Voice-over: This is Leaders in Finance, a podcast where we find out more about the people behind a successful career. We speak with the leaders of today and tomorrow to discuss their motivations, their organizations and their personal lives. Why? Because the financial sector could use a little more honest conversation. We’d like to thank our partners for their ongoing support. They are EY, MeDirect, RiskQuest, Kayak and Roland Berger. Our guest this episode has been called the father of GRC.
Michael: So GRC is a capability to reliably achieve objectives, address uncertainty and act with integrity. Unfortunately, a lot of GRC programs are more CRG programs or just CR or just C programs and they forget the G and the G is where everything starts. It’s what is the business is actually trying to achieve.
Voice-over: What’s his take on taking risks in business?
Michael: U.S. President Teddy Roosevelt said risk is like fire; controlled, it will help you, uncontrolled, it will rise up and destroy you.
Voice-over: Who better to sum it up than Captain Kirk himself?
Michael: And my absolute favorite is Captain James T. Kirk of the Starship Enterprise. In season two, episode 20 of the original series, in the executive committee room with Spock, Scotty, and McCoy, they’re making a decision—do they go on this mission? And Captain Kirk says, risk is our business. That’s what the Starship is all about. That’s why we’re aboard her. Every business is a Starship of risk. It’s not about avoiding risk; it’s about taking the right risks and managing them well.
Voice-over: Our guest this episode is Michael Rasmussen, GRC analyst. Your host is Jeroen Broekema.
Jeroen: Welcome, listeners, to a new episode of Leaders in Finance. This time, an extra episode with Michael Rasmussen, a governance, risk, and compliance (GRC) expert who has worked across the globe with numerous institutions, including in the financial services industry. I’m very glad he’s here. What I’d love to add to this very short introduction is the fact that, by many people, after researching you online, you’re called the father of GRC. So we’ll get into that and see where that comes from. But first of all, as I said before, welcome, Michael, to the show.
Michael: That’s great. It’s a pleasure to be here. Wonderful.
Jeroen: And first of all, for people that don’t know you, a very simple question: where are you from?
Michael: I’m from the United States. I grew up in Montana, but married a girl from Wisconsin. So I live in Milwaukee, Wisconsin, and we’re entering the NBA season—go Bucs! I follow the Milwaukee Bucs in the NBA, but yeah, I enjoy living in Wisconsin. My business, though, is global. Last month, I was in Riyadh, Copenhagen, London, Houston, Texas, and San Francisco. I’m sure I missed a few places, but now I’m here in the Netherlands.
Jeroen: Truly a global citizen. Do you miss Montana?
Michael: Oh, I love Montana. The mountains and the wild will always have a little place in my heart.
Jeroen: That’s great. So, what’s the reason you’re traveling the globe?
Michael: For governance, risk, and compliance. I define my job as research. I research what challenges companies face in governance, risk management, and compliance (GRC), and how they solve those challenges with strategy, processes, and technology. I spent seven years at Forrester Research as their top analyst. My claim to fame is that, in February 2002, I defined a model for the market and labeled it GRC. So that’s going on 23 years now. After Forrester, I went independent, so I now compete with Gartner, Forrester, Chartis, Verdantix, I see my job as really a hobby—it’s a passion for how organizations, financial services firms, and other industries can improve corporate governance, improve risk management (which is often very broken), and improve compliance.
Jeroen: I’ll definitely get back to that. But now you’re in the Netherlands, and obviously, you came all the way here for the podcast. Apart from that, what was the reason for your visit?
Michael: I was helping one solution provider with their strategy in the market. And then I had another podcast I recorded the other day with the Institute of Internal Auditors in the Netherlands.
Jeroen: That’s great. So what’s the business you’re working with now?
Michael: The business I worked with here? Corporator. Corporator, right.
Jeroen: But you work with all of them, right?
Michael: Yeah, I work with Corporator and its competitors. About 40% of my time is with technology solutions and professional services firms to help them understand the market, improve their approach, and improve their solution or service. About 40% of my time is with buyers of solutions, where I help with RFPs and keep vendors and solution providers honest during the process. And 20% of my time is with private equity firms that engage me to do due diligence on technologies they’re going to invest in.
Jeroen: Right. Well, busy man. I like that you mentioned this moment where you coined the term GRC, you know, with a whole new way of thinking around it.
Was it really that moment that was so important for you, or is that just with the benefit of hindsight? Did you define it that way?
Michael: It was like a light bulb went on because in the 90s, I was a risk management consultant, and I dreamed of technology that could map controls, risks, and compliance together. I’m not a coder, I’m not a software developer, but I wished we had that. Then, that day at Forrester, I had a briefing on a solution that did just that. I said, “This is what I dreamed of. There’s a market for this.”
