The Missing Letter in GRC: Why We Manage Controls but Still Struggle to Manage Risk

For something called Governance, Risk, and Compliance, the industry spends most of its energy on compliance. Risk is the reason these programs exist, yet it remains the hardest thing to define, measure, and operationalize. Most organizations have risk registers, risk assessments, and risk scores, and still cannot confidently answer the simplest question their board will ask: are we actually reducing risk?

In this session, Michael Rasmussen, the analyst who has shaped how the industry thinks about GRC for two decades, joins Anecdotes GRC Evangelist Maril Vernon for a candid conversation about why risk became the most important part of GRC and somehow the least operationalized, and what it will take to change that.

What you’ll take away

• Why compliance became easy to operationalize while risk stayed stuck on paper, and how the two quietly got conflated
• The gap between risk registers and risk operations, and why mature programs still cannot show whether risk is going up or down
• How connected risk works in practice, as third-party, operational, AI, and cyber risk stop behaving like separate programs
• What continuous assurance looks like when environments change faster than any point-in-time assessment can keep up with
• Where risk operations are heading over the next decade, from controls intelligence to risk-informed decision making

If you were asked tomorrow how much risk was actually reduced over the last twelve months, could you answer with confidence? Join us on July 7 and bring your hardest questions.

Can’t attend live?

Register anyway and we’ll send you the recording after the session.

GRC 20/20 Presenter . . .

Michael Rasmussen is an internationally recognized authority, thought leader, and pioneer in the disciplines of governance, risk management, and compliance (GRC). With over 30 years of experience, he is globally known for defining and shaping GRC strategy, processes, and technology. In February 2002, while at Forrester Research, Michael developed the concept of GRC — establishing the foundation for how organizations approach strategy, process, and technology in today’s complex business environment. For this, he is widely acknowledged as the “Father of GRC.”

A trusted advisor to boards, executives, and professionals around the world, Michael has dedicated his career to helping organizations design and implement effective GRC strategies that are aligned with business objectives. His work empowers organizations to be more effective, efficient, resilient, and agile. He is a sought-after keynote speaker, author, and advisor, with his thought leadership influencing legislation, regulatory frameworks, and corporate best practices globally.

Michael is the host of the Risk is Our Business and the Hitchhiker’s Guide to the GRC Technology podcasts, where he leads conversations with global experts exploring the evolving frontiers of risk, resilience, and corporate integrity.

Webinar Host . . .

The leading Agentic GRC platform built for the enterprise. AI is only as smart as the data it’s built on, which is why Anecdotes runs on a foundation of complete, accurate, and structured data, automatically collected from your systems and trusted by the world’s largest enterprises and auditors. With AI embedded across every task—audits, risk management, continuous control monitoring, and everything in between—you can finally get GRC right.