
May 15, 2025 14 mins

McKinsey's provocative May 2025 report on Governance, Risk and Compliance reveals a startling reality: despite massive investments, traditional GRC approaches are falling short in today's complex business environment. Their survey of nearly 200 corporate leaders uncovers five critical weaknesses that suggest nothing less than a fundamental paradigm shift is needed.

The first alarm bell rings when examining how risk functions are positioned within organizations. With 44% of risk leaders situated more than one level below the CEO and risk considerations often arriving too late in strategic discussions, companies make crucial decisions without proper risk evaluation. Meanwhile, technology investments create an "illusion of integration" – sophisticated systems that document the past but fail to provide the foresight needed for emerging threats. Perhaps most telling, 68% of organizations don't link executive compensation to compliance or ethical performance, revealing a profound disconnect between stated values and actual incentives.

What emerges from McKinsey's analysis points toward Integrated Risk Management (IRM) as a potential solution – breaking down silos to embed risk thinking across all decision-making processes. This approach transforms risk management from a checkbox exercise into a strategic advantage, connecting risk oversight with business execution through real-time data insights. The future demands organizations move beyond static risk registers toward dynamic, forward-looking capabilities like scenario planning and horizon scanning. The question for leaders becomes clear: is your approach to governance, risk and compliance genuinely integrated, or is an evolution needed to navigate tomorrow's uncertainties? Take this deep dive with us to discover what truly effective risk management looks like in a rapidly changing world.


Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
Welcome to the Deep Dive. Today we're digging into a really interesting, very current piece from McKinsey Company. It just came out this month, May 2025. It's called Governance, Risk and Compliance: A New Lens on Best Practices.

Sam Jones (00:15):
Yeah, and our plan today isn't just to, you know, give you a summary. We really want to unpack McKinsey's view on where GRC stands right now and maybe, more importantly, read between the lines a bit. What are their findings suggesting about the future? How should organizations, maybe like yours, be thinking about risk management to really get ahead?

Ori Wellington (00:36):
Exactly so. We've got the McKinsey article and we also have a pretty sharp analysis from Wheelhouse Advisors to help frame it, and the mission really is to pull out those critical insights. And the starting point, which both sources seem to agree on, is that even with huge investments in GRC, a lot of companies just aren't getting the results they expect or need.

Sam Jones (00:51):
That's really the crux of it. McKinsey did this survey, nearly 200 corporate leaders, and what they found was, well, widespread underperformance across governance, risk and compliance. They've zoned in on five specific areas they think need, frankly, significant reform.

Ori Wellington (01:07):
Okay, so almost 200 leaders surveyed, problems across the board. Let's get into those five areas. What are these fundamental weaknesses that McKinsey is seeing?

Sam Jones (01:16):
Well, the sort of underlying message here, and this is where it gets quite provocative, I think, is that the traditional model, the way we've historically done GRC, it might just not be fit for purpose anymore, not with how fast things change, how complex the business environment is today. McKinsey doesn't explicitly say GRC is dead, but the analysis points very strongly towards needing a major shift in thinking.

Ori Wellington (01:38):
Interesting. So these five areas McKinsey highlights, they're basically the symptoms of why the old GRC model is struggling, the limitations of how companies are doing it now.

Sam Jones (01:47):
Precisely, yeah. The first big one they point to is a lack of strategic integration. Just think about how it often works on the ground. Risk might report up through the CFO's office. Compliance maybe sits under the general counsel, and the board kind of interacts with these areas separately, maybe episodically.

Ori Wellington (02:06):
Right, so you've got these different functions all dealing with related stuff, but kind of in their own little worlds. No unified strategic view.

Sam Jones (02:14):
Exactly that, and the big consequence, McKinsey stresses this, is that risk just isn't at the table often enough. During those really crucial high-level strategy discussions it gets treated like a, well, a separate checkbox exercise, not something fundamental to how the business plans its path forward. You might see a company make a huge strategic bet and only really dig into the potential risks afterwards.

Ori Wellington (02:38):
That definitely paints a clear picture of a disconnect. Okay, what's the second systemic weakness they flagged?

Sam Jones (02:44):
Technology underutilization, and this one might feel a bit strange, right, because companies have spent so much on GRC platforms, right?

Ori Wellington (02:50):
Huge investments there.

Sam Jones (02:51):
But McKinsey's data, it shows that, surprisingly, 42% of companies feel their GRC systems actually need improvement.

Ori Wellington (02:59):
Wow, 42%. So all that investment and nearly half feel the tech isn't quite cutting it.