And then, of course, that same year, 2002, Enron and WorldCom hit, followed by Sarbanes-Oxley. That drove the market for several years from a Sarbanes-Oxley point of view. I had a broader vision for what GRC should be, but that first generation of GRC software, I call the Sarbanes-Oxley captivity of GRC.
Jeroen: Yeah, I can see that. So, if we take that moment and step back, but also later move a few steps forward, what’s your background by training?
Michael: I’ve got a business degree, then a law degree. On the personal side, I’ve got a master’s in medieval church history. So that’s sort of my personal hobby—medieval history.
Jeroen: So many things I’d like to ask about both. So the more regular degrees, quote unquote, what was the reason you were studying that?
Michael: Why did you choose that? I love compliance. I mean, laws, regulations, they fascinate me. The overall ethics and integrity of an organization fascinates me. So I went to law school to just get that learning. I never want to practice law. I’d make a horrible lawyer. I don’t like negotiation. Going to buy a new car or something just drives me nuts because I don’t like negotiation. So I would make a horrible lawyer, but I love law. So I went to law school.
Jeroen: So what’s fascinating for people that are not in compliance and only know the risk aspects around it?
Michael: What is fascinating about it for you particularly? To me, I just like the idea of ethics and integrity, and understanding what are the requirements and obligations and even systems of ethics because you’ve got some people that are rules-based ethical people, like “let me know the rules and I’ll follow the rules.” I just spent some time in Copenhagen and they’re very much rule followers. Even at one in the morning, they will not cross the street if it’s not a walk sign, with no cars around. And, you know, you have those rules-based ethical systems, but then you have more of a utilitarian-based ethical system where it’s like “I’ll break the rules if it means a better outcome for myself or for the organization.” And just to me, the way people make decisions and they either follow rules or bend rules or break rules, I think it’s rather interesting. And then how can we use technologies and things to improve overall corporate culture around that?
Jeroen: Any other studies? Medieval church history, is that right?
Michael: Yeah, medieval church history.
Jeroen: What made you study that?
Michael: I’ve always fallen in love with the medieval times, the Middle Ages. I mean, I became a Lord of the Rings Tolkien fan. I guess that really influenced it a lot. And so my ancestry comes a lot from England on my mom’s side, her maiden name is York, but also from the Danish side of my ancestry, and I just really liked that whole era of medieval history. So I’ve been fascinated by it. As a student, there was a next-year job much later. I actually just finished my degree in medieval history two years ago.
Jeroen: Oh, really? Yeah, so you did it next to this really busy job?
Michael: Yeah.
Jeroen: Amazing. It took you 10 years, but you did it. And you really graduated?
Michael: Yeah, got my diploma and everything.
Jeroen: Wow, that’s amazing. And just one more follow-up on this one because it’s intriguing. People like Steve Jobs always say like sometimes you do something completely different from your regular job, but you still, there’s always a way why you use it, right? Like his calligraphy. Was it the same for you with medieval history, apart from the fact that you enjoyed it, are you also somehow using it in your current work?
Michael: Well, I always use it with different stories in my presentations and things like that. Definitely.
Jeroen: Yeah, you did?
Michael: Yeah. So what’s an example? I mean, I talked about Thomas Aquinas where he said, “If the highest aim of the captain is to preserve the ship, he would stay in port.” But you know what? That’s not what ships are built for. You know, a business that doesn’t take risks is the business that’s out of business.
Jeroen: Right, yeah. What was the moment, the very first moment in your life, that you became interested in what we would now call GRC?
Michael: Oh, I sort of evolved into it. Originally, growing up, I thought I was going to be a backcountry forest ranger in Montana, but then I actually went into theology, thinking I was going to go into ministry. But I got married, had children, and had to fall back on computers. So we were expecting our first child, and I started at what was a Kinko’s store back in 1993 as their desktop publishing coordinator, and I oversaw the computers there. Then I got hired as a graphic designer for a manufacturing company that made signs a year later. I was the only person who understood how the computers networked. So the lady from IT left, and I became the MIS director. I migrated from a System 36 to an AS/400, installed a Novell network and wide-area network, and all this stuff. I was learning on the job, getting certifications and things, then moved over to healthcare/life sciences as a senior network security analyst. Later, I became a consultant in the Chicago-Milwaukee market. I started the Milwaukee ISSA chapter, the Information Systems Security Association. In that role, I went on the international board of the ISSA as VP of standards and public policy, representing ISSA members in Washington, D.C., and other places around the world. It was quite a bit of fun. Then Steve Hunt, who was the Chicago chapter president and an analyst at Giga Information Group (Gideon Gartner started Gartner and then left to start Giga), kept throwing his questions on regulatory compliance and policies at me. He eventually said, “Why don’t you come work here?” So I got hired by Giga. And just a year later, Giga got acquired by Forrester Research and into the analyst world right now.
