Governance, risk and compliance is no longer about avoiding trouble – it’s about enabling decision-making. At Risk-!n, GRC 20/20’s Michael Rasmussen set out his vision for business-integrated risk management, AI-enabled insight, and a culture of accountability.

“Risk is our business. That’s what this Starship is all about. That’s why we’re aboard her.” For GRC veteran Michael Rasmussen, this iconic line from Star Trek isn’t just sci-fi nostalgia – it’s a mission statement.

“Every business is a starship of risk,” he told delegates at Risk-!n. “The business not taking risk is the business that’s out of business. But are you taking the right risks? Are you aligning risk with decision making of your organisation?”

As founder of GRC 20/20 and the first analyst to define the governance, risk and compliance market back in 2002, Rasmussen has spent decades helping organisations move beyond a compliance-only mindset. Today, he argues, GRC must be about enabling performance – not just preventing failure.

“If the highest aim of the captain was the preservation of the ship, he would leave it in port forever,” he said, quoting Thomas Aquinas. “But that’s not what ships are built for… They’re built to do business.”

Beyond the rear-view mirror

Despite this need to look forward, many organisations still treat risk as a backwards-facing exercise. “So much of our risk management is like driving the car looking in the rear-view mirror,” said Rasmussen. “The rear-view mirror is a safety device – but where our focus needs to be is on the road in front of us.”

Risk registers, checklists and manual spreadsheets may be familiar, but they often reflect outdated, reactive thinking. Referencing ISO 31000, Rasmussen reminded the audience that “risk is the effect of uncertainty on objectives.” That means true risk management must engage with the business’s goals, its decision-makers, and its future – not just the past.

The interconnected risk landscape

Modern risk is inherently systemic. Rasmussen quoted physicist Fritjof Capra: “The more we study the major problems of our time, the more we come to realise they cannot be understood in isolation… They are interconnected and interdependent.”

For businesses, that means seeing risk across silos – a major challenge. Rasmussen described a global firm with over 300,000 employees and 30 separate risk departments, using ten different systems and “tens of thousands of documents, spreadsheets and emails”.

“They have no central visibility across risk,” he said. “There’s all these little islands and they can’t see the interconnectedness of risk.”

From control to conductor: the CRO’s role

Overcoming these silos is a crucial part of the CRO’s role. Rasmussen likened the CRO to a musical conductor: “You’ve got the violins, the cellos, the percussion – those are all parts of the business. The CRO is there to facilitate risk management across these different departments and see the intersection.”

He warned that many organisations still lack this unifying leadership – or worse, risk becomes buried in back-office functions. “Who’s your risk conductor?” he asked. “Because risk is everywhere in the business. It’s in decisions. It’s in operations. It’s in IT. It’s in ESG.”

This, he said, is the primary directive of modern GRC: to enable the business to achieve its objectives – not just to track compliance.

No surprises: what great risk management looks like

In one story, Rasmussen recalled a chief risk officer candidate being asked what value he could offer the CEO. His reply: “It’s my job, if I do it correctly, to ensure you have no surprises in achieving your objectives.”

“The CEO said that’s the best answer anyone’s ever given me for risk management,” said Rasmussen. “He was hired.”

Risk, he argued, is not just a danger – it’s a business tool. Done right, it creates resilience and agility. “You want to minimise surprises… That’s the goal. No surprises is a lofty objective, but we want to reduce them, foresee them, and respond with insight.”

He contrasted Lehman Brothers and Goldman Sachs during the 2008 financial crisis: “Goldman Sachs at the time, even though they were very aggressive in taking on a lot of risks… they took and managed risk well. They had an accountability culture. If you made a big decision without bringing others in – you were shown the door.”

The evolution of GRC tech

Looking back over 25 years of risk technology, Rasmussen outlined how the GRC space has evolved – from Sarbanes-Oxley-era control systems to what he now calls business-integrated GRC.

“Too many risk programmes in the US are still just Sarbanes-Oxley compliance,” he said. “In Europe, I get much more mature discussions – aligned with ISO 31000, focused on objectives and decision-making.”

He’s also sharply critical of IT-led tech choices that prioritise internal politics over fitness for purpose. “You can’t let IT make the decisions,” he warned. “You’ll get a very handicapped approach to risk management.”

Instead, organisations need “agile, no-code, highly configurable solutions” – and a readiness to embrace cognitive tools such as AI. “It doesn’t replace us, but it extends us,” he said. “It helps us do more, faster, with better insight.”

Ultimately, for Rasmussen, risk management today must align closely with business objectives and culture. “The ultimate chief risk officer is Doctor Strange from the Marvel Universe,” he quipped. “Seeing millions of possible futures – and helping the business choose the least uncertain path.”