Risk is Our Business
Podcast Description
Welcome to Risk Is Our Business, where we explore the principles of Governance, Risk Management, and Compliance — to reliably achieve objectives, navigate uncertainty, and act with integrity.
Here, we follow the Prime Directive of Risk Management: No decision or strategy moves forward without understanding its impact on our objectives, our resilience, and our values. Because risk isn’t the enemy, it’s the mission.
After all, risk is our business.
Join us as we go boldly into the world of GRC.
Podcast Insights
Content Themes
The podcast highlights essential themes in GRC, with episodes covering topics such as the evolution of risk management, the impact of cultural context on compliance, and the strategic adjustments needed for risk adaptation. For example, episodes explore how GRC has transitioned from a compliance-centric view to a more strategic, objective-driven approach, alongside discussions about technological integration in risk processes.

In this return episode of Risk Is Our Business, Captain Michael Rasmussen reconnects with Tony Martin-Vegue for a wide-ranging conversation built around his new book, From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification.
At the center of the discussion is a simple but uncomfortable idea: most organizations aren’t really measuring cyber risk, they’re describing it. Heatmaps, scoring models, and qualitative frameworks may look familiar, but they rarely help leaders make better decisions.
Tony breaks down what’s going wrong, and why. Along the way, he uses an unexpected historical example (the Hanoi Rat Massacre of 1902) to illustrate how well-intentioned interventions can create worse outcomes when incentives, measurement, and behavior are misaligned.
The conversation moves through the core themes of the book:
- Why cybersecurity often behaves like two separate disciplines under one label
- Why quantitative risk is less about advanced math and more about structured thinking
- The biggest myth about data that keeps organizations stuck in qualitative approaches
- Where methods like Monte Carlo simulation and FAIR fit, and where they don’t
They also explore why many cyber risk quantification programs fail, what it takes to make them practical, and how the same principles apply beyond cyber to operational risk more broadly.
At over an hour, this is one of the most in-depth conversations on the show! It’s less a summary and more a working session on how to move from risk reporting to decision-making.