Jeroen: Right, yeah. That’s great. And what was the moment you decided to leave Forrester and go on your own?
Michael: That was at the end of 2007. It was more of a realization. I was regularly hitting the top analyst award at Forrester, and I was my own sales, marketing, and analyst all in one because Gartner and Forrester mainly sell to the IT department. But my interactions were with corporate compliance, ethics, and operational risk roles outside of IT. So, I thought, I’ll just do this independently.
Jeroen: Right. And that was quite a good move, right?
Michael: Oh, it was. I loved it.
Jeroen: That’s great. So, in my preparation, I heard you say a couple of times something like “those who do not risk do not win.” That’s an important phrase for you, right? Can you explain why?
Michael: Because I think a lot of people don’t understand what risk is. U.S. President Teddy Roosevelt said, risk is like fire—if controlled, it will help you; if uncontrolled, it will rise up and destroy you. John Paul Jones, a U.S. naval hero from 250 years ago during the U.S. fight for independence from the British, is known for saying, I have not yet begun to fight, but he also said, it is a law of nature, inflexible and inexorable, that those who do not risk do not win. I mentioned Thomas Aquinas, but Judge Mervyn King from South Africa, who was the impetus for the King Reports on corporate governance, said business is the undertaking of risk for reward. Businesses take risks to make money. And my absolute favorite is Captain James T. Kirk of the Starship Enterprise. In season two, episode 20 of the original series, in the executive committee room with Spock, Scotty, and McCoy, they’re making a decision—do they go on this mission? And Captain Kirk says, risk is our business. That’s what the Starship is all about. That’s why we’re aboard her. Every business is a Starship of risk. It’s not about avoiding risk; it’s about taking the right risks and managing them well.
Jeroen: Yeah, that’s very well said. I love the examples and quotes, by the way. So, GRC, right? Governance, risk, compliance. Why did you coin it that way?
Michael: Because it puts things in perspective. We see a lot of terms like ERM, ORM, and IRM, but a lot of times, it’s putting the cart before the horse. It doesn’t start with risk; it starts with objectives. The official definition of GRC, found in the GRC capability model that I helped contribute to with OCEG, is that GRC is a capability to reliably achieve objectives—that’s the governance function, setting objectives, and performing against them. Addressing uncertainty is next—that’s risk management. ISO 31000 says risk is the effect of uncertainty on objectives, so there’s a relationship. And finally, act with integrity—that’s compliance, whether it’s your policies, procedures, values, or regulatory obligations. So, GRC is a capability to reliably achieve objectives, address uncertainty, and act with integrity. Unfortunately, many GRC programs are more CRG programs or just CR or just C programs, and they forget the G, which is where everything starts. What is the business trying to achieve? Only in the context of strategy and objectives can we understand the risks and uncertainties to those objectives and the boundaries that need to be set ethically, legally, and with regulatory focus.
Jeroen: And you’ve seen all these companies from the inside, maybe some public sector as well, I don’t know, but mostly private?
Michael: Limited.
Jeroen: Limited, mainly private, right? Do you ever visit a business and think, they’re not taking enough risk?
Michael: Definitely, yeah.
Jeroen: Oh, you do?
Michael: There was an interesting article I read in The Economist magazine back in 2007, before the 2008 downturn. It was called Goldman Sachs: Behind the Brass Plate, and it revealed a lot about Goldman Sachs’ internal risk culture. Part of the article compared them to Lehman Brothers. Lehman was conservative with risk and wasn’t known for aggressive risks, while Goldman was extremely aggressive, made more money, and grew. We saw what happened to Lehman in 2008 and what happened to Goldman Sachs. Being conservative with risk doesn’t necessarily see you through.
Jeroen: That’s a great example. The outcome for those two businesses was so different, right? Very interesting. But do you think it was because of risk?
Michael: It’s about how they took and managed risk. At that time, Goldman Sachs had a culture where if you were taking a significant risk, you needed a team effort. You couldn’t make major risks as an individual. You had to get other perspectives, which gave a multifaceted view of risk to ensure it was the right decision to move forward with.
Jeroen: Just before the interview, I asked if you were active in the financial services industry. I think you said you’ve seen a substantial number of financial institutions from the inside. I’m curious, how is the financial services industry different in terms of risk-taking compared to other industries you’ve seen?
