Risk is Our Business

Michael Rasmussen

Welcome to Risk Is Our Business, where we explore the principles of Governance, Risk Management, and Compliance — to reliably achieving objectives, navigating uncertainty, and act with integrity. Here, we follow the Prime Directive of Risk Management: No decision or strategy moves forward without understanding its impact on our objectives, our resilience, and our values. Because risk isn’t the enemy, it’s the mission. After all, risk is our business. Join us as we go boldly into the world of GRC.

  1. 10h ago

    Conducting Resilience: Beyond Compliance and Into Action with Aurore Chatard

    Recorded live at Risk-!n Conference 2026, this episode of Risk Is Our Business features Aurore Chatard in a conversation about what it truly takes to build resilience in an increasingly complex and interconnected world. Captain Michael Rasmussen and Aurore begin by discussing what keeps resilience leaders awake at night and why many organizations still struggle to move beyond a compliance-driven view of continuity and resilience. They unpack what bad resilience looks like, including programs that exist primarily to satisfy regulatory requirements, before exploring the characteristics of organizations that are genuinely prepared to adapt, respond, and recover. A central theme of the discussion is orchestration. Michael and Aurore compare resilience to a symphony orchestra, where success depends not on individual performers but on how well people, processes, technologies, and leadership work together. Without coordination, even the most capable functions can fail when disruption strikes. The conversation also explores the growing influence of regulations such as NIST and DORA, examining whether they help organizations become more resilient or risk turning resilience into another compliance exercise. Along the way, Aurore shares lessons learned from years spent leading security, continuity, and crisis management programs, offering practical insights for professionals looking to strengthen resilience capabilities within their own organizations. They close by reflecting on Risk-!n Conference 2026 itself, discussing the growth of the event, the conversations shaping the future of the profession, and the increasing recognition that resilience is becoming a core business capability rather than a specialist discipline.

    12 min

  2. Jun 1

    Shaking the Prime Directive: Rethinking Risk from the Ground Up with Adrian Clements

    Recorded live at Risk-!n Conference 2026, this episode of Risk Is Our Business begins with a warning from Adrian Clements. Before agreeing to come aboard, he made it clear that he intended to "shake the tree." Captain Michael Rasmussen's response was simple: engage. What follows is a conversation that challenges some of the profession's most deeply held assumptions. Adrian argues that many organizations are still navigating with outdated star charts, relying on inherited frameworks and conventional wisdom that no longer match the realities of today's environment. Rather than tweaking existing approaches, he makes the case for stepping back, questioning first principles, and rebuilding from the ground up. They explore what that looks like in practice. How do organizations break free from legacy thinking? How do leaders create the conditions for better decision-making? And what practical steps can be taken to transform risk from a compliance exercise into a driver of performance and value creation? The discussion also examines the role of technology. Not as the destination, but as an enabler that helps organizations operationalize better thinking, improve visibility, and support more intelligent decisions. Along the way, Adrian and Michael reflect on their key takeaways from Risk-!n Conference 2026, discussing the ideas and trends that suggest the profession may be entering a new phase of evolution.

    25 min

  3. May 26

    The Speed of Risk: Controls and Decision-Making with Hermann Suter

    Recorded live at the Risk-!n Conference 2026, this episode of Risk Is Our Business features Hermann Suter, Head of Group Enterprise Risk Management at Barry Callebaut Group, in a conversation on how risk management must evolve in an environment where the speed of change is accelerating faster than many organizations can absorb. Hermann and Captain Michael Rasmussen begin with a deceptively simple question. If organizations claim to have an enterprise-wide view of risk, shouldn’t they also have an enterprise-wide view of controls? From there, the discussion turns to what actually keeps risk leaders awake at night. Not just specific threats, but the sheer pace and velocity of risk itself. They unpack what bad risk and control management looks like. In contrast, they argue that effective risk management starts with understanding that every meaningful decision already contains a form of risk analysis, whether organizations recognize it or not. The conversation also explores how to align risk with business culture rather than impose it from the outside, how Swiss and broader European perspectives influence approaches to governance and controls, and where technology is genuinely helping modern ERM programs. They close by discussing what excited them most at the conference itself, including the growing focus on interconnected risk, operational resilience, and the future direction of enterprise risk management.

    18 min

  4. May 19

    The Extended Enterprise: Third-Party Risk at Warp Scale with Darren Smith

    In this episode of Risk Is Our Business, Captain Michael Rasmussen welcomes Darren Smith for a deep dive into third-party risk management in the age of the extended enterprise. The conversation explores how modern organizations now operate through vast and increasingly interconnected networks of suppliers, partners, outsourcers, and service providers, creating a web of dependencies that stretches far beyond traditional organizational boundaries. Darren explains why TPRM can no longer sit within a single function, and how procurement, security, compliance, legal, operations, sustainability, and business leadership all play critical roles in managing third-party exposure. They also unpack what separates bad TPRM (fragmented, compliance-driven, reactive) from good TPRM that is integrated, collaborative, and aligned with business objectives. They also examine how organizations define “critical suppliers,” why that definition is often more complex than it appears, and how businesses can better coordinate across departments to create a unified view of third-party risk. The discussion then turns to technology and AI. Darren shares his perspective on where current TPRM tooling adds value, where maturity is still lacking, and how organizations can move beyond treating TPRM as a checkbox exercise toward something more strategic and forward-looking. This episode is about managing risk in a world where the enterprise no longer ends at the company boundary and where resilience depends on understanding the entire ecosystem connected to the ship.

