Risk Management Is Not a SOX Coloring Book: A Call for Risk Management as a Strategic Discipline

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Risk Management Is Not a SOX Coloring Book: A Call for Risk Management as a Strategic Discipline

For more than twenty years, risk management has been shaped by the gravitational pull of Sarbanes-Oxley. SOX arose from a genuine crisis of trust, and its intentions were honorable: to reinstate accountability, protect investors, and restore faith in financial reporting. But its unintended legacy has been far larger and far more limiting. Instead of elevating the role of risk management across the enterprise, SOX compressed it, concentrating the discipline into a narrow, compliance-oriented model rooted in documentation and evidence trails. Entire organizations came to believe that if they could prove controls were executed, they were “managing risk.” In reality, they were managing paperwork.

This is the heart of what I call the SOX Coloring Book: a worldview in which risk is represented not by thoughtful exploration of uncertainty but by grids shaded in red, yellow, and green. It is a worldview in which risk becomes a performative exercise for auditors rather than a strategic dialogue for executives. It is a worldview that keeps the discipline of risk firmly planted in the past, while the organization demands a capability oriented toward the future in decisions and achieving obectives.

SOX is not what risk management was meant to be. And it is not what OCEG envisioned when it articulated the modern definition of GRC as the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. That definition is perhaps the most concise articulation of what organizations require today. It places decisions, performance and objectives at the center, surrounded by the term governance, infused with integrity, and sharpened by a clear-eyed understanding of uncertainty.

The tragedy is that many U.S. organizations (and worldwide), under the long cultural influence of SOX, have inverted this model. They begin with compliance, shape risk around compliance, and never arrive at the horizon where objectives and strategy reside. Risk becomes mechanical rather than meaningful, captured rather than understood, constrained rather than harnessed.

How SOX Diminished the Discipline of Risk

The unintended damage of SOX is not the regulation itself but the mindset it produced. The act conditioned organizations to believe they were practicing risk management when they were merely validating control execution. SOX created a generation of leadership and practitioners who thought the essence of risk was:

  • proving a control existed,
  • documenting that it operated as designed,
  • remediating deficiencies, and
  • producing evidence to satisfy an auditor.

But this is not risk management; it is compliance maintenance. Compliance is necessary, even vital, but it is fundamentally backward-looking. Its responsibility is to confirm whether guardrails were followed, whether required steps were taken, whether behaviors aligned with expectations.

Risk management, by contrast, is about the terrain ahead, not the path behind. It is about anticipating what might influence objectives, understanding the potential pathways of uncertainty, preparing for resilience, and enabling the organization to move with confidence toward its goals.

When SOX became the archetype for risk, it pulled the entire function backward. Risk became episodic instead of continuous; administrative instead of analytical; procedural instead of strategic. It became a discipline obsessed with demonstration rather than insight. And because SOX rewarded proof over perspective, organizations increasingly staffed and structured risk functions to serve compliance needs rather than strategic ones.

The Problem With Heatmaps: When Color Replaced Analysis

As this mindset took hold, the visual language of risk followed suit. Heatmaps and RAG (red, amber, green) stoplight diagrams became ubiquitous—not because they provided meaningful insight, but because they were easy to generate, easy to present, and easy to misunderstand as “analysis.” They offered leaders the illusion that risk had been neatly captured on a single slide, when in truth, the most important dimensions of uncertainty were nowhere represented. Consider that . . .

  • A heatmap cannot reveal the velocity of a risk, the speed at which it can materialize.
  • It cannot reveal the interconnectedness of risks, the way supply chain fragility influences cyber exposure, or how geopolitical volatility alters operational resilience.
  • It cannot reveal the depth of uncertainty surrounding a risk estimate.
  • And it certainly cannot reveal how a risk influences—or is influenced by—the organization’s objectives.

Heatmaps turned risk into something decorative. They reduced uncertainty to a handful of colors. They made risk appear deceptively simple, concealing the fact that modern uncertainty is anything but. Heatmaps became the coloring book pages of risk management: tidy, symmetric, and ultimately disconnected from the strategic and operational realities leaders must navigate.

The greatest danger of heatmaps is that they create false confidence. Executives begin to believe that risks fit neatly into categories, that qualitative estimates are truth, that the world conforms to a grid of nine or sixteen cells. But the world is not a grid, and risk certainly is not. Risk is fluid, relational, systemic. It is shaped by context. It evolves by the hour. To reduce it to red, amber/yellow, and green is to flatten a three-dimensional world into a two-dimensional cartoon.

Reclaiming Risk as the Discipline That Guides Performance

To move beyond the SOX Coloring Book, organizations must return to the true purpose of risk management: supporting making decisions and the reliable achievement of objectives. This is where the OCEG model offers such clarity. Governance is the structure by which objectives are set and aligned. Risk is the engagement with uncertainty in pursuit of those objectives. Compliance is the assurance that integrity underpins the journey. Together, they form a coherent, integrated capability: GRC as an enterprise system of purpose, insight, and resilience.

When organizations treat risk as a compliance artifact, they prevent it from fulfilling this purpose. But when risk is understood as a proactive, decision-oriented discipline, it becomes the lens through which leaders evaluate choices, interpret signals, and understand the conditions under which performance will succeed or fail. Risk becomes an enabler of agility, not a barrier to it. It becomes the partner to innovation, not its adversary. It becomes the instrument through which strategy is informed, shaped, refined, and strengthened.

The shift required is not from bad tools to better ones; it is from a backward-looking posture to a forward-looking one. It is a shift from asking, “How do we demonstrate compliance?” to asking, “How do we navigate uncertainty to achieve our objectives?” It is a shift from cataloging risks to understanding relationships among risks. It is a shift from controlling yesterday’s failures to preparing for tomorrow’s realities.

This is why introspection is needed at all levels of risk practice.

The Three Levels of Risk & Resilience: A Narrative Architecture

If risk is to serve the enterprise, it must operate across three levels—each distinct, each essential, each reinforcing the others. These levels are not technical constructs; they are narrative layers of how organizations understand themselves, their environments, and their ambitions.

Strategic Risk & Resilience: Risk as the Author of Decisions

At the highest level, risk becomes a strategic companion to leadership. It is not there to prevent bold choices but to inform them. Strategic risk management is not a defensive shield but an interpretive intelligence. It allows leaders to envision multiple possible futures, evaluate emerging signals, and understand how forces — geopolitical, technological, economic, environmental — shape their pathways.

At this level, risk does not guard strategy; it guides strategy. It enables leaders to ask not only “What could go wrong?” but also “What must go right?” and “How do we steer through uncertainty to arrive where we intend?” This is risk as a cognitive asset, embedded in the executive conversation. It is the antithesis of the SOX view.

Objective-Centric ERM: Risk as the Interpreter of Performance

The second level — objective-centric ERM — is where risk meets the engine of the organization’s performance. Here, uncertainty is evaluated not in abstraction but in the context of what the enterprise is trying to accomplish. Traditional ERM often loses itself in risk registers and taxonomies. Objective-centric ERM resists this gravitational pull and instead keeps its focus on outcomes.

