward a risk-based approach that enables the business to take the right risks with confidence. Together, they navigate the question every enterprise faces: should GRC run on a single monolithic platform, or is the future an architecture of integrated technologies stitched together to match organizational needs? The discussion dives into what Akira looks for in GRC tools, the core capabilities that matter most for scalability, resilience, and trust. From there, they scan the horizon: what GRC technology and the risk programs they support will look like in the next five years, as AI, automation, and architecture reshape how enterprises govern uncertainty. For GRC leaders, technologists, and boards alike, this episode is a star chart to the next era of digital trust, one where GRC isn’t trapped in compliance nebulas but powered by risk engines designed to accelerate the enterprise mission.

In this bridge-level episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Tayler Kuhn, Director of Internal Audit, IT, and Jeanne Cline, Chief Audit Executive at StoneX Group Inc., to explore the evolving role of internal audit in the GRC galaxy. Their discussion begins with how internal audit has changed over the years, from back-office compliance to a strategic function collaborating across governance, risk, and compliance. They highlight the mission-critical truth that a business not taking risks is a business out of business, and that internal audit’s role is to help the enterprise understand, navigate, and take the right risks. The conversation explores how technology is reshaping both GRC broadly and internal audit specifically at StoneX, including how AI is already influencing assurance work and where it’s headed. Tayler and Jeanne share their vision of the next 2–3 years, where the internal audit profession is more automated and data-driven, spending less time on testing and manual work and more time analyzing risks, understanding interconnectivity, and supporting strategic decisions. They also confront the identity of the profession itself, whether to call it internal audit or assurance, and how that language shift reflects a broader transformation in purpose. At warp speed, this episode charts a course for internal auditors and GRC leaders alike to move beyond testing artifacts, toward enabling resilience, strategy, and performance

In this transmission of Risk Is Our Business, Captain Michael Rasmussen connects across the comms with Ayoub Fandi, Security Assurance Automation Team Lead at GitLab and founder of the GRC Engineer Podcast and Newsletter, for a deep dive into what might be the next frontier of governance, risk, and compliance: GRC engineering. Ayoub explains what GRC engineering is, what it does, and the value it provides, moving GRC away from after-the-fact verification and closer to the design phase, where software engineering problem-solving can be applied to solve long-standing compliance and assurance challenges. Together, they map out the core elements of GRC engineering, explore where it should be applied, and ask whether its cyber-heavy focus today limits its potential, or whether it’s destined for broader adoption across the enterprise galaxy. The conversation also scans the role of agentic AI in this evolving discipline, from automating repetitive assurance checks to embedding risk intelligence directly into systems that power organizational strategy. Along the way, they highlight how GRC engineering can transform perception, from compliance burden to strategic enabler, much like replacing impulse drives with warp cores. GRC engineering is a structural shift. For GRC leaders, engineers, and innovators, this is a star chart to the future of assurance and resilience.

In this stardate transmission of Risk Is Our Business, Captain Michael Rasmussen beams in Emma Price, Deloitte Partner and UK Enterprise Risk Management Lead, to chart how risk management has transformed across decades, and where it’s set to warp next. Their voyage begins with language itself: from business continuity and disaster recovery to the all-encompassing term “resilience.” Emma explains why substituting “risk” with “resilience” often earns more traction in boardrooms and beyond, and how resilience can unify disciplines too often stranded in siloes. From there, they confront the bad and ugly of risk programs, such as isolated operations, failure to account for interconnectivity, and compliance exercises masquerading as strategy. The discussion moves through third-party risk, the growing role of external intelligence on geopolitical, economic, and regulatory turbulence, and the big drivers shaping risk programs in the UK today. Emma and Michael scan the horizon of ERM’s future, from strategy and technology to the value of managed services, and debate how risk leaders can avoid drifting into orbit around checklists and instead plot resilient, forward-facing courses. For risk officers, boards, and strategists, this episode is a navigational chart across the risk nebula, and a reminder that the enterprise mission demands not paperwork, but perspective, integration, and resilience at warp speed.

In this star-mapping episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Tony Martin-Vegue, risk consultant, advisor, and author of the upcoming book Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. With 25 years navigating the galaxy of cyber risk, Tony has guided enterprises from the gravitational pull of checklists and color-coded charts into the warp lanes of defensible, quantitative analysis. Their journey begins with the dark matter of bad risk management: programs designed to placate auditors, check boxes, or reassure customers without truly informing decisions. From there, they plot a course toward what good risk management looks like—proactive, integrated, and tied directly to organizational objectives. Tony traces the lineage of risk management back to the late 1600s, when probability theory first emerged, showing how centuries of thinking have led us to today’s crossroads. The conversation dives into heatmaps, when they can still provide navigational value, and when they collapse under the weight of oversimplification. From there, they move to the promise of histograms, simulations, and CRQ models that help businesses not only understand thresholds and acceptable levels of risk, but also chart their path with clarity and confidence. For CISOs, CROs, and risk leaders, this episode is both history lesson and star chart, a reminder that risk management isn’t about artifacts to prove you exist, but about enabling the mission. If your current program is orbiting in circles, this is the transmission that will help you break free, align your coordinates, and accelerate to warp speed.

