Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
OK, let's unpack this. There's been a real wake-up call in the integrated risk management market, IRM, right?
Speaker 2 (00:08):
Definitely. It's, like you said, a tremor. Something small, seemingly, but it signals a much bigger shift happening underneath.
Speaker 1 (00:15):
Exactly. We saw it clearly in the first quarter of 2025.
Speaker 2 (00:19):
It's pretty interesting how one company's stock performance kind of shone a light on these, well, these wider trends across the whole IRM space.
Speaker 1 (00:28):
Totally. So, Workiva, big player in IRM. They announced positive earnings, things looked good on paper, but then, surprise, sell-off of their stock. And you might think, okay, one company, maybe an isolated thing.
Speaker 2 (00:39):
But it wasn't, was it? The reason behind it is what makes this worth digging into.
Speaker 1 (00:43):
Right. Connecting the dots. It wasn't really about Workiva's specific number. It was more about this growing nervousness around the regulatory environment.
Speaker 2 (00:51):
Specifically the whispers coming out of Germany and Riesel about potentially delaying or watering down the EU's Corporate Sustainability Reporting Directive, CSRD.
Speaker 1 (01:07):
Yes, CSRD. And then, on top of that, the European Parliament hit pause on some new sustainability and due diligence rules. Right.
Speaker 2 (01:10):
So for a company like Workiva, whose bread and butter is significantly tied to ESG reporting, to those workflows, any sign of those rules getting delayed or weakened? Well, that spooks investors big time.
Speaker 1 (01:23):
And that's the crux of it. This whole situation suggests the drivers in the IRM market are, well, they're changing. It's not just about having the flashiest technology anymore. Now it seems like the certainty, the timeline of these regulations actually being implemented, that's become just as important.
Speaker 2 (01:40):
Maybe even more important in some cases. It really brings up this fundamental question about the dynamics. You know, tech innovation isn't in a vacuum anymore.
Speaker 1 (01:48):
No, it's tangled up with politics, with regulatory calendars. It's complex. So our mission for this deep dive really is to dissect these new dynamics. How is this affecting the different parts of IRM?
Speaker 2 (02:00):
And what does it all mean for you, the listener, whether you're deep in risk management, involved in tech decisions or just trying to keep up with key business shifts?
Speaker 1 (02:09):
Exactly. What are the takeaways?
Speaker 2 (02:11):
It's about seeing those ripple effects and trying to figure out where the market's heading now.
Speaker 1 (02:15):
Now, the analysis we're digging into today, it comes from a really insightful article in the RTJ Bridge.
Speaker 2 (02:21):
Ah yes, the premium version of the Risk Tech Journal.
Speaker 1 (02:26):
That's the one from Wheelhouse Advisors. It's actually a new subscription thing. They're doing weekly research notes, just like this one, focused on the latest in integrated risk management.
Speaker 2 (02:33):
Very timely stuff then.
Speaker 1 (02:34):
Yeah, exactly, and if this kind of in-depth analysis is useful for you, you can check it out at wheelhouseadvisors.com. It's only like $6.99 a month or $69.99 for the year.
Speaker 2 (02:47):
And they have a free trial month too, right?
Speaker 1 (02:48):
They do. First month free, so wheelhouseadvisors.com. Just wanted to give context on where this perspective is coming from.
Speaker 2 (02:56):
Good context. Knowing the source helps frame the insights we're about to explore.
Speaker 1 (03:00):
Okay, so let's get down to brass tacks. The article breaks down the IRM market, and the first segment it looks at is GRC: governance, risk and compliance.
Speaker 2 (03:09):
Makes sense, and yeah, it seems GRC felt these regulatory shifts the most directly.
Speaker 1 (03:15):
Which you'd kind of expect, right? GRC is often very closely tied to specific regulations. Q1 2025 really put a spotlight on that vulnerability. Definitely. So the article mentions key GRC players: Workiva, obviously, but also Diligent, OneTrust, NAVEX.
Speaker 2 (03:31):
Uh-huh.
Speaker 1 (03:32):
Familiar names.
Speaker 2 (03:33):
And a lot of their business, their recurring revenue, it depends on these workflows driven by regulations, especially around ESG reporting. So if CSRD slows down, then their sales pipeline can slow down too. Potential customers might just, you know, wait and see what happens before committing.
Speaker 1 (03:48):
It's interesting how directly the market linked those potential delays to the growth forecasts for these vendors. Shows how much investor confidence here rides on that regulatory schedule.