Michael: The financial services industry is much more structured in risk governance and requirements because of regulations like Basel. It doesn’t mean they always have the right processes in place, but there’s often more regulatory pressure and oversight to ensure things are in place. In other industries like manufacturing, risk management might fall under the CFO or someone else and not get as much attention.
Jeroen: So it’s more naturally the business of a financial institution to manage risk, right?
Michael: Yeah, it’s much more structured. In areas like credit market risk or in the insurance industry, with actuaries, it’s down to a science. Operational risk is rather elusive because there are so many variables and inputs. It becomes more art than science at points.
Jeroen: And for you as a consultant, is it different in a financial institution than in, let’s say, a car manufacturer or any other non-financial business?
Michael: That’s what I love about my job—the variety. For example, with a car manufacturer, you deal with supply chain risks, disruptions, and the impact of geopolitical risks. That’s fascinating.
Jeroen: So, is it more complex in financial services, or would you say it’s similar?
Michael: If it’s a large organization, the complexity is there for all of them. The difference with financial services is regulatory risk, due to the volume of regulations. For example, using a Thomson Reuters figure from a few years ago, global financial services firms deal with 257 regulatory change events every business day from 1,217 regulators worldwide. It could be a new law or regulation, a change, or enforcement action. One-third of these come from North America, one-third from Europe, and one-third from the rest of the world. That’s a lot to keep up with.
I worked with one global European bank where a regulatory change required a policy update. It took six months, with 75 reviewers, to finalize the document in a check-in and check-out process. That’s not agile. Now they’re asking how to leverage technology where multiple people can work on a policy simultaneously, instead of this linear workflow across 75 people. With 257 regulatory change events every business day, even if a small fraction impacts policy, you still need to address changes quickly. We need agility.
Jeroen: Yeah, it makes total sense. You already mentioned the size of the organization, right? So, the size is a good indicator of how complex the risk systems are, correct?
Michael: Yeah.
Jeroen: It sounds logical, but is that the reason why risk management has become so difficult because the organizations are large, operating in many countries, with fast supply chains?
Michael: Oh, definitely. In the non-financial world, I worked with a global organization with 300,000 employees. They had 30 departments handling risk, 10 different GRC platforms, and tens of thousands of documents, spreadsheets, and emails for risk.
Jeroen: Yeah, but can such fast-moving organizations manage all that?
Michael: It’s possible with the right architecture and highly agile technology that adapts to the business. There are solutions that integrate information feeds easily. I work with some of the largest global organizations, looking at next-generation solutions. Many financial services firms, particularly tier-one banks, are frustrated with their operational risk systems, but they don’t see new things on the block. And so there’s a lot of complexity in some of the older systems, but we’re seeing a new generation of technology out there, particularly enabled by artificial intelligence that leverages and brings things to be more efficient, time-saved, money-saved, more effective, like accurate, complete, thorough, less than slipping through cracks, resilient to be able to find issues and correct them when they’re still small issues. And, but that agile, that horizon scanning to see what’s coming at us and prepare for the organization.
Jeroen: We’ll get to solutions for managing all this, but first, this vast amount of global regulation you mentioned—hundreds of changes every day—is it ultimately driven by a lack of trust? A more philosophical question, but…
Michael: Yeah, I’d say regulation exists because people make mistakes, and things happen. Government reacts with legislation and regulation, and it grows. I’ve been told (though I haven’t tested it) that if you print the UK’s FCA rulebook, it’s about two meters tall. If you print the US Code of Federal Regulations, it’s longer than a marathon. That’s a lot of paper and enforcement actions.
Jeroen: Apart from not being efficient, can it ever be effective?
Michael: There are always going to be gaps. Humans make mistakes, and greed can get in the way.
Jeroen: Yeah. It feels like there’s just so much regulation—one third from Europe, one third from the US—if you’re a small bank, it’s almost impossible to keep up, right? Maybe if you operate in one country, you can manage, but if you’re in multiple countries, how could a C-level executive stay ahead of it all? Do you have any thoughts on that?
Michael: Yeah. In the UK, there’s the SMCR (Senior Managers and Certification Regime) with about 28 senior management functions responsible for different areas of risk and compliance. They can be personally fined. Barclays’ former CEO was fined £800,000 for a whistleblower infraction. TDS Bank was fined £40 million for an operational resilience failure, and the CIO, responsible for third-party risk, was personally fined £80,000. In Australia, there’s FAR (previously BARE). Singapore, Hong Kong, and South Africa all have accountability regimes modeled after the UK’s. We’re seeing that more and more.
