As season 4 Star Trek: Strange New Worlds returns later this month, I find myself reflecting on one of the most important risk management scenes from the first episode of the previous season (season 3, episode 1, Hegemony Part II) . That may sound odd to some. Most people watch Star Trek for the exploration, the characters, the ethical dilemmas, the humor, the tension, and the enduring optimism that humanity can become something better than it is today. I watch it for all of that as well. But I also watch Star Trek because it has always understood something about risk that too many organizations still struggle to grasp . . .

Risk is not simply danger to be avoided. Risk is the terrain of the mission.

That idea goes back to Captain Kirk in The Original Series, in season two, episode twenty, “Return to Tomorrow,” when he states plainly, “Risk is our business.” That line has stayed with me for decades, and is the theme of my Risk Is Our Business Podcast. It is more than a memorable piece of Starfleet bravado. It is one of the clearest statements of enterprise leadership I know . . .

The mission requires uncertainty. Exploration requires exposure. Strategy requires movement into the unknown. The role of leadership is not to eliminate risk, because that would eliminate the mission itself. The role of leadership is to understand uncertainty, make informed decisions, preserve integrity, protect the crew, and continue toward the objective.

That is the heart of modern GRC!

  • Governance sets the mission, makes decisions, sets objectives in context of decisions, and engages for performance.
  • Risk management addresses uncertainty in decisions and achieving those objectives.
  • Compliance keeps the organization acting with integrity within obligations, boundaries, and values.

Together, they are not a bureaucratic exercise. They are the operating capability by which an organization moves through uncertainty without losing its way.

This is why one story line from that first episode of season 3 last year of Strange New Worlds has stayed with me. Captain Batel is infected by a Gorn parasite. The situation is urgent, complex, and beyond standard medical treatment. The crew cannot simply apply a checklist and hope for the best. They cannot rely on instinct alone. They cannot wait for perfect certainty, because time itself has become a risk factor. What they need is a way to understand her condition dynamically, test possible interventions, explore consequences, and choose a path before acting in the real world.

So they create a digital twin.

That moment is science fiction, but it is also one of the clearest pictures I have seen of where GRC and particularly risk management must go. The digital twin of Batel is not a static record. It is not a medical file. It is not a dashboard of yesterday’s indicators. It is a living model that allows the crew to simulate decisions before making them. It creates a space between uncertainty and action where intelligence can operate.

That is GRC 7.0 – GRC Orchestrate!

GRC 7.0 — what I call GRC Orchestrate — is not about digitizing the stale forms and workflows of the past. We have done enough of that. In too many organizations, technology has simply made bad risk processes faster, more expensive, and more visible. A broken process with automation is still a broken process. A risk register with a prettier dashboard is still a risk register. A heat map in a modern interface is still a heat map. The future of GRC is not another workflow layer over yesterday’s thinking. The future of GRC is a living architecture that can sense, model, decide, act, and learn.

The digital twin is at the center of that future.

From Captain Kirk’s Philosophy to GRC Orchestration

Captain Kirk’s statement that “risk is our business” is not a call to recklessness. It is a call to disciplined courage. The Enterprise does not drift aimlessly through space looking for danger. It has a mission. It has command structure. It has science, engineering, medical, navigation, communications, and tactical capabilities. It has protocols, but it also has judgment. It has systems, but it also has people. It operates in uncertainty, but it does not surrender to uncertainty.

That is what organizations need from GRC.

Too often, GRC has been reduced to documentation, reporting, and compliance activity. Risk becomes a list. Controls become evidence. Compliance becomes attestation. Governance becomes a committee calendar.

The living system of the organization gets flattened into artifacts that can be reviewed, archived, and audited. These artifacts may be necessary, but they are NOT enough. They do not tell leadership how uncertainty moves through the business. They do not show how decisions create consequences. They do not reveal how dependencies connect. They do not allow the enterprise to simulate options before acting.

The Starfleet bridge is not a filing cabinet.

