In this episode of Risk Is Our Business, Captain Michael Rasmussen sits down with Michael Erlandsson Jensen at April Coffee in Copenhagen, a busy café whose ambient hum feels oddly right for a conversation grounded in real-world experience.

Michael opens by tracing his path through global risk management, and from there the two find their way into something that doesn't get discussed enough: how differently risk culture actually plays out depending on where you are in the world. The Danish and broader European approach tends to weave risk into everyday business dialogue—collaborative, embedded, almost organic. That's a sharp contrast to the more compliance-first environments Michael has worked in across parts of the Middle East and the U.S., where risk can feel like something done to the business rather than with it.

That tension shapes the heart of the conversation. For Michael, good risk management isn't about control or enforcement, it's about facilitation. Helping the business understand its own risks, take ownership of them, and actually talk about them. Bad risk management, by contrast, is disconnected from decisions that matter, buried in process, and more interested in checking boxes than in being useful.

They also dig into risk appetite a concept that's often treated as a document to file away and forget. Michael pushes back on that, reframing it as something that should reflect how an organization actually behaves, not just what it says on paper. The real work, he argues, is closing the gap between strategy, risk, and what happens on the ground day to day.

It's a grounded, cross-cultural take on GRC and a reminder that the real work of risk doesn't live in frameworks. It lives in conversations.

In this episode of Risk Is Our Business, Captain Michael Rasmussen brings together a cross-functional crew of risk, audit, cyber, and technology leaders for a candid conversation recorded in the Netherlands. Joined by David Ngu, Brett Steinmetz, Jos Bredero, and Eric Groen, the discussion opens with a simple question: what actually keeps you up at 1 a.m. when it comes to risk?

From there, the conversation explores the key drivers shaping risk management in the Netherlands, and how they compare to broader European and U.S. approaches. The group reflects on how Europe tends to lean more toward principles and outcomes-based thinking, while the U.S. often emphasizes rules and compliance and how those differences play out in practice across organizations and industries.

They then turn to the role of professional services firms, unpacking what a successful engagement really looks like. Rather than focusing purely on tooling, the discussion emphasizes the importance of a business-oriented approach, ensuring that technology implementations are grounded in real operational needs, not just frameworks or features.

The episode closes with each guest offering a key takeaway and practical insights drawn from their experience working across risk, controls, cyber, and consulting.

This is a grounded look at how risk is actually managed on the ground (across regions, disciplines, and perspectives) when the frameworks meet reality.

In this return episode of Risk Is Our Business, Captain Michael Rasmussen reconnects with Tony Martin-Vegue for a wide-ranging conversation built around his new book, From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification.

At the center of the discussion is a simple but uncomfortable idea: most organizations aren’t really measuring cyber risk, they’re describing it. Heatmaps, scoring models, and qualitative frameworks may look familiar, but they rarely help leaders make better decisions.

Tony breaks down what’s going wrong, and why. Along the way, he uses an unexpected historical example (the Hanoi Rat Massacre of 1902) to illustrate how well-intentioned interventions can create worse outcomes when incentives, measurement, and behavior are misaligned.

The conversation moves through the core themes of the book:

• Why cybersecurity often behaves like two separate disciplines under one label
• Why quantitative risk is less about advanced math and more about structured thinking
• The biggest myth about data that keeps organizations stuck in qualitative approaches
• Where methods like Monte Carlo simulation and FAIR fit and where they don’t

They also explore why many cyber risk quantification programs fail, what it takes to make them practical, and how the same principles apply beyond cyber to operational risk more broadly.

At over an hour, this is one of the most in-depth conversations on the show! It's less a summary and more a working session on how to move from risk reporting to decision-making.