Jeroen: So on one side, there’s a massive amount of regulation, and on the other, more personal liability for senior management.
Michael: Yeah,
Jeroen: it’s a great combination.
Michael: It makes for chaos, right?
Jeroen: It makes for chaos. That’s probably why you’re so popular everywhere—this is really important. But just to rephrase, can CEOs or other C-level leaders actually be liable for all that? Can they be responsible for it all?
Michael: Well, it definitely rolls up to them. The challenge is that, particularly in the EU, there’s a focus on evidence-based compliance. In the US, the mindset is more checklist-driven: check all the boxes, and you’re good. In the EU, it’s more risk-based and open to interpretation. It’s harder, but also more flexible.
Jeroen: Yeah, makes sense. Here in the Netherlands, there’s talk of it being harder and harder to find CEOs for banks due to all the liability. Is that something you see globally, or is it a local issue?
Michael: Oh, definitely. There’s a lot of turnover worldwide.
Jeroen: So it’s just as hard to get the right people, and it’s even harder to keep them.
Michael: Exactly.
Jeroen: Not a great development.
Top of Form
Bottom of Form
Michael: Yeah, it can be stressful. I mean, with all the change and keeping up, something is bound to get missed somewhere.
Voice-over: You’re listening to Leaders in Finance with Jeroen Broekema.
Jeroen: Ultimately, I think what you would say is you need to structure all your risks really well in the organization. So, if I’m at a bank, what’s the most important thing I need to do to really organize and structure the way we do risk management?
Michael: I think having clear lines of accountability and ownership of risk is really important. Good risk management systems, and also regulatory management systems, to be able to do horizon scanning—what’s developing six months or one year out, what’s happening now, that immediate redlining of regulations and things.
Jeroen: What do you mean by a system? Like, technically, or…
Michael: Oh, yeah. Technically. I mean a system, including strategy, people, process, and technology, and how that all comes together. Technology by itself doesn’t fix anything, but if technology enables the right strategy and process, that’s important.
Jeroen: Is technology often seen as a solution?
Michael: Yeah, definitely.
Jeroen: And you’re saying that’s wrong. It’s just a means to an end.
Michael: Technology enables the right strategy and process. You have to have the design. There’s this house in San Jose, California, called the Winchester Mystery House. It was built by the heiress to the Winchester fortune for Winchester guns. It cost 5.5 million U.S. dollars to build in the 1800s. If you calculate inflation, that’s a very expensive house today. It took 38 years to build, had 147 different builders, but had no design, no blueprint, no architect. So at the end of the day, it has walls that open to doors or 20-foot drops, stairways that go to nowhere, halls that go to nowhere, skylights that are on floors instead of ceilings. But that’s a lot of times, you know, banks, particularly mergers and acquisitions and all this—they’ve got this Winchester Mystery House of GRC that, over the last 38 years, people have been doing their little things and nobody’s really designed it. The right structure for risk and compliance—strategy and process enabled by technology—can work. Now, it doesn’t mean that nothing will go wrong. No, there will always be incidents.
There will always be events. Hopefully, though, they won’t become a regulatory event or cause significant fines or reputational damage.
Jeroen: And is this all a top-down approach, the way you work?
Michael: The top-down approach is how it should work, yes.
Jeroen: I’m interested in that because it’s really the tone and the whole agenda of all of this. If you want to restructure and come in as a new CEO, should it come from that person? Is that where it starts?
Michael: Yeah, definitely. There are also people who say, well, it’s important to have it organized more decentralized, so when something goes wrong, the entire organization isn’t affected, or for other reasons. But you say, no, it really starts at the top.
Michael: You have to have it at the top. But can there be accountability at different levels? Absolutely. And there needs to be. There’s different regional and geographic jurisdiction accountability because the rules differ from the US to Europe in many areas, particularly privacy, like GDPR.
Jeroen: Yeah, exactly. I also wanted to ask you about ownership—because ownership, is that something formal, or is it about people needing to feel ownership?
Michael: Technically, it has to be both. It needs to be formal and on paper, but it can’t just be passing the buck. If someone is assigned accountability, they need the right information and tools to take that accountability. Too often, risk becomes like a hot potato being passed around. Now, that’s an interesting nuance too. Risk is often seen negatively. I’ve already told you about the positive side—that businesses take risks—but within a bank or even a non-financial services firm, risk can be scary. Who wants to own a risk? But on the other side, there’s this whole world of resilience. We see EU DORA and UK Operational Resilience. What process owner, service owner, or business manager in a bank doesn’t want to be resilient? We all want to be resilient, especially after the last several years with COVID, conflicts, economic concerns, and foreign exchange fluctuations. We all want to be resilient.
Jeroen: Yeah, exactly. In preparing this, I saw a couple of times, which I really liked, how you described that everyone is personally taking risks every day. If we don’t, there’s no life, basically. So, as you said, it has a negative connotation, but it’s not necessarily negative. It’s like your fire example—how to control the fire. But a lot of people say they want more entrepreneurship in the organization, but they don’t want to take risks, because entrepreneurship is ultimately risk-taking. It feels contradictory. How do you create an organization, especially a bank, highly regulated with loads of rules, that fosters entrepreneurship while ensuring you’re not taking too much risk? It seems impossible to combine the two.
Michael: It’s certainly challenging, that’s for sure.
Jeroen: Do you have any thoughts on how to do this? Let’s say you want to become a neo-bank, you want to challenge the incumbents. You start a new bank. What are the things you would do in a new bank? You have the money, you’re hiring the first 100, 200 people. How do you ensure you have this founder’s mentality of entrepreneurship, but still make sure you’re not getting out of control in terms of risk?
Michael: I like the quote that’s been attributed to both Schumacher and Einstein: “Any intelligent fool can make things more complex. It takes a touch of genius to go in the other direction.” And really, that’s what happens when you rethink things—like Apple with its technologies. I’m a big Apple fan. I have been since high school, back in the 80s with the original Macintosh. But, you know, Apple reinvents spaces. They reinvented the watch, the iPhone, music. That’s how banks need to think.
That’s why you see all these challenger banks popping up. Even large banks like Capital One are making branches into cafes. It’s about restructuring and rethinking things.
Jeroen: Yeah, are these challengers managing risk differently, do you think?
Michael: A lot of times, because of their new entry into the market, they have less history to deal with, so they can be more agile in how they approach it. But they still have to address a lot of the same rules and regulations. So that makes it complex too.
Jeroen: Right. You already touched upon it, but towards more solutions—apparently, you help a lot of organizations get the right systems in place, structuring the way they work. Can you elaborate a little bit? When you enter an organization, what do you normally do? If you have a big assignment to help with their entire risk management, what are the first things you do?
Michael: A good starting point is a current state analysis. What are we doing today? Because every organization has some approach to governance, risk, and compliance. It’s more of a maturity spectrum. You might call it GRC, ERM, ORM, or something else, but some approach is already in place. It can be the “ostrich burying its head in the sand” approach—a very low maturity level—or a very high level of maturity. So where are we today? What’s the current state? Like a midsize bank I worked with, where I helped with their RFP. Before the RFP, they did an internal study of their risk, compliance, and audit resources. They found that 80% of their staff’s time was spent managing and chasing documents, spreadsheets, and emails—not managing risk, compliance, and controls. It was just trying to track down those risk assessments, finding out they were halfway completed, and sending them back. 80% of their time was wasted on inefficiency.
They wanted to flip that with technology so that 80% of their time was actually managing risk and compliance controls, improving them, and only 20% was spent reconciling and chasing things.
Jeroen: So, first, you map the current state of affairs. Then what? This is a clear example, but what are other things you could?
Michael: Build that future state: where we want to be in two years? I don’t like long-range plans for two years because the business changes too quickly. So whether it’s six months, one year, or 18 months out, what’s the future state? And what’s our roadmap to get there? Then you have to ensure you have the right team, the right technology to achieve the end goal. Maybe you have a preferred vendor, but they might not be able to achieve what you’re trying to do. So they would be the wrong one to build on. You also have to be ready for change. That’s all important.
When building a business case for the change from the current state to the future state, I focus on four value areas. Efficiency is one: time saved, money saved. It used to take 200 hours to build this risk report for the board of directors, and now it takes less than an hour. That’s an example from one of the interactions I had. The second value is effectiveness: more accurate, complete, thorough, with fewer things slipping through the cracks. The third is resilience: catching control or compliance issues while they’re small, before they become major events. And the fourth is agility: keeping up with business, risk, and regulatory changes. If you’re a global bank dealing with 257 regulatory change events every business day, that’s a lot to keep up with. How can we leverage AI to do the horizon scanning, red-lining, and suggest policy changes for us? There’s still a subject matter expert in the process, but if AI can help us suggest improvements to policies and controls and keep the bank current with changing regulations and risks, that’s great.
Jeroen: Yeah, yeah. Many people, especially chief compliance officers I interview, say, ultimately, we need to ensure compliance with laws and regulations. But at the end of the day, it’s about culture. It’s about having the right mindset, about getting people’s hearts and minds on board, instead of just ticking boxes. Do you agree with that? Is it a cultural change?