It is a command center. It brings together information from specialized systems, interprets it in the context of the mission, and supports decisions under uncertainty. That is where GRC must go. The board and executive team down into business operations need a bridge view of the enterprise. They need to understand the mission, the environment, the systems, the crew, the controls, the obligations, the dependencies, the risks, and the possible courses of action.

GRC Orchestrate is the architecture for that bridge view.

The Strange New Worlds Moment: Modeling Before Acting

In the Batel scene, the medical team faces a situation where direct experimentation on the patient could be catastrophic. Acting without understanding could kill her. Waiting too long could also kill her. The answer is not paralysis. The answer is simulation. The digital twin allows the crew to explore interventions, evaluate consequences, and improve the quality of decisions and actions.

This is exactly the challenge boards, executives, business operations, and risk leaders face in the modern enterprise. They cannot wait for perfect certainty. Nor can they run the business by instinct alone or assume that yesterday’s controls, yesterday’s suppliers, yesterday’s markets, yesterday’s geopolitical assumptions, or yesterday’s regulatory models will hold tomorrow. They need to model uncertainty before it becomes reality.

Consider the common scenarios organizations face:

  • A new regulation is passed in one jurisdiction that affects products, services, policies, controls, reporting, third parties, and customer commitments across several others.
  • A company considers acquiring a business that brings with it hidden compliance obligations, cyber vulnerabilities, cultural issues, third-party dependencies, contractual exposures, and control gaps.
  • A divestiture requires separation of shared services, technology, data, policies, processes, licenses, controls, and supplier relationships that were never designed to be pulled apart.
  • A move into a new market creates new geopolitical exposures, local regulatory obligations, sanctions concerns, labor issues, tax implications, privacy requirements, and operational resilience demands.
  • A supplier failure appears local at first, but cascades into production delays, customer commitments, financial exposure, regulatory reporting, and reputational damage.
  • A cyber incident starts in technology but quickly becomes an operational, legal, financial, customer trust, and board-level crisis.

These are not theoretical possibilities. They are the everyday reality of enterprise risk. The problem is that many organizations still try to manage this reality through fragmented systems, disconnected taxonomies, static risk registers, periodic assessments, and departmental reporting. Each function sees part of the picture. Few see the whole.

The digital twin changes that.

The Business Digital Twin

When many people hear “digital twin,” they think of a physical asset: a factory, an aircraft engine, a wind turbine, a ship, a production line, an offshore platform, or a data center. These are important applications, and some industries are already quite mature in using digital twins to monitor assets, anticipate maintenance, optimize performance, and improve resilience.

But the next frontier is broader. It is the business digital twin.

A business digital twin models the enterprise as a living system. It connects objectives to processes. Processes to assets. Assets to systems. Systems to data. Data to obligations. Obligations to controls. Controls to assurance. Assurance to confidence. Confidence to decision-making. It also connects third parties, suppliers, geographies, people, contracts, policies, regulatory requirements, cyber dependencies, financial exposures, and strategic initiatives.

The digital twin is not a glorified dashboard. A dashboard tells you what is happening or what has happened. A digital twin helps you understand what could happen, why it could happen, how it could unfold, and what actions might change the outcome.

This is the shift from rearview reporting to forward-looking decision support.

In traditional approaches, organizations often begin with the risk register. They ask people to identify risks, score them, assign owners, link controls, and update status. That may provide some structure, but it often misses the most important point. Risk does not begin with the risk register. Risk begins with decisions and objectives. If risk is the effect of uncertainty on objectives (ISO 31000), then the model must begin with what the organization is trying to achieve.

The risk register is not the center of the universe. Objectives are.

A business digital twin starts with the mission, decisions, and objectives of the organization. It then models the uncertainty that could affect those decisions and objectives, the controls that support them, the obligations that constrain them, the dependencies that enable them, and the scenarios that could threaten or advance them. This is how risk management becomes decision- and objective-centric. This is how GRC becomes meaningful to the business.

Risk Intelligence Feeds the Twin

A digital twin is only as useful as the intelligence that feeds it. A model without current intelligence becomes an elegant fiction. It may describe the organization as it once was, or as leadership wishes it to be, but it will not reflect the reality of changing conditions.

