The spate of high profile data breaches have, if nothing else, proven that organizations are managing risk poorly. Part of the blame for that lies in a fundamentally flawed way that companies gather risk data. With the growing use of GRC portals, there is a reliance on questionnaires and surveys to gather risk data. This approach is generating flawed data and subsequently flawed risk management.