In this episode of Risk Is Our Business, Michael Rasmussen beams up Graeme Keith, mathematician, strategist, and CEO of Stochastic ApS, for a charged discussion on the fundamental divide between Risk Management 1 and Risk Management 2. Spoiler alert: most organizations are stuck in RM1, clinging to risk registers, risk appetite statements, and heatmaps that do little more than appease auditors. But as Graeme explains, like the Kobayashi Maru, those are unwinnable exercises that distract from supporting decisions with logic, evidence, and quantitative clarity.

Together, they dissect the common symptoms of bad risk management: using the wrong method in the wrong context, misunderstanding what “quantification” really means, and misapplying Monte Carlo simulations in a sea of poorly designed software tools. Graeme expands on his recent GRC Report article The Misery of Risk Matrices, pushing back on the false sense of security these subjective tools create. He argues that the real R in GRC should stand for risk-informed decision-making, not retroactive compliance filler.

The episode also unpacks why the growing push toward quantification often defaults to Monte Carlo analysis. Graeme offers a breakdown of where Monte Carlo simulations shine, where they fail, and what risk leaders should be asking when evaluating quantification tools and methodologies.

At warp core, this conversation is about upgrading risk from visual comfort to strategic relevance, from vague heatmaps to models that support action under uncertainty. If you’re ready to move beyond the checkbox galaxy and into the decision-making nebula, The Wrath of Math is required listening.