In this mission-critical episode of Risk Is Our Business, host Michael Rasmussen opens the comms with Hardik Mehta, Global Head of Risk and Regulatory Compliance at JPMorgan Chase. With two decades of experience across Uber, Microsoft, and global advisory firms, Hardik has charted risk programs that span continents, cloud migrations, and regulatory galaxies. Their conversation starts with what keeps him up at night: the turbulence of geopolitical risk, ever-changing regulations, data security challenges, and the inertia of legacy platforms slowing cloud adoption. From there, they examine what bad risk management looks like (siloed programs cut off from strategy) versus what good risk management should deliver (i.e., integrated, technology-enabled frameworks that guide the enterprise toward its objectives). Resilience comes to the forefront as Hardik explains how he weaves it into risk strategy, not as an afterthought but as a forward-facing capability. He emphasizes the need for both left-brain precision in quantification and right-brain imagination in creative foresight, a duality essential for navigating uncertainty. The discussion explores the technologies enabling better risk programs today, the role of risk intelligence in scanning horizons, and how AI is reshaping the future of risk management. For boards, CROs, and risk leaders, this episode is a navigational chart for transforming risk into resilience, and for steering your enterprise at warp speed toward intelligent, mission-aligned futures.

In this galaxy-spanning episode of Risk Is Our Business, Captain Michael Rasmussen beams aboard Todd Fitzgerald, former Fortune 500 CISO, cybersecurity hall-of-famer, and #1 best-selling author of CISO Compass. With over 25 years navigating the outer reaches of information security, Todd has seen the CISO role evolve from the days of dial-up to today’s warp-speed threat environment. Their mission is to chart the vast and sometimes confusing constellation of terminology in our sector, from information security, to cybersecurity, to digital risk, cyber risk, and beyond, and explore why these distinctions matter when steering an enterprise through uncertainty. They trace the history of the CISO from its 1990s origins to its current form as a strategic officer on the bridge, responsible not just for defense but for enabling the business to boldly go toward its objectives. From cyber risk quantification done right (and how to make it more than a numbers game) to managing the digital supply chain and interconnected risk, Todd offers a star map of practical strategies. He tackles the long-standing perception of security as the “department of no” and reframes it as a mission-critical enabler, helping organizations comprehend what’s an acceptable risk and navigate toward opportunity without drifting into a black hole. For any security leader, risk officer, or governance professional, this episode is a tricorder reading of where we’ve been, where we’re headed, and how to ensure your cybersecurity program is aligned with the Prime Directive: enabling the mission.

In this transmission of Risk Is Our Business, host Michael Rasmussen connects over comms with Tim Leech, pioneer of Objective Centric Risk and Uncertainty Management (#OCRUM), longtime board advisor, and someone who’s spent decades trying to rescue enterprise risk from the black hole of checkbox compliance. Recorded over a long-distance call (no transporters this time), this episode dives straight into the uncomfortable truth of modern ERM often being more about optics than outcomes. Tim and Michael dismantle the illusion of risk registers and heat maps, exposing how many programs are built to pacify boards and regulators rather than support real decision-making. But Tim doesn’t stop at critique. He offers a new model, one where risk starts with the people who actually run the business, where strategy sets the coordinates, and where the board isn’t kept in the dark behind colored charts but engaged with objective-driven insight. Together, they explore how to overcome resistance across the enterprise, align the crew, and finally bring risk back to the bridge—not as an afterthought, but as a core navigational system. If your program is still flying blind on outdated frameworks, it’s time to recalibrate.

In this starlog entry of Risk Is Our Business, recorded live at the Risk-In Conference in Zurich, Captain Michael Rasmussen sits down with Pascal Busch, Global Head of ERM & BCM at Acino and creator of VirtueSpark, for a deep-space transmission on the future of enterprise risk. What keeps a seasoned risk commander up at night? Pascal opens up about the unknown anomalies in the system, such as inefficiencies, blind spots, and missed signals that still plague too many GRC programs. But he’s not just scanning for threats, he’s building the future. From digital twins to decision intelligence, Pascal charts a course toward a risk program that’s faster, smarter, and fully integrated into the mission of value creation. Together, they explore where his tech journey is today, where he wants it to be in two years, and how risk professionals can move from compliance copilots to strategic navigators, guiding organizations through the turbulence of uncertainty with precision and purpose. If your risk program feels stuck in the past, it’s time to reroute power to the engines. Because as Pascal makes clear, the future of GRC isn’t about avoiding risk, it’s about managing it at warp speed.

