
June 4, 2025 17 mins

A single boardroom confrontation at SunTrust Bank in 2007 serves as the dramatic starting point for understanding a critical business blind spot. When a senior risk executive warned leadership about their reckless mortgage expansion strategy, he wasn't just ignored—he was exiled. Within months, his predictions came tragically true as the global financial crisis erupted, eventually costing SunTrust a billion-dollar settlement with the Department of Justice.

This compelling narrative unveils a stunning parallel between corporate risk blindness and a fundamental flaw in the risk management technology industry. For years, Governance, Risk and Compliance (GRC) software promised to help organizations manage risk effectively, but its architecture betrayed its purpose. These systems excelled at organizing documents and compliance checklists while marketing themselves as providing "risk intelligence," yet they systematically failed to deliver the strategic insights needed for genuinely informed decision-making.

The watershed moment arrived in 2018 with the emergence of Integrated Risk Management (IRM)—not as the natural evolution of GRC but as a necessary correction to its architectural limitations. Where GRC connected documents, IRM connects decisions. Where GRC supported compliance checklists, IRM supports strategic choices in navigating uncertainty. The distinction isn't semantic; it's fundamental to organizational resilience. SunTrust's post-crisis implementation of yet another GRC solution predictably failed, highlighting the episode's most profound takeaway: true risk intelligence isn't a product you purchase—it's a capability you must architect and integrate into your organization's very fabric. Have you examined whether your risk management systems are truly providing intelligence or merely organizing ignorance?



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
Welcome to a Deep Dive, where we take a stack of sources and extract the knowledge you need to be well-informed fast.
Today we're cracking open a fascinating piece from an article series called The Risk Ignored, specifically Part 1, Chapter 4, titled The Irony of Risk Intelligence, by John A. Wheeler.

Sam Jones (00:18):
It's a really powerful look at something fundamental: how organizations deal with risk, maybe more often how they don't.

Ori Wellington (00:26):
Exactly, and our mission in this deep dive is pretty clear: we're going to trace the, well, the messy evolution of risk management technology.

Sam Jones (00:34):
Right, and try to understand why what many call risk intelligence is often, well, anything but.

Ori Wellington (00:40):
And see what a really dramatic corporate collapse reveals about whether you can truly buy this capability, this risk intelligence, or if you absolutely have to build it from the ground up.

Sam Jones (00:49):
Yeah, and the author gives us a great starting point, a story, a real-world example, right at the beginning.

Ori Wellington (00:54):
Let's dive into that.
Then we're talking about a moment in time, back in early 2007 at SunTrust.

Sam Jones (00:59):
SunTrust, yeah, a major player, especially after an acquisition that left it really heavily invested in mortgage banking, and the author was right there in the thick of it.

Ori Wellington (01:08):
He was a senior executive, right?

Sam Jones (01:10):
Yeah.

Ori Wellington (01:10):
Overseeing internal audit, compliance, risk
management, the whole shebang.

Sam Jones (01:15):
Exactly.
And he sets the scene with a new CEO coming in, someone whose perspective on risk sounds almost backwards.

Ori Wellington (01:23):
How so?

Sam Jones (01:24):
Well, instead of seeing risk as a discipline, something you manage carefully, this CEO apparently saw it as a throttle, something to push forward faster. Right, okay, that's an aggressive take. Yeah, and the strategic move that followed really showed this immediately.
They set a big, hairy, audacious goal, a BHAG.

Ori Wellington (01:42):
A BHAG, isn't that from Jim Collins, Built to Last? Kind of ironic, using that term. Deeply ironic.

Sam Jones (01:48):
Yeah, the goal itself: more than double the mortgage portfolio.
Double it within 12 months.
The idea was to compete head-on with Wall Street securitization giants. Okay, that is audacious and incredibly risky, you'd think. You'd think, and the way they went about hitting that goal was alarming.
Underwriting controls systematically dismantled.

Ori Wellington (02:08):
Dismantled.

Sam Jones (02:09):
Or weakened anyway, and at the same time incentives for the mortgage originators, the people writing the loans, they surged dramatically.

Ori Wellington (02:16):
Oh boy, so you weaken the guardrails and offer
huge rewards for driving faster.

Sam Jones (02:21):
Precisely.
You create an environment, as the author puts it, that's just ripe for aggressive lending, for cutting corners, for disaster, basically.

Ori Wellington (02:30):
And the author, sitting in his role overseeing risk, he must have seen this coming. He says he did.

Sam Jones (02:36):
He foresaw the inevitable crash.
I mean, the writing was on the wall, right? In bold letters: reckless policies, crazy incentives.

Ori Wellington (02:43):
So what did he do?
Did he try to stop it?

Sam Jones (02:45):
He confronted them. Describes a very tense meeting: him, the CEO and the head of mortgage banking.

Ori Wellington (02:50):
I bet that went over well.

Sam Jones (02:51):
There's this detail in the piece that just jumps out.
The head of mortgage banking literally writhed in his seat with anger during the meeting.

Ori Wellington (02:59):
Writhed.
Wow, just pure refusal to hear it.

Sam Jones (03:02):
Total denial, and the consequences for the author were, well, swift and predictable.

Ori Wellington (03:08):
Let me guess. Sidelined.

Sam Jones (03:10):
Immediately excluded from key discussions, key meetings, strategy sessions. Gone.

Ori Wellington (03:15):
And physically?

Sam Jones (03:16):
Physically relocated. Exiled, essentially, to an empty office somewhere else.

Ori Wellington (03:20):
The message couldn't be clearer: they wanted him gone.

Sam Jones (03:23):
Absolutely. Hoping he'd just resign and disappear quietly.

Ori Wellington (03:27):
But he didn't.

Sam Jones (03:27):
He held on, say, just long enough to vest his equity and severance package. Smart move.

Ori Wellington (03:33):
So he walked away with capital in hand.

Sam Jones (03:35):
Right. Just a month, literally months before the whole house of cards came crashing down in the global financial crisis.
Everything he warned about happened.

Ori Wellington (03:43):
And SunTrust, