Risk isn’t just a threat to manage; it’s a signal that reveals the gaps hiding beneath the surface of strategy and foresight. In this insightful conversation, TrustCloud’s own Molly Mullinger and Abheer Bipin dig into today’s most pressing risk-management challenges and offer a refreshing perspective on how to navigate uncertainty with clarity, creativity, and control.
Whether you’re wrestling with emerging threats, chasing ecosystem resilience, or simply wondering how to stay three steps ahead, this discussion offers a rare blend of practical wisdom and optimistic strategy. From reframing risk as a guide to growth, to integrating smarter tools and tight feedback loops, Molly and Abheer bring both vision and grounded know-how, helping you turn ambiguity into advantage.
Let this conversation open the door to risk management as a proactive, empowering force, not just a safety net.
Risks are like icebergs. Will you sink or sail?
From financial risks to operational risks and cyber threats, businesses face a range of challenges that require a robust and secure risk strategy.
With the complexities of modern business, risk management can no longer be put on the back burner, and companies will need to keep up with the latest practices and solutions to stay afloat.
Two SMEs from the TrustCloud team paired up to tackle a few hot topics:
- Why companies should care about risk management
- Current issues with risk management practices and solutions
- Where they see the future of risk management heading
- How teams can start paving the way forward
Read on to see how they weighed in, or check out their conversation on YouTube.
Meet our subject matter experts
Molly Mullinger, Director of Product Solutions – Molly helps potential TrustCloud customers determine how to best leverage the TrustCloud platform. She joined TrustCloud from AuditBoard, and began her career as an auditor with EY.
Abheer Bipin, Senior Product Manager – Abheer is product manager for TrustOps and TrustRegister, working with customers to gain a deep understanding of their needs and pain points, and with engineering to build products that turn GRC into a profit center. He previously worked at Deloitte and OneTrust.
What is risk management?
Molly: Risk management is an organization’s way of defining and understanding all of the risk events that could occur, or anything that could go wrong when operating upon and meeting your organizational objectives.
It’s something that organizations are doing on a quarterly & annual basis in order to make sure that they understand exactly what risk events could occur, based on changes in the market, economic environment, sociopolitical climate and other factors.
It’s increasingly important for companies to make sure that as they’re focusing on risk management, they’re thinking not only about what’s happening right now, but also considering what could happen and what could go wrong.
Abheer: It’s kind of like you’re on the Titanic, and you’re crossing the Atlantic Ocean, and the risks are icebergs. They’re going to be there, they’re a part of your organization, you’re not running away from them.

What risk management, as a function, can do is not only help you steer around those icebergs, but if you do hit one of those icebergs by accident, it’ll at least give you enough life rafts or a big enough door that two people can float on. That’s really risk management in a nutshell.
You’re not getting away with it, you have to start at some point. The sooner your organization really starts looking at risk, the better and easier the process gets over time and the more insightful and data-driven the process gets.
Why should companies care about risk management?
Abheer: There are a few reasons why a company really needs to care about risk management. Quite frankly, the current situation we’re in, in 2023 – there’s a certain level of risk in the market, and it’s important for organizations to understand the challenges ahead as well as actively prevent risks from taking place as a result.
There’s also heightened sensitivity from stakeholders and regulators. Boards of directors and leadership teams are asking about risk, and they’re making risk-driven decisions.
Most importantly, risk is an essential component of how businesses operate and grow. If you were to look at a startup customer who’s predominantly focused on achieving a standard or a framework so they can enable their sales teams, for them, monitoring risk is a compliance obligation.
Whereas if we move towards more advanced use cases for public companies and enterprises, risk becomes a tool to guide the organization to avoid obstacles and to drive decision making.
So wherever a company or individual sits on that spectrum, between a startup and an enterprise customer, risk is an essential component for how they operate, and more importantly, how they grow.
Who’s asking about risk management?
Molly: For standards such as SOC 2, ISO, and NIST, regulators require that you go out and perform a risk assessment in order to meet that requirement. That’s the simple example.
As organizations are starting to be more forward-thinking, and as they’re trying to think through how they can make sure that they’re meeting their strategic objectives, we’ve seen more and more interest from boards, leadership, and investors.
We’re probably going to see a continued increase in the number of people who are asking about your risk protocols and risk approaches as the number of requirements continue to increase and change and evolve.
It’s interesting when we talk about boards and how they’re requesting risk information because it looks a little bit different from the regulators:
When regulators are asking, people tend to approach it as a check-the-box type of exercise.
When boards are asking about it, they want to know more about how their organization is performing the way they want it to, and how to make sure that they can maintain business continuity. It’s starting to shift into a type of decision-making exercise that teams are using to understand where to invest to make sure that they’re appropriately protecting their company.
Challenges that companies run into when performing risk assessments
Abheer: Risk management is done predominantly through spreadsheets, and that makes reporting and collaboration very challenging. Spreadsheets are not real-time. You’re conducting an assessment, you’re evaluating your risk profile at a point in time, and then saying, “Okay, I’ll come back 6 months from now, 12 months from now, and reevaluate my risk posture.”
The challenge is, with our rapidly moving, highly digitized world, the risks that you’ve put in today may not be valid six months from now, or there might be more risks that pop up between your assessment periods. And that’s where one of the challenges comes in with spreadsheets. You’re not monitoring anything, and generating a report for your board becomes very challenging, therefore making actions difficult too.
Similarly, we’re looking at point solutions as well. There are risk products out there in the market. This is not necessarily a new concept, but on their own, risk products also have the same challenge of real-time reporting. You’re looking at controls for mitigation, for example. A point-in-time risk solution does not connect to the rest of your ecosystem, nor does it connect to the rest of your GRC program.
At TrustCloud, we want to build this trust assurance platform, where all of these different elements within a GRC space are connected. Point solutions are not really able to collect all this information across an organization and make data-driven decisions on what should or should not be done.
One of the other issues is that people outside of the CISO’s team don’t really pay attention to risk, which makes it hard to execute mitigation efforts or satisfy risk requirements, particularly within large organizations.
Where is risk management going?
Abheer: For 2023 in particular, it’s a catalyst for change. You’re going to see four trends coming out of this environment.
- Predictive risk: Risk assessments, whether they’re done at a six-month mark or a 12-month mark, miss out on a large number of events that take place between those two timeframes. So we’re going to see a world where predictive risk, or risk alerting, becomes a fundamental component. You don’t have to wait for the assessment. You can do this on a more real-time basis as and when risks pop up within the organization.
- Data-driven risk management: Right now, there’s a subjectivity with risk, and as more and more information comes and as more data-driven or data-influenced practices permeate throughout an organization, we’ll see the same trend taking place with risk where data is used to justify why a risk is high or low versus just a subjective element based on emotion or gut instinct.
- Unified system of record: Point solutions or Excel solutions are very good at collecting information, but they’re not good at doing it in real time. So we’re going to see a trend where a unified system of record spans across GRC and sales enablement, thus becoming a connected ecosystem. You can pull risk information from different areas rather than focusing on manual input.
- Financial impact and progression being tagged or assigned to risks: As mentioned earlier, leadership teams are looking to risks to drive organizational decisions and to drive organizational budgets. Being able to connect a risk with its financial impact/projected financial impact is going to be a critical component of where this industry is heading in the next 18 to 24 months, as our economic climate and macro world really change.
Paving the way forward, or as we like to say, preparing for icebergs
Molly: There are a couple of ways to get started, depending on where your organization is at from a maturity perspective.
If you do not have an existing risk program or risk environment, performing a risk rationalization effort is super valuable to go through your risks. Understand what is still applicable or maybe not so applicable anymore based on the changing and evolving world.
If you don’t have a program, a really great place to start is your controls. What are the things your controls are helping to mitigate against? Why do you have them in place? What are they protecting you from in order to make sure that you really have a cohesive risk environment?
There are also a number of solutions that are out there, as well as free resources to help identify a starting point for a risk register in order to make sure that as you’re going through, you’re thinking about things that could get in the way of your organization’s strategic objectives and the different ways that you should be thinking.
Then continue to run assessments on a regular basis. Using a fully integrated system, such as TrustCloud, can allow you to not only see your risks but also get data-driven insights and programmatic results from your controls environment to understand what risks are out there that you can’t necessarily see with your naked eye.
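As an added worked example (not code from the interview or from TrustCloud’s product), here is a small Python risk register that does the two things the conversation keeps returning to: it ties each control to the risks it mitigates, so you can ask what a control is protecting you from, as Molly suggests when starting from your controls; and it attaches an expected annual loss to each risk and reduces it only by controls that are actually operating, in the spirit of Abheer’s fourth trend of tagging risks with their financial impact. The `rationalize` function is the “risk rationalization” pass: it flags unowned risks, risks with no control at all, controls that mitigate nothing in the register, and controls that are failing. All risk ids, control names, dollar figures and the appetite threshold are constructed for illustration.

```python
"""Added example: a minimal risk register with control mapping, loss
quantification and hygiene checks. Every identifier and number below is
constructed for illustration; this is not TrustCloud's data model or code."""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), assessor's band
    impact: int              # 1 (negligible) .. 5 (critical), assessor's band
    annual_frequency: float  # expected occurrences per year, for quantification
    loss_per_event: float    # expected loss per occurrence, in dollars
    owner: str = ""          # empty string means nobody is accountable


@dataclass
class Control:
    control_id: str
    name: str
    mitigates: list          # risk_ids this control reduces
    effectiveness: float     # fraction of loss prevented while operating, 0..1
    status: str              # "operating" | "failing" | "not_implemented"


def inherent_score(risk):
    """Qualitative heat-map score before any control is considered."""
    return risk.likelihood * risk.impact


def residual_ale(risk, controls):
    """Annualized loss expectancy after operating controls.

    ALE = frequency x loss per event; each operating control that mitigates
    the risk removes its effectiveness fraction of what remains. A failing or
    unimplemented control contributes nothing, so a broken control surfaces
    at once as a higher residual number instead of staying hidden until the
    next six-month assessment.
    """
    loss = risk.annual_frequency * risk.loss_per_event
    for ctrl in controls:
        if risk.risk_id in ctrl.mitigates and ctrl.status == "operating":
            loss *= 1.0 - ctrl.effectiveness
    return round(loss, 2)


def rationalize(risks, controls):
    """Register hygiene checks; returns a dict of gap lists."""
    mitigated = {rid for c in controls for rid in c.mitigates}
    known = {r.risk_id for r in risks}
    return {
        "unowned_risks": [r.risk_id for r in risks if not r.owner],
        "unmitigated_risks": [r.risk_id for r in risks if r.risk_id not in mitigated],
        "orphan_controls": [c.control_id for c in controls
                            if not any(rid in known for rid in c.mitigates)],
        "failing_controls": [c.control_id for c in controls if c.status != "operating"],
    }


def board_report(risks, controls, appetite_usd):
    """Rows sorted by residual ALE, flagged when above the stated risk appetite."""
    rows = []
    for r in risks:
        ale = residual_ale(r, controls)
        rows.append({"risk_id": r.risk_id, "owner": r.owner or "UNASSIGNED",
                     "inherent_score": inherent_score(r), "residual_ale_usd": ale,
                     "over_appetite": ale > appetite_usd})
    return sorted(rows, key=lambda row: row["residual_ale_usd"], reverse=True)


# Constructed sample register (hypothetical values, not real assessment data).
RISKS = [
    Risk("R-01", "Ransomware on file servers", 3, 5, 0.2, 800_000, owner="CISO"),
    Risk("R-02", "Key SaaS vendor outage", 4, 3, 1.0, 50_000, owner="VP Ops"),
    Risk("R-03", "Leaked cloud credentials", 3, 4, 0.5, 300_000),  # no owner yet
]
CONTROLS = [
    Control("C-01", "Offline, tested backups", ["R-01"], 0.75, "operating"),
    Control("C-02", "EDR on all endpoints", ["R-01", "R-03"], 0.5, "failing"),
    Control("C-03", "Secret scanning in CI", ["R-03"], 0.6, "operating"),
    Control("C-04", "Badge access, old data center", ["R-99"], 0.9, "operating"),
]
RISK_APPETITE_USD = 45_000  # constructed threshold per risk per year

if __name__ == "__main__":
    for gap, ids in rationalize(RISKS, CONTROLS).items():
        print(f"{gap}: {ids}")
    for row in board_report(RISKS, CONTROLS, RISK_APPETITE_USD):
        print(row)
```

With the constructed data, the failing EDR control drops out of both risks it is supposed to cover, so R-03 ends up as the largest residual loss and over appetite even though its inherent score is lower than the ransomware risk; that is the kind of finding a point-in-time spreadsheet hides until the next review. The hygiene output also shows the orphan badge-access control referencing a risk id that is no longer in the register, which is exactly the “why do we still have this?” question a rationalization effort should answer.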
Summing it up
As our conversation with Molly Mullinger and Abheer Bipin wraps up, one thing stands clear: risk management isn’t just about avoiding pitfalls; it’s about cultivating strength and foresight. By weaving together thoughtful strategy, smart tools, and dedicated collaboration, organizations can transform uncertainty into opportunity.
Feeling inspired? Start small:
- Take one insight from today’s discussion and test it in your own environment.
- Share your learnings with a colleague; sometimes the best ideas come from conversation.
- Most importantly, stay curious. The risk world never stands still, and neither will you.
Here’s to a future where managing risk isn’t a chore but a chance to build resilience, trust, and success from the inside out.
FAQs
What is risk management, and why does it matter for organizations?
Risk management is the process of identifying potential threats (technical, operational, or strategic) and taking action to reduce their likelihood or impact. It’s not just a box-checking activity; it underpins organizational resilience. In a business landscape where cyber threats escalate rapidly and regulatory mandates tighten, understanding and managing risks proactively means fewer surprises, smoother operations, and stronger stakeholder trust. Ultimately, effective risk management equips teams to act with clarity: seeing what could go wrong, assessing the consequences, and setting in motion controls or contingencies before incidents happen.
What are the common shortcomings in current risk management practices and tools?
While most companies perform risk assessments, many do so in silos, relying on ad-hoc spreadsheets, infrequent audits, or disconnected data sources. This outdated approach often results in blind spots, outdated insights, and slow responses to emerging threats. Tools may not support continuous monitoring or fail to integrate with evolving compliance frameworks, making it hard to scale. Without automation and real-time context, risk becomes a lagging metric rather than a forward-looking gauge. This leads to delays in detecting critical vulnerabilities, overworked teams, and a false sense of security, until something goes wrong.
How should teams get started and evolve their risk management programs?
Starting strong means shifting from reaction to proactivity. Begin with a clear framework: catalog your risks, define criteria for what matters most, and appoint accountability. Use tools (or platforms) that automate risk identification and tracking. Build a culture of continuous review, regularly update assessments, incorporate threat intelligence, and revisit your risk appetite. Engage stakeholders, especially leadership, to ensure risk decisions align with business goals. Finally, invest in future-proofing: as tech, regulations, or business models evolve, your risk program should adapt in lockstep, not fall behind. The goal is to turn risk management from a one-time exercise into a living, strategic function.
What are the common challenges companies face when performing risk assessments?
One recurring challenge is scope creep and complexity: organizations try to assess every possible risk, diluting focus and resources. Inconsistent data and limited visibility across departments add friction. Another problem is fragmented ownership: without clear accountability, risk owners remain undefined, and mitigation efforts stall.
Also, static assessments (done only quarterly or yearly) struggle to keep up with fast-changing environments. Molly and Abheer also name cultural resistance: many teams see risk as an obstacle rather than an enabler. Overcoming these hurdles requires simplification, stakeholder alignment, and iterative risk processes that evolve with business change.
How should companies begin improving their risk management approach based on the conversation?
First, start small and build confidence: pick a limited scope (e.g., a business unit or high-impact domain), define key risks, and iterate. Molly and Abheer caution against overengineering at the outset; simpler frameworks often win adoption. Next, align stakeholders and assign accountability; identifying risk owners ensures execution doesn’t stall.
Third, create feedback loops: review outcomes, adjust controls, and evolve the risk taxonomy over time. Importantly, invest in tools and workflows that automate evidence gathering, dashboards, and monitoring to free teams from manual burden. And finally, embed risk thinking across teams, make it part of product planning, operations, and strategic review so it becomes a habit, not a periodic task.