Build a Better Bingo Card: Enabling Growth with Proactive Risk Management
Reflections from my presentation "Build a Better Bingo Card: Enabling Growth with Proactive Risk Management" @ AuditBoard ’s Audit & Beyond 2025 in San Diego
It’s fitting that my session began with a reference to Star Trek, Season 2, Episode 20 — “Risk Is Our Business.” Captain Kirk (whose line is also the theme of my Risk Is Our Business Podcast) declares:
“Risk! Risk is our business. That’s what this starship is all about. That’s why we are aboard her.”
That moment captures exactly what we forget in modern governance, risk management, and compliance. Business itself is a starship navigating the cosmos of chaos and uncertainty — a vessel of ambition that must take risk to reach new worlds. Yet most organizations, particularly in the United States, are trying to steer this ship by looking in the rear-view mirror.
The Rear-View Problem
Let’s be blunt: MOST risk management in the U.S. is poor. It’s not forward-looking. It’s not strategic. It’s not even “risk” management — it’s issue management masquerading as risk management, or a compliance tick-box exercise driven by Sarbanes-Oxley or IT requirements . . . and that is NOT risk management.
Too often, risk functions are buried under Sarbanes-Oxley compliance. Boxes are ticked, reports are filed, and leaders call it risk management. But by the time something makes it onto the “risk register,” it’s already happened. The risk has become an event. The “management” is reaction, not anticipation.
That’s like driving while staring only into the rear-view mirror — efficient at recording what just hit you, but utterly useless at preventing the next collision.
True risk management must be forward-looking — not about documenting failure, but enabling achievement. It’s the difference between surviving and thriving.
GRC: The True Triad
We must return to the foundational definition of GRC — something I helped shape over twenty years ago:
- Governance: Reliably achieve objectives
- Risk Management: Address uncertainty
- Compliance: Act with integrity
These three are symbiotic yet distinct. Too many organizations collapse them into one reporting chain — or worse, have compliance report into risk or vice versa. That structure muddies accountability and weakens both.
Compliance ensures integrity. Risk management enables performance amid uncertainty. They must collaborate — not report into one another — because each offers a different perspective on the same landscape.
The Tunnel of Eupalinos: Aligning the Top and Bottom
Over two millennia ago, the ancient Greeks built the Tunnel of Eupalinos on the island of Samos — a feat of engineering that began from opposite sides of a mountain. Against all odds, the two excavation teams met in the middle, perfectly aligned.
That’s what effective risk management must do today: align a top-down strategic view of risk with a bottom-up operational reality.
Too often, we only manage the bottom layer — the operational. It becomes a compliance-centric exercise focused on control testing and audit readiness. That’s not risk management. That’s risk accounting.
We need to connect the mountain’s two sides — strategy and operations — through risk management that is objective-centric, operationally effective, and empowered and driven by risk-informed strategy and decisions.
The Three Levels of Risk Management
In my model, this alignment happens across three levels, each essential to a truly proactive risk and resilience program:
1️⃣ Strategic Risk & Resilience Management – Decisions
At the top, risk must shape strategy. This is the decision-driven layer — where risk intelligence informs where the business goes, not just how it protects itself. Risk isn’t a shield here; it’s a compass. This is where the organization moves from protecting strategy to shaping strategy. Risk becomes a strategic asset — not an inhibitor of ambition but its enabler.
2️⃣ Objective-Centric Risk & Resilience Management – Performance
The middle layer ties risk directly to performance. Enterprise risk management becomes objective-centric, aligning uncertainties to measurable goals. Every objective carries both threats and opportunities, and the discipline of ERM is to manage both. This is where risk shifts from being an afterthought to being part of how objectives are achieved.
3️⃣ Operational Risk & Resilience Management – Execution
At the base is the operational layer, ensuring reliability, efficiency, and adaptability in daily processes. This is where internal controls live — but also where agility and learning happen. Far from being defensive, operational risk provides the confidence in execution that allows strategy to flourish.
Unfortunately, most organizations only focus on the third level — and even then, do it poorly. They obsess over controls but neglect objectives and decisions, the context for risk. They manage compliance, not risk.
The challenge — and opportunity — is to federate these layers. Risk cannot live in silos. The Chief Risk Officer must be the conductor of the symphony of risk, ensuring strategy, performance, and operations play in harmony.
Left Brain, Right Brain: The Duality of Risk
Effective risk management demands both left-brain logic and right-brain creativity.
The left brain gives us structure — quantitative models, loss events, Monte Carlo simulations. The right brain gives us context — imagination, tabletop exercises, bow-ties, narrative, intuition, and foresight.
Together, they form the art and science of risk. Numbers without story miss meaning. Story without numbers lacks rigor. This dual engagement allows risk leaders to see around corners — to imagine what could happen and measure what would follow.
GRC 7.0 – Orchestrate: The Future of Risk and Resilience
This is where we enter the next frontier — GRC 7.0, or what I call GRC Orchestrate.
We are now integrating Agentic AI and Digital Twins into risk practice. Agentic AI can act as an intelligent co-pilot — scanning data, identifying early signals, and autonomously proposing mitigation strategies before humans even recognize the pattern. Digital Twins, meanwhile, create virtual models of the organization’s processes, people, and systems — allowing leaders to stress-test decisions and model cascading impacts before they happen.
Together, they transform risk management from passive reporting to active simulation — turning hindsight into foresight.
Imagine being able to test a new product launch, merger, or supply-chain shift within a living digital model before committing in the real world. That is proactive risk management in its purest form.
From Bingo to Business Intelligence
The title of my session, “Build a Better Bingo Card,” reflects a shared reality: for years, our enterprise risk “bingo cards” have included surprises no one saw coming — pandemics, geopolitical conflict, AI disruption, trade shifts.
You can’t eliminate surprise. But you can design for it.
Scenario planning, simulations, and digital twins give us the ability to anticipate and prepare for those wild-card events — to stress-test strategies before reality does. That’s what it means to be proactive, not reactive.
The ROI of Risk: Efficiency, Effectiveness, Resilience, and Agility
When risk is orchestrated across the enterprise, the value is measurable:
- Efficiency: Time saved, duplicated work eliminated, faster decision cycles.
- Effectiveness: Quantifiable reduction of actual risk exposure.
- Resilience: Cracks discovered and repaired before they widen into crises.
- Agility: Forward-looking intelligence that enables smarter, faster decisions aligned with business objectives.
These are not abstract benefits; they are competitive advantages.
Risk Is Our Business
Risk isn’t something to be avoided — it’s something to be mastered. It’s what propels the enterprise forward, what keeps the starship moving toward its next discovery.
Every organization must choose whether it wants to drift, reacting to every asteroid it encounters, or to chart its course with clarity, purpose, and foresight.
Because at the end of the day, as Captain Kirk reminded us — and as every great leader knows —
“Risk is our business.”
Love the Star Trek analogy. Proactive risk management truly is about charting new paths rather than just avoiding turbulence.
Michael Rasmussen, great post. A large majority seem to have forgotten “risk” is “effect of uncertainty on objectives”. The process needs to start by deciding which objectives warrant formal risk assessment - Mission Critical Objectives - that’s where the real “top risks” are.
Agentic AI for risk shaping decisions is key. Seeing this across tech sectors.
Agentic AI and digital twins for GRC 7.0 unlock insane foresight.