    20 min

  5. May 4

    From Controls to Clarity: Aligning Risk and Control Across the Enterprise with Kristina Wiese Tranberg, Karoline Corfitz & Morten Bjerregaard

    In this return episode of Risk Is Our Business, Captain Michael Rasmussen welcomes Kristina Wiese Tranberg back to the bridge, joined by Karoline Corfitz and Morten Bjerregaard, for a practical deep dive into internal controls and their role in modern GRC. Building on Kristina’s previous appearance, the conversation shifts from operating models and transformation to a core question of what is the real value of controls? The group explores how organizations can move beyond checkbox compliance toward control optimization that supports business outcomes rather than slowing them down. They also challenge a common disconnect. Many organizations aim for an enterprise-wide view of risk, but lack an enterprise view of controls. Without understanding how controls operate across processes and functions, can risk truly be understood at scale? The discussion then examines the relationship between risk owners and control owners, and when they should be the same, when they should be different, and how that choice affects accountability and effectiveness. They also unpack the 1-10-100 rule, illustrating how the cost of fixing issues escalates the later they are detected, and why embedding controls early in processes is critical. This episode offers a grounded, experience-led perspective on aligning risk, controls, and ownership across the enterprise.

    28 min

  6. Apr 27

    Risk in Deep Space: Culture, Appetite, and Real GRC in Practice with Michael Erlandsson Jensen

    In this episode of Risk Is Our Business, Captain Michael Rasmussen sits down with Michael Erlandsson Jensen at April Coffee in Copenhagen, a busy café whose ambient hum feels oddly right for a conversation grounded in real-world experience. Michael opens by tracing his path through global risk management, and from there the two find their way into something that doesn't get discussed enough: how differently risk culture actually plays out depending on where you are in the world. The Danish and broader European approach tends to weave risk into everyday business dialogue—collaborative, embedded, almost organic. That's a sharp contrast to the more compliance-first environments Michael has worked in across parts of the Middle East and the U.S., where risk can feel like something done to the business rather than with it. That tension shapes the heart of the conversation. For Michael, good risk management isn't about control or enforcement, it's about facilitation. Helping the business understand its own risks, take ownership of them, and actually talk about them. Bad risk management, by contrast, is disconnected from decisions that matter, buried in process, and more interested in checking boxes than in being useful. They also dig into risk appetite a concept that's often treated as a document to file away and forget. Michael pushes back on that, reframing it as something that should reflect how an organization actually behaves, not just what it says on paper. The real work, he argues, is closing the gap between strategy, risk, and what happens on the ground day to day. It's a grounded, cross-cultural take on GRC and a reminder that the real work of risk doesn't live in frameworks. It lives in conversations.

    19 min

  7. Apr 20

    When Risk Gets Real: Lessons from the Bridge

    In this episode of Risk Is Our Business, Captain Michael Rasmussen brings together a cross-functional crew of risk, audit, cyber, and technology leaders for a candid conversation recorded in the Netherlands. Joined by David Ngu, Brett Steinmetz, Jos Bredero, and Eric Groen, the discussion opens with a simple question: what actually keeps you up at 1 a.m. when it comes to risk? From there, the conversation explores the key drivers shaping risk management in the Netherlands, and how they compare to broader European and U.S. approaches. The group reflects on how Europe tends to lean more toward principles and outcomes-based thinking, while the U.S. often emphasizes rules and compliance and how those differences play out in practice across organizations and industries. They then turn to the role of professional services firms, unpacking what a successful engagement really looks like. Rather than focusing purely on tooling, the discussion emphasizes the importance of a business-oriented approach, ensuring that technology implementations are grounded in real operational needs, not just frameworks or features. The episode closes with each guest offering a key takeaway and practical insights drawn from their experience working across risk, controls, cyber, and consulting. This is a grounded look at how risk is actually managed on the ground (across regions, disciplines, and perspectives) when the frameworks meet reality.

    36 min

  8. Apr 13

    From Heatmaps to Histograms: Rewriting Cyber Risk on the Bridge with Tony Martin-Vegue

    In this return episode of Risk Is Our Business, Captain Michael Rasmussen reconnects with Tony Martin-Vegue for a wide-ranging conversation built around his new book, From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. At the center of the discussion is a simple but uncomfortable idea: most organizations aren’t really measuring cyber risk, they’re describing it. Heatmaps, scoring models, and qualitative frameworks may look familiar, but they rarely help leaders make better decisions. Tony breaks down what’s going wrong, and why. Along the way, he uses an unexpected historical example (the Hanoi Rat Massacre of 1902) to illustrate how well-intentioned interventions can create worse outcomes when incentives, measurement, and behavior are misaligned. The conversation moves through the core themes of the book: Why cybersecurity often behaves like two separate disciplines under one label Why quantitative risk is less about advanced math and more about structured thinking The biggest myth about data that keeps organizations stuck in qualitative approaches Where methods like Monte Carlo simulation and FAIR fit and where they don’t They also explore why many cyber risk quantification programs fail, what it takes to make them practical, and how the same principles apply beyond cyber to operational risk more broadly. At over an hour, this is one of the most in-depth conversations on the show! It's less a summary and more a working session on how to move from risk reporting to decision-making.

    1h 8m
See All (59)

Ratings & Reviews

5
out of 5
4 Ratings

About

Welcome to Risk Is Our Business, where we explore the principles of Governance, Risk Management, and Compliance — to reliably achieving objectives, navigating uncertainty, and act with integrity. Here, we follow the Prime Directive of Risk Management: No decision or strategy moves forward without understanding its impact on our objectives, our resilience, and our values. Because risk isn’t the enemy, it’s the mission. After all, risk is our business. Join us as we go boldly into the world of GRC.

Information

  • Creator
    Michael Rasmussen
  • Years Active
    2025 - 2026
  • Episodes
    59
  • Rating
    Clean
  • Copyright
    © Copyright 2025 All rights reserved.
  • Show Website
    Risk is Our Business

You Might Also Like