This is where risk intelligence becomes essential . . . The enterprise needs to continuously sense the external and internal environment. That includes geopolitical developments, regulatory change, enforcement actions, sanctions, tariffs, supplier distress, cyber threats, vulnerability data, climate events, litigation trends, market shifts, customer sentiment, workforce signals, financial indicators, peer incidents, and emerging technologies. It also includes internal signals such as control performance, incidents, audit findings, policy exceptions, project changes, third-party issues, and operational disruptions.

Risk intelligence feeds the digital twin with reality. But intelligence alone is not enough. Many organizations already have more data than they can interpret. The problem is not the absence of signals. The problem is connecting signals to business context.

A geopolitical event matters differently depending on suppliers, contracts, routes, customers, jurisdictions, products, and strategic objectives. A regulatory change matters differently depending on obligations, policies, controls, business processes, systems, and third parties. A cyber vulnerability matters differently depending on critical services, data flows, operational dependencies, and recovery capabilities.

Risk intelligence must be contextualized . . . This is where agentic AI becomes powerful.

Agentic AI Interrogates and Orchestrates

The future of AI in GRC is not simply faster policy drafting, automated control narratives, better regulatory summaries, or chatbots that answer compliance questions. Those capabilities are useful, but they are not the transformation. They are efficiencies. The deeper transformation is when agentic AI can work with the digital twin to interpret signals, test scenarios, recommend actions, and orchestrate response.

Risk intelligence feeds the twin. Agentic AI interrogates the twin. GRC Orchestrate acts through the twin. This is the architecture that matters. AI without a digital twin lacks business context. A digital twin without risk intelligence lacks current reality. Risk intelligence without orchestration lacks action. GRC 7.0 brings these together into a living system.

Agentic AI can help answer questions such as:

  • Which objectives are affected by this regulatory change?
  • Which controls need to be updated if we enter this new market?
  • Which third parties create concentration risk in this scenario?
  • Which business services are exposed if this system fails?
  • Which policies, obligations, and training requirements are inherited in this acquisition?
  • Which controls must be separated, redesigned, or retested in this divestiture?
  • Which cyber vulnerabilities matter most because of business criticality?
  • Which emerging geopolitical events could affect suppliers, logistics, sanctions exposure, or revenue?
  • Which assurance activities provide confidence, and where are we relying on assumptions?

This does not mean AI replaces human judgment. That would be the wrong lesson. Spock and Chapel did not use the digital twin so they could stop thinking. They used it so they could think better. The purpose of AI in GRC is not to remove accountability. It is to improve the quality, speed, and context of accountable decisions.

AI should not replace governance. It should strengthen governance. AI should not replace risk professionals. It should elevate them. AI should not turn GRC into a black box. It should make the enterprise more transparent, more explainable, and more prepared.

Three Levels of Risk and Resilience, with Digital Risk Embedded Across Operations

To make this practical, GRC 7.0 must operate across three connected levels of risk and resilience, with digital risk and resilience embedded deeply within the operational layer. These are not separate silos. They are different views of the same enterprise system. The digital twin has to model their relationships.

Strategic Risk and Resilience

Strategic risk and resilience focus on the decisions that shape the future of the organization. This is where boards and executive teams make choices about markets, products, mergers, acquisitions, divestitures, capital allocation, business models, major partnerships, and long-term positioning. These decisions are filled with uncertainty, and too often that uncertainty is not modeled deeply enough before action is taken.

A business digital twin can help leadership test strategic decisions before they become irreversible.

  • What happens if we acquire this company?
  • What obligations, controls, culture issues, data risks, third-party dependencies, cyber exposures, litigation history, geopolitical concerns, and operational weaknesses come with it?
  • What happens if we divest this business unit?
  • Which shared services, data flows, systems, licenses, controls, people, policies, and contracts have to be separated?
  • What happens if we enter a new market?
  • What regulations apply?
  • What local authorities matter?
  • What sanctions, corruption, human rights, labor, privacy, tax, supply chain, and resilience issues must be understood?