Speaker 2 (03:58):
But, and this is important, the article also stresses that GRC isn't going away.
Speaker 1 (04:03):
No, not at all. It's still foundational. Think about core things like internal audit, ethics and compliance, managing policies.
Speaker 2 (04:10):
Absolutely, the central functions. Those are critical for any company. ESG rules or not, they're the bedrock.
Speaker 1 (04:16):
Right, the momentum on ESG might ebb and flow a bit, but you always need good governance, good risk management basics. Always. Now what about some of the legacy GRC players? The article calls out Archer, MetricStream, SAI 360.
Speaker 2 (04:31):
Yeah, the more established names.
Speaker 1 (04:33):
It suggests they might face bigger hurdles because their tech is, well, maybe a bit more dated, and it often relied heavily on that urgency created by regulatory deadlines to push sales.
Speaker 2 (04:43):
That makes sense if you connect the dots. Maybe those platforms lack some of the agility, the integration capabilities that buyers want now. They were built for a slightly different compliance world.
Speaker 1 (04:53):
But it's not all bad news for GRC. The article sees an opportunity for the more modern platforms. Names like Diligent, NAVEX, AuditBoard come up again.
Speaker 2 (05:02):
OK, how so?
Speaker 1 (05:03):
They can potentially reposition GRC not just as a compliance tool but as the entry point to a wider IRM strategy, offering flexibility, integration, things buyers really value now.
Speaker 2 (05:14):
Ah, so pivoting the message, making GRC the core operating system for risk rather than just a reporting engine. That's smart.
That's smart.
Speaker 1 (05:21):
Yeah, and the article gives some direct advice to GRC vendors. Shift your messaging towards resilience, not just ticking boxes.
Speaker 2 (05:30):
Resilience. Good angle.
Speaker 1 (05:38):
Diversify beyond just ESG solutions and maybe even look at acquiring some of those specialized ESG reporting startups, especially if their valuations dip because of this uncertainty.
Speaker 2 (05:42):
Interesting.
Speaker 1 (05:43):
So adapt, broaden the scope and maybe find some M&A opportunities in the disruption. Pretty astute. And just to give you a map of the GRC vendor world, the article uses the IRM Navigator Vendor Compass for GRC. It groups them. You've got integrators like Archer, Ideagen, NAVEX, RiskConnect, think broad suites. Then accelerators: AuditBoard, Corporater, Diligent, LogicManager, MetricStream, OneTrust, ServiceNow.
Speaker 2 (06:07):
They often focus on speed and ease of use. And pacesetters like IBM OpenPages, Kroll Resolver, LogicGate, Onspring, often the ones pushing innovation in the category. That categorization helps picture the different strategies and strengths playing out in the GRC market.
Speaker 1 (06:23):
Okay, let's shift gears. ERM, enterprise risk management market. This segment seems to be holding up better, more of a strategic safe haven amidst the regulatory waves.
Speaker 2 (06:33):
Yeah, that tracks. Because ERM, fundamentally, it's tied more closely to overall strategy and business performance. Right, yeah. Not just one set of regulations. That gives it some natural insulation.
Speaker 1 (06:44):
Exactly. The article mentions ERM vendors, RiskConnect, ServiceNow, AuditBoard, Diligent again, and how they're embedding risk management deeper into planning and analytics.
Speaker 2 (06:52):
So it's less about reactive compliance and more about proactive decision support.
Speaker 1 (06:56):
Precisely. Things like risk appetite frameworks, KRIs, scenario modeling. They aren't going away. If anything, they're becoming more important for board-level decisions.
Speaker 2 (07:04):
Yeah, you see risk committees focusing more on those big systemic risks now too, right? Macroeconomics, geopolitics, stuff beyond just the rule book.
Speaker 1 (07:12):
Totally, which makes ERM potentially a more stable investment area, even if ESG timelines shift.
Speaker 2 (07:19):
Makes sense.
Speaker 1 (07:20):
And the advice for ERM vendors: position ERM as that analytical layer above GRC, informing it.
Speaker 2 (07:26):
Right, not just alongside it or underneath it.
Speaker 1 (07:28):
Deepen those integrations with planning platforms and use this regulatory pause maybe to really show executives the strategic value ERM delivers.
Speaker 2 (07:39):
It's about elevating risk from a cost center or compliance task to a strategic enabler, showing how it drives better decisions and resilience.
