The Same Field But Different?

The Alhambra Palace - a homage to the architecture of Al-Andalus

1. Entering a New Industry

Attempting to move into a new industry is a daunting task. Even early in one’s career, which I consider myself to be, only nine months into my first insurance role after graduating, the idea of making a jump can feel overwhelming.

Yet the more I work, the more I see that insurance and GRC are not separate worlds at all. They share a common foundation: risk.

How we understand risk.
How we communicate risk.
How we minimize risk.
And how much risk we are willing to accept.


2. Risk as an Everyday Human Activity

Risk is not an abstract corporate idea. It is something every human engages with instinctively.

Getting into your car is a risk.
Going online is a risk.
Maxing out your credit card is a risk.

Whether we admit it or not, we constantly evaluate the threat and ask:
Have I put the right systems in place so this risk does not ruin my life?

Do you drive safely?
Do you protect your information online?
Can you pay the bank before your credit score collapses?

We negotiate with risk every single day. Once you see this, it becomes obvious that most industries are simply formalized versions of what people already do intuitively.

Underwriting is the investigative side of risk, deciding whether the insurer should take this chance.
GRC is the mitigation side, deciding how to minimize impact and preserve integrity.

Different roles, same essence.


3. Cybernetics: The Hidden Structure Behind Everything

To really understand why these fields resemble each other, we must recognize something deeper.

All systems, biological, financial, digital, or organizational, are cybernetic.

Norbert Wiener’s book Cybernetics is more than a book about machines. It is a blueprint explaining:

  • why systems drift
  • why they fail
  • why they attempt to correct themselves
  • how they return to stability

Cybernetics teaches a simple but powerful truth:

Every system is always trying to return to an equilibrium defined when the system was first created.

Think of a thermostat adjusting temperature, an immune system fighting infection, a market correcting excess, or a company tightening controls after a breach.

Different domains.
Same principle.
Negative feedback, diagnosis, correction, return to baseline.

This is the foundation of risk management, GRC, and underwriting.


4. Organizations as Cybernetic Systems

When we analyze compliance frameworks, audit requirements, or underwriting guidelines, what we are really studying is how organizations attempt to maintain an acceptable internal state while the external world constantly injects threat, volatility, uncertainty, and entropy.

In underwriting, the regulated system is capital, the insurer’s ability to absorb loss.
In GRC, the regulated system is operational integrity and regulatory alignment, the ability to operate without catastrophic failure or penalty.

Both systems behave cybernetically.

Examples of negative feedback signals:

  • A missed control
  • A vulnerability left unpatched
  • A policy written outside guidelines
  • A vendor breach
  • A compliance deadline ignored
  • A claim far exceeding expected loss
  • A cyber incident exploiting an overlooked weakness

These disturbances knock the system off its path. The job of risk professionals is to sense these signals and correct them before the deviation becomes unrecoverable.


5. Frameworks as Homeostatic Mechanisms

Risk frameworks, underwriting rules, SOC 2 controls, HIPAA safeguards, pricing models, and vendor assessments may look like paperwork, and they can feel like a bureaucratic burden as you work through your daily tasks, but that is not what they are. They are homeostatic mechanisms designed to ensure the continuity of the system.

They exist so the organization can:

  1. Detect deviations from equilibrium
  2. Diagnose what went wrong
  3. Perform corrective actions
  4. Restore stability

In this light, underwriting, cybersecurity, and GRC become nearly identical professions.

They are all about interpreting feedback, measuring deviation, and applying corrective force to restore balance.

A vulnerability scan is feedback.
A SOC 2 gap is feedback.
A loss run is feedback.
A SIEM alert is feedback.
A broken workflow or untrained employee is feedback.

The system is always speaking. Most organizations do not know how to listen and truthfully most don't care to listen.
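The four-step loop above (detect, diagnose, correct, restore) can be written down as a small control model. The following is an added example, not code from the post's author: it treats each GRC metric as a regulated variable with a setpoint and a tolerance band, feeds it constructed feedback signals (a scan count, a SOC 2 gap, a phishing-simulation click rate, all hypothetical figures), and applies proportional corrective force until the metric is back inside tolerance. The control names, gains and actions are assumptions chosen for illustration. It also shows the failure mode the post warns about: a control whose corrective action has no effect (gain 0) never returns to baseline, and the loop gives up after a bounded number of cycles instead of spinning forever.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Control:
    """A regulated variable plus the equilibrium its owners defined for it.

    setpoint and tolerance are the baseline 'defined when the system was first
    created'; gain is the fraction of the deviation one corrective cycle removes
    (1.0 = fixed in one pass, 0.5 = half per pass, 0.0 = the action does nothing).
    """
    name: str
    setpoint: float
    tolerance: float
    gain: float
    action: str          # corrective action applied when out of tolerance
    current: float = 0.0


@dataclass
class Signal:
    """One feedback signal reaching the system: a scan result, an audit gap, a metric."""
    control: str
    observed: float
    source: str


def detect(control: Control, signal: Signal) -> float:
    """Step 1 (detect): accept the observation and return the deviation from setpoint."""
    control.current = signal.observed
    return control.current - control.setpoint


def diagnose(control: Control, deviation: float) -> bool:
    """Step 2 (diagnose): True when the drift is larger than the tolerated band."""
    return abs(deviation) > control.tolerance


def correct(control: Control, deviation: float) -> float:
    """Step 3 (correct): apply proportional corrective force and return the new value."""
    control.current -= control.gain * deviation
    return control.current


def stabilize(control: Control, max_cycles: int = 10) -> List[dict]:
    """Steps 3-4: keep correcting until the metric is back within tolerance (restore).

    Returns one record per corrective cycle so the loop's behaviour is auditable.
    A bounded cycle count prevents an ineffective action from looping forever.
    """
    log: List[dict] = []
    for cycle in range(1, max_cycles + 1):
        deviation = control.current - control.setpoint
        if not diagnose(control, deviation):
            break                       # equilibrium restored
        before = control.current
        after = correct(control, deviation)
        log.append({"cycle": cycle, "control": control.name, "action": control.action,
                    "before": before, "after": after})
    return log


def run_loop(controls: Dict[str, Control], signals: List[Signal]) -> List[dict]:
    """Feed each signal through detect -> diagnose -> correct -> restore."""
    records: List[dict] = []
    for sig in signals:
        ctrl = controls[sig.control]
        deviation = detect(ctrl, sig)
        if diagnose(ctrl, deviation):
            records.extend(stabilize(ctrl))
    return records


def equilibrium_report(controls: Dict[str, Control]) -> Dict[str, bool]:
    """Which controls currently sit inside their tolerated band."""
    return {c.name: not diagnose(c, c.current - c.setpoint) for c in controls.values()}


def build_sample() -> Tuple[Dict[str, Control], List[Signal]]:
    """Constructed sample data: hypothetical controls and signals, not real figures."""
    controls = {c.name: c for c in [
        Control("open_critical_vulns", setpoint=0, tolerance=2, gain=0.5,
                action="patch or mitigate, then re-scan"),
        Control("soc2_gaps", setpoint=0, tolerance=0, gain=1.0,
                action="remediate the control and collect evidence"),
        Control("phishing_click_rate", setpoint=0.03, tolerance=0.02, gain=0.5,
                action="targeted awareness training"),
    ]}
    signals = [
        Signal("open_critical_vulns", 12, "weekly vulnerability scan"),
        Signal("soc2_gaps", 1, "SOC 2 readiness review"),
        Signal("phishing_click_rate", 0.04, "quarterly phishing simulation"),
    ]
    return controls, signals


if __name__ == "__main__":
    controls, signals = build_sample()
    for rec in run_loop(controls, signals):
        print(f"cycle {rec['cycle']}: {rec['control']} {rec['before']:g} -> "
              f"{rec['after']:g} via '{rec['action']}'")
    print(equilibrium_report(controls))
```

Run as a script it prints three patching cycles for the vulnerability backlog (12, 6, 3, then 1.5 which is inside the tolerance of 2), one remediation cycle for the SOC 2 gap, and nothing for the phishing rate, whose drift of 0.01 never left the tolerated band. The point of the gain parameter is that a corrective action is only as good as its measured effect: a metric that does not move after a cycle is a signal of its own.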


6. Learning to See Like a Cyberneticist

So the question becomes, how do we learn to understand these systems?

By viewing them through the eyes of a cyberneticist.
By seeing workflows, controls, premiums, claims, policies, incidents, and audits not as isolated tasks, but as signals inside a living system.

Once you understand that all systems attempt to return to equilibrium, the entire field transforms.
Risk, GRC, and underwriting stop feeling like disconnected chores and instead appear as a network of paths holding a system together under constant pressure.
Underneath everything lies the true discipline.

The science of stabilizing complex systems under uncertainty.

That is what risk really is.
That is what underwriting is.
That is what GRC is.


7. TLDR: Cybernetics in Two Diagrams

Underwriting as a Cybernetic Loop

┌─────────────────────────┐
│ EXPOSURE INPUT          │
│ Application, loss runs, │
│ financials, controls    │
└───────────┬─────────────┘
            │
            ▼
┌─────────────────────────┐
│ UNDERWRITING MODEL      │
│ risk appetite, pricing, │
│ guidelines, actuarials  │
└───────────┬─────────────┘
            │
            ▼
┌─────────────────────────┐
│ FEEDBACK LOOP           │
│ Claims, renewals,       │
│ market data, trends     │
└───────────┬─────────────┘
            │
            ▼
┌─────────────────────────┐
│ CONTROL ACTIONS         │
│ Premium change, terms,  │
│ exclusions, declines    │
└───────────┬─────────────┘
            │
            ▼
┌─────────────────────────┐
│ CAPITAL EQUILIBRIUM     │
│ portfolio stability     │
└───────────┬─────────────┘
            │
            └────► Loop repeats each renewal


GRC as a Cybernetic Loop

┌──────────────────────┐
│ RISK INPUTS          │
│ Threats, vendors,    │
│ incidents, audits    │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ GOVERNANCE STATE     │
│ Policies, controls,  │
│ compliance posture   │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ FEEDBACK             │
│ Findings, metrics,   │
│ SIEM alerts, gaps    │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ CONTROL ACTIONS      │
│ Patching, training,  │
│ policy updates, VRM  │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ NEW COMPLIANCE STATE │
│ Reduced risk,        │
│ updated controls     │
└──────────┬───────────┘
           │
           └──────► Loops infinitely


If you have read this far, I thank you for reading and I hope you enjoy my experience of learning a new perspective on risk as an industry. My plan here is to update this Ghost blog about once every week or two, maybe once a week, but I don't want to push myself and get burnt out, for there is still a life worth living out in the real world, outside of all of these books! So until next time, my dear friend, until we meet again!