This is where risk becomes a tool of strategic clarity. It is not there to say no to the mission. It is there to make sure leadership understands the terrain before crossing it.

Strategic risk also requires understanding the difference between local performance and enterprise value. A project may appear to be failing because it misses a schedule KPI, but from the enterprise view, preserving value may matter more than preserving the date. Another project may look successful locally while creating long-term risk for the enterprise. The digital twin helps leadership see across the portfolio and ask whether decisions are optimizing the mission or merely optimizing metrics.

Objective-Centric Risk and Resilience

Objective-centric risk and resilience begin with a simple but often ignored truth: risk must be understood in relation to objectives.

Too many risk processes start by asking, “What are your risks?” That question is incomplete. The better question is, “What are you trying to achieve, and what uncertainty could affect that?”

This is the foundation of meaningful risk management. Decisions and objectives give risk context. Without objectives, risk becomes a list of concerns. With objectives, risk becomes decision intelligence.

The business digital twin allows the organization to map objectives to the processes, controls, obligations, resources, systems, third parties, and people that support them. It helps leadership see whether objectives are realistic, whether controls are sufficient, whether dependencies are understood, whether obligations are changing, and whether uncertainty is increasing or decreasing.

This is particularly important in regulatory change. A new law, rule, supervisory expectation, enforcement trend, or reporting obligation should not simply trigger a compliance task. It should be modeled against objectives and operations.

  • What products are affected?
  • What business units are affected?
  • What jurisdictions are affected?
  • What policies must change?
  • What controls must be redesigned?
  • What training is required?
  • What third parties are involved?
  • What data is needed?
  • What evidence will prove compliance?
  • What strategic decisions are constrained or enabled by this change?

Regulatory change is not just a legal update. It is a business change.

The same is true for corporate transformation. A merger, acquisition, divestiture, restructuring, new product launch, new market entry, or major technology implementation changes the shape of the enterprise. If GRC cannot model that change, it will always be reacting after the fact. GRC 7.0 requires the ability to model change before change breaks the business.

Operational Risk and Resilience

Operational risk and resilience focus on whether the organization can deliver its products, services, commitments, and obligations in the face of disruption. This is where the digital twin becomes very tangible. It maps processes, assets, systems, facilities, suppliers, people, controls, incidents, issues, recovery plans, and dependencies. It allows the organization to understand not simply that something failed, but what that failure means.

This is also where digital risk and resilience lives. Digital risk is not separate from operational risk. It is now one of the primary ways operational risk materializes . . .

  • A ransomware attack on a system is not merely a cyber event. It is an operational event that may affect order fulfillment, manufacturing, customer service, safety, regulatory reporting, contractual commitments, financial close, and executive decision-making.
  • A cloud outage is not merely an IT outage. It may become a business outage.
  • A data integrity issue is not merely a technical issue. It may become a compliance, financial, customer, and trust issue.
  • An AI failure is not merely a model issue. It may become an operational, ethical, regulatory, and reputational issue.

Digital risk and resilience deserve a distinct lens because digital technology now underpins the operating fabric of the enterprise. But that lens should sit within the broader operational risk and resilience picture. The point is not to separate cyber, technology, data, cloud, identity, and AI from operations. The point is to understand how deeply they are embedded in operations.

A digital twin of the enterprise must therefore understand the digital fabric of the business. It must know . . .

  • Which systems support which objectives.
  • Which data flows support which obligations.
  • Which identities have access to which processes.
  • Which third parties support which services.
  • Which vulnerabilities matter because of business criticality.
  • Which AI models create regulatory, ethical, operational, or reputational exposure.
  • Which digital dependencies could become single points of failure.

Operational resilience requires modeling the chain of consequence. A supplier failure is not just a procurement issue. It may affect production, quality, sustainability commitments, customer obligations, revenue, and brand trust. A natural disaster is not just a business continuity scenario. It may affect people, assets, logistics, compliance obligations, insurance, and market reputation. A cyber incident is not just a technology scenario. It may affect the organization’s ability to operate.