In this episode of Risk Is Our Business, Michael Rasmussen welcomes Stefan Gershater, Head of Risk and Governance at the Co-op, for a bold and unflinching conversation that challenges the very foundations of modern risk management. Broadcasting from the front lines of strategic uncertainty, Stefan shares insights from his forthcoming book, a deep critique of the risk orthodoxy shaped by accounting firms, software vendors, and low expectations. He argues that what passes for risk management in many boardrooms is little more than a comforting illusion—one that fails to serve strategy, enable decisions, or engage with the complexity of the real world. Together, they explore the good, the bad, and the ugly of today’s risk practices, from the myth of “risk appetite” to the misuse of assurance resources and the danger of chasing frameworks over outcomes. But this isn’t just a teardown, it’s a mission briefing. Stefan lays out how risk can be reimagined as a cognitive, analytical, and strategic asset that improves decision velocity and organizational intelligence. For risk professionals ready to break orbit and leave behind the gravitational pull of mediocrity, this episode is both roadmap and rallying cry.

Recorded live at Corporate Risk Minds 2025 in Berlin, this episode of Risk Is Our Business features a conversation with Florian Worm—risk technologist, modeling expert, and one of the sharpest minds charting the next frontier in enterprise risk. Florian joins Michael Rasmussen on the bridge to explore the processes and paradigms reshaping risk management in a world where volatility is no longer an anomaly, it’s the environment. Together, they examine the limitations of legacy frameworks, the regulatory gravity of IDW PS 340, and why good risk quantification requires more than Monte Carlo curves and dashboards. In a galaxy of noise, it’s about decision-useful insight, grounded in rigor and relevance. At the heart of the episode is a deep dive into digital twins, not as sci-fi theory, but as a real-world capability to simulate risk environments, explore alternate futures, and make better decisions in real time. Whether you're scanning for weak signals, stress-testing for resilience, or mapping out mission-critical paths, digital twins are fast becoming the warp core of forward-looking risk. For those ready to chart a new course, this episode offers a shift from static risk logs to living systems, where uncertainty is mapped, modeled, and understood.  

In this episode of Risk Is Our Business, Michael Rasmussen charts a course with Klaus Jaeck and Daniel Cassel of Horváth to explore the next frontier in enterprise risk management, where resilience is just the baseline, and business confidence is the true objective. Recorded at Corporate Risk Minds 2025 in Berlin, Klaus and Daniel offer a sharp perspective on how risk management is evolving across the region, moving beyond regulatory routines and static controls into dynamic systems that align risk with strategy, trust, and decision-making agility. They unpack why trust and resilience, while critical, aren’t enough on their own, and why organizations need something more to thrive in the vast unknowns of modern business. They also take us deep into the heart of GRC transformation in Germany—what’s working, what’s lagging, and how digitalization, ESG, and a growing risk consciousness are reshaping expectations. The conversation explores how risk leaders can act less like tactical responders and more like bridge officers, guiding the ship, not just guarding the hull. And yes, they have fun along the way. As Klaus and Daniel say, “no risk, no fun”, but with the right GRC model, it’s a mission worth taking.

In this episode of Risk Is Our Business, Michael Rasmussen beams into EY Germany to speak with Patrick Risch and Benjamin Lüders, two senior officers on the frontier of governance, risk, and compliance transformation. Together, they explore how to navigate the multidimensional challenges of orchestrating GRC across systems, silos, and starships, otherwise known as modern enterprises. Their mission is to create a unified command structure where GRC isn't just a regulatory afterthought, but an enterprise-wide operating model aligned with strategy, resilience, and purpose. From aligning core processes to enabling agility with cutting-edge technology, Patrick and Benjamin map out how successful organizations are shifting from fragmented control systems to integrated, mission-ready frameworks. They also introduce the concept of digital twins, not as a sci-fi abstraction, but as real-time simulations of organizational ecosystems that help leaders monitor, adapt, and course-correct with greater precision. It’s a new model of GRC that reflects the living, breathing dynamics of business. Finally, they reflect on the unique risks and opportunities facing German companies as they transition from traditional governance models to more dynamic, tech-enabled approaches. It's a sector where regulations are strict, expectations high, and the path to transformation requires both cultural alignment and technological firepower. If your enterprise is preparing for deep space exploration, or simply the next compliance cycle, this episode offers a navigational chart for GRC leaders ready to break free of orbit.