This level is where risk becomes integrated, proactive, and relevant. It fosters the conversations that matter:

  • What uncertainties matter most to this objective?
  • How does our understanding of risk shape our operational and strategic planning?
  • What leading indicators must we monitor to anticipate shifts that affect performance?

By tying risk to objectives, the organization for the first time gains a risk management discipline that is not just descriptive, but decisive.

Operational Risk & Resilience: Risk as the Guardian of Today and Tomorrow

The third level — operational risk and resilience — provides the stability upon which all strategy depends. It encompasses the everyday realities of process reliability, system performance, third-party dependencies, and the organization’s ability to adapt to disruptions. Operational resilience is not merely the avoidance of failure; it is the active cultivation of durability and adaptability. It is the ability to perform today without compromising the capacity to perform tomorrow.

This is where risk takes physical form: where uncertainty meets operations, where resilience meets real-world conditions. Yet in many SOX-shaped organizations, operational risk was overshadowed by a far narrower focus on financial control testing. The cost has been a generation of firms less prepared for the complexity of modern disruption.

A Call to Action: Release Risk From the Coloring Book

To practice risk across these three levels, organizations require a modern architecture — one that moves far beyond the tools of the SOX era. This is what I refer to as GRC 7.0 – GRC Orchestrate with digital twins simulate the movement of risk. Agentic AI expands the capacity for monitoring, detection, and interpretation of signals. Shared ontologies create coherence across silos. Where risk management is architected in an orchestrated framework. These capabilities do not eliminate the human element; they enhance it. They allow risk professionals to spend less time compiling evidence and more time shaping insight. They allow leaders to make decisions with clarity rather than conjecture. They align the discipline of risk with the speed and complexity of the modern world.

The time has come for organizations to acknowledge the limitations of their inherited SOX risk paradigm. The SOX Coloring Book never did risk management. To navigate the world, organizations must release risk from the confines of compliance and restore it to its rightful place: as a strategic, objective-driven, forward-looking discipline intimately connected to the heart of performance.

Risk is how organizations make decisions.
Risk is how organizations pursue opportunity.
Risk is how organizations reliably achieve objectives.
Risk is our business.

And it is time to practice it as such.

GPRC for Enterprise Risk Management

The GRC Pundit BlogPublished onUpdated onLeave a Comment on GPRC for Enterprise Risk Management

Orchestrating Strategic, Objective-Centric, and Operational Risk & Resilience through GRC 7.0

Risk! Risk is our business. That’s what this starship is all about. That’s why we’re aboard her — Captain James T. Kirk, Star Trek: The Original Series, Season 2, Episode 20

The Enterprise was not built to sit safely in space dock. Its mission — “to boldly go where no one has gone before” — embodies both ambition and uncertainty. It is a vessel of purpose, guided by command decisions made under imperfect information, relying on systems, crew, and foresight to navigate the unknown.

In the same way, the modern enterprise is a starship of risk. It exists not to avoid uncertainty but to chart opportunity through it. The organization’s ability to govern, perform, and act with integrity depends on how well it understands and orchestrates risk across all levels of its mission . . .

[The rest of this blog can be read on the Corporater blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

READ MORE

Building a GRC STORYBOARD for Executive Management to Get Buy-In and Funding

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Building a GRC STORYBOARD for Executive Management to Get Buy-In and Funding

In my decades of advising organizations across industries and geographies, one recurring challenge persists: articulating the value of Governance, Risk Management, and Compliance (GRC) in a way that resonates with executive leadership. Despite its mission-critical role, GRC is often seen as a cost center, a necessary but uninspiring function that checks regulatory boxes and manages risk registers. This is a dangerous misperception. When done right, GRC is a performance enabler, a guardian of reputation, a driver of resilience, and a compass that steers the organization through complexity. But to reach that level, you need executive buy-in-and in today’s world, that often means making the business case for automation.

So, how do you move from tactical firefighting to strategic transformation? You build a GRC storyboard that tells a compelling narrative, tailored to executive priorities. Let’s explore how to construct that narrative, link GRC to program. Measurable business outcomes, and gain the support and funding needed to automate and elevate your GRC.

Start with Why? Anchor GRC in Strategic Objectives . . .

[The rest of this blog can be read on the GRCxperts blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

READ MORE

Seeing the Risk Landscape Anew: Reflections on Enterprise Risk Intelligence and the Future of Modern GRC

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Seeing the Risk Landscape Anew: Reflections on Enterprise Risk Intelligence and the Future of Modern GRC

Over the past several years — and particularly throughout this past year — I have observed a profound transformation in how organizations confront uncertainty. The traditional boundaries we once relied upon have dissolved. What used to live neatly inside departments and functions now stretches across the full expanse of the enterprise, influencing strategy, culture, ethics, technology, and operations simultaneously. As I worked on my recent Strategy Perspective on Enterprise Risk Intelligence, I found myself returning to the same recurring theme: the world organizations must navigate no longer resembles the world their risk programs were designed for.

This mismatch between reality and design is growing. The organizations I advise feel it every day; sometimes subtly, sometimes painfully. And it has become clear to me that our collective understanding of risk must evolve just as rapidly as the forces reshaping the global business environment.

The Modern Enterprise: An Interconnected Organism

If I distill the past decade of GRC evolution into a single insight, it is this:
the enterprise has become an interconnected organism of human and algorithmic decision-makers, digital and physical operations, and external dependencies that change constantly.

It is no longer possible to think of the organization as a chart of boxes connected by lines. Instead, it resembles a dynamic mesh of:

  • Distributed processes and systems
  • Layers of third-party and fourth-party relationships
  • AI-driven automation and decision flows
  • Data streams that cross borders and jurisdictions
  • Reputational, ESG, and geopolitical pressures
  • Real-time digital signals that shape public and market expectations

In such a world, a disruption anywhere becomes a disruption everywhere. Geopolitical instability affects supply chains; supply chain delays influence customer experience; customer experience shapes reputation; reputation affects market performance and regulatory scrutiny. The dependencies are inseparable.

Yet our traditional approaches to GRC still treat them as if they are distinct.

The Intelligence Gap: Why Organizations Fail to See What Matters

The most striking finding from my research is not the lack of available intelligence — organizations today are drowning in data — but rather the lack of connected intelligence. Many failures do not stem from absence of signals but from:

  • Fragmentation: Internal and external intelligence sits in separate systems.
  • Lack of context: Signals are observed but not interpreted.
  • Manual processes: Spreadsheets and emails cannot keep pace with the velocity of risk.
  • Point-in-time thinking: Annual and quarterly assessments assume a stable world.
  • Siloed perspectives: Risk domains operate with different taxonomies, metrics, and assumptions.

These disconnects create a widening intelligence gap, the space between the complexity of the world and the organization’s ability to comprehend it.

In that gap, blind spots form. And in blind spots, risks grow unnoticed.

Enterprise Risk Intelligence: A Cognitive Shift, Not a Technical One

As I wrote the paper, it became evident that Enterprise Risk Intelligence (ERI) is not simply another component of the GRC toolbox. It is a cognitive shift in how organizations sense, interpret, and respond to risk.