This is where controls become critical. Controls are not merely compliance artifacts. They are operating mechanisms that help the organization remain within a desired state . . .

  • A recovery plan is a control.
  • A supplier exit strategy is a control.
  • A system configuration is a control.
  • An identity access rule is a control.
  • A quality checkpoint is a control.
  • A safety procedure is a control.
  • A local regulatory engagement process in a high-risk jurisdiction can be a control.
  • A decision cadence can be a control.
  • A culture of escalation can be a control.

In the digital twin, controls should be modeled as measurable states . . .

  • Are they present?
  • Are they operating?
  • Are they effective?
  • Are they sufficient for the current level of uncertainty?
  • Are they aligned to the objective?
  • Are they creating friction without reducing risk?
  • Are they duplicated?
  • Are they failing because of technology, process, ownership, culture, or people?

These are very different questions from, “Did someone complete the attestation?”

Modeling Business Change Before Change Breaks the Business

One of the most powerful applications of digital twins in GRC is modeling business change. Most organizations are better at modeling financial outcomes than GRC consequences. A business case for an acquisition may include revenue synergies, cost savings, valuation assumptions, and integration timelines, but the other GRC implications are often scattered across legal, compliance, cyber, finance, HR, procurement, operations, and audit. By the time the hidden obligations, control gaps, culture conflicts, third-party exposures, data risks, and policy misalignments are discovered, the deal is already in motion.

GRC 7.0 changes that. It brings GRC into strategic decision-making before the decision is locked. A digital twin can model the GRC impact of . . .

  • Mergers and acquisitions
  • Divestitures and separations
  • New market entry
  • New product and service launches
  • Major technology transformations
  • Supplier transitions
  • Outsourcing and managed service arrangements
  • Regulatory change
  • Restructuring and operating model changes
  • Geopolitical shifts and sanctions exposure

This is not about slowing the business down. It is about preventing the business from flying blind. The goal is not to create more bureaucracy around change. The goal is to give leadership better visibility into the obligations, controls, risks, dependencies, and resilience requirements that change creates.

In the language of Starfleet, you do not wait until the ship is inside the anomaly to ask whether the shields work.

Homeostatic GRC

The concept I keep returning to is homeostasis. A living organism survives because it senses change, interprets signals, acts, and restores stability within viable boundaries. Temperature, oxygen, infection, fatigue, pressure, and stress are continuously monitored and adjusted. The organism does not wait for a quarterly meeting to notice that something is wrong. It responds because survival requires responsiveness.

The enterprise needs the same capability. Homeostatic GRC continuously senses internal and external change, understands objectives and thresholds, detects drift, recommends action, orchestrates response, and learns from the outcome. This is not annual risk management. It is not quarterly compliance theater. It is not a static risk register waiting for someone to update it. It is GRC as a living system.

A homeostatic enterprise can ask:

  • Where are we exposed?
  • Where are controls weakening?
  • Where are objectives threatened?
  • Where are obligations changing?
  • Where are local incentives undermining enterprise value?
  • Where are emerging risks forming before they become visible?
  • Where are we resilient, and where are we brittle?
  • Where do we need to adapt before disruption forces adaptation upon us?

This is where GRC Orchestrate becomes more than a technology vision. It becomes an operating model. The digital twin provides the model. Risk intelligence provides the signals. Agentic AI provides interpretation and recommended action. Controls provide the mechanisms. Governance provides accountability. Assurance provides confidence. Resilience provides the ability to absorb, adapt, and continue.

People Risk as Field Zero

No digital twin of the enterprise is complete if it ignores people. We are comfortable modeling assets, systems, suppliers, applications, regulations, financial exposure, and operational processes. We are less comfortable modeling the human conditions that determine whether any of those things work as intended. Yet people affect nearly every dimension of risk and resilience.

People affect control effectiveness. People affect fraud, safety, cyber hygiene, escalation, decision quality, culture. People affect whether issues are surfaced early or hidden until they become crises. A tired crew makes mistakes. A fearful crew hides problems. A poorly trained crew bypasses controls. A misaligned crew optimizes locally and damages the mission. A culture that punishes bad news will eventually become blind.

