CAPTAIN’S LOG: Choose Your Own Risk Adventure
When I stepped onto the keynote stage in Miami at Riskonnect Konnect 2025, it felt less like a ballroom and more like a bridge. The room hummed the way a starship does before a jump to warp: alive with expectation, crewed by leaders who navigate complex systems every day. I introduced the mission simply: we would not talk about risk management; we would do risk management — together — through a Choose Your Own Adventure simulation where every decision would change the story. Because that is how it works in real life. You do not get the luxury of a single timeline. You choose, you commit, you face the branches.
I framed the session the way I frame my podcast: risk is not the enemy, it is the mission. Too many organizations still steer using the rearview mirror: audit findings, stale registers, and red–yellow–green heatmaps that tell us where we have been, not where we are going. Real navigation requires foresight — connecting internal telemetry to external signals, aligning decisions to objectives, and operating with integrity even when the turbulence hits.
To make that point tangible, I called four “Trekkies” from the audience to the bridge and gave them their roles. Costumes included (Vulcan ears for the Science Officer — irresistible).
- Captain (CEO): Bob Bowman, Chief Risk Officer & Chief Ethics and Compliance Officer, The Wendy’s Company
- Science Officer (Risk): Drew Stipe, Director, Professional Services, Riskonnect, Inc.
- Security Officer (Compliance): Fritz Hess, Chief Technology Officer, Riskonnect, Inc.
- Engineering/Ops (IT): Janet Dold, Corporate Data System Analyst, Fairview Health Services
They did not know what was coming. That was the point. We rarely do.
The Mission Begins: Expansion into Country Zed
Our board — yours and mine, in the simulation — had approved outsourcing expansion into a promising new market. The question was not “Is there risk?” The question was “Which risk will we choose to own?” The Captain set tone and objective. The Science Officer surfaced geopolitical stability and corruption indices. Security mapped regulatory exposure and ethical tripwires. Engineering checked capacity, resilience, and digital trust. The audience voted on pace: fast, phased, or delay for more assurance.
The vote split, as it often does in real committees. Speed has a cost. Caution has a cost. Not deciding is also a decision. That was Lesson One: every path trades one risk profile for another.
- Strategic choice framing helps: objective, appetite, threshold, constraint.
- Forward telemetry beats backward reporting: what could happen next, not only what did.
- Shared language reduces friction: scenario, exposure, control, consequence.
First Shockwave: A Modern Slavery Exposure
Two months into expansion, the first shock hit: an exposé tied our outsourcer to modern slavery. Phones lit up. Investors wanted reassurance. Regulators wanted answers. Internal teams wanted a plan. The Captain weighed options, the Science Officer modeled impacts, Security reviewed legal obligations and values, Engineering tested whether we could re-platform quickly.
The dilemma was not academic, and the audience felt it. Cut ties immediately and absorb sunk cost? Audit and remediate with transparency and risk the optics? Pause for certainty and risk reputational collapse? The room leaned toward “act with integrity and rebuild” — not because it was easy, but because it aligned with purpose and preserved long-term value.
- Integrity is a control — not just a slogan — and protects license to operate.
- ESG is operational when it drives supplier governance, not just disclosure.
- Remediation readiness (playbooks, partners, KPIs) determines whether “fix” is credible.
Second Shockwave: An Activist Ransomware Strike
Then came the second shockwave: a coordinated ransomware attack by an activist group demanding we sever ties or suffer a data breach. This is how risks really behave — they cluster. A social/ethical exposure becomes cyber, becomes operational, becomes financial. The bridge got very quiet. The Captain asked for probabilities of recovery and time-to-restore. The Science Officer calculated; Security confirmed disclosure triggers; Engineering reported containment limits. We debated whether to pay, stall, or resist.
No option was clean. Paying invited recidivism. Resisting meant downtime and headlines. Negotiating bought time but not certainty. The audience discussed cyber insurance posture, segmentation, and tabletop preparedness as if we were actually under fire — again, the point. Exercises beat memos.
- Interconnected risk is the rule: one event, many domains.
- Preparedness is evidence: segmented backups, crown-jewel mapping, breach comms, insurance terms.
- Transparency beats silence: timely, fact-based updates build trust even in failure.
The Final Fork: Retreat, Rebuild, or Pivot
With regulators, media, and investors watching, we faced the last branch: pull out of Country Zed entirely; stay and rebuild with strict governance and transparency; or pivot to a new region with stronger controls but strained resources. The vote settled on stay and rebuild — a choice that accepts pain now to build competence later. It is also where real programs separate themselves: rebuilding is not a press release; it is architecture and muscle.
- Rebuild playbook: supplier offboarding/onboarding rigor, continuous control monitoring, third-party assurance, board-level oversight.
- Metrics that matter: mean-time-to-detect, mean-time-to-remediate, % critical suppliers with independent assurance, loss exceedance curves.
- Culture signals: leaders who front the issue, incentives that reward reporting, consequences that are consistent.
Debrief: What the Adventure Proved
When the applause faded and the crew returned to their seats, we closed the loop. The adventure worked not because it was theatrical but because it was familiar. Everyone in the room had lived some version of it. The difference between “we survived” and “we created durable value” is usually not a single hero; it is orchestration.
Here is what the simulation made concrete:
- Risk is in the decision, not just the register. Strategic choices (market entry, M&A, products) need the same discipline we bring to operational risks: scenarios, distributions, and thresholds — not just traffic lights.
- Objectives are the north star. ISO 31000’s definition — risk is the effect of uncertainty on objectives — forces clarity: what are we actually trying to achieve, what will we accept, and what will we never trade away?
- Compliance and risk are complementary, not hierarchical. Risk analysis is neutral; compliance draws the boundary lines of law and ethics. Collaboration with segregation of duties keeps the ship on course.
- Quant beats color. Move from heatmaps to histograms; from likelihood × impact guesswork to loss exceedance curves, control efficacy, and ROI of mitigation.
- Resilience is the business case. After the last five years, no process owner wants “more risk.” Every one of them wants less surprise and faster recovery.
Practical Tools You Can Lift Tomorrow
Because a keynote should leave you with handles, not just headlines:
- Decision pre-briefs for big bets: objective → scenarios → exposures → controls → “tripwires” (KRIs) → go/hold criteria.
- Third-party lifecycle discipline: intake, due diligence depth by criticality, continuous monitoring, and a real offboarding playbook.
- Cyber tabletop with ethics overlay: run the technical drill and the disclosure and integrity decisions side by side.
- Risk rhythm with the business: quarterly sessions with each function on their objectives and the risks to those objectives; build dashboards they actually use.
- Story + stats: pair Monte Carlo or Bayesian outputs with a bow-tie narrative; the board funds what it understands.
Why the Starfleet Motif Works
Star Trek gives us a clean frame: a mission, a crew, a code, a universe that will test us. It keeps us honest about trade-offs, because space is indifferent to our intentions. It also keeps us optimistic: the point is not to avoid the unknown, but to reach it well — with clarity of objectives, disciplined curiosity, and integrity.
That is why we played Choose Your Own Adventure on stage. Not as theater, but as a mirror. In your organization, the pages you will turn next month are already numbered. The only question is who will decide, how they will decide, and what data, ethics, and controls will sit beside them when they do.
Risk is not the handbrake. It is the navigation system.
Set objectives. Tune your sensors. Orchestrate your crew.
Engage.
