My name is Michael Werneburg. My specialty is in governance, risk, and compliance in technology organizations. I do this for a living because I like to build useful technology and I believe we do a better job when we build things in a robust and secure fashion. I enjoy enabling the provision of good software and services in "systemically important" regulated environments. I live in Toronto.


Subject matter expertise: I've implemented the governance standards (ITIL, COBIT, COSO); I've worked under the audit standards (SOX, J-SOX, SOC-2); time and again, I have built processes from scratch and turned them over to operations. I've also co-written a system for evaluating cybersecurity risk management at technology vendors for a trade association. I hold a master's degree in risk management. I've been published in an IT governance publication. I've been invited to panels at conferences in the US and Canada.

Project management: You're only as good as your last implementation. Over the past decade, I've been working with C-suite executives, technical staff, project teams, compliance, and auditors to deliver in some challenging environments. I am a certified Project Management Professional (PMP).

Broad experience: I've lived and worked in three countries and for companies from four continents – primarily in finance but also in health care and media. I spent my first dozen years working in technology, and another dozen in analysis and process implementation. I have held executive positions.



I have written a number of articles on a website dedicated to my exploration of the fields of information risk, strategic risk analysis, and third-party risk. RiskTopics is here.


In 2017, my first published peer-reviewed journal article appeared in ISACA's "Journal". An introductory blog article appears here while the actual Journal article is available by permission here.


Also in 2017, I co-authored a guide for investment firms on the evaluation of cyber security readiness in industry vendors. This is proprietary to the Investment Industry Association of Canada, but I can make this available upon request depending on the circumstances.

Master's dissertation

In 2014, I completed a master's degree in risk management with Birmingham City University by completing a study of seven technology vendors in regulated industries across North America. I was attempting to understand whether implementing a risk management function at a technology vendor in a regulated industry would help the vendor improve the overall delivery of its service. That turned out to be the case, but the study found that the #1 impact was actually in sales and marketing! If you like to read thousands of words, I've got some here.

my strengths

In 2017 I took an extensive DISC analysis that described my work strengths:

here to help

If you're trying to meet your business objectives by threading the needle of technical complexity and regulatory entanglements, I can help. I am at michael@wirm.ca and +1 647-896-2850.