Sam Jones (03:06):
Well, the analysis from Wheelhouse calls this the illusion of integration. You know, these platforms, they promise this connected, holistic view, but in practice they often end up being more like very sophisticated digital filing cabinets. They're great for documenting things that have already happened, ticking boxes, but they don't always give you that foresight, that agility you need to actually respond proactively to risks as they're emerging. It's a bit like having a fancy alarm system that only goes off after the break-in.

Ori Wellington (03:35):
I get it. So lots of data maybe gets collected, but it's not necessarily translating into smarter, forward-looking decisions or spotting problems before they happen. What's area number three?

Sam Jones (03:44):
This one's about leadership, the undervaluing of risk leadership. And here's a stat that really jumped out: McKinsey found 44 percent of heads of risk are positioned more than one level below the CEO. 44 percent, more than one level down.

Ori Wellington (03:58):
That says a lot about where risk sits in the banking order, doesn't it?

Sam Jones (04:01):
It absolutely does. When your top risk person is multiple layers away from the CEO, from the ultimate decision maker, it almost automatically frames risk as more of an operational thing, a detail, rather than a core strategic element that should be shaping the company's direction. It suggests that, well, maybe the insights from the risk team aren't getting the airtime or the weight they need at the very top.

Ori Wellington (04:24):
Okay. Lack of strategic connection, tech falling short, risk leadership too far down the chain. What are the last two weaknesses McKinsey points out?

Sam Jones (04:32):
The fourth one is weak alignment with incentives, and this is quite telling, I think. 68% of organizations, according to McKinsey, do not link executive compensation to things like compliance, culture or ethical performance. 68%.

Ori Wellington (04:47):
That seems like a massive disconnect. I mean, you hear so much about tone at the top and the importance of ethics.

Sam Jones (04:53):
Exactly. But if it doesn't actually hit the bottom line for the leaders themselves, how much bite does that message really have? You know, organizations talk a good game about tone at the top, the idea that ethical leadership sets the standard. But if the structure, the incentives don't back that up, if there's no direct consequence for ethical slips or weak compliance, culture and how leaders are actually paid, well, it suggests maybe financial results are still the primary driver, perhaps above all else.

Ori Wellington (05:22):
That's a powerful point. And the fifth and final weakness?

Sam Jones (05:26):
It's the failure to advance from tactical to strategic. What McKinsey saw was a real lack of forward-looking capabilities built into most GRC models. Things like robust scenario planning, really thinking through the what-ifs, or stress testing, how resilient is the organization really, and horizon scanning, actively looking out for those emerging over-the-horizon risks. These things are often missing.

Ori Wellington (05:49):
So, instead of proactively looking ahead, mapping out possibilities, preparing, the focus tends to be more on looking backward, periodic reviews, ticking off items on a static risk register.

Sam Jones (05:59):
Precisely. It fosters a reactive stance right when the environment demands proactivity, demands agility and the ability to adapt to new threats and uncertainties really quickly.

Ori Wellington (06:09):
Okay, so those are the five big weaknesses McKinsey identified. Now the Wheelhouse analysis connects us really interestingly, suggesting that all these findings are maybe implicitly pointing towards something like integrated risk management, or IRM.

Sam Jones (06:23):
For anyone listening who maybe isn't deep in this terminology, could you just briefly explain what IRM is about and how it links to these weaknesses we've just discussed? Yeah, absolutely so. Integrated risk management, IRM, really, at its core, it's about breaking down those silos we talked about earlier. It's a philosophy, a set of practices aimed at embedding risk thinking into all parts of how an organization makes decisions, how it sets strategy, how it operates day to day. It's about viewing risk not as this separate police function but as just an inherent part of doing business. And what's really striking is how neatly McKinsey's five big recommendations, their imperatives for reform, line up almost perfectly with the core principles of IRM.

Ori Wellington (07:04):
So it's almost like McKinsey diagnosed the problems, the symptoms, and IRM represents a kind of comprehensive solution, even if McKinsey themselves didn't explicitly label it that way.

Sam Jones (07:14):
That's a great way to put it. Yeah, let's just walk through it quickly. Take McKinsey's first point about tone from the top. Wheelhouse points out that IRM addresses this head on. How? By making risk accountability a non-negotiable part of strategic dialogue at every level. It means clear C-suite ownership for different risk domains and regular holistic reporting to the board covering all kinds of risk, not just, you know, reporting on financial risk separately from compliance risk.

Ori Wellington (07:40):
Makes sense, so truly embedding it at the top. What about the strategic lens point from McKinsey?