Michael: It definitely boils down to a good culture. It’s not just about following the rules. It’s about the integrity of the organization. I like to quote my favorite fictional Premier League coach and philosopher, Ted Lasso. He said, “Doing the right thing is never the wrong thing.” And to me, that’s how we need to run our business.
It’s about doing the right thing. How do we build that into the business? And how do we empower our people to take risks and manage risks, while also knowing where the boundaries are that they cannot cross?
Jeroen: But you know, with culture, the hardest thing is changing it once it’s established, right? It’s like the examples with animals in a room. The only way to change their behavior is by removing some of them. It’s the same with people, probably. Changing culture is very difficult.
Michael: Changing and improving culture takes time. But culture can be destroyed overnight with corruption. It comes down to how policies are lived and maintained, not just how they’re written. I have a code of conduct from 2000 that was the model code of conduct. Companies were copying it to be their own. In one of my policy management workshops, a petroleum company from Canada said they almost copied it word for word to be their code of conduct. But that was Enron’s code of conduct. And look where that led: to Sarbanes-Oxley. You can have well-written policies, but if they’re not followed, you have a corrupt culture.
Jeroen: And what’s the number one way to ensure people follow, from a cultural perspective?
Michael: The executives and management have to live and breathe it.
Jeroen: When you enter an organization where you’ve never been, do you believe in the “smell of the place”? Can you feel if the culture is good, even if things still go wrong sometimes? And sometimes you enter an organization, and it just doesn’t smell right.
Top of Form
Bottom of Form
Michael: Oh, definitely. Yeah. I mean, you can sort of tell just by the people and how they interact.
Jeroen: And what’s an example of that?
Michael: Just, you know, how open they are and how collaborative they are. You know, the level of political fiefdoms between different departments versus collaboration and things.
Jeroen: And do you tend to tell the CEO, this is what I feel when I come in, or is that tricky because it’s hard to measure?
Michael: It sort of depends on the relationship.
Jeroen: Yeah, because sometimes, with the vast amount of experience you have, you already feel by your gut that, you know, this is not good, but you’re probably not allowed to say it because, yeah, I mean, you don’t have real evidence. It’s just a feeling, probably.
Michael: Yeah.
Jeroen: Must be kind of difficult then, but at least you know that there’s something to be done.
Michael: In larger organizations, it can be harder to find the problem. Smaller ones, I can pinpoint, it’s like this one technology provider. It’s like great technology, but I don’t think it can go anywhere because the CEO is a control freak and doesn’t, you know, allow the other managers and executives to make decisions and things. In the smaller environment, it’s much easier to pinpoint the problem. The larger organizations, there can be lots of problems, and it’s hard to trace it all out.
Jeroen: So next to GRC, you also understand and enjoy technology, but just for me, because I’m a complete outsider here, like what does technology exactly do here?
Michael: It makes, again, going to the business case, more efficient, effective, resilient, and agile.
Jeroen: But how does it do it? What is it? Is it software?
Michael: It’s what I call GRC software and really an architecture. There can be a core platform for risk, yes, but is there one platform that does everything for risk and compliance? No. So a lot of times there’s an architecture and integration of different systems, but it’s going to take and streamline workflows, particularly when they’re manual processes with a lot of documents, spreadsheets, and emails or siloed systems and things, and provide greater reporting, visibility, and structured processes with accountability and audit trails. When things go wrong, it can be documented or there’s evidence there. So there’s a lot of structured accountability that’s built into GRC-type systems.
Jeroen: Yeah, just can you make it even more concrete, like what exactly does a system do? Let’s say I’m a relationship banker in a bank, am I part of that technology as well, or is it mainly for the risk functions or for everyone?
Michael: It depends on the technology and how it’s implemented. It depends on the particular problem, but good GRC technology is going to enable the front office to the back office. With the Institute of Internal Auditors, they talk about three lines. You’ve got the third line, which is your audit and assurance function. You’ve got your second line, which is your risk and compliance management roles. The first line is the business itself out there. A lot of stuff is built for that second and third line, but good GRC is going to enable that first line because risk and compliance, these roles, they don’t own the risk, the business owns the risk. And they’re the ones we need to communicate to, and they have to have the risk dashboards in.
Jeroen: Because that’s when you start to win, right? Because then actually the first line really takes responsibility and the second and third line are just there to check, right?
Michael: Yeah, exactly.
Jeroen: But that’s what I’m curious about.
Michael: That’s that culture issue.
Jeroen: Yeah, that’s back to the culture indeed. But also, what does the technology do for me as a relationship banker, for example, in that first line? What does the technology help me with, for example?
