For something called Governance, Risk, and Compliance, the industry spends most of its energy on compliance. Risk is the reason these programs exist, yet it remains the hardest thing to define, measure, and operationalize. Most organizations have risk registers, risk assessments, and risk scores, and still cannot confidently answer the simplest question their board will ask: are we actually reducing risk?

In this session, Michael Rasmussen, the analyst who has shaped how the industry thinks about GRC for two decades, joins Anecdotes GRC Evangelist Maril Vernon for a candid conversation about why risk became the most important part of GRC and somehow the least operationalized, and what it will take to change that.

What you'll take away

• Why compliance became easy to operationalize while risk stayed stuck on paper, and how the two quietly got conflated
• The gap between risk registers and risk operations, and why mature programs still cannot show whether risk is going up or down
• How connected risk works in practice, as third-party, operational, AI, and cyber risk stop behaving like separate programs
• What continuous assurance looks like when environments change faster than any point-in-time assessment can keep up with
• Where risk operations are heading over the next decade, from controls intelligence to risk-informed decision making

If you were asked tomorrow how much risk was actually reduced over the last twelve months, could you answer with confidence? Join us on July 7 and bring your hardest questions.

‍