ERI is an architecture of understanding. It demands:

  • A unified framework for organizing risk intelligence
  • Mechanisms to aggregate and curate internal and external signals
  • Defined roles that connect insight to accountability
  • Workflows that move information to action
  • Continuous monitoring that reflects the shifting reality of operations and environment

At its core, ERI is about the enterprise developing the ability to see itself more clearly: to understand how one signal, event, or shift in context affects the rest of the system. It is about perceiving patterns, relationships, and meaning, rather than simply collecting data.

This is the work of cognition, not compliance.

Toward Integrated Awareness: Overcoming the Fragmentation of Modern GRC

One of the most persistent challenges I see is the fragmentation of risk into separate programs and disciplines. Each uses its own tools, language, and metrics:

  • Compliance tracks obligations
  • Operational risk measures process exposures
  • Cybersecurity monitors technical threats
  • ESG examines sustainability commitments
  • Resilience teams assess continuity and recovery
  • Internal audit evaluates controls and assurance

Individually, these functions may be capable. Collectively, they often lack coherence.

The future of GRC requires a shift toward integrated awareness, a capacity to see risk not in slices but in systems. This is not something technology alone can solve. It requires a deliberate redesign of governance structures, accountability models, information flows, and decision-making culture.

As I will discuss in the conversations and workshops ahead, this evolution demands that organizations think differently about how they:

  • Interpret external intelligence alongside internal indicators
  • Connect risk management with strategy and performance
  • Build federated, business-integrated governance
  • Create lifecycle-based, context-aware operational models
  • Use technology to support — not dictate — organizational intelligence

These themes are central not only to the ERI paper but to the broader direction in which GRC must evolve.

A Moment of Reckoning; and of Possibility

We are entering a period in which boards, executives, regulators, and stakeholders are all demanding greater transparency, stronger assurance, and more integrated approaches to risk. Provision 29 in the UK, DORA in the EU, CPS 230 in Australia, and a wave of global regulatory and strategic pressures are pushing organizations toward designs that reflect real-world complexity rather than outdated assumptions.

The question is no longer whether organizations must transform their approach to GRC. The question is how they will do it, and whether they can do so with the speed and clarity the environment now requires.

This is why I wrote the Strategy Perspective on Enterprise Risk Intelligence.
It is why I will be discussing these themes in the days ahead through a webinar and two workshops (see below). And it is why I believe the next phase of GRC will be defined not by controls or compliance frameworks but by intelligence, integration, and context.

Organizations that cultivate these capabilities will be able to anticipate rather than react, to adapt rather than absorb damage, and to align risk-taking with purpose and performance.

Those that do not will struggle to see the terrain they are walking across.

Upcoming Sessions

For those interested in exploring these ideas further, I will be expanding on the themes in the ERI report during the following sessions:

Risk Is Our Business: Why the GRC Market of 2030 Will Look Nothing Like Today

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Risk Is Our Business: Why the GRC Market of 2030 Will Look Nothing Like Today

A Structural Break, Not a Cycle

By the end of this decade, the governance, risk management, and compliance (GRC) market will be almost unrecognizable. Not because a few new tools emerge or because a handful of legacy platforms finally modernize, but because the very nature of risk has outgrown the architecture most GRC solutions are built upon compounded by AI built and designed within the platform and not bolted on. The market leaders of 2030 will not be defined by scale, brand, or marketing budget — they will be defined by whether they understand the fundamental reality that the world has changed and our models with it.

The risk frameworks guiding most institutions today were built for a bygone era: slower, more linear, more bounded, too often focused on compliance and checkboxes. They assumed risks could be catalogued neatly, assessed annually, and managed through periodic adjustments. But risk no longer behaves this way, actually it never has but most risk management programs were stuck as a SOX compliance exercise and not true risk management. In reality, risk clusters, cascades, mutates, and compounds at speeds legacy models and systems cannot process. Uncertainty itself has become exponential.

This is not the emergence of “new risks.” It is the collapse (or more approrpriately correction) of the idea that risk can be understood as discrete events. What we are facing is a structural shift: the end of an era where annual assessments, static registers, and siloed taxonomies could plausibly represent reality.

Today, risk does not sit within departments. It flows through the organization like weather patterns across a landscape, forming storms where heat, pressure, and volatility intersect. Few organizations appreciate the magnitude of this shift, and fewer still are truly preparing for it. The question is no longer whether we can manage the risks we know, but whether we can adapt quickly enough to understand the ones we cannot yet see.

And at the far edge of this horizon sits the ultimate test:
Are you ready for Q-Day?

Most organizations aren’t. And that is the point.

Choosing Our Future: Blade Runner or Star Trek

The choice ahead of us is not philosophical. It is strategic. It is the difference between drifting into a Blade Runner future or consciously building a Star Trek one.

Both futures are powered by extraordinary technology. But they represent radically different outcomes.

  • Blade Runner is a neon-lit dystopia of fragmentation, corporate dominance, fragile systems, and ethical erosion — a universe where technology accelerates risk and outpaces governance.
  • Star Trek offers a vision of possibility — where technology, values, and governance align to help diverse organizations navigate uncertainty collaboratively and purposefully. It all starts with objectives and flows into uncertainty and integrity.

Every organization, intentionally or not, is already choosing between these futures through how it governs, how it manages risk, and how it upholds integrity. Technology is not destiny. Governance is.

And nothing reveals this choice more clearly than the way we approach GRC.

Rearview-Mirror Risk Management Is Broken

Most organizations still practice what looks like risk management but isn’t. It is risk-by-documentation: a mechanical process focused on what happened yesterday, not on what threatens tomorrow. This rearview-mirror view is incapable of steering a business accelerating into a world of compounding uncertainty.

It shows up in recognizable symptoms:

  • Incident logs, not risk intelligence
  • Backward-looking reports that describe losses, not conditions
  • CROs excluded from the strategic decisions that reshape risk more than anything else
  • Cultures where raising emerging concerns feels dangerous because risk is seen as failure

I recall a European CRO describing his interview with a CEO who asked, “What value do you bring me?” His answer was elegant: “If I do my job well, you have no surprises in achieving your objectives.” Of course, surprises will still occur — failure in complex systems is inevitable — but the aspiration highlights what modern GRC should be: a capability to radically reduce the frequency, severity, and strategic consequences of those surprises.

Rearview-mirror models cannot do this. They are designed for a world that no longer exists.

Every Business Is a Starship of Risk

In my keynotes, I frame the enterprise as a starship navigating a universe of uncertainty — a metaphor that resonates because it is true.

  • The captain and bridge crew: board, CEO, executive leadership
  • The mission: strategic and operational objectives
  • The specialists: risk, compliance, IT, audit, finance, HR, operations
  • The universe: markets, geopolitics, regulation, technology shifts, societal expectations

Every day, this starship sets a course, encounters uncertainty, and must remain true to its principles.

But when risk is treated as a brake rather than a navigation system, organizations drift toward the Blade Runner future — technology overtakes governance, and risk intelligence is buried beneath bureaucracy.

When risk becomes part of how the organization steers, however, the entire culture shifts:

  • Risk functions evolve from “no” to “know.”
  • Leadership uses risk insight to guide decisions rather than justify them.
  • Risk becomes central to performance, not peripheral to it.