Michael: It can help us understand the law and regulation and provide training and the relevant policies on that. With AI and things, you can ask it questions like, is this appropriate, this interaction or whatever? Obviously, there’s elements of technology that are necessary. In the US, the SEC is having a heyday going after a lot of the investment firms and things right now with all the communications breakdown and people using back channels and non-approved communication mechanisms to customers. And so there are just areas where you have to buy GRC-related technology to comply with the law and regulation. But in general, what we’re talking about is a lot of streamlining workflows and processes to do assessments, to communicate policies, and to evaluate controls. When you do this in manual processes of documents, spreadsheets, and emails, you’re always behind. You’re never current. Technology enables us to really get 80% more efficiency, typically, in these processes. And you leverage AI typically even more. So we can make it much more efficient and accountable and prevent things from slipping through the cracks.
Jeroen: So you help a lot of businesses to find the right vendor, right? The one that fits well with them. You know them all, and you see probably all the pros and cons of this vendor and pros and cons of that vendor or to match with that particular organization, the size and everything, the complexity. But I was wondering, with all these external vendors, is it sometimes better just to do it yourself? Is that possible? Or do you actually always need an external player for this?
Michael: If you want to build it yourself, if you’re a large bank, I’ve seen that happen, but they find it’s cumbersome to own and complex. Particularly when you start getting into areas like risk modeling. Having commercially supported software that provides all the bug fixes, updates, and maintenance, and keeps things current with evolving regulations, adds a lot of value.
Jeroen: Yeah, I can see that. Especially when you need to do all the updates all the time. Another thing I’m curious about: even with my small business, I’m dependent on a couple of vendors, like Microsoft, for example, right? I can’t easily switch to another provider, whether it’s for my email or whatever. Is that something you consider with your clients? Like, if we’re going to use this vendor, we become dependent?
Michael: Yeah, like with a cloud provider. You have to consider the long-term viability, the vision of the vendor. There’s a lot more to look at than just the technology. You need to think about cultural fit, where the vendor is headed, and their stability in the market.
Jeroen: Last two questions from my side, then maybe you have other things you want to bring to the table. In my preparation, you mentioned that GRC should really be part of the strategy, right? Do you see, especially in financial services, that it’s often not?
Michael: Yeah, because too often it’s reacting to compliance obligations and not top-down. It can be buried in the weeds and not strategically driven. Good GRC and risk management should bring together the top-down strategic view of risk with the bottom-up operational view of risk. Too often, we operate only down in the weeds without a clear vision or alignment with strategy. But if we have too much top-down, it can be chaotic—like in the military, they have a term for it, a “cluster F,” where there’s too much high-level view without enough focus on operational details. Good GRC ties the top-down strategy with the operational, resilient controls in the weeds.
Jeroen: Yeah, interesting. Last question: do you have tips for particular groups of people? First, do you have a tip for the chief compliance officer within a financial institution?
Michael: Certainly. I would like to rebrand the chief compliance officer to the chief integrity officer. We already have a CIO for information, so that might not work, but ultimately compliance is about integrity. It’s not just about law and regulation; it’s about the values and ethics of the bank, the boundaries and obligations, whether ESG-related, sustainability, or legal. The chief compliance officer isn’t the corporate cop—it’s about being the evangelist for integrity within the organization.
Jeroen: Great, I like that. Another CIO, but it makes total sense to me. Do you have a tip for CEOs?
Michael: CEOs should really understand and listen to compliance and risk teams. The CEO helps judge what needs to change in the bank to align culture with the organization’s goals.
Jeroen: Lastly, a tip for someone just starting in your field, like a junior in GRC, just out of college.
Michael: My recommendation: get involved in professional associations. My career wouldn’t be what it is without ISSA, ISACA, OSEG, the Institute of Risk Management. Volunteer, overcome fears, speak at events. That’s the road to success—networking with peers and building connections.
Jeroen: I’m really glad you took the time to talk to me today. Before I thank you at length, is there something you’d love to add? Something I haven’t asked?
Michael: I think we’ve covered it all.
Jeroen: Wonderful. Thank you so much, Michael Rasmussen, for joining us. It’s great to have you here in the Netherlands with Leaders in Finance. I have a small present for you, but I’ll give it after the podcast interview. Again, thank you so much for your time.
Michael: My pleasure, thank you.
Voice-over: You’ve been listening to Leaders in Finance. We hope you’ve enjoyed the episode and would love to hear from you. What’s on your mind? Who would you like to hear next? Let us know in an Apple or Google review, via email, or on our social media channels. Finally, we’d like to thank our partners for their ongoing support: EY, Medirect, Zanders, Kayak, and Roland Berger. Thank you for listening.