Speaker 1 (07:45):
Yeah, and again there's an IRM Navigator Vendor Compass for ERM. Integrators here are Diligent, Ideagen, RiskConnect, Sphera. Accelerators: AuditBoard, Corporater, Fusion Risk Management, LogicManager, OneTrust, SAI 360, ServiceNow.
Speaker 2 (08:01):
Some overlap with GRC accelerators there.
Speaker 1 (08:03):
Definitely. And pacesetters: IBM OpenPages, Kroll Resolver, Mitratech, Origami Risk, and Workiva actually shows up here too.
Speaker 2 (08:15):
Interesting.
Speaker 1 (08:15):
That overlap really highlights the trend towards integration, vendors playing across different risk categories, for sure. Okay, next up, ORM, operational risk management. The article sees this as being in a bit of a transition. Some parts are tied to compliance, yes, but there's this growing strategic focus on operational resilience.
Speaker 2 (08:30):
Which mirrors how we think about operational risk now, doesn't it? It's not just about avoiding fines anymore. It's about keeping the business running smoothly despite, well, despite everything.
Speaker 1 (08:40):
Right, cyber attacks, AI going wrong, supply chain failures. These are huge operational risks now.
Speaker 2 (08:47):
Absolutely critical.
Speaker 1 (08:48):
So ORM vendors? The article mentions Mitratech, LogicGate, Resolver, SAI 360. They're evolving, building in more continuous monitoring, more adaptive workflows.
Speaker 2 (08:58):
So regulatory delays, how do they hit ORM?
Speaker 1 (09:01):
It's a bit mixed. According to the article, maybe some ESG-specific ORM adoption slows down a bit temporarily. Correct. But at the same time, the demand for proactive platforms focused on overall resilience, that's likely to increase because the underlying operational risks aren't going away.
Speaker 2 (09:15):
If anything, they're growing, so the need for robust ORM focused on continuity and prevention gets stronger.
Speaker 1 (09:21):
Exactly. So the strategic advice for ORM vendors is lean into risk prevention and business continuity. Makes sense. Develop modules that connect ORM with ERM and TRM, and invest in what the article calls workflow intelligence, making those processes smarter, more adaptive.
Speaker 2 (09:39):
Moving ORM from
reactive to proactive and deeply
integrated.
That's the goal.
Speaker 1 (09:43):
Yeah, and just a note, the 2025 IRM Navigator Vendor Compass for ORM is actually coming out in June, so we'll get a clearer picture of that specific vendor space soon.
Speaker 2 (09:53):
Good to know. That'll be valuable for tracking the players and strategies there.
Speaker 1 (09:56):
Okay, finally, TRM, technology risk management, and this one seems to be the outlier. The segment least bothered by the ESG mandate shifts.
Speaker 2 (10:03):
Well, that makes sense, doesn't it? The drivers for TRM are huge and pretty independent of CSRD. Digital transformation isn't stopping. Cyber security threats aren't stopping.
Speaker 1 (10:12):
Not at all. The article points to TRM vendors like Safe Security, ServiceNow, RiskConnect, Vanta, AuditBoard. They're pushing towards more autonomous models.
Speaker 2 (10:22):
Using AI, real-time data, yep, for continuous visibility into risk and, crucially, TRM speaks the board's language now. It's about attack surface, financial exposure from cyber threats, tangible stuff.
Speaker 1 (10:34):
And boards are
definitely paying attention.
Cyber and tech risk are seen asexistential threats now across
the board.
Speaker 2 (10:40):
The numbers back it up too. The 2025 IRM Navigator for TRM forecasts a really strong growth rate: 12.9% CAGR through 2032. That's the highest across all the IRM segments.
Speaker 1 (10:54):
Wow, 12.9%. That really underlines how critical managing digital risk is perceived to be.
Speaker 2 (11:00):
For sure. So the strategic recommendations for TRM vendors are pretty straightforward. Position your tools as essential for the C-suite. Absolutely. Double down on AI capabilities. Look for partnerships in hot areas like AI governance and cloud security.
Speaker 1 (11:13):
Solidify TRM's strategic role and keep pushing the tech envelope to stay ahead of threats.
Speaker 2 (11:17):
Exactly, and the TRM vendor breakdown from the compass: integrators are Archer, RiskConnect, ServiceNow.
Speaker 1 (11:23):
Okay.
Speaker 2 (11:23):
Accelerators: Corporater, Diligent, Fusion Risk Management, Retrotech, NAVEX.