This shift is the foundation for the GRC market we will see by 2030.

What Vendors Must Understand — And Most Don’t

The GRC market is saturated, and buyers are not naïve. The old playbook won’t work anymore. Vendors must confront several uncomfortable truths, as the head of Risk & Governance at one retail organization has recently stated:

  • Stop selling only to risk leaders. Convince them, yes — but then sell to those who sign the cheques. They care about protecting and growing the business, not about how many workflows you automate. Demonstrate how you enable the organization to achieve objectives and manage uncertainty and integrity in this context. STOP putting the cart before the horse.
  • Nobody cares that the risk team works hard. No one applauds long hours. Buyers want solutions that enable value, efficiency is nice but it is not the value that sells to the business.
  • AI is not a clear differentiator anymore. Adding a vague LLM to your platform without a clear use case only produces work to do explaining its risk to our InfoSec team.
  • Don’t promise the “one right way” to do GRC. It doesn’t exist.
  • And scoring risks 0–10 is not quantification. If you call it quantitative, know what the word means.

If your platform does not place objectives at the center — not just risks, controls, and issues — then it is not aligned with reality. GRC exists to help organizations reliably achieve objectives, address uncertainty, and act with integrity. Anything else is administration.

The winners of the 2030 market will be those who build technology that enables businesses to perform — not just to document.

GRC Orchestrate and the Transformation Ahead

The next five years will see progressive maturity in GRC 7.0 — GRC Orchestrate — a true break from past generations of GRC technology. It will reshape not only the tools we use, but the role GRC plays inside organizations.

This transformation is anchored in two profound capabilities: agentic AI and digital twins of the enterprise.

Agentic AI: From Tasks to Orchestration

This is not generative AI as a feature. It is a coordinated mesh of semi-autonomous agents that:

  • sense
  • interpret
  • decide
  • and act

across the entire GRC ecosystem.

Consider examples such as:

  • Agents dynamically adjusting monitoring based on emerging signals
  • Bots mapping regulatory changes to obligations and controls before humans review
  • Assistants contextualizing risk information for individual decision-makers rather than publishing generic reports

The power is not in discrete features. It is in orchestration — connections forming an intelligent, adaptive ecosystem rather than a series of isolated automations.

Digital Twins: The Future Palantír

Digital twins of the enterprise transform risk into a dynamic, simulated environment — a way to see consequences before they manifest.

Imagine asking:

  • If Taiwan is invaded tomorrow, which of our facilities fail first?
  • Which customers experience disruption?
  • Which suppliers become bottlenecks?
  • What alternatives exist within our operating model?

With digital twins, these are no longer conceptual questions — they are simulations that leadership can run.

This is the modern Palantír: powerful, predictive, and deeply dependent on governance. Used wisely, it gives Dr. Strange-like visibility into futures and consequences. Used poorly, it amplifies bias and accelerates the journey toward dystopia.

Integrity as the Differentiator of Futures

Technology does not determine whether we land in Blade Runner or Star Trek.

Integrity does.

This is why GRC is not paperwork — it is the organization’s strategic and moral operating system, what OCEG calls Principled Performance. GRC does not exist to slow the business down. It exists to give the business the capability to move faster safely, to take bigger bets intelligently, and to pursue bold missions responsibly. This is the navigation system of the starship of business.

Risk Is Our Business — And Our Future Depends on How We Treat It

Every organization today sits at the helm of its own starship. The universe ahead is uncertain, volatile, and full of possibility. The business that avoids risk will stagnate and go out of business. The business that takes risk blindly will collide with reality. The business that navigates risk intelligently, ethically, and dynamically will chart a course toward a better future.

By 2030, the GRC leaders — both in technology and in practice — will be those who understand that:

  • GRC is not the handbrake.
  • GRC is the navigation system.
  • And risk is not the enemy; it is the business.

The future we land in — Blade Runner or Star Trek — will be determined not by chance, but by how seriously we take this responsibility today.

Because in the end:

Risk is our business.
That’s what this starship is all about.

And every decision we make over the next five years will determine which universe we build.

Governing the Extended Enterprise: The TPRM Platform I Would Demand

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Governing the Extended Enterprise: The TPRM Platform I Would Demand

Technology does not give you good third-party risk management. Governance does.

I’ve said this before about enterprise risk management, but it applies even more profoundly to what we now call third-party risk management — or, as I prefer, the governance of the extended enterprise. Risk is not the enemy; disconnection is. The organization that cannot see, understand, and govern the relationships that sustain it is already adrift.

The greatest challenge facing organizations today is not internal risk, but the risk that lives in the relationships we depend on. Every business is now an ecosystem: suppliers, outsourcers, intermediaries, distributors, technology partners, data processors, and consultants all working in a web of shared responsibility. In that web, the boundaries of the enterprise have dissolved. The extended enterprise is the enterprise.

The Language Problem: When Taxonomy Fractures Accountability

  • Forrester calls it Third-Party Risk Management (TPRM).
  • Gartner divides it into Supplier Risk Management and Third-Party Risk Management.
  • Spend Matters calls it Supplier Experience Management: Risk Enhanced.

Each of these labels pulls buyers in different directions. Procurement teams interpret it as sourcing automation. Compliance sees it as due diligence and control mapping. Risk management treats it as an extension of operational risk. Analysts then benchmark these fragmented categories as if they were comparable.

Terminology isn’t a semantic issue—it’s strategic. Words define ownership, ownership defines architecture, and architecture defines outcomes. By calling this a risk problem, we’ve built an industry obsessed with controls and checklists.

By redefining it as governance, we expand the scope to purpose, performance, and integrity.

Governance Before Risk

Governance begins with the “why.” Using the OCEG framing of GRC—achieve objectives, address uncertainty, and act with integrity—the same applies to our relationships.

We must:

  • Achieve objectives in relationships (and across relationships).
  • Address uncertainty in relationships (and across relationships).
  • Act with integrity through relationships (and across relationships).

That is the true scope of extended enterprise governance. It is not about scoring vendors or collecting attestations; it is about ensuring that every external relationship advances the mission of the organization safely, responsibly, and effectively.

Too much of what passes for TPRM today is still a compliance ritual: onboarding forms, questionnaires, and reassessments performed at arbitrary intervals. It checks boxes but doesn’t prevent disruption. It doesn’t tell you which suppliers are critical, which are financially unstable, or how a single point of failure might ripple through your operations.

Analyst frameworks treat risk as posture to be measured, not as a system to be managed. They rarely address the operational realities of fraud, duplicate payments, contract leakage, or overbilling, just an example of one domain of issues that quietly drain revenue and expose governance gaps.

What’s missing isn’t technology. It’s strategy and orchestration.

If I Were the Executive Responsible for the Extended Enterprise

If I were the executive responsible for the extended enterprise — or advising one, as I often do — this is the platform I would demand.
It’s not another TPRM checklist tool. It’s an extended enterprise governance platform or we can say third-party GRC platform for the next decade.

1. A Holistic Governance Fabric

Governance is not a module; it’s an ecosystem.

The platform must unify the full lifecycle of supplier relationships — information, performance, risk, and integrity — into one living model.

That means connecting:

  • Supplier information and performance data.
  • Risk and compliance assessments (cyber, ESG, financial, integrity).
  • Contracts and spend data.
  • Fraud, sanctions, and negative news intelligence.
  • Sustainability, ethics, and human rights indicators.

Each relationship should be understood not as a transaction but as a contributor to strategic objectives.

2. Digital Twins of the Extended Enterprise

You can’t govern what you can’t model.

A 2030-ready platform should enable digital twins: living models of your relationships, suppliers, contracts, facilities, and dependencies. These allow organizations to simulate disruption and visualize interdependencies.

Imagine the ability to see, in real time:

  • The ripple effect of a geo-political crisis.
  • Which logistics routes, contracts, and services are disrupted.
  • Which objectives and customers are at risk.
  • What alternate suppliers or mitigations exist.

That is what transforms TPRM from a static audit function into a resilience command center.

3. Agentic AI for Relationship Intelligence

AI should not replace governance: it should amplify it.

We need agentic AI that works alongside human analysts to identify weak signals, automate due diligence, and model scenarios.
The right approach to AI in governance includes:

  • Contextual signal detection and triage.
  • Synthesis of internal and external intelligence feeds.
  • Transparent and explainable recommendations.
  • Human-in-the-loop validation and accountability.

AI must enhance human judgment, not obscure it.

4. Lifecycle-Oriented Design

Risk doesn’t end at onboarding.

The governance platform must orchestrate every stage of the relationship — from initiation to offboarding — with learning loops at every turn.

  • Onboarding: Define purpose, validate integrity, and calibrate controls.
  • Monitoring: Track performance, risk, and compliance continuously.
  • Performance Management: Align objectives, KPIs, and KRIs dynamically.
  • Audit and Assurance: Test, remediate, and learn.
  • Offboarding: Retire relationships cleanly, closing data and access gaps.

As I often note, offboarding remains the most broken and neglected stage of the lifecycle, one that leaves residual risk and exposure long after contracts end.

A true governance platform closes that gap.

5. Integration with the Enterprise Backbone

No system should operate in isolation.

Governance platforms must connect seamlessly with ERP, procurement, finance, cybersecurity, and sustainability systems through open APIs and a shared ontology.

Integration isn’t just about moving data. It’s about:

  • Maintaining a single source of truth for supplier data.
  • Enabling contextual insights across departments.
  • Ensuring that supplier, contract, and risk data are consistent and current.

This is how governance moves from informational to operational.

6. Intelligence Feeds and Continuous Sensing

Risk intelligence is no longer optional.

The platform must ingest and synthesize multiple sources:

  • Financial viability and credit risk.
  • Sanctions, PEPs, and negative media.
  • ESG and sustainability metrics.
  • Cyber, data privacy, and geopolitical risk indicators.

The objective is not to overwhelm teams with data, but to provide foresight; connecting external signals to business impact and enabling faster, smarter decisions.

7. Relationship-Centric Performance and Risk Alignment

Risk divorced from performance is meaningless.

Governance must connect how a relationship performs with how much risk it introduces—or mitigates. Every third party contributes to business outcomes, and those outcomes must be measured in both value created and uncertainty introduced.

Each relationship should have:

  • Defined objectives – what value or outcome the relationship is meant to deliver (e.g., quality targets, delivery timelines, innovation goals, cost savings).
  • Measurable KPIs and KRIs – indicators of performance and risk that move together, not in isolation.
  • Dynamic thresholds and tolerances – where deviations in performance automatically flag emerging risk or opportunity.
  • Connected accountability – linking the business owner, control owner, and payer for each mitigation or performance variance.

When signals change—financial stress increases, delivery quality drops, or ESG performance deteriorates—the platform should automatically:

  • Adjust performance forecasts and resilience scores.
  • Trigger alerts and workflows for review and remediation.
  • Re-prioritize risk treatment plans based on business impact and contractual criticality.

This is objective-centric governance in practice: embedding risk within performance, not beside it. It transforms risk management from a reporting function into a real-time performance discipline that continuously optimizes outcomes across the extended enterprise.

8. Configurable, Scalable, and Extensible Architecture

Every organization’s ecosystem is unique.

The platform must:

  • Support complex relational structures (1:many, many:many).
  • Offer conditional workflows that adapt to proportional risk.
  • Enable drag-and-drop configuration without vendor lock-in.
  • Allow program changes to cascade globally without coding.

Rigid, one-size-fits-all tools can’t handle the complexity of modern ecosystems.

9. Quantification and Value Demonstration

Governance is not a cost center; it’s a performance engine.

A robust platform must quantify:

  • Efficiency gains from automation and process alignment.
  • Risk avoidance from better supplier decisions.
  • Financial recovery from fraud prevention and overpayment detection.
  • Brand protection from integrity and compliance assurance.

The ROI is real—and measurable.

10. A Program, Not a Project

Technology will fail without governance maturity.

A successful extended enterprise program begins with structure and strategy:

  • Charter – Define purpose, scope, and objectives. Get groups to work together.
  • Blueprint – Map roles and responsibilities, functionality, integrations, and dependencies.
  • Roadmap – Stage implementation toward increasing maturity.
  • Maturity – Identify capability gaps and progress milestones.
  • Value – Track and communicate business outcomes.

This framework turns compliance projects into governance programs that endure and evolve.

The Organizational Reality: Silos Kill Governance

Technology alone doesn’t cause fragmentation, organizations do.

Procurement, compliance, finance, IT, and operations often manage different parts of the same ecosystem with conflicting metrics and disconnected tools. Each owns a piece of truth, but no one owns the whole.

The result is predictable:

  • Tools optimized for one function ignore others.
  • Handoffs hide risk and delay response.
  • No unified measure of business impact exists.

single pane of glass is the antidote: one operational view where every stakeholder sees the same intelligence, metrics, and action paths. This is the “bridge of the Enterprise” for the extended enterprise, where governance finally connects the dots.

Metrics That Matter

Legacy metrics (number of questionnaires completed, suppliers onboarded) are meaningless in this new paradigm.

The modern governance program measures what matters:

  • Relationship-adjusted performance and resilience.
  • Time-to-detect and time-to-remediate supplier risk.
  • Concentration and geographic exposure.
  • ESG/sustainability and integrity alignment across tiers.
  • Risk-adjusted return on relationship investment.
  • Lifecycle efficiency and supplier exit hygiene.

These metrics turn governance into a performance discipline—one that measures value protected, not paperwork completed.

By 2030: The Platform the Extended Enterprise Demands

By 2030, every organization will need to govern its extended enterprise with the same intelligence it applies to customer and financial management.

  • CRM connected the front office.
  • ERP connected the back office.
  • Now, extended enterprise governance must connect the outside office: the network where resilience, revenue, and reputation live.

The next generation of platforms will act as the external nervous system of the enterprise, continuously sensing, analyzing, and orchestrating relationships. They will simulate the future, not just audit the past. They will help leaders make faster, more confident, and more ethical decisions.

The Call to Action

If I were the executive responsible for the extended enterprise — or advising one, as I often do — this is the platform I would demand:

  • A system that governs, not just monitors.
  • Intelligence that connects data to decisions.
  • Digital twins that reveal interdependencies.
  • AI that augments judgment, not replaces it.
  • lifecycle that ends with accountability, not neglect.
  • culture that treats relationships as extensions of the business, not externalities.