Sam Jones (07:45):
Well, IRM frameworks are all about creating that enterprise-wide view of risk appetite. But, crucially, these aren't just dusty policy documents. In an IRM world, your risk appetite is actively, dynamically linked to your KPIs, your key performance indicators, and it directly informs things like scenario planning, capital allocation, business resilience strategies. It makes risk appetite a living part of strategic decision making.

Ori Wellington (08:08):
Okay, and how does IRM approach McKinsey's call to fix fundamentals?

Sam Jones (08:13):
So traditional GRC often looks at controls in isolation, right, or analyzes incidents after the fact. IRM tries to connect the dots. It links your policies, your identified risks, the controls you put in place, any incidents that happen in your actual performance data. All together, this allows for much richer, more predictive insights. You start moving beyond just reacting to yesterday's problems and begin to see patterns, anticipate potential future issues, based on that connected data.

Ori Wellington (08:39):
Very interesting. Using that connected data to get ahead of problems, not just clean them up. What about the tech piece, McKinsey's embrace tech plus AI?

Sam Jones (08:47):
This is really where modern IRM shines. It's built for this. IRM platforms today are increasingly leveraging AI and machine learning for things that were, frankly, science fiction in older GRC systems. Think about continuous controls monitoring, AI automatically testing if your controls are working 24-7, real-time risk monitoring across huge data sets, even much smarter data-driven third-party risk assessments. These are the kinds of capabilities that IRM enables.

Ori Wellington (09:15):
And the last one, McKinsey's point about revised incentives. How does IRM speak to that?

Sam Jones (09:19):
Because IRM promotes this holistic view, this idea that risk management is everyone's job, it naturally flows into rethinking incentives. It supports tying executive performance metrics not just to hitting financial targets, but also to operating within agreed-upon risk boundaries, especially for big decisions like major capital projects or large-scale transformations.

Ori Wellington (09:41):
Right.

Sam Jones (09:42):
It helps build a system where managing risk well is seen as integral to, and rewarded as part of, successful leadership.

Ori Wellington (09:48):
When you lay it out like that, comparing them side by side, it really does feel like McKinsey's critique of current GRC practices implicitly makes a very strong case for shifting towards something much more integrated, like IRM.

Sam Jones (10:00):
Exactly, and the Wheelhouse analysis really drives this home. It argues that McKinsey's findings aren't just suggestions for minor improvements. They represent a pretty fundamental critique of the traditional GRC paradigm itself. It's basically saying that GRC, as often practiced, hasn't successfully made the leap to becoming the truly strategic, value-adding function that businesses today desperately need it to be, especially with regulations constantly changing and business getting ever more complex.

Ori Wellington (10:29):
And that key missing ingredient, the thing that keeps coming up in McKinsey's findings and the IRM response, seems to be integration.

Sam Jones (10:46):
Integration across so many different dimensions: strategy and the organization's real appetite for risk, moving way beyond static lists. It's the integration of powerful technology with human expertise and judgment, rather than relying on clunky manual processes. And maybe, just maybe, the most important integration of all, weaving risk awareness deep into the company culture by aligning incentives and making accountability clear.

Ori Wellington (11:11):
So the message isn't just buy a new GRC tool or add another compliance layer. It sounds much more fundamental than that. It's about potentially rethinking how the whole organization approaches risk, from top to bottom.

Sam Jones (11:22):
That's precisely it. These aren't surface-level tweaks McKinsey's hinting at. They point towards fundamental shifts in the operating model and, as the analysis highlights, IRM is a framework specifically designed to support and enable exactly those kinds of deep systemic changes.

Ori Wellington (11:36):
So, wrapping this up, then, the big takeaway for you listening is that this recent analysis from McKinsey strongly suggests that those traditional GRC approaches, the ones many organizations are still using, well, they might be hitting their limits. They may not be enough for today's world.

Sam Jones (11:52):
That's right. It looks like the future, if you want truly effective risk management, probably involves embracing these more integrated strategies, strategies like IRM that are better at connecting the dots between risk oversight and actually executing the business strategy, and better at using real-time data to get insights you can actually act on.

Ori Wellington (12:11):
So maybe the question to leave you with is this. Take a hard look at your own organization. Is your current approach to governance, risk and compliance genuinely integrated? Is it having a real strategic impact, or do these points from McKinsey, this whole discussion, suggest maybe an evolution is needed? What would that true integration actually look like in your specific context, and perhaps what's one step you could take towards getting there? That feels like a really crucial question for leaders to be asking right now.