Governing the Extended Enterprise: The TPRM Platform I Would Demand

Technology does not give you good third-party risk management. Governance does.

I’ve said this before about enterprise risk management, but it applies even more profoundly to what we now call third-party risk management — or, as I prefer, the governance of the extended enterprise. Risk is not the enemy; disconnection is. The organization that cannot see, understand, and govern the relationships that sustain it is already adrift.

The greatest challenge facing organizations today is not internal risk, but the risk that lives in the relationships we depend on. Every business is now an ecosystem: suppliers, outsourcers, intermediaries, distributors, technology partners, data processors, and consultants all working in a web of shared responsibility. In that web, the boundaries of the enterprise have dissolved. The extended enterprise is the enterprise.


The Language Problem: When Taxonomy Fractures Accountability

  • Forrester calls it Third-Party Risk Management (TPRM).
  • Gartner divides it into Supplier Risk Management and Third-Party Risk Management.
  • Spend Matters calls it Supplier Experience Management: Risk Enhanced.

Each of these labels pulls buyers in different directions. Procurement teams interpret it as sourcing automation. Compliance sees it as due diligence and control mapping. Risk management treats it as an extension of operational risk. Analysts then benchmark these fragmented categories as if they were comparable.

Terminology isn’t a semantic issue—it’s strategic. Words define ownership, ownership defines architecture, and architecture defines outcomes. By calling this a risk problem, we’ve built an industry obsessed with controls and checklists.

By redefining it as governance, we expand the scope to purpose, performance, and integrity.


Governance Before Risk

Governance begins with the “why.” Using the OCEG framing of GRC—achieve objectives, address uncertainty, and act with integrity—the same applies to our relationships.

We must:

  • Achieve objectives in relationships (and across relationships).
  • Address uncertainty in relationships (and across relationships).
  • Act with integrity through relationships (and across relationships).

That is the true scope of extended enterprise governance. It is not about scoring vendors or collecting attestations; it is about ensuring that every external relationship advances the mission of the organization safely, responsibly, and effectively.

Too much of what passes for TPRM today is still a compliance ritual: onboarding forms, questionnaires, and reassessments performed at arbitrary intervals. It checks boxes but doesn’t prevent disruption. It doesn’t tell you which suppliers are critical, which are financially unstable, or how a single point of failure might ripple through your operations.

Analyst frameworks treat risk as posture to be measured, not as a system to be managed. They rarely address the operational realities of fraud, duplicate payments, contract leakage, or overbilling (to name just one domain of issues that quietly drain revenue and expose governance gaps).

What’s missing isn’t technology. It’s strategy and orchestration.


If I Were the Executive Responsible for the Extended Enterprise

If I were the executive responsible for the extended enterprise — or advising one, as I often do — this is the platform I would demand.
It’s not another TPRM checklist tool. It’s an extended enterprise governance platform, or, put another way, a third-party GRC platform, for the next decade.


1. A Holistic Governance Fabric

Governance is not a module; it’s an ecosystem.

The platform must unify the full lifecycle of supplier relationships — information, performance, risk, and integrity — into one living model.

That means connecting:

  • Supplier information and performance data.
  • Risk and compliance assessments (cyber, ESG, financial, integrity).
  • Contracts and spend data.
  • Fraud, sanctions, and negative news intelligence.
  • Sustainability, ethics, and human rights indicators.

Each relationship should be understood not as a transaction but as a contributor to strategic objectives.


2. Digital Twins of the Extended Enterprise

You can’t govern what you can’t model.

A 2030-ready platform should enable digital twins: living models of your relationships, suppliers, contracts, facilities, and dependencies. These allow organizations to simulate disruption and visualize interdependencies.

Imagine the ability to see, in real time:

  • The ripple effect of a geo-political crisis.
  • Which logistics routes, contracts, and services are disrupted.
  • Which objectives and customers are at risk.
  • What alternate suppliers or mitigations exist.

That is what transforms TPRM from a static audit function into a resilience command center.


3. Agentic AI for Relationship Intelligence

AI should not replace governance: it should amplify it.

We need agentic AI that works alongside human analysts to identify weak signals, automate due diligence, and model scenarios.
The right approach to AI in governance includes:

  • Contextual signal detection and triage.
  • Synthesis of internal and external intelligence feeds.
  • Transparent and explainable recommendations.
  • Human-in-the-loop validation and accountability.

AI must enhance human judgment, not obscure it.


4. Lifecycle-Oriented Design

Risk doesn’t end at onboarding.

The governance platform must orchestrate every stage of the relationship — from initiation to offboarding — with learning loops at every turn.

  • Onboarding: Define purpose, validate integrity, and calibrate controls.
  • Monitoring: Track performance, risk, and compliance continuously.
  • Performance Management: Align objectives, KPIs, and KRIs dynamically.
  • Audit and Assurance: Test, remediate, and learn.
  • Offboarding: Retire relationships cleanly, closing data and access gaps.

As I often note, offboarding remains the most broken and neglected stage of the lifecycle, one that leaves residual risk and exposure long after contracts end.

A true governance platform closes that gap.


5. Integration with the Enterprise Backbone

No system should operate in isolation.

Governance platforms must connect seamlessly with ERP, procurement, finance, cybersecurity, and sustainability systems through open APIs and a shared ontology.

Integration isn’t just about moving data. It’s about:

  • Maintaining a single source of truth for supplier data.
  • Enabling contextual insights across departments.
  • Ensuring that supplier, contract, and risk data are consistent and current.

This is how governance moves from informational to operational.


6. Intelligence Feeds and Continuous Sensing

Risk intelligence is no longer optional.

The platform must ingest and synthesize multiple sources:

  • Financial viability and credit risk.
  • Sanctions, PEPs, and negative media.
  • ESG and sustainability metrics.
  • Cyber, data privacy, and geopolitical risk indicators.

The objective is not to overwhelm teams with data, but to provide foresight by connecting external signals to business impact and enabling faster, smarter decisions.


7. Relationship-Centric Performance and Risk Alignment

Risk divorced from performance is meaningless.

Governance must connect how a relationship performs with how much risk it introduces—or mitigates. Every third party contributes to business outcomes, and those outcomes must be measured in both value created and uncertainty introduced.

Each relationship should have:

  • Defined objectives – what value or outcome the relationship is meant to deliver (e.g., quality targets, delivery timelines, innovation goals, cost savings).
  • Measurable KPIs and KRIs – indicators of performance and risk that move together, not in isolation.
  • Dynamic thresholds and tolerances – where deviations in performance automatically flag emerging risk or opportunity.
  • Connected accountability – linking the business owner, control owner, and payer for each mitigation or performance variance.

When signals change—financial stress increases, delivery quality drops, or ESG performance deteriorates—the platform should automatically:

  • Adjust performance forecasts and resilience scores.
  • Trigger alerts and workflows for review and remediation.
  • Re-prioritize risk treatment plans based on business impact and contractual criticality.

This is objective-centric governance in practice: embedding risk within performance, not beside it. It transforms risk management from a reporting function into a real-time performance discipline that continuously optimizes outcomes across the extended enterprise.


8. Configurable, Scalable, and Extensible Architecture

Every organization’s ecosystem is unique.

The platform must:

  • Support complex relational structures (1:many, many:many).
  • Offer conditional workflows that adapt to proportional risk.
  • Enable drag-and-drop configuration without vendor lock-in.
  • Allow program changes to cascade globally without coding.

Rigid, one-size-fits-all tools can’t handle the complexity of modern ecosystems.


9. Quantification and Value Demonstration

Governance is not a cost center; it’s a performance engine.

A robust platform must quantify:

  • Efficiency gains from automation and process alignment.
  • Risk avoidance from better supplier decisions.
  • Financial recovery from fraud prevention and overpayment detection.
  • Brand protection from integrity and compliance assurance.

The ROI is real—and measurable.


10. A Program, Not a Project

Technology will fail without governance maturity.

A successful extended enterprise program begins with structure and strategy:

  • Charter – Define purpose, scope, and objectives. Get groups to work together.
  • Blueprint – Map roles and responsibilities, functionality, integrations, and dependencies.
  • Roadmap – Stage implementation toward increasing maturity.
  • Maturity – Identify capability gaps and progress milestones.
  • Value – Track and communicate business outcomes.

This framework turns compliance projects into governance programs that endure and evolve.


The Organizational Reality: Silos Kill Governance

Technology alone doesn’t cause fragmentation; organizations do.

Procurement, compliance, finance, IT, and operations often manage different parts of the same ecosystem with conflicting metrics and disconnected tools. Each owns a piece of truth, but no one owns the whole.

The result is predictable:

  • Tools optimized for one function ignore others.
  • Handoffs hide risk and delay response.
  • No unified measure of business impact exists.

A single pane of glass is the antidote: one operational view where every stakeholder sees the same intelligence, metrics, and action paths. This is the “bridge of the Enterprise” for the extended enterprise, where governance finally connects the dots.


Metrics That Matter

Legacy metrics (number of questionnaires completed, suppliers onboarded) are meaningless in this new paradigm.

The modern governance program measures what matters:

  • Relationship-adjusted performance and resilience.
  • Time-to-detect and time-to-remediate supplier risk.
  • Concentration and geographic exposure.
  • ESG/sustainability and integrity alignment across tiers.
  • Risk-adjusted return on relationship investment.
  • Lifecycle efficiency and supplier exit hygiene.

These metrics turn governance into a performance discipline—one that measures value protected, not paperwork completed.


By 2030: The Platform the Extended Enterprise Demands

By 2030, every organization will need to govern its extended enterprise with the same intelligence it applies to customer and financial management.

  • CRM connected the front office.
  • ERP connected the back office.
  • Now, extended enterprise governance must connect the outside office: the network where resilience, revenue, and reputation live.

The next generation of platforms will act as the external nervous system of the enterprise, continuously sensing, analyzing, and orchestrating relationships. They will simulate the future, not just audit the past. They will help leaders make faster, more confident, and more ethical decisions.


The Call to Action

If I were the executive responsible for the extended enterprise — or advising one, as I often do — this is the platform I would demand:

  • A system that governs, not just monitors.
  • Intelligence that connects data to decisions.
  • Digital twins that reveal interdependencies.
  • AI that augments judgment, not replaces it.
  • A lifecycle that ends with accountability, not neglect.
  • A culture that treats relationships as extensions of the business, not externalities.

The extended enterprise is not an appendage: it is the organization itself. It’s where objectives are achieved, where uncertainties unfold, and where integrity is proven. Governance of the extended enterprise is not a compliance exercise. It is the operating system of trust for the modern enterprise.

And by the next decade, it won’t be optional. It will be expected.

The Inevitability of Failure: Building Resilience in a World of Uncertainty

I’ll be exploring this theme in depth at Gameday Ready, London – November 7, 9:00 am–1:00 pm GMT and during the Supplier Risk Resolution Workshop – November 10, 1:00 pm–4:00 pm GMT. Both sessions will examine the inevitability of failure as the cornerstone of risk and resilience management across strategy, objectives, and operations.


“Failure is not the opposite of success; it is the landscape through which success must travel.”

Steinbeck’s borrowed line from Robert Burns — “The best laid plans of mice and men often go awry” — captures a truth that every leader must face. Even the most advanced GRC architectures, the most disciplined controls, and the most intelligent systems cannot eliminate risk.

In a world defined by uncertainty, failure is not an anomaly: it is inevitable. The challenge is not to avoid failure, but to design for it: to build the capacity to anticipate, absorb, and adapt when the unpredictable becomes reality.

From Security to Resilience: My Early Encounter with the Inevitability of Failure

In the mid-1990s, my work centered on information security: the frontier of what I now call digital risk and resilience to deliver digital trust. Those were formative years, as the internet connected the world and simultaneously exposed its vulnerabilities.

A paper from the U.S. National Security Agency titled “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments” profoundly shaped my early thinking. It argued that absolute security is an illusion: the growing complexity of computing systems ensures that somewhere, at some time, something will fail.

Over time, I came to see that this principle applies far beyond the digital realm. It’s a universal law: as businesses expand, operate globally, depend on the extended enterprise, and run systems that grow more interconnected and adaptive, so too does their exposure to uncertainty grow. The inevitability of failure is not a flaw in our systems: it is a fact of their complexity.

This realization has guided my evolution from cybersecurity to governance, risk management, and compliance (GRC) — from protecting systems to understanding the architecture of risk and resilience management that allows organizations not merely to survive failure, but to learn and grow through it. Even thrive in it!


The Personal Reality of Failure

The inevitability of failure is not an abstract concept for me; it has been a personal journey.

My wife, Mandi, has always embodied health and vitality: active, strong, and without a trace of genetic risk factors or family history. Her diagnosis of breast cancer came as a devastating shock. It shattered assumptions, redefined our understanding of certainty, shaped our perspectives on risk, and, watching her this past year, reshaped my understanding of resilience.

As she now reaches the end of treatment, I’ve been reminded that even when everything appears perfectly aligned — every control, every indicator positive — failure can still strike without warning. Her heart and organs have been weakened from all of the treatment. Despite having no sign of cancer present, it has led to other “operational issues.”

This experience has deepened my belief that organizations must confront uncertainty the same way individuals do: with perspective, humility, adaptability, and resilience. The absence of warning is not the absence of risk.


The Certainty of Failure in a World of Uncertainty

Failure will always find a way in. The only question is how we will respond when it does.

Modern organizations operate within a perpetual storm of uncertainty:

  • Geopolitical volatility and shifting trade landscapes.
  • Technological dependency creating fragile interconnections.
  • Extended enterprise of complex relationships and dependencies.
  • Regulatory complexity spanning jurisdictions and expectations.
  • Societal and environmental pressures driving accountability and transparency.

In this environment, risk is not a variable to control; it is a condition to navigate. Strategic foresight, objective alignment, and operational preparedness form the triad of resilience: the ability to absorb disruption and emerge stronger.


Strategic Level: The Failure of Foresight

Strategic failure rarely begins with catastrophe; it begins with assumption. It begins when leadership mistakes stability for certainty . . . when confidence blinds foresight.

At the strategic level, organizations often fail because they design for predictability rather than adaptability and resilience:

  • A company doubles down on a single market just before geopolitical tensions erupt.
  • A financial institution assumes interest rates will remain stable, until they don’t.
  • A manufacturer invests in efficiency at the cost of redundancy, eliminating resilience.

These are not poor decisions; they are incomplete decisions. They reveal the danger of treating the future as a linear extension of the past.

Strategic risk and resilience management is the art of living with uncertainty without being paralyzed by it. It demands that boards and executives engage both hemispheres of thinking:

  • The left-brain that structures, measures, and plans.
  • The right-brain that imagines, questions, and re-envisions.

The resilient strategist does not seek control, but coherence amid chaos; constantly testing strategic assumptions through simulation, scenario analysis, and cross-functional dialogue.

Failure at the strategic level is not a single event. It is the erosion of curiosity.


Objective and Performance Level: The Failure of Alignment

Between the boardroom and the front line lies the zone of objectives and performance, where purpose becomes execution. This is where organizations most often fracture: not because of poor intent, but because of poor integration.

Here, failure hides in misalignment:

  • KPIs without KRIs — performance measured in isolation from risk exposure.
  • Objectives detached from purpose — efficiency pursued at the expense of ethics or resilience.
  • Fragmented accountability — where performance, compliance, and risk operate on different timelines and metrics.

The result is a silent drift between what the organization says it values and what it actually measures.

The answer lies in GRC — Governance, Risk Management, and Compliance: a unified model that views objectives not as fixed targets, but as dynamic relationships between ambition and uncertainty. It is the capability to reliably achieve and perform against objectives (governance), address uncertainty (risk and resilience management), and act with integrity (compliance).

A resilient organization continuously tunes its objectives to environmental signals. It understands that every success metric must be weighed against the volatility that sustains it.

Failure at this level is subtle but dangerous: it is the illusion of progress while risk accumulates beneath the surface.


Operational Level: The Failure of Execution

At the operational level, failure is most visible. It is where systems break, processes stall, and controls falter. Yet even here, the root cause is often not incompetence but complexity.

Operations today are a living network of technologies, suppliers, and people. A disruption in one node can cascade globally.

Examples abound:

  • A single supplier’s disruption halts production for months.
  • A cyber vulnerability, left unpatched, becomes the entry point for a systemic breach.
  • An overly rigid process delays crisis response, because it was built for compliance, not agility.

These are not anomalies: they are the natural symptoms of complex adaptive systems under stress.

Operational resilience requires a shift from control mentality to capability mindset. From preventing every failure to ensuring that when failure occurs, it is absorbed without collapse.

That means embracing continuous testing, tabletop exercises, and micro-simulations, where failure is rehearsed, not feared. It means creating digital twins of the organization to simulate cascading risks and test response strategies in real time.

As I explored in Gamification of Risk: The Art of Role-Playing in Micro-Simulations and Digital Twins in a Complex Risk World, organizations must make risk experiential. People learn best not from instruction, but from interaction.

Gamification transforms risk management from a static compliance function into a creative rehearsal of resilience.


Thinking Beyond the Binary: The Right-Brain of Risk and Resilience

Risk management has long been dominated by left-brain logic: quantitative models, frameworks, and matrices. These tools matter, but they capture only half the picture.

The right-brain — intuitive, emotional, imaginative — is equally vital. It is what enables leaders to anticipate patterns that models cannot yet see. It is what fosters empathy, creativity, and the human connection that sustains organizations through disruption.

Resilience emerges from the balance between logic and imagination. It is both an engineering discipline and a human art.

By merging analytics with storytelling, simulations with strategy, and controls with culture, organizations develop not only stronger defenses but also more adaptive identities.


Small Failures, Big Consequences

History reminds us that small oversights often lead to the largest catastrophes:

  • A faulty O-ring destroyed the Challenger.
  • A single line of code triggered a global outage.
  • A missed email escalated into a regulatory crisis.

The resilient organization treats near-misses as data, not as dismissible anomalies. It studies them, learns from them, and adapts . . . building an institutional memory that transforms failure into foresight.


Preparing for the Inevitable

The inevitability of failure is not a curse . . . it is a call to design for risk (uncertainty) and resilience.

Resilience is not about invincibility; it is about recoverability. It is about organizations that fail gracefully, learn continuously, and adapt dynamically.

The most resilient organizations are not those that avoid risk but those that understand it, engage with it, and turn adversity into evolution.

I’ll explore these ideas further at Gameday Ready, London and Supplier Risk Resolution Workshop — diving deeper into how we can build strategic foresight, performance alignment, and operational adaptability in an age when failure is not an exception but a constant companion.

GPRC for Risk, Compliance & Internal Control System

Orchestrating Integrity, Performance, and Foresight from the Bridge of the Enterprise

The strength of the ship lies not only in its hull or engines, but in how every system — navigation, engineering, and life support — operates in perfect synchronization under a unified command.

In the same way, an enterprise’s strength depends on the orchestration of its systems of governance, risk, compliance, and performance; working not in isolation, but as a synchronized command structure.

The OCEG definition of GRC provides the foundation:

  • GRC is the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

It all begins with objectives. Objectives define the mission of the enterprise—why it exists and what it seeks to achieve. These objectives set the context for risk, which addresses the uncertainty that could impact those objectives, and for compliance, which defines the boundaries of integrity within which those objectives must be pursued.

Governance is therefore not a static function of oversight; it is the continuous process of defining objectives, aligning performance, managing risk, and ensuring integrity.

In the modern organization, this orchestration occurs not through forms, workflows, and siloed modules, but through a dynamic architecture — what I define as GRC 7.0 – GRC Orchestrate: an intelligent, integrated ecosystem built on digital twins, agentic AI, and business-integrated processes that together create a living model of the enterprise . . .

[The rest of this blog can be read on the Corporater blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Choose Your Own Risk Adventure: From South Africa to a Fortnight in London

The past several weeks have been a whirlwind of engagement, ideas, and energy — and I wouldn’t have it any other way. This week I’m in South Africa, and as I continue the ‘trek’ onward for two action-packed weeks in London, the conversations around governance, risk management, and compliance (GRC) with GRC 7.0 – GRC Orchestrate continue to engage — and I’m thrilled to be part of shaping what’s next.

Choose Your Own Risk Adventure: Now Available to Watch

Captain’s Log, Stardate 2025: The video of my most galactic keynote ever has landed!

I’m excited to announce the release of my keynote “Choose Your Own Risk Adventure”, now available for public viewing from the Riskonnect Konnect 2025 event in Miami two weeks back. I suited up in my Risk Starfleet leather jacket for “Choose Your Own Risk Adventure: Leveraging Risk Management to Navigate the Business and Deliver Value.”

After charting what great risk management looks like across the galaxy at the start of my keynote, I invited four brave volunteers from nearly 500 attendees to join me on stage as the crew of our corporate starship: together we navigated a live risk adventure through the stars.

It was the most fun I’ve ever had on stage!

This keynote takes audiences on a narrative journey through the evolving landscape of risk decision-making. We explore how every organization faces branching paths — moments of choice that define resilience, integrity, and success. It’s an invitation to rethink how we approach uncertainty, linking governance, risk, and compliance back to the story of our organizations: the choices we make, the risks we take, and the lessons we learn along the way.

I encourage everyone to take the time to watch the keynote — it’s one of my most creative explorations yet into how GRC leaders can engage the enterprise through story, strategy, and structure.

Watch it now: Choose Your Own Risk Adventure Keynote


A GRC Week in South Africa

This week’s GRC engagements in South Africa are nothing short of inspiring. I had the privilege of engaging with leaders across industries who are navigating the intersection of governance, ethics, and digital transformation.

Key to this was being the keynote at the GPRC Summit with 300+ registered. I did a Masterclass on Enterprise GRC Management by Design and then did the opening keynote on Advanced GRC Strategies: Shaping Progress and Performance for African Business and Government Organisations.

I summarized my thoughts on this in the article: GRC in an African Context. From Johannesburg, the discussions highlighted how African organizations are rapidly maturing their approaches to enterprise risk and compliance. These conversations reinforced a central truth: no matter where we operate, the need for integrated, agile, and ethical GRC is universal. It has been a week of insight and inspiration — and a reminder of how global the GRC journey truly is. And there are still a few days of meetings with South African Organizations before I continue the journey on to London this weekend . . .


London Calling: November 2–14

Now, it’s time to shift focus northward. From November 2 through November 14, I’ll be based in London for two full weeks of meetings, RFP support, keynotes, workshops, and roundtable dinners — a dense and dynamic stretch that captures the full spectrum of modern GRC dialogue.

If you’re in London during that period, let’s connect. I’m always happy to meet for a coffee, share a pint, or stop by your office for a conversation on GRC strategy, technology, and trends.

All event details are listed on GRC 20/20 Events, but here’s an overview of where you can find me:

Dinner Events

November 11 @ 6:30 pm – 10:00 pm GMT
Resilient Supply Chains – An Executive Roundtable Dinner
Hosted by NAVEX
An exclusive evening for senior compliance, risk, and procurement leaders to discuss evolving European and UK regulations driving greater supply chain transparency, documentation, and resilience.

November 12 @ 6:00 pm – 9:00 pm GMT
Where GRC Conversations Continue: Dinner After #RISK Europe
Hosted by CoreStream GRC
An intimate dinner following Day 1 of #RISK Europe, designed for real conversation and connection among GRC leaders.

November 13 @ 6:00 pm – 9:00 pm GMT
Beyond the #RISK Expo: Corporater Executive GRC Dinner
Hosted by Corporater
A private dinner for executives to exchange ideas and explore what’s next in governance, performance, risk, and compliance.


Workshops

November 6 @ 8:00 am – 4:30 pm GMT
UK Corporate Governance Code by Design
A deep dive into the implications of Provision 29 — the most significant shift in UK risk and control expectations in over a decade.

November 7 @ 9:00 am – 1:00 pm GMT
Gameday Ready
Preparing cyber and resilience teams for compound crises and AI-driven disruptions — because the next severe but plausible event won’t come alone.

November 10 @ 1:00 pm – 4:00 pm GMT
Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain
A practical session on aligning supplier risk oversight with strategic priorities and demonstrating ROI across the third-party ecosystem.


Conferences

November 4 @ 4:00 pm – 8:00 pm GMT
COMPLYConnect | London 2025
A focused gathering exploring the evolving landscape of compliance oversight, culture, and non-financial misconduct.

November 12–13
#RISK Europe 2025, London
The capstone of this London stretch. For the fourth consecutive year, I will serve as keynote speaker, master of ceremonies, and host of the GRC Theatre, where the most meaningful conversations in the risk world happen. Look for me in my “Risk Is Our Business” leather jacket as we bring together 4,000+ professionals from across GRC, Risk, RegTech, Privacy, and Security. This year, #RISK London expands to #RISK Europe, reflecting its growing pan-European influence.


The Road Ahead

From Johannesburg to London, the past and coming weeks remind me that GRC is not a static discipline — it’s a living narrative of choices, consequences, and collaboration.

As we move through this season of global engagement, I look forward to continuing the dialogue — in person, online, and in the boardrooms where strategy meets integrity.

If you’re in London this November, reach out and let’s connect. The best GRC conversations often begin not in sessions, but over shared ideas, shared stories — and occasionally, a shared pint. BTW . . . back in London the week of December 8th, and in Germany the week before that . . .

Gamification of Risk: The Art of Role-Playing in a Complex Risk World

In just a few weeks, I’ll be in London for Gameday Ready — an immersive event designed to test how we think, decide, and adapt when the unexpected unfolds. It’s not a conference in the traditional sense; it’s a rehearsal for reality. A half-day where cyber, risk, and resilience leaders come together to simulate the unthinkable and learn through experience, not theory.

Because the threats that matter most rarely arrive alone.
One opens the door. Another walks through it.

And in an age where artificial intelligence accelerates both opportunity and threat, where misinformation spreads faster than truth, and where interconnected systems amplify every shock — the future won’t be a scenario we’ve seen before.

That’s why we have to practice imagination.

Role-Playing and the Imagination

I’ve long believed that risk management is not just a science — it is also an art. It’s part logic, part instinct, and part storytelling. It involves both the left brain and the right brain. And when I think about how we cultivate that artistry, my mind drifts to something unexpected: role-playing games.

Yes, I mean Dungeons & Dragons.

Those late nights around a table — dice scattered, maps drawn, characters imagined — were never about dragons or dungeons (although that provides the fun context). They were about decision-making under uncertainty. About creativity, collaboration, and consequence.

Every player had a role. The strategist, the healer, the diplomat, the skeptic. The group would set out on a campaign with a rough sense of direction, but no one ever truly knew what was ahead. The adventure emerged through interaction — not control, but improvisation. The dungeon master set the stage; the players shaped the story.

It was, in hindsight, a brilliant exercise in risk and resilience management.

Risk Micro-Simulations and Tabletop Exercises

That same spirit now lives in the best micro-simulations and tabletop exercises organizations are using to build foresight. They are, in essence, our modern-day campaigns — the D&D of enterprise risk.

The objective isn’t to pass or fail. It’s to explore. To play through what we don’t yet understand.

When teams gather around a simulation — whether to navigate a cyberattack, an AI-driven misinformation event, or a complex supply chain disruption — something shifts. The conversation becomes alive. The compliance officer sees how operations interprets risk. The CISO hears how communications frames a breach. The CFO learns how culture shapes response.

These are moments when people start thinking differently. They feel the tension, the trade-offs, the human element that no policy can fully capture. They see risk not as an obstacle, but as a space for creativity and discovery.

It’s in these rehearsals — these simulated crises — that people start to find their footing in uncertainty. They experiment. They collaborate. They make mistakes, reflect, and try again.

That’s how resilience is built: not through checklists, but through practice.

Gamification of Risk & Resilience

Gamification adds another layer to this — one that transforms learning from passive to participatory.

When you introduce narrative and consequence, suddenly the exercise becomes real. Teams feel ownership. There’s energy, curiosity, even a little competitive tension. It’s not “compliance training.” It’s an adventure.

Gamified simulations give people permission to explore beyond the expected. To see risk from multiple angles. To test ideas. To understand how the same scenario can feel very different depending on who’s holding the sword — or, in our case, the data, the decision, the communication line to the board.

What makes this powerful is that it unites the analytical and the imaginative. It reminds us that risk management is not just about reducing exposure — it’s about enabling boldness with awareness.

And sometimes, you learn that best by playing through the chaos.

Leveling Up with Digital Twins

Now imagine taking that same spirit — that improvisational creativity — and amplifying it through digital twins.

If micro-simulations are like playing out a scenario around a table, the digital twin is the living world map that surrounds you. It’s the visualization of every decision, dependency, and ripple effect, rendered in real time on the organization, its operations, and its objectives.

Through digital twins, we can simulate entire ecosystems: how a disruption in one part of the enterprise cascades through others. How geopolitical shifts influence logistics. How a cyber breach impacts reputation, operations, and compliance all at once.

It’s the evolution of the game — a campaign where the story isn’t fictional but drawn from live data, and the outcomes are lessons that shape real-world resilience.

Digital twins give us the ability to practice foresight at scale. To see how interconnections behave under pressure. To experiment with “what if” — not as theory, but as a lived digital experience.

It’s the same impulse that drives every good dungeon master: to create a world where imagination and consequence meet.

At its heart, all of this — the simulations, the gamified learning, the digital twins — comes down to one idea: experience before crisis.

We can’t predict the next event, but we can prepare the minds and systems that will face it.

We can teach people not just to respond, but to think differently. To question, to explore, to adapt. We can give them the muscle memory to act with clarity when the moment of uncertainty arrives.

This is what the best risk and resilience programs do — they don’t script outcomes; they cultivate curiosity. They don’t aim to eliminate surprise; they help us meet it intelligently.

And that is the future of GRC in GRC 7.0 — GRC Orchestrate.

Join us in WarGame to GameDay at Gameday Ready, London

That’s why I’m so energized for Gameday Ready, London — because it’s not about passive learning or theoretical frameworks. It’s about participation, story, and shared discovery.

It’s about coming together to play through the future before it happens — to explore how our decisions, instincts, and imagination intersect when the stakes are high.

Because when the next disruption hits, the best-prepared organizations won’t be those with the most controls in place. They’ll be the ones that have already played the game — that have practiced improvisation, collaboration, and foresight.

Resilience, after all, is less about reaction and more about rehearsal.

And in that spirit, every great risk leader is, in their own way, a dungeon master — guiding teams through uncertainty, balancing freedom and structure, and ensuring the story continues no matter what dice the world decides to roll next.

GPRC for Operational Resilience: Navigating NIS2 and EU CER: The Expanding Mission of Resilience

Shields up! Red alert!

On the bridge of the Enterprise, when an unknown anomaly threatens the ship, the crew does not panic — they orchestrate. Helm adjusts course, engineering reroutes power, science runs scans, and command makes decisions with the best available intelligence. Survival depends on coordination.

This spirit of orchestration is exactly what organizations must embrace when approaching operational resilience in today’s environment of relentless disruption. It is also why GPRC — governance, performance, risk, and compliance — provides the essential framework for resilience. GPRC ensures that governance defines clear objectives, performance measures continuity, risk anticipates uncertainty, and compliance assures alignment to obligations. Together, these elements enable resilience to be embedded in the very fabric of the enterprise.

The regulatory landscape has raised the stakes. The EU NIS2 Directive and the EU Critical Entities Resilience (CER) Directive expand the mission of resilience far beyond financial services. While DORA concentrated on ICT and financial firms, NIS2 and CER extend the focus to critical infrastructure, digital service providers, and essential services across Europe.

The demand is simple yet profound: organizations must show that their operations — and by extension, the societies that depend on them — can withstand disruption from cyberattacks, outages, supply chain failures, and geopolitical shocks . . .

[The rest of this blog can be read on the Corporater blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

CAPTAIN’S LOG: Choose Your Own Risk Adventure

When I stepped onto the keynote stage in Miami at Riskonnect Konnect 2025, it felt less like a ballroom and more like a bridge. The room hummed the way a starship does before a jump to warp: alive with expectation, crewed by leaders who navigate complex systems every day. I introduced the mission simply: we would not talk about risk management; we would do risk management — together — through a Choose Your Own Adventure simulation where every decision would change the story. Because that is how it works in real life. You do not get the luxury of a single timeline. You choose, you commit, you face the branches.

I framed the session the way I frame my podcast: risk is not the enemy, it is the mission. Too many organizations still steer using the rearview mirror: audit findings, stale registers, and red–yellow–green heatmaps that tell us where we have been, not where we are going. Real navigation requires foresight — connecting internal telemetry to external signals, aligning decisions to objectives, and operating with integrity even when the turbulence hits.

To make that point tangible, I called four “Trekkies” from the audience to the bridge and gave them their roles. Costumes included (Vulcan ears for the Science Officer — irresistible).

  • Captain (CEO): Bob Bowman, Chief Risk Officer & Chief Ethics and Compliance Officer, The Wendy’s Company
  • Science Officer (Risk): Drew Stipe, Director, Professional Services, Riskonnect, Inc.
  • Security Officer (Compliance): Fritz Hess, Chief Technology Officer, Riskonnect, Inc.
  • Engineering/Ops (IT): Janet Dold, Corporate Data System Analyst, Fairview Health Services

They did not know what was coming. That was the point. We rarely do.


The Mission Begins: Expansion into Country Zed

Our board — yours and mine, in the simulation — had approved outsourcing expansion into a promising new market. The question was not “Is there risk?” The question was “Which risk will we choose to own?” The Captain set tone and objective. The Science Officer surfaced geopolitical stability and corruption indices. Security mapped regulatory exposure and ethical tripwires. Engineering checked capacity, resilience, and digital trust. The audience voted on pace: fast, phased, or delay for more assurance.

The vote split, as it often does in real committees. Speed has a cost. Caution has a cost. Not deciding is also a decision. That was Lesson One: every path trades one risk profile for another.

  • Strategic choice framing helps: objective, appetite, threshold, constraint.
  • Forward telemetry beats backward reporting: what could happen next, not only what did.
  • Shared language reduces friction: scenario, exposure, control, consequence.

First Shockwave: A Modern Slavery Exposure

Two months into expansion, the first shock hit: an exposé tied our outsourcer to modern slavery. Phones lit up. Investors wanted reassurance. Regulators wanted answers. Internal teams wanted a plan. The Captain weighed options, the Science Officer modeled impacts, Security reviewed legal obligations and values, Engineering tested whether we could re-platform quickly.

The dilemma was not academic, and the audience felt it. Cut ties immediately and absorb sunk cost? Audit and remediate with transparency and risk the optics? Pause for certainty and risk reputational collapse? The room leaned toward “act with integrity and rebuild” — not because it was easy, but because it aligned with purpose and preserved long-term value.

  • Integrity is a control — not just a slogan — and protects license to operate.
  • ESG is operational when it drives supplier governance, not just disclosure.
  • Remediation readiness (playbooks, partners, KPIs) determines whether “fix” is credible.

Second Shockwave: An Activist Ransomware Strike

Then the second shock wave: a coordinated ransomware attack by an activist group demanding we sever ties or suffer a data breach. This is how risks really behave — they cluster. A social/ethical exposure becomes cyber becomes operational becomes financial. The bridge got very quiet. The Captain asked for probabilities of recovery and time-to-restore. The Science Officer calculated; Security confirmed disclosure triggers; Engineering reported containment limits. We debated whether to pay, stall, or resist.

No option was clean. Paying invited recidivism. Resisting meant downtime and headlines. Negotiating bought time but not certainty. The audience discussed cyber insurance posture, segmentation, and tabletop preparedness as if we were actually under fire — again, the point. Exercises beat memos.

  • Interconnected risk is the rule: one event, many domains.
  • Preparedness is evidence: segmented backups, crown-jewel mapping, breach comms, insurance terms.
  • Transparency beats silence: timely, fact-based updates build trust even in failure.

The Final Fork: Retreat, Rebuild, or Pivot

With regulators, media, and investors watching, we faced the last branch: pull out of Country Zed entirely; stay and rebuild with strict governance and transparency; or pivot to a new region with stronger controls but strained resources. The vote settled on stay and rebuild — a choice that accepts pain now to build competence later. It is also where real programs separate themselves: rebuilding is not a press release; it is architecture and muscle.

  • Rebuild playbook: supplier offboarding/onboarding rigor, continuous control monitoring, third-party assurance, board-level oversight.
  • Metrics that matter: mean-time-to-detect, mean-time-to-remediate, % critical suppliers with independent assurance, loss exceedance curves.
  • Culture signals: leaders who front the issue, incentives that reward reporting, consequences that are consistent.

Debrief: What the Adventure Proved

When the applause faded and the crew returned to their seats, we closed the loop. The adventure worked not because it was theatrical but because it was familiar. Everyone in the room had lived some version of it. The difference between “we survived” and “we created durable value” is usually not a single hero; it is orchestration.

Here is what the simulation made concrete:

  • Risk is in the decision, not just the register. Strategic choices (market entry, M&A, products) need the same discipline we bring to operational risks: scenarios, distributions, and thresholds — not just traffic lights.
  • Objectives are the north star. ISO 31000’s definition — risk is the effect of uncertainty on objectives — forces clarity: what are we actually trying to achieve, what will we accept, and what will we never trade away?
  • Compliance and risk are complementary, not hierarchical. Risk analysis is neutral; compliance draws the boundary lines of law and ethics. Collaboration with segregation of duties keeps the ship on course.
  • Quant beats color. Move from heatmaps to histograms; from likelihood × impact guesswork to loss exceedance curves, control efficacy, and ROI of mitigation.
  • Resilience is the business case. After the last five years, no process owner wants “more risk.” Every one of them wants less surprise and faster recovery.

Practical Tools You Can Lift Tomorrow

Because a keynote should leave you with handles, not just headlines:

  • Decision pre-briefs for big bets: objective → scenarios → exposures → controls → “tripwires” (KRIs) → go/hold criteria.
  • Third-party lifecycle discipline: intake, due diligence depth by criticality, continuous monitoring, and a real offboarding playbook.
  • Cyber tabletop with ethics overlay: run the technical drill and the disclosure and integrity decisions side by side.
  • Risk rhythm with the business: quarterly sessions with each function on their objectives and the risks to those objectives; build dashboards they actually use.
  • Story + stats: pair Monte Carlo or Bayesian outputs with a bow-tie narrative; the board funds what it understands.

Why the Starfleet Motif Works

Star Trek gives us a clean frame: a mission, a crew, a code, a universe that will test us. It keeps us honest about trade-offs, because space is indifferent to our intentions. It also keeps us optimistic: the point is not to avoid the unknown, but to reach it well — with clarity of objectives, disciplined curiosity, and integrity.

That is why we played Choose Your Own Adventure on stage. Not as theater, but as a mirror. In your organization, the pages you will turn next month are already numbered. The only question is who will decide, how they will decide, and what data, ethics, and controls will sit beside them when they do.

Risk is not the handbrake. It is the navigation system.

Set objectives. Tune your sensors. Orchestrate your crew.

Engage. 

If I Were a CRO: The Risk Platform I Would Demand (Through the Lens of an Analyst)

Technology does not give you good risk management. Strategy does.

Risk is everywhere—and that’s not a problem. As I say on the Risk Is Our Business podcast: the organization that is not taking risk is already out of business. The job is not to eliminate risk; it’s to take the right risks, at the right time, with eyes wide open.

Yet too much of what passes for “risk management” is a compliance exercise. In the United States in particular, risk has been conflated with Sarbanes‑Oxley controls. Sufficient? Absolutely not. Managing issues and losses after the fact is like driving with your eyes glued to the rearview mirror. You might learn from what you hit, but you won’t avoid the next one.

In my workshops, one of the best summaries I’ve heard is: risk management’s role is to ensure there are no surprises in achieving objectives. I agree—and I’d go further. Risk management is about making better decisions. Not just reporting on whether prior decisions met their objectives.

On the podcast, we’ve explored this repeatedly—from Renee Murphy on the slipperiness of reputational risk and the poverty of metrics beyond financials, to guests who challenge the orthodoxy of defensive risk. Tony argued we should be risk seekers—strategically, not recklessly. I’m with him. The modern risk leader is less a “risk cop” and more a risk strategist and facilitator who enables the business to take calculated risk in pursuit of value. EY’s recent work on the risk strategist echoes this pivot.

So if I were the Chief Risk Officer—or advising one as I do daily—what would I require from a risk management platform? Below is my buyer’s manifesto, grounded in GRC 7.0 – GRC Orchestrate, infused with hard‑won lessons from client engagements and conversations on Risk Is Our Business.


TL;DR — The Non‑Negotiables

  1. Model the business (strategy, objectives, value streams, processes, services, assets).
  2. Performance & Objective Management comes first; risks live in that context.
  3. Strategic Risk & Resilience (Decisions): risk as a strategy shaper.
  4. Objective‑Centric ERM: performance‑aligned, proactive, integrated.
  5. Operational Risk & Resilience: day‑to‑day reliability that enables strategy.
  6. Risk Analysis, Aggregation & Visualization — distributions, not heat maps.
  7. Risk Quantification that actually works (credible math, tested models).
  8. Rich Visualization, incl. bow‑tie, event/fault trees, loss exceedance.
  9. Digital Twins of the enterprise and extended enterprise.
  10. Scenario Modeling & Simulation: war‑games, tabletops, stress tests.
  11. Collaboration & Accountability: owner, control owner, payer of risk.
  12. Insurance & Risk Transfer integrated with quantification.
  13. Risk Intelligence: external/internal signals feeding foresight.
  14. Integration with ERP/OPS/Cyber/TPRM/H&S/etc. via a data fabric & ontology.
  15. Artificial Intelligence: explainable, governed, and agentic as it matures.

First Principles: Strategy → Frameworks → Process → Then Technology

GRC 7.0 – GRC Orchestrate starts with the operating model, not the tool. The sequence matters:

  1. Strategy & Governance. Clarify the mission, risk culture, decision rights, and the roles/responsibilities across business and risk functions. Risk belongs on the bridge, not in the boiler room.
  2. Frameworks. Anchor in standards that emphasize objectives and uncertainty.
  3. Processes. Define how sensing, analyzing, deciding, acting, and learning flow across the lines of the business.
  4. Technology. Choose a platform that enables and orchestrates the above—not one that forces your organization to color inside its heat‑map lines.

If the platform can’t model how your business creates value and how decisions propagate through that model, it can’t help you manage risk — only inventory it, and such inventories are most often out of date and of little value.


What I Would Demand From the Platform (and How I Would Test It)

1) Model the Business (Strategy → Value Streams → Processes → Assets → Obligations)

  • Why it matters. Risk doesn’t float in the ether; it attaches to objectives, processes, services, products, vendors, locations, technology, and people.
  • What good looks like. A native business architecture: objectives and KPIs/KRIs; value streams and processes (with owners); services; assets; third‑parties; and obligations mapped to each. A graph/ontology under the hood to keep relationships first‑class.
  • Red flags to avoid. A flat risk register with custom fields pretending to be a model.
  • Ask vendors. Show me a graph of how a change in a supplier’s risk posture propagates to service performance and strategic objectives in real time.

2) Performance & Objective Management (Context Before Risk)

  • Why it matters. Objectives provide the frame for uncertainty. Starting with risk is starting in the middle, like putting the cart before the horse. This dovetails into #4 below.
  • What good looks like. First‑class objectives with measurable KPIs, tolerance bands, and explicit linkage to risk, controls, scenarios, and initiatives. Ability to do objective‑level risk appetite and track risk‑adjusted performance.
  • Red flags to avoid. “We support objectives”—but only as a picklist on a risk form.
  • Ask vendors. Create a new strategic objective live. Link three KRIs, two initiatives, and a scenario. Now show me the risk‑adjusted forecast for that objective.

3) Strategic Risk & Resilience (Decisions)

  • Why it matters. Risk doesn’t only protect strategy; it shapes it.
  • What good looks like. A decision intelligence layer: option analysis, assumptions management, stress testing, and strategy simulations. Ability to quantify upside risk and optionality. Governance for how strategic decisions are logged, evidenced, and reviewed.
  • Podcast tie‑in. We often highlight how boards fixate on downside while ignoring the risk of missed upside. “Risk seeking” (hat tip, Tony) lives here.
  • Ask vendors. Demonstrate how the platform compares strategic options (build/buy/partner) using scenarios, quantification, and sensitivity analysis.

4) Objective‑Centric ERM

  • Why it matters. ERM must be performance‑aligned, not control‑centric.
  • What good looks like. Risks owned where work happens; KRIs/KPIs joined at the hip; near‑misses and weak signals captured and learned from; thematic risk aggregation that rolls from objective to objective, not from forms to forms.
  • Red flags to avoid. Quarterly risk reviews that never change the plan.
  • Ask vendors. Show me how a deteriorating KRI automatically triggers re‑forecasting of the objective and proposes mitigations with owners and funding.

5) Operational Risk & Resilience (ORM)

  • Why it matters. Strategy rides on the rails of operations.
  • What good looks like. Process‑level risks, controls, and impact tolerance mapped to important business services; automated controls & evidence where feasible; incident/near‑miss capture; playbooks tied to scenarios; resilience tests with learning loops.
  • Ask vendors. Run a tabletop on a payment outage. Show me the stress on impact tolerances, customer outcomes, and the handoff to issue/cause/corrective action management.

6) Risk Analysis, Aggregation & Visualization (Distributions, Not Dots)

  • Why it matters. Risk is not a color. Risk is a distribution over outcomes.
  • What good looks like. Histograms, cumulative loss curves, tornado/sensitivity charts; correlation/aggregation that is explicit and explainable; ability to roll up by structure (org) and function (themes) without double counting.
  • Red flags. A heat map as the main screen. Even worse, a stop light.
  • Ask vendors. Quantify a scenario, show the distribution, and explain aggregation assumptions. Change an assumption; show sensitivity in real time.

7) Risk Quantification (Credible Math)

  • Why it matters. Decisions require scale and trade‑offs.
  • What good looks like. Transparent models (e.g., Monte Carlo where appropriate), parameter estimation from internal/external data plus expert judgment with credibility weighting; support for heavy tails; scenario libraries with calibration; model validation and versioning. I appreciate approaches like Graeme Keith’s work on robust estimation and aggregation—because they respect uncertainty rather than wish it away.
  • Red flags. One‑size‑fits‑all scoring engines and black‑box “AI risk scores.”
  • Ask vendors. Walk me through your model risk management: documentation, testing, drift monitoring, and auditability.

8) Risk Visualization (Make It Think & Feel)

  • Why it matters. The right picture shortens the distance to a good decision.
  • What good looks like. Bow‑tie analysis (causes/controls/consequences), fault and event trees, causal maps, control effectiveness cones, loss exceedance curves. Executive views that are decision‑forward, not dashboard‑pretty.
  • Ask vendors. Build a bow‑tie live; link controls to testing/evidence and show how a failed test reshapes the consequence distribution.

9) Digital Twins (Of the Organization and the Extended Enterprise)

  • Why it matters. You can’t simulate what you haven’t modeled.
  • What good looks like. A living digital twin of your organization’s value streams, services, sites, suppliers, data, and dependencies. Twins support what‑if analysis: supplier outage, regulatory change, cyber event, demand surge. They learn as new data arrives. Twins extend to third parties and fourth parties via shared data and attestations.
  • How it works in GRC 7.0. The twin is driven by a semantic graph/ontology; an orchestration engine sustains synchronization across systems (ERP, cyber, H&S, TPRM). Agentic AI can probe the twin with experiments, surface nonlinearities, and propose mitigations with cost/benefit.
  • Ask vendors. Show me the twin of an important business service. Knock out a critical supplier. Quantify customer impact, regulatory exposure, and the mitigation portfolio with cost, time, and residual risk.

10) Scenario Modeling & Analysis

  • Why it matters. Scenarios are the wind tunnel for strategy and operations.
  • What good looks like. Stress and reverse stress testing; war‑gaming and tabletop exercises that are instrumented (evidence, timings, decisions); scenario trees with branching; Bayesian updating as facts accumulate; playbook linkage.
  • Ask vendors. Run a geopolitical escalation scenario affecting logistics. Show the branching decisions, updated probabilities, and funding trade‑offs.

11) Collaboration & Accountability (Owner, Control Owner, Payer)

  • Why it matters. Risk is everyone’s job, but it must not become no one’s job.
  • What good looks like. Clear RACI across risk, control, and budget ownership (who pays for mitigations and residual risk). In‑flow collaboration for executives and frontline managers, not just risk staff. Human‑centered UX; mobile capture for incidents/near‑misses; conversation linked to decisions.
  • Ask vendors. Assign an accountable executive, a control owner, and a payer to a mitigation. Route for approval; evidence funding and benefits realization.

12) Insurance & Risk Transfer

  • Why it matters. Transfer is one lever in the portfolio.
  • What good looks like. Policies, limits, exclusions, and claims data tied to scenarios and quant models; optimization of retain vs transfer; integration with brokers/insurers; evidence for insurability and premium negotiations.
  • Ask vendors. Show me how cyber control maturity shifts expected loss and the optimal retention/limit selection.

13) Risk Intelligence (Foresight Beats Hindsight)

  • Why it matters. External signals widen the field of view.
  • What good looks like. Feeds for geopolitical, regulatory, macroeconomic, ESG/reputation, threat intel, and supplier signals. Signal ingestion → enrichment → triage → linkage to twins, objectives, and scenarios.
  • Podcast tie‑in. Our episode on reputation underscored the gap between narrative risk and operational metrics. Intelligence connects the two.
  • Ask vendors. Demonstrate how a negative media surge or sanction change flows into scenarios, KRIs, and decision options.

14) Integration (Data Fabric & Ontology, Not Spaghetti ETL)

  • Why it matters. Risk sits at the seams.
  • What good looks like. Open APIs, event streams, and connectors; a semantic layer so data lands meaningfully; identity integration for least‑effort adoption; low‑code mapping; lineage and quality checks.
  • Ask vendors. Show the canonical ontology and how ERP incidents, SIEM alerts, vendor ratings, and HR data map to it—live.

15) Artificial Intelligence (Useful, Governed, and Agentic)

  • Why it matters. AI amplifies sensing, analysis, and orchestration—if governed.
  • What good looks like. ML for anomaly detection; NLP for unstructured evidence; copilots for authorship and decision support; agentic AI to run simulations, propose mitigations, and draft playbooks—with guardrails: model cards, bias/robustness testing, audit trails, human‑in‑the‑loop, and a clear RAIL/AI governance framework.
  • Ask vendors. Explain how your AI is validated, how humans supervise it, and how you prevent model drift and hallucination from entering decisions.

What I Will Not Buy

  • A static risk register with pretty heat maps.
  • “Compliance‑first” risk that never touches objectives or decisions.
  • Black‑box quantification with no model risk discipline.
  • Dashboards that report but never re‑plan.
  • AI without governance, provenance, or explainability.
  • Integration that means CSVs and weekend heroes.

The GRC 7.0 – GRC Orchestrate Blueprint

Sense → Model → Decide → Act → Learn is the feedback loop. The platform should:

  • Sense. Ingest internal telemetry and external intelligence.
  • Model. Maintain the semantic graph and digital twins; keep them current.
  • Decide. Run scenarios, quantify, compare options; document choices and rationale.
  • Act. Launch initiatives, controls, transfers; assign owner/control owner/payer; fund and track benefits.
  • Learn. Update models from outcomes, near‑misses, and after‑action reviews.

This is the bridge of the Enterprise—not a back‑office inbox.


A Concrete Walkthrough: Third‑Party Disruption to a Key Service

  1. Signal. A high‑risk supplier’s financial health deteriorates; sanction chatter emerges.
  2. Twin. The service twin shows a concentration risk to two geographies and a single alternate.
  3. Objective link. Customer churn and revenue objectives flag increased variance.
  4. Scenario. Branching: replace supplier (12–18 weeks), dual‑source (8–10 weeks), or stockpile (4 weeks) with cost/benefit quantified.
  5. Visualization. Bow‑tie surfaces control gaps (QA on alternate supplier, logistics reroute).
  6. Quantification. Monte Carlo + expert priors estimate loss exceedance; sensitivity highlights logistics lead time.
  7. Decision. Executive review selects dual‑source + temp stockpile; payer funds expedited onboarding; insurance team evaluates trade‑credit cover.
  8. Act & learn. Playbooks executed; KRIs monitored; post‑mortem updates priors and the twin.
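Step 6 of the walkthrough (Monte Carlo plus expert priors to estimate loss exceedance, with a sensitivity on logistics lead time) is the part an RFP reviewer should insist on seeing in working form. The block below is an added example written for this post, not code from the original or from any vendor: it quantifies the three response options from step 4, plus the combined "dual-source + temp stockpile" option chosen in step 7, against a board-relevant loss threshold. Every parameter (option costs, lead-time and disruption-duration priors, weekly revenue at risk, all in GBP thousands) is a constructed assumption.

```python
"""Monte Carlo loss-exceedance comparison for a third-party disruption scenario.

Added example: all costs and priors below are constructed assumptions (GBP thousands),
not figures from the post. Option names follow the walkthrough's step 4 and step 7.
"""
import random
from statistics import mean

# Expert prior for how long the supplier outage lasts: triangular(low, mode, high) weeks.
DISRUPTION_WEEKS = (6, 14, 30)
# Expert prior for weekly revenue at risk while the service is degraded.
WEEKLY_LOSS = (40, 60, 110)

# Response options. lead_weeks: prior for weeks until alternate supply is live
# (None = no alternate supply sought). stock_weeks: weeks of demand a stockpile bridges.
OPTIONS = {
    "replace":               {"cost": 900, "lead_weeks": (12, 15, 18), "stock_weeks": 0},
    "dual_source":           {"cost": 600, "lead_weeks": (8, 9, 10),   "stock_weeks": 0},
    "stockpile":             {"cost": 250, "lead_weeks": None,         "stock_weeks": 4},
    "dual_source+stockpile": {"cost": 850, "lead_weeks": (8, 9, 10),   "stock_weeks": 4},
}

def _tri(rng, spec, scale=1.0):
    low, mode, high = (v * scale for v in spec)
    return rng.triangular(low, high, mode)   # random.triangular takes (low, high, mode)

def exposed_weeks(duration, lead, stock):
    """Weeks in which losses accrue: until the disruption ends or the alternate supply
    is live (whichever comes first), less the weeks a stockpile covers."""
    end = duration if lead is None else min(duration, lead)
    return max(0.0, end - stock)

def simulate(option, trials=20000, lead_time_scale=1.0, seed=7):
    """Return total-loss outcomes (option cost + accrued revenue loss) for one option."""
    rng = random.Random(seed)            # seeded so the run is reproducible
    opt = OPTIONS[option]
    losses = []
    for _ in range(trials):
        duration = _tri(rng, DISRUPTION_WEEKS)
        lead = None if opt["lead_weeks"] is None else _tri(rng, opt["lead_weeks"], lead_time_scale)
        weekly = _tri(rng, WEEKLY_LOSS)
        losses.append(opt["cost"] + weekly * exposed_weeks(duration, lead, opt["stock_weeks"]))
    return losses

def loss_exceedance(losses, threshold):
    """P(loss > threshold): the quantity a board-level loss threshold is set against."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def compare(threshold=1500, lead_time_scale=1.0):
    """Expected loss and exceedance probability per option; lead_time_scale > 1 stresses
    logistics lead time, which is the sensitivity the walkthrough calls out."""
    out = {}
    for name in OPTIONS:
        losses = simulate(name, lead_time_scale=lead_time_scale)
        out[name] = {"expected": round(mean(losses)),
                     "p_exceed": round(loss_exceedance(losses, threshold), 3)}
    return out

if __name__ == "__main__":
    base, stressed = compare(), compare(lead_time_scale=1.25)
    for name in OPTIONS:
        print(f"{name:24s} E[loss]={base[name]['expected']:5d}k  "
              f"P(>1500k)={base[name]['p_exceed']:.3f}  | lead +25%: {stressed[name]['p_exceed']:.3f}")
```

The design point is that the exceedance probability, not the expected loss, is what changes the decision: an option with a modest mean loss but a fat tail past the board's threshold is the one the bow-tie and the insurance team need to look at, and re-running `compare` with a stressed lead time shows immediately which options are fragile to the logistics assumption.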

Metrics That Matter (Beyond the Usual)

  • Risk‑adjusted performance at the objective level.
  • Loss exceedance probability at board‑relevant thresholds.
  • Near‑miss capture and conversion to learning actions.
  • Control effectiveness trajectory (not just pass/fail).
  • Scenario coverage & currency (last run, last calibrated).
  • Decision cycle time from signal to funded action.
  • Reputation/experience indicators (customer & employee)—yes, Renee’s drumbeat.
  • Insurance ROI (retained vs. transferred vs. mitigated).

RFP Prompts I Actually Use

  • Modeling. Show me your semantic graph. What are the first‑class objects? How do relationships version over time?
  • Objectives first. Create an objective, link KPIs/KRIs, attach scenarios—and quantify residual risk.
  • Quant. Demonstrate parameter calibration from internal/external data and expert judgment with credibility weighting.
  • Digital twin. Knock out a supplier in the twin; recompute service risk and objective variance.
  • Decision log. Where do decisions live? How are assumptions captured and reviewed?
  • AI governance. Provide model cards, validation evidence, and human‑in‑the‑loop controls.
  • Integration. Map ERP incidents, SIEM alerts, and vendor ratings to your ontology—live.
  • Accountability. Assign owner/control owner/payer; route approvals; show funding/budget links.

Final Word (and an Invitation)

Producing heat maps and generic lists to fulfill a reporting requirement is not risk management. The modern platform must help leaders make and fund better decisions—with context, quantification, accountability, and learning. That is the spirit behind GRC 7.0 – GRC Orchestrate, and the consistent theme on Risk Is Our Business.

If you’re wrestling with platform choices or shaping an RFP, I evaluate solutions constantly and carry a deep library of requirements. Reach out—and in the meantime, tune into the podcast for unvarnished conversations with leaders who are moving risk from the boiler room to the bridge.

GPRC for Operational Resilience: Delivering on DORA

The Enterprise Bridge for Digital Trust in the European Union

On the bridge of a starship, everything is connected. Navigation depends on sensors, sensors depend on power, power depends on engineering, and the captain’s decisions depend on the clarity and integrity of the information flowing across the ship. That is the image leaders should carry when they think about the EU Digital Operational Resilience Act (DORA). DORA is not merely another checklist of controls; it is the European Union’s insistence that financial institutions, and the ICT companies that support them, run their digital enterprise like a mission-critical vessel — coordinated from a single command center where governance, performance, risk management, and compliance operate as one.

DORA became applicable in January 2025 with a simple demand that is difficult to execute: prove that your organization can withstand, respond to, and recover from material ICT disruption while maintaining continuity of critical services. Behind that demand is the EU’s recognition that cyber threats, technology failures, concentration in third-party providers, and cross-border interdependencies can destabilize not only a firm but the confidence of markets and citizens.

Fragmented, after-the-fact, paper-driven “resilience” will not suffice. What is required is GPRC — governance, performance, risk management, and compliance — fully orchestrated, not scattered, through a modern architecture. In my GRC 7.0 language, that is GRC Orchestrate: a semantic, data-driven operating model with digital twins, agentic AI, and business-integrated processes that turn regulation into real operational capability.

Why DORA exists – and what it means in practice

The EU did not draft DORA to create busywork . . .

[The rest of this blog can be read on the Corporater blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]

Not Your Father’s Information Security Program: Digital Risk & Resilience by Design

This week I’m back in the United Kingdom—wall-to-wall engagements, packed rooms, and board-level urgency. Two themes are dominating every corridor conversation and every executive session:

  1. Digital risk & resilience management (cyber risk, IT risk, information security)—this is not your father’s information security program, and the market has noticed; and
  2. UK Corporate Governance Code Provision 29—the looming attestation requirement that pulls risk and controls from the boiler room to the bridge.

They’re not separate stories. They’re the same plotline: governance must now prove risk, control, and resilience.

Next week I head to Denmark and Sweden with an overbooked schedule and an active waiting list. It’s so busy I’ve booked four business meetings on Sunday in Copenhagen because the workweek is full. Demand is surging because the operating reality has changed.


The UK Context: Incidents That Forced the Issue

Yesterday in London, over 90 professionals registered for my Digital Risk & Resilience Management by Design workshop. We opened with what the UK has actually experienced this year—real events that disrupted operations, damaged trust, and elevated the conversation to the board:

  • Harrods disclosed a new incident after hackers compromised a third party, stealing 430,000 e-commerce customer records—a second major event this year (see the latest from GRC Report: Harrods Suffers New Data Breach Exposing 430,000 Customer Records). This wasn’t “just” a data problem; it was a digital supply-chain failure with reputational consequences.
  • Marks & Spencer acknowledged a significant cyber incident in the spring, with official updates noting personal data exposure. Independent analyses estimate substantial disruption costs.
  • Co-op faced an attack that affected operations and supply, with press reporting on material revenue impact.
  • Jaguar Land Rover (JLR) suffered a major cyberattack that halted production and cascaded across suppliers, leading to government action to stabilize the supply chain and a phased restart. This is cyber risk turning into industrial and financial risk overnight.
  • Airports across Europe (including the UK) experienced disruptions tied to a third-party check-in provider—collateral damage when an ecosystem vendor falters.
  • Looking back to 2024, the Synnovis ransomware event reminded everyone that cyber incidents can spill into clinical operations—in this case, impacting NHS pathology services across London.

Add to that the UK’s Cyber Security Breaches Survey 2025 and public warnings from officials about rising hostile activity; the trendline is clear: frequency, materiality, and interdependence are all up.


Provision 29: When Governance Must Prove Resilience

The updated UK Corporate Governance Code 2024 applies from 1 January 2025, with Provision 29 (the board’s declaration over the effectiveness of material internal controls, including those over reporting) applying to financial years beginning on or after 1 January 2026. Translation: boards must step beyond narrative disclosure to assert control effectiveness—and evidence it.

Practical guidance circulating in the market rightly pushes companies to identify risks to objectives, define material controls, stand up testing and monitoring cycles, and remediate weaknesses well ahead of the first reporting year. If you wait until year-end, you won’t have the audit trail, telemetry, or confidence to sign. I am teaching a full-day workshop on this on November 6th, UK Corporate Governance Code by Design, LONDON.

Provision 29 makes cyber and digital resilience a governance obligation as it is part of broader risk and internal control management. It’s no longer sufficient for security leaders to say “we’re doing our best.” Boards must demonstrate that controls over risk, operations, and reporting are effective—continuously, not sporadically.


“Not Your Father’s Information Security Program”: What Keeps Leaders Up at Night

In yesterday’s workshop opening breakouts, attendees shared the nightmares that wake them at 2 a.m. Below I expand on each—because every one is valid, and together they define the new scope of digital resilience.

  1. Digital dependence. When every process is digitized, digital is business risk. Capture business-service twins (see below) that tie technology to outcomes so investment and trade-off decisions are made in business units, not technical silos.
  2. Ransomware (mentioned repeatedly). Assume data theft + encryption + extortion. Emphasize identity (MFA, phishing-resistant auth), immutable backups, segmentation, EDR containment, and exfil detection. Align with cyber insurance obligations before an event.
  3. Data breaches. Move beyond perimeter thinking to data-centric controls: classification, encryption, retention/rationalization, and continuous DLP tuned to business context. Reduce toxic data stores—what you don’t keep can’t be stolen.
  4. Third-party & digital supply chain. Most incidents now arrive through someone else’s API, SSO, or managed service. Build tiered criticality, continuous assurance (evidence feeds, attack-surface monitoring), and kill-switch playbooks (token revocation, traffic shaping, failover).
  5. Complexity of environment. Hybrid/Multi-cloud, SaaS sprawl, legacy on-prem, OT/ICS—complexity is the attack surface. Rationalize platforms, impose architectural guardrails (identity first, least privilege, service isolation), and automate hardening at the pipeline.
  6. Pace of technology, business, risk, & regulatory change. Static frameworks fail in dynamic environments. Shift from annual cycles to continuous risk assessment, streaming indicators (threat intel, misconfig drift), and regulatory horizon scanning tied to policy updates and training.
  7. Real-time insight into digital risk & resilience. Dashboards must reflect material risk now, not last quarter. Integrate attack surface, identity risk, vuln posture, and control status into one place, with drill-downs that show evidence, not just colors.
  8. Social engineering. Human-centric attacks (phishing, pretexting, MFA fatigue) bypass hardened perimeters. Resilience demands behavioral control design, adaptive training, and active monitoring of anomalous requests—especially in finance, HR, and privileged IT channels.
  9. Behavior. Policies don’t move mice; people do. Incentives, consequences, nudges, and leadership example-setting are necessary to turn rules into reflexes. Measure cultural indicators (reporting rates, near-misses, phishing test performance) as rigorously as technical KPIs.
  10. AI risk. AI expands both attack surface (prompt injection, data leakage, model theft) and attacker capabilities (automation, deepfakes). Establish an AI risk register, model validation, and guardrails (content filters, retrieval hardening, data minimization), and treat AI vendors as high-risk third parties.
  11. Employee practices on social media. Oversharing enables social engineering, doxxing, and physical risk. Provide clear, practical guidance, red-team your own open-source footprint, and monitor for impersonation and brand misuse.
  12. Silos of oversight. Security, risk, audit, privacy, and compliance often operate on parallel tracks. Converge on a common risk ontology, unified control library, and shared telemetry to eliminate duplicative testing and blind spots.
  13. Lack of assurance. Assurance is not a PDF; it’s a signal backed by evidence. Operationalize continuous control monitoring (CCM), link tests to controls, and maintain an immutable evidence ledger for internal audit and Provision 29 support.
  14. Critical system availability. “Data protected” is not “business up.” Map business services to dependencies (apps, data, vendors, facilities), define impact tolerances, test recovery to realistic RTO/RPO, and engineer graceful degradation.
  15. Corporate culture. A culture of speed and shadow IT without guardrails breeds loss events. Bake controls into the developer and product experience (policy-as-code, paved roads) so doing the right thing is the fastest path.
  16. Interconnected nature of digital risk on other risks. Cyber incidents cascade to operational, financial, legal, and reputational risk. Quantify causal chains: “one auth outage ⇒ order backlog ⇒ revenue dip ⇒ covenant risk.” This is the language of the board.
  17. Cyber incidents. Treat incident response as business continuity with forensics. Pre-negotiate counsel, crisis comms, and law enforcement engagement. Rehearse board-level tabletop exercises to align decisions under pressure.
  18. Extended enterprise. Partners, affiliates, franchisees, integrators—risk propagates through contracts. Expand scope beyond “vendors” to all external relationships; standardize onboarding, evidence exchange, and offboarding data destruction.
  19. Constant data breaches. Frequency has normalized, but tolerance hasn’t. Move toward event-ready posture: pre-built comms templates, regulator playbooks, customer remediation workflows, and materiality decision criteria.
  20. Cyber insurance. Policies are tighter; exclusions matter. Map controls to underwriting requirements (MFA, backups, EDR, patching SLAs), maintain attestable evidence, and simulate loss scenarios to set economically rational limits.
  21. PCN attacks on refineries (OT/ICS). Process Control Networks in energy and petrochemicals raise safety, environmental, and macro-economic stakes. The UK energy sector remains a prime target; bring OT and IT risk under a single governance model, with strict network isolation, asset discovery, and incident drills that include safety.
  22. Access control. Identity is the perimeter. Enforce least privilege, JIT/JEA for admins, continuous access review, and session recording for high-risk functions. Kill standing privileges.
  23. Out-of-date systems. Technical debt is breach bait. Build a decommission cadence, isolate what you can’t patch, and make “end-of-life” a board metric with remediation funding.
  24. Lack of segmentation. Flat networks turn local issues into enterprise outages. Segment by trust zone, blast radius, and business service; verify with purple-team exercises.
  25. Regulations. Requirements are multiplying (DORA, NIS2, CER, UK Code, UK Operational Resilience). Normalize obligations to controls and tests; avoid duplicate evidence generation by centralizing control mapping across frameworks.
  26. Support streams such as power. Cyber resilience depends on physical resilience (power, cooling, connectivity). Model these dependencies explicitly and test alternative sites, UPS run-times, and failover contracts.
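Items 4, 14, 16 and 26 above all come back to the same mechanism: a dependency map of each business service that can be queried for what breaks when a vendor, an identity provider or a power feed fails, and what that means in hours of tolerance and in money. The block below is an added example, not code from the post or any product: a small constructed twin of two assumed services ("E-commerce checkout" and "Claims adjudication") with assumed dependencies, impact tolerances and revenue per hour, plus the knock-out, single-point-of-failure and causal-chain queries a board would ask of it.

```python
"""Business-service digital twin: dependency mapping, knock-out analysis and impact tolerances.

Added example: the services, dependencies, tolerances and revenue figures are all
constructed assumptions, not data from the post or from any real environment.
"""
from collections import deque

# node -> the nodes it depends on. Edges point from the dependent to its dependency.
# Node prefixes: svc (business service), app, data, idp, vendor, facility, stream (support stream).
TWIN = {
    "svc:ecommerce_checkout":  ["app:storefront", "app:payments", "idp:sso"],
    "svc:claims_adjudication": ["app:claims", "idp:sso"],
    "app:storefront":  ["vendor:cdn", "facility:dc1"],
    "app:payments":    ["vendor:psp", "facility:dc1"],
    "app:claims":      ["data:policy_db", "facility:dc1"],
    "data:policy_db":  ["facility:dc1"],
    "idp:sso":         ["vendor:idp_cloud"],
    "facility:dc1":    ["stream:power_dc1", "stream:network_dc1"],
}

# Assumed impact tolerances (maximum hours down) and revenue per hour (GBP) per service.
TOLERANCE_HOURS = {"svc:ecommerce_checkout": 4, "svc:claims_adjudication": 24}
REVENUE_PER_HOUR = {"svc:ecommerce_checkout": 12_000, "svc:claims_adjudication": 3_000}

def all_nodes():
    """Every node in the twin, including leaf dependencies with no entry of their own."""
    return set(TWIN) | {d for deps in TWIN.values() for d in deps}

def dependents_of(node):
    """Reverse lookup: nodes that directly depend on `node`."""
    return [n for n, deps in TWIN.items() if node in deps]

def knock_out(node):
    """Breadth-first propagation of one node's failure to everything that depends on it."""
    degraded, queue = {node}, deque([node])
    while queue:
        for parent in dependents_of(queue.popleft()):
            if parent not in degraded:
                degraded.add(parent)
                queue.append(parent)
    return degraded

def impacted_services(node):
    """Business services degraded when `node` is knocked out."""
    return sorted(n for n in knock_out(node) if n.startswith("svc:"))

def concentration_points():
    """Non-service nodes whose loss degrades more than one business service."""
    return {n: impacted_services(n) for n in sorted(all_nodes())
            if not n.startswith("svc:") and len(impacted_services(n)) > 1}

def tolerance_breaches(node, outage_hours):
    """Services whose impact tolerance an outage of `outage_hours` at `node` would exceed."""
    return [s for s in impacted_services(node) if outage_hours > TOLERANCE_HOURS[s]]

def revenue_at_risk(node, outage_hours):
    """Causal chain in board language: node outage -> services down -> revenue at risk."""
    return sum(REVENUE_PER_HOUR[s] * outage_hours for s in impacted_services(node))

if __name__ == "__main__":
    for n in ["vendor:psp", "vendor:idp_cloud", "stream:power_dc1"]:
        print(f"{n:18s} -> {impacted_services(n)}  breaches@6h={tolerance_breaches(n, 6)}"
              f"  revenue@6h=GBP {revenue_at_risk(n, 6):,}")
    print("single points of failure:", list(concentration_points()))
```

In this constructed twin the cloud identity provider and the data-centre power feed both degrade every service, which is exactly the concentration that item 22 ("identity is the perimeter") and item 26 (support streams) warn about; the same query, run against a real twin with live vendor and facility data, is what turns those warnings into a ranked remediation list.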

Why Provision 29 and Digital Resilience Are the Same Conversation

Provision 29 isn’t a paperwork exercise; it’s a capability: governance that can see material risk, control it, and prove it. Yes, Provision 29 is much broader than digital risk and resilience, but it certainly is a critical part of it. The declaration forces boards to ask:

  • Which controls are material to our business services and reporting?
  • Do we have evidence, not assertions?
  • Can we detect control failure quickly and respond before outcomes degrade?
  • Are third-party and AI-driven risks within the same scope of control and testing?

The new standard of care is continuous, assurable, and board-readable.


Digital Risk & Resilience in the Age of GRC 7.0 – GRC Orchestrate

This is where the next evolution—what I call GRC 7.0 – GRC Orchestrate—earns its keep. Think of it as a business-integrated command center underpinned by digital twins, agentic AI, and continuous assurance:

  1. Digital twins of business services. Map each critical service (e.g., “E-commerce checkout”, “Claims adjudication”) to its applications, data, identities, vendors, facilities, and support streams (power, network). Now you can analyze materiality, simulate impact, and target investment where it moves the needle.
  2. Unified risk ontology & control library. Collapse silos by adopting one language for risk, control, and obligation across security, resilience, privacy, and compliance. Provision 29 depends on a single source of control truth feeding testing, evidence, and reporting.
  3. Continuous control monitoring (CCM) & evidence ledger. Automate tests (config drift, MFA coverage, backup immutability, EDR health, segmentation rules), bind the results to the control, and store signed evidence with lineage. Assurance moves from “annual binders” to streaming signals.
  4. Agentic AI for detection, triage, and mapping. Use AI to reconcile findings to controls and obligations, summarize deviations for executives, draft remediation plans, and keep policies aligned to changing regs (DORA, NIS2, UK Code) without manual re-keying. Humans decide; AI does the grunt work.
  5. Third-party & AI vendor orchestration. Ingest SOC2/ISO attestations, penetration reports, SBOMs, and attack-surface telemetry. Maintain live risk tiers, enforce contractual controls, and keep “pull-to-revoke” playbooks (SSO tokens, API keys) ready.
  6. Identity-first architecture. Make identity and authorization the enforcement plane: phishing-resistant MFA, least privilege, continuous verification, high-risk session recording, and automated removal of stale access.
  7. OT/ICS governance alongside IT. Treat PCN assets with their own twin, zoning, and procedure sets. Drill scenarios that integrate cyber response with safety and environmental controls.
  8. Resilience analytics & impact tolerances. Tie recovery objectives to business outcomes (orders processed, beds filled, flights dispatched). Visualize tolerances and variance in real time; rehearse failovers using your twins, not guesswork.
  9. Board-ready reporting. Replace red/amber/green with narratives grounded in evidence: “3 of 3 material access-controls for E-commerce are in tolerance; segmentation test #142 failed in Zone C; compensating control is active; remediation ETA 72 hours.” That’s a Provision 29-grade update.
  10. Assured compliance. Map control signals to obligations and make audit a bystander effect: when evidence is baked into operations, audits consume it—not create it.

This is not a tool swap. It’s an operating model that treats digital risk as a system-of-systems problem, orchestrated across people, process, technology, and partners—with verifiable assurance as the output.


Closing the Loop

The UK incidents of 2025 — Harrods, M&S, Co-op, JLR, airport disruptions — show how quickly “IT issues” become business crises and governance tests. The only durable answer is a modern resilience architecture with continuous assurance that a board can attest to with confidence.

Now, I’m off to a string of meetings today and tomorrow in London—then wheels up for Denmark and Sweden. If you’re in Copenhagen this Sunday, you already know my schedule is spilling into the weekend. The message from every boardroom is the same: orchestrate resilience, or risk orchestrating your own headlines.