The extended enterprise is not an appendage: it is the organization itself. It’s where objectives are achieved, where uncertainties unfold, and where integrity is proven. Governance of the extended enterprise is not a compliance exercise. It is the operating system of trust for the modern enterprise.

And by the next decade, it won’t be optional. It will be expected.

The Inevitability of Failure: Building Resilience in a World of Uncertainty

The GRC Pundit BlogPublished onUpdated onLeave a Comment on The Inevitability of Failure: Building Resilience in a World of Uncertainty

I’ll be exploring this theme in depth at Gameday Ready, London – November 7, 9:00 am–1:00 pm GMT and during the Supplier Risk Resolution Workshop – November 10, 1:00 pm–4:00 pm GMT. Both sessions will examine the inevitability of failure as the cornerstone of risk and resilience management across strategy, objectives, and operations.

“Failure is not the opposite of success; it is the landscape through which success must travel.”

Steinbeck’s borrowed line from Robert Burns — “The best laid plans of mice and men often go awry” — captures a truth that every leader must face. Even the most advanced GRC architectures, the most disciplined controls, and the most intelligent systems cannot eliminate risk.

In a world defined by uncertainty, failure is not an anomaly: it is inevitable. The challenge is not to avoid failure, but to design for it: to build the capacity to anticipate, absorb, and adapt when the unpredictable becomes reality.

From Security to Resilience: My Early Encounter with the Inevitability of Failure

In the mid-1990s, my work centered on information security: the frontier of what I now call digital risk and resilience to deliver digital trust. Those were formative years, as the internet connected the world and simultaneously exposed its vulnerabilities.

A paper from the U.S. National Security Agency titled “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments” profoundly shaped my early thinking. It argued that absolute security is an illusion: the growing complexity of computing systems ensures that somewhere, at some time, something will fail.

Over time, I came to see that this principle applies far beyond the digital realm. It’s a universal law: as business expand, operate globally, depend on the extended enterprise, systems grow more interconnected and adaptive, so too does their exposure to uncertainty. The inevitability of failure is not a flaw in our systems: it is a fact of their complexity.

This realization has guided my evolution from cybersecurity to governance, risk management, and compliance (GRC) — from protecting systems to understanding the architecture of risk and resilience management that allows organizations not merely to survive failure, but to learn and grow through it. Even thrive in it!

The Personal Reality of Failure

The inevitability of failure is not an abstract concept for me; it has been a personal journey.

My wife, Mandi, has always embodied health and vitality: active, strong, and without a trace of genetic risk factors or family history. Her diagnosis of breast cancer came as a devastating shock. It shattered assumptions and redefined our understanding of certainty, shaped our perspectives on risk, and watching her this past year my understanding of resilience.

As she now reaches the end of treatment, I’ve been reminded that even when everything appears perfectly aligned — every control, every indicator positive — failure can still strike without warning. Her heart and organs have been weakened from all of the treatment. Despite having no sign of cancer present, it has led to other “operational issues.”

This experience has deepened my belief that organizations must confront uncertainty the same way individuals do: with perspective, humility, adaptability, and resilience. The absence of warning is not the absence of risk.

The Certainty of Failure in a World of Uncertainty

Steinbeck’s borrowed line from Robert Burns — “The best laid plans of mice and men often go awry” — captures a truth that every leader must face. Even the most advanced GRC architectures, the most disciplined controls, and the most intelligent systems cannot eliminate risk.

Failure will always find a way in. The only question is how we will respond when it does.

Modern organizations operate within a perpetual storm of uncertainty:

  • Geopolitical volatility and shifting trade landscapes.
  • Technological dependency creating fragile interconnections.
  • Extended enterprise of complex relationships and dependencies.
  • Regulatory complexity spanning jurisdictions and expectations.
  • Societal and environmental pressures driving accountability and transparency.

In this environment, risk is not a variable to control; it is a condition to navigate. Strategic foresight, objective alignment, and operational preparedness form the triad of resilience: the ability to absorb disruption and emerge stronger.

Strategic Level: The Failure of Foresight

Strategic failure rarely begins with catastrophe; it begins with assumption. It begins when leadership mistakes stability for certainty . . . when confidence blinds foresight.

At the strategic level, organizations often fail because they design for predictability rather than adaptability and resilience:

  • A company doubles down on a single market just before geopolitical tensions erupt.
  • A financial institution assumes interest rates will remain stable, until they don’t.
  • A manufacturer invests in efficiency at the cost of redundancy, eliminating resilience.

These are not poor decisions; they are incomplete decisions. They reveal the danger of treating the future as a linear extension of the past.

Strategic risk and resilience management is the art of living with uncertainty without being paralyzed by it. It demands that boards and executives engage both hemispheres of thinking:

  • The left-brain that structures, measures, and plans.
  • The right-brain that imagines, questions, and re-envisions.

The resilient strategist does not seek control, but coherence amid chaos; constantly testing strategic assumptions through simulation, scenario analysis, and cross-functional dialogue.

Failure at the strategic level is not a single event. It is the erosion of curiosity.

Objective and Performance Level: The Failure of Alignment

Between the boardroom and the front line lies the zone of objectives and performance, where purpose becomes execution. This is where organizations most often fracture: not because of poor intent, but because of poor integration.

Here, failure hides in misalignment:

  • KPIs without KRIs — performance measured in isolation from risk exposure.
  • Objectives detached from purpose — efficiency pursued at the expense of ethics or resilience.
  • Fragmented accountability — where performance, compliance, and risk operate on different timelines and metrics.

The result is a silent drift between what the organization says it values and what it actually measures.

The answer lies in GRC — Governance, Risk Management, and Compliance: a unified model that views objectives not as fixed targets, but as dynamic relationships between ambition and uncertainty. A capability to reliable achieve and perform against objectives (governance), address uncertainty (risk and resilience management), and act with integrity (compliance).

A resilient organization continuously tunes its objectives to environmental signals. It understands that every success metric must be weighed against the volatility that sustains it.

Failure at this level is subtle but dangerous: it is the illusion of progress while risk accumulates beneath the surface.

Operational Level: The Failure of Execution

At the operational level, failure is most visible. It is where systems break, processes stall, and controls falter. Yet even here, the root cause is often not incompetence but complexity.

Operations today are a living network of technologies, suppliers, and people. A disruption in one node can cascade globally.

Examples abound:

  • A single supplier’s disruption halts production for months.
  • A cyber vulnerability, left unpatched, becomes the entry point for a systemic breach.
  • An overly rigid process delays crisis response, because it was built for compliance, not agility.

These are not anomalies: they are the natural symptoms of complex adaptive systems under stress.

Operational resilience requires a shift from control mentality to capability mindset. From preventing every failure to ensuring that when failure occurs, it is absorbed without collapse.

That means embracing continuous testingtabletop exercises, and micro-simulations; where failure is rehearsed, not feared. It means creating digital twins of the organization to simulate cascading risks and test response strategies in real time.