Speaker 1 (11:28):
And pacesetters: AuditBoard, IBM OpenPages, LogicManager, MetricStream, Onspring, OneTrust, RiskRecon and Safe Security. Again, you see those familiar names popping up across categories.
Speaker 2 (11:42):
That integration theme again.
Speaker 1 (11:44):
Yeah.
Speaker 2 (11:44):
Vendors are really trying to offer that joined-up view across different risk types. It's clearly where the value is seen.
Speaker 1 (11:50):
So, putting it all together, what does that Workiva sell-off really signal for the whole market? The article pulls out some key market-wide implications.
Speaker 2 (11:59):
It's fascinating how one event can kind of crystallize these bigger shifts, isn't it?
Speaker 1 (12:02):
It really is. First big point: regulatory risk isn't just a compliance headache anymore, it's a core, strategic business risk.
Speaker 2 (12:09):
Absolutely. Uncertainty there can hit revenue forecasts and investor confidence directly, especially for compliance-heavy platforms.
Speaker 1 (12:16):
Which means vendors need to be much more adaptable, more responsive to those shifts.
Speaker 2 (12:20):
For sure.
Speaker 1 (12:20):
Second implication: investors are looking beyond just regulatory cycles now. They want to see diversification. Solutions focused on broader resilience, automation, analytics.
Speaker 2 (12:34):
They look more appealing than just tools for, say, ESG disclosure. That shift in focus will probably drive more innovation and diversification from the vendors too.
Speaker 1 (12:40):
Third point: these valuation pressures could actually spark more M&A.
Speaker 2 (12:45):
Oh, interesting. Consolidation.
Speaker 1 (12:47):
Yeah, bigger players with cash might see opportunities to snap up niche specialists, maybe in carbon accounting or AI risk, potentially at better prices.
Speaker 2 (12:56):
That could definitely reshape the competitive landscape, lead to bigger, more integrated platforms.
Speaker 1 (13:00):
Fourth, being global matters. Having operations worldwide and supporting different regulatory frameworks acts as a hedge against regional wobbles.
Speaker 2 (13:09):
Gives you flexibility, crucial in a complex global regulatory picture.
Speaker 1 (13:13):
And finally, the push towards autonomous IRM is gaining steam. The market likes platforms that reduce manual compliance effort.
Speaker 2 (13:20):
AI and automation are definitely shaping the future here, enabling more continuous proactive risk management.
Speaker 1 (13:26):
So the big strategic takeaway, according to the article, is that integration across these different IRM areas, GRC, ERM, ORM, TRM, that's the key to real resilience.
Speaker 2 (13:35):
Makes sense.
Silos don't work anymore.
Speaker 1 (13:37):
And it highlights vendors like Diligent, ServiceNow, RiskConnect as being well-positioned because they offer that breadth and integration.
Speaker 2 (13:44):
Yeah, their ability to connect the dots across different risk domains gives them an edge in navigating this volatility and meeting what organizations actually need now.
Speaker 1 (13:54):
Ultimately, the article concludes, IRM is moving beyond just being an extension of GRC. It's becoming this more dynamic, modular, adaptive framework.
Speaker 2 (14:02):
A way to manage uncertainty across the whole business: strategy, operations, compliance, tech. All interconnected.
Speaker 1 (14:09):
It's a necessary evolution towards a more holistic approach, given how complex and uncertain everything feels right now.
Speaker 2 (14:15):
Absolutely.
Speaker 1 (14:16):
So bringing it all back, that Q1 2025 turbulence, especially the reaction to potential CSRD delays, it really was a wake-up call. A clear signal. The IRM market is definitely shifting, moving beyond just compliance.
Speaker 2 (14:29):
It demands a more strategic, more integrated view of risk. Resilience and adaptability are the name of the game now.
Speaker 1 (14:36):
So we'd encourage you, the listener, to think about how these shifts impact your world, your understanding of risk, your tech investments. How are you seeing these trends play out?
Speaker 2 (14:47):
Yeah, reflecting on these dynamics is really important for anyone in risk tech or strategic planning.
Speaker 1 (14:52):
And it leaves us with a big question, doesn't it? As regulations get more unpredictable, how do organizations strike that balance: the need to comply versus the absolute imperative to build real operational and technological resilience for whatever comes next?
Speaker 2 (15:07):
That's the core challenge, isn't it? Balancing compliance with genuine future-proof resilience definitely helped me to chew on.