In this episode of Risk Is Our Business, Michael Rasmussen beams up Graeme Keith, mathematician, strategist, and CEO of Stochastic ApS, for a charged discussion on the fundamental divide between Risk Management 1 and Risk Management 2. Spoiler alert: most organizations are stuck in RM1, clinging to risk registers, risk appetite statements, and heatmaps that do little more than appease auditors. But as Graeme explains, like the Kobayashi Maru, those are unwinnable exercises that distract from supporting decisions with logic, evidence, and quantitative clarity. Together, they dissect the common symptoms of bad risk management: using the wrong method in the wrong context, misunderstanding what “quantification” really means, and misapplying Monte Carlo simulations in a sea of poorly designed software tools. Graeme expands on his recent GRC Report article The Misery of Risk Matrices, pushing back on the false sense of security these subjective tools create. He argues that the real R in GRC should stand for risk-informed decision-making, not retroactive compliance filler. The episode also unpacks why the growing push toward quantification often defaults to Monte Carlo analysis. Graeme offers a breakdown of where Monte Carlo simulations shine, where they fail, and what risk leaders should be asking when evaluating quantification tools and methodologies. At warp core, this conversation is about upgrading risk from visual comfort to strategic relevance, from vague heatmaps to models that support action under uncertainty. If you’re ready to move beyond the checkbox galaxy and into the decision-making nebula, The Wrath of Math is required listening.

In this episode of Risk Is Our Business, Michael Rasmussen beams aboard Kristina Wiese Tranberg, ESG compliance leader, AI ambassador, and creator of the GRC board game GRC Master, for a lively discussion on making governance, risk, and compliance not only effective, but engaging. With more than two decades of experience steering internal control transformations and operationalizing ESG strategy, Kristina brings a rare blend of strategic rigor and creative energy to the command deck. Together, they explore the human side of GRC, why success isn’t just about tools or frameworks, but about building cultures that do GRC, not just buy it. Kristina shares how she developed GRC Master to make training more accessible, memorable, and yes, fun. From cross-functional collaboration to AI integration, she explains how gamification can build real fluency in GRC while strengthening control environments across the enterprise. As they chart the path toward adaptive, people-centered operating models, it becomes clear that in the future of GRC, the technology may power the ship, but it’s the crew that makes the mission possible.

In this episode of Risk Is Our Business, host Michael Rasmussen sets course with Norman Marks, renowned author, former chief audit executive, and one of the most respected minds in the risk and audit universe, for a conversation that ventures well beyond compliance into the stars of strategy and purpose. Drawing from his acclaimed books Auditing That Matters and World-Class Risk Management, Norman argues that risk management isn’t about playing it safe, it’s about enabling intelligent, informed decisions that propel the enterprise forward. Quoting Thomas Aquinas, Michael reminds us, “If the highest aim of a captain were to preserve his ship, he would keep it in port forever.” But in a world of shifting risks and high-stakes missions, the goal isn’t to anchor—it’s to voyage. Together, Rasmussen and Marks explore why every objective has its own risk appetite, how to distinguish world-class internal audit from box-checking mediocrity, and what it means to embed risk into the helm of strategic decision-making. If you’re ready to audit at warp speed and leave the port behind, this episode is your star map.

In this episode of Risk Is Our Business, Michael Rasmussen is joined by Jennifer Geary, seasoned CRO, COO, and bestselling author, for a conversation that explores risk not as a bureaucratic burden, but as a navigational system for achieving mission success. With decades of hands-on experience across fintech, banking, NGOs, and tech, Jennifer brings both operational grit and boardroom perspective to the discussion. Together, they examine why risk management must start with organizational objectives, not with fear or compliance, and how that mindset shift unlocks true strategic value. They also dive into the UK Corporate Governance Code and the growing influence of Provision 29. With London Stock Exchange-listed companies operating far beyond the UK, Jennifer and Michael explore how expectations for internal control and risk reporting are now rippling across countries, reshaping how boards think about assurance and oversight. The episode also ventures into international waters, unpacking key differences in how the US and Europe approach regulation and risk culture. From fragmented American frameworks to more principles-based European regimes, the contrasts reveal both challenges and opportunities for global risk leaders. Finally, no modern episode would be complete without AI on the radar. Jennifer shares her perspective on the emerging risks AI presents, and how risk professionals can harness AI themselves to strengthen controls, forecast threats, and evolve alongside the technology that’s redefining the enterprise. For anyone looking to move risk from checkbox to compass, and chart a course through complexity with clarity, this episode delivers.