As I explored in Gamification of Risk: The Art of Role-Playing in Micro-Simulations and Digital Twins in a Complex Risk World, organizations must make risk experiential. People learn best not from instruction, but from interaction.

Gamification transforms risk management from a static compliance function into a creative rehearsal of resilience.

Thinking Beyond the Binary: The Right-Brain of Risk and Resilience

Risk management has long been dominated by left-brain logic: quantitative models, frameworks, and matrices. These tools matter, but they capture only half the picture.

The right-brain — intuitive, emotional, imaginative — is equally vital. It is what enables leaders to anticipate patterns that models cannot yet see. It is what fosters empathy, creativity, and the human connection that sustains organizations through disruption.

Resilience emerges from the balance between logic and imagination. It is both an engineering discipline and a human art.

By merging analytics with storytelling, simulations with strategy, and controls with culture, organizations develop not only stronger defenses but also more adaptive identities.

Small Failures, Big Consequences

History reminds us that small oversights often lead to the largest catastrophes:

  • A faulty O-ring destroyed the Challenger.
  • A single line of code triggered a global outage.
  • A missed email escalated into a regulatory crisis.

The resilient organization treats near-misses as data, not as dismissible anomalies. It studies them, learns from them, and adapts . . . building an institutional memory that transforms failure into foresight.

Preparing for the Inevitable

The inevitability of failure is not a curse . . . it is a call to design for risk (uncertainty) and resilience.

Resilience is not about invincibility; it is about recoverability. It is about organizations that fail gracefully, learn continuously, and adapt dynamically.

The most resilient organizations are not those that avoid risk but those that understand it, engage with it, and turn adversity into evolution.

I’ll explore these ideas further at Gameday Ready, London and Supplier Risk Resolution Workshop — diving deeper into how we can build strategic foresightperformance alignment, and operational adaptability in an age when failure is not an exception but a constant companion.

GPRC for Risk, Compliance & Internal Control System

The GRC Pundit BlogPublished onUpdated onLeave a Comment on GPRC for Risk, Compliance & Internal Control System

Orchestrating Integrity, Performance, and Foresight from the Bridge of the Enterprise

The strength of the ship lies not only in its hull or engines, but in how every system — navigation, engineering, and life support — operates in perfect synchronization under a unified command.

In the same way, an enterprise’s strength depends on the orchestration of its systems of governance, risk, compliance, and performance; working not in isolation, but as a synchronized command structure.

The OCEG definition of GRC provides the foundation:

  • GRC is the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

It all begins with objectives. Objectives define the mission of the enterprise—why it exists and what it seeks to achieve. These objectives set the context for risk, which addresses the uncertainty that could impact those objectives, and for compliance, which defines the boundaries of integrity within which those objectives must be pursued.

Governance is therefore not a static function of oversight; it is the continuous process of defining objectives, aligning performance, managing risk, and ensuring integrity.

In the modern organization, this orchestration occurs not through forms, workflows, and siloed modules, but through a dynamic architecture — what I define as GRC 7.0 – GRC Orchestrate: an intelligent, integrated ecosystem built on digital twinsagentic AI, and business-integrated processes that together create a living model of the enterprise . . .

[The rest of this blog can be read on the Corporater blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

READ MORE

Choose Your Own Risk Adventure: From South Africa to a Fortnight in London

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Choose Your Own Risk Adventure: From South Africa to a Fortnight in London

The past several weeks have been a whirlwind of engagement, ideas, and energy — and I wouldn’t have it any other way. Currently, this week is South Africa and continuing the ‘trek’ onward for two action-packed weeks in London, the conversations around governance, risk management, and compliance (GRC) with GRC 7.0 – GRC Orchestrate continue to engage — and I’m thrilled to be part of shaping what’s next.

Choose Your Own Risk Adventure: Now Available to Watch

Captain’s Log, Stardate 2025: The video of my most galactic keynote ever has landed!

I’m excited to announce the release of my keynote “Choose Your Own Risk Adventure”, now available for public viewing from the Riskonnect Konnect 2025 event in Miami two weeks back. I suited up in my Risk Starfleet leather jacket for “Choose Your Own Risk Adventure: Leveraging Risk Management to Navigate the Business and Deliver Value.”

After charting what great risk management looks like across the galaxy at the start of my keynote, I invited four brave volunteers from nearly 500 attendees to join me on stage as the crew of our corporate starship: together we navigated a live risk adventure through the stars.

It was the most fun I’ve ever had on stage!

This keynote takes audiences on a narrative journey through the evolving landscape of risk decision-making. We explore how every organization faces branching paths — moments of choice that define resilience, integrity, and success. It’s an invitation to rethink how we approach uncertainty, linking governance, risk, and compliance back to the story of our organizations: the choices we make, the risks we take, and the lessons we learn along the way.

I encourage everyone to take the time to watch the keynote — it’s one of my most creative explorations yet into how GRC leaders can engage the enterprise through story, strategy, and structure.

Watch it now: Choose Your Own Risk Adventure Keynote

A GRC Week in South Africa

This week’s GRC engagements in South Africa are nothing short of inspiring. I had the privilege of engaging with leaders across industries who are navigating the intersection of governance, ethics, and digital transformation.

Key to this was being the keynote at the GPRC Summit with 300+ registered. I did a Masterclass on Enterprise GRC Management by Design and then did the opening keynote on Advanced GRC Strategies: Shaping Progress and Performance for African Business and Government Organisations.

I summarized my thoughts on this in the article: GRC in an African Context. From Johannesburg, the discussions highlighted how African organizations are rapidly maturing their approaches to enterprise risk and compliance. These conversations reinforced a central truth: no matter where we operate, the need for integrated, agile, and ethical GRC is universal. It has been a week of insight and inspiration — and a reminder of how global the GRC journey truly is. And there are still a few days of meetings with South African Organizations before I continue the journey on to London this weekend . . .

London Calling: November 2–14

Now, it’s time to shift focus northward. From November 2 through November 14, I’ll be based in London for two full weeks of meetings, RFP support, keynotes, workshops, and roundtable dinners — a dense and dynamic stretch that captures the full spectrum of modern GRC dialogue.

If you’re in London during that period, let’s connect. I’m always happy to meet for a coffee, share a pint, or stop by your office for a conversation on GRC strategy, technology, and trends.

All event details are listed on GRC 20/20 Events, but here’s an overview of where you can find me:

Dinner Events

November 11 @ 6:30 pm – 10:00 pm GMT
Resilient Supply Chains – An Executive Roundtable Dinner
Hosted by NAVEX
An exclusive evening for senior compliance, risk, and procurement leaders to discuss evolving European and UK regulations driving greater supply chain transparency, documentation, and resilience.

November 12 @ 6:00 pm – 9:00 pm GMT
Where GRC Conversations Continue: Dinner After #RISK Europe
Hosted by CoreStream GRC
An intimate dinner following Day 1 of #RISK Europe, designed for real conversation and connection among GRC leaders.

November 13 @ 6:00 pm – 9:00 pm GMT
Beyond the #RISK Expo: Corporater Executive GRC Dinner
Hosted by Corporater
A private dinner for executives to exchange ideas and explore what’s next in governance, performance, risk, and compliance.

Workshops

November 6 @ 8:00 am – 4:30 pm GMT
UK Corporate Governance Code by Design
A deep dive into the implications of Provision 29 — the most significant shift in UK risk and control expectations in over a decade.

November 7 @ 9:00 am – 1:00 pm GMT
Gameday Ready
Preparing cyber and resilience teams for compound crises and AI-driven disruptions — because the next severe but plausible event won’t come alone.

November 10 @ 1:00 pm – 4:00 pm GMT
Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain
A practical session on aligning supplier risk oversight with strategic priorities and demonstrating ROI across the third-party ecosystem.

Conferences

November 4 @ 4:00 pm – 8:00 pm GMT
COMPLYConnect | London 2025
A focused gathering exploring the evolving landscape of compliance oversight, culture, and non-financial misconduct.

November 12–13
#RISK Europe 2025, London
The capstone of this London stretch. For the fourth consecutive year, I will serve as keynote speaker, master of ceremonies, and host of the GRC Theatre— where the most meaningful conversations in the risk world happen. Look for me in my “Risk Is Our Business” leather jacket as we bring together 4,000+ professionals from across GRC, Risk, RegTech, Privacy, and Security. This year, #RISK London expands to #RISK Europe, reflecting its growing pan-European influence.

The Road Ahead

From Johannesburg to London, the past and coming weeks remind me that GRC is not a static discipline — it’s a living narrative of choices, consequences, and collaboration.

As we move through this season of global engagement, I look forward to continuing the dialogue — in person, online, and in the boardrooms where strategy meets integrity.

If you’re in London this November, reach out and let’s connect. The best GRC conversations often begin not in sessions, but over shared ideas, shared stories — and occasionally, a shared pint. BTW . . . back in London the week of December 8th, and in Germany the week before that . . .

Gamification of Risk: The Art of Role-Playing in a Complex Risk World

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Gamification of Risk: The Art of Role-Playing in a Complex Risk World

In just a few weeks, I’ll be in London for Gameday Ready — an immersive event designed to test how we think, decide, and adapt when the unexpected unfolds. It’s not a conference in the traditional sense; it’s a rehearsal for reality. A half-day where cyber, risk, and resilience leaders come together to simulate the unthinkable and learn through experience, not theory.

Because the threats that matter most rarely arrive alone.
One opens the door. Another walks through it.

And in an age where artificial intelligence accelerates both opportunity and threat, where misinformation spreads faster than truth, and where interconnected systems amplify every shock — the future won’t be a scenario we’ve seen before.

That’s why we have to practice imagination.

Role-Playing and the Imagination

I’ve long believed that risk management isn not just a science — it is also an art. It’s part logic, part instinct, and part storytelling. It involves both the left-brain and right-brain. And when I think about how we cultivate that artistry, my mind drifts to something unexpected: role-playing games.

Yes, I mean Dungeons & Dragons.

Those late nights around a table — dice scattered, maps drawn, characters imagined — were never about dragons or dungeons (although that provides the fun context). They were about decision-making under uncertainty. About creativity, collaboration, and consequence.

Every player had a role. The strategist, the healer, the diplomat, the skeptic. The group would set out on a campaign with a rough sense of direction, but no one ever truly knew what was ahead. The adventure emerged through interaction — not control, but improvisation. The dungeon master set the stage; the players shaped the story.

It was, in hindsight, a brilliant exercise in risk and resilience management.

Risk Micro-Simulations and Tabletop Exercises

That same spirit now lives in the best micro-simulations and tabletop exercises organizations are using to build foresight. They are, in essence, our modern-day campaigns — the D&D of enterprise risk.

The objective isn’t to pass or fail. It’s to explore. To play through what we don’t yet understand.

When teams gather around a simulation — whether to navigate a cyberattack, an AI-driven misinformation event, or a complex supply chain disruption — something shifts. The conversation becomes alive. The compliance officer sees how operations interprets risk. The CISO hears how communications frames a breach. The CFO learns how culture shapes response.

These are moments when people start thinking differently. They feel the tension, the trade-offs, the human element that no policy can fully capture. They see risk not as an obstacle, but as a space for creativity and discovery.

It’s in these rehearsals — these simulated crises — that people start to find their footing in uncertainty. They experiment. They collaborate. They make mistakes, reflect, and try again.

That’s how resilience is built: not through checklists, but through practice.

Gamification of Risk & Resilience

Gamification adds another layer to this — one that transforms learning from passive to participatory.

When you introduce narrative and consequence, suddenly the exercise becomes real. Teams feel ownership. There’s energy, curiosity, even a little competitive tension. It’s not “compliance training.” It’s an adventure.

Gamified simulations give people permission to explore beyond the expected. To see risk from multiple angles. To test ideas. To understand how the same scenario can feel very different depending on who’s holding the sword — or, in our case, the data, the decision, the communication line to the board.

What makes this powerful is that it unites the analytical and the imaginative. It reminds us that risk management is not just about reducing exposure — it’s about enabling boldness with awareness.

And sometimes, you learn that best by playing through the chaos.

Leveling Up with Digital Twins

Now imagine taking that same spirit — that improvisational creativity — and amplifying it through digital twins.

If micro-simulations are like playing out a scenario around a table, the digital twin is the living world map that surrounds you. It’s the visualization of every decision, dependency, and ripple effect, rendered in real time on the organization, its operations, and its objectives.

Through digital twins, we can simulate entire ecosystems: how a disruption in one part of the enterprise cascades through others. How geopolitical shifts influence logistics. How a cyber breach impacts reputation, operations, and compliance all at once.

It’s the evolution of the game — a campaign where the story isn’t fictional but drawn from live data, and the outcomes are lessons that shape real-world resilience.

Digital twins give us the ability to practice foresight at scale. To see how interconnections behave under pressure. To experiment with “what if” — not as theory, but as a lived digital experience.

It’s the same impulse that drives every good dungeon master: to create a world where imagination and consequence meet.

At its heart, all of this — the simulations, the gamified learning, the digital twins — comes down to one idea: experience before crisis.

We can’t predict the next event, but we can prepare the minds and systems that will face it.

We can teach people not just to respond, but to think differently. To question, to explore, to adapt. We can give them the muscle memory to act with clarity when the moment of uncertainty arrives.

This is what the best risk and resilience programs do — they don’t script outcomes; they cultivate curiosity. They don’t aim to eliminate surprise; they help us meet it intelligently.

And that is the future of GRC in GRC 7.0 — GRC Orchestrate.

Join us in WarGame to GameDay at Gameday Ready, London

That’s why I’m so energized for Gameday Ready, London — because it’s not about passive learning or theoretical frameworks. It’s about participation, story, and shared discovery.

It’s about coming together to play through the future before it happens — to explore how our decisions, instincts, and imagination intersect when the stakes are high.

Because when the next disruption hits, the best-prepared organizations won’t be those with the most controls in place. They’ll be the ones that have already played the game — that have practiced improvisation, collaboration, and foresight.

Resilience, after all, is less about reaction and more about rehearsal.

And in that spirit, every great risk leader is, in their own way, a dungeon master — guiding teams through uncertainty, balancing freedom and structure, and ensuring the story continues no matter what dice the world decides to roll next.