Recorded live at the GPRC Summit in Riyadh, this episode of Risk Is Our Business features Thamer Al Hamed, Executive General Manager of GRC and Data Management, in a timely conversation on how risk management and resilience are converging as strategic capabilities in Saudi Arabia.

Michael and Thamer explore the relationship between risk and resilience, asking whether they truly belong together and how that relationship changes at national and organizational scale. The discussion then turns to the Saudi context, examining both the challenges and the opportunities shaping the evolution of GRC across the Kingdom.

A central theme is Vision 2030, and the role GRC plays in enabling it. Thamer explains how Vision 2030 has become a powerful catalyst for the growth and maturity of governance, risk, and compliance practices—shifting GRC from a supporting function into a strategic enabler of transformation, accountability, and long-term value creation.

They also discuss how GRC is being received across organizations, how mindsets are changing, and what it takes for risk management to move beyond formality and into real decision support. The conversation closes with Thamer reflecting on his own career journey and how he sees both his role, and the broader GRC landscape in Saudi Arabia, evolving as 2030 approaches.

This episode offers a clear window into how risk, resilience, and governance are being redefined in one of the world’s fastest-moving transformation agendas.

In this return voyage of Risk Is Our Business, Captain Michael Rasmussen reconnects with Stefan Gershater for a candid, occasionally interrupted conversation from opposite ends of a video call—a fitting setup for a discussion about signal, noise, and what actually matters in modern risk management.

The episode centers on the real value of risk and GRC software, and how leaders should measure it. Stefan brings a healthy skepticism to the conversation, challenging an industry that too often sells efficiency for efficiency’s sake. Over dinner in London, he recalls receiving a message from a vendor promising to save him 80% of his time. His reaction was blunt: No one cares how hard risk teams work, they care about outcomes, decisions, and results.

From there, the discussion explores what risk leaders should actually evaluate in risk technology. Rather than control-heavy platforms built primarily for compliance, Stefan argues for solutions designed to support value creation, decision-making, and the achievement of objectives. They unpack what “good” looks like when it comes to risk data, data strategy, and visualization, and why many tools still struggle to present risk in ways the business can act on.

As the conversation turns to how risk technology should evolve, reality intervenes. A call from Stefan’s CEO pulls him away from the bridge mid-discussion, an unscripted reminder that risk management doesn’t live in dashboards or demos, but in the real-time demands of leadership.

This episode is a sharp look at why not all risk software deserves a place on the bridge, and why separating meaningful intelligence from false alerts has never mattered more.

In this episode of Risk Is Our Business, Captain Michael Rasmussen is joined by Christopher Hetner, Senior Cyber Risk Advisor serving the boardroom community and former senior cybersecurity advisor to the Chair of the U.S. Securities and Exchange Commission.

The conversation opens by tackling a deceptively simple question: what do we even call this space anymore? Information security, IT security, cybersecurity, cyber risk, digital risk, digital resilience — are these distinct disciplines with meaningful nuance, or different labels for the same underlying reality? Christopher and Michael unpack how language shapes expectations, accountability, and how risk is understood across the enterprise.

From there, they dive into Michael’s widely discussed essay, “The CISO Is Dead: A Eulogy and a Resurrection,”exploring why the title provoked resistance while the substance resonated. The discussion reframes the modern CISO not as a narrow security operator, but as a steward of digital risk and resilience in a world where every function, product, and decision carries a digital footprint.

They explore the dangers of cybersecurity leaders operating in isolation, the limits of traditional security-centric models, and why cyber risk can no longer live on its own island. The conversation then turns to the boardroom, what directors tend to understand about cyber and digital risk, where gaps remain, and how risk leaders can engage boards more effectively by shifting from technical reporting to strategic navigation.

Rather than treating cyber risk as a technical problem to be delegated, this episode makes the case for digital risk and resilience as a bridge-level responsibility, one that requires shared ownership, clearer language, and leadership capable of steering the enterprise through an increasingly interconnected and uncertain risk universe.