In many organizations, people risk is not simply one category among many. It is closer to field zero.

This does not mean turning the organization into a surveillance state. That would be the wrong lesson, and certainly not a Starfleet one. It means understanding how capacity, competence, culture, incentives, leadership behavior, turnover, accountability, and trust affect the operating state of the organization. The ship is not just the warp core. It is the crew. The enterprise is not just systems and processes. It is people making decisions under uncertainty.

The Boardroom Needs a Bridge View

Boards and executives do not need more disconnected reports, each produced by a different function with its own taxonomy, scoring model, and version of reality. They need a bridge view. They need to see the mission, the environment, the dependencies, the controls, the weak signals, the scenarios, the thresholds, and the decision options. They need to understand not only what the top risks are, but how those risks affect objectives.

They need to know . . .

  • Where assurance is strong and where it is thin.
  • Which controls matter most.
  • When the organization is resilient and when it is simply lucky.
  • When local metrics are creating enterprise exposure.
  • When regulatory change affects strategy.
  • When a merger brings inherited obligations that could undermine value.
  • When a divestiture could fracture controls, systems, data, and accountability.
  • When entering a new market creates risks the business case did not fully price.

The boardroom needs mission intelligence.

That is where digital twins change the conversation. They move GRC from rearview reporting to forward-looking decision support. They allow leaders to explore plausible futures, challenge assumptions, and evaluate trade-offs. They help the organization understand whether it is preserving value, creating value, or simply protecting metrics that no longer tell the whole story.

The Risk Professional as Navigator

By 2030, the best risk programs will look very different from the ones many organizations operate today. They will still have policies, controls, assessments, reports, and assurance activities. Those things are not going away. But they will be connected into a living architecture.

  • Risk management will be less about collecting updates and more about modeling uncertainty in relation to decisions and objectives.
  • Compliance will be less about chasing attestations and more about enabling integrity across changing business models.
  • Controls will be less about documentation alone and more about measurable operating states.
  • Assurance will be less about periodic comfort and more about continuous confidence.

The risk professional of the future is not a clerk of the risk register. The risk professional of the future is a navigator. Someone who understands the mission, the objectives, the uncertainty, the systems, the dependencies, the controls, and the consequences of action. Someone who can stand on the bridge with leadership and say: here is where we are, here is what is changing, here is what we know, here is what we do not know, here are the scenarios, here are the options, and here is what this means for the mission.

That is why the Star Trek analogy matters. The crew does not succeed because they avoid uncertainty. They succeed because they face uncertainty with intelligence, discipline, technology, ethics, teamwork, and command judgment. They model what they can. They challenge assumptions. They make decisions. They act.

Risk Is Our Business

Captain Kirk gave us the philosophy: risk is our business. Strange New Worlds gave us the model: the digital twin. GRC 7.0 gives us the enterprise architecture: GRC Orchestrate, where digital twins, risk intelligence, agentic AI, controls, assurance, resilience, and governance come together to help organizations make better decisions under uncertainty.

The world is not becoming simpler. Geopolitics is not becoming calmer. Regulation is not becoming less complex. Technology is not becoming less embedded. Supply chains are not becoming less fragile. Cyber threats are not becoming less disruptive. Climate, people, resilience, trust, and performance are not separate conversations. They are all part of the same mission.

The organizations that thrive will be those that build the capability to sense, think, model, decide, act, and learn. They will not treat risk as a compliance artifact or a color-coded chart. They will treat risk as part of the mission. They will build digital twins to understand the enterprise. They will use risk intelligence to keep those twins connected to reality. They will use agentic AI to interrogate scenarios and orchestrate action. They will use controls as measurable states. They will use assurance to build confidence. They will use governance to preserve accountability and integrity.

The mission is not simply to avoid danger. The mission is to explore, adapt, protect the crew, preserve the ship, uphold integrity, and keep moving toward the objective . . . Risk is not the enemy of the mission . . . Risk is the terrain of the mission.

Risk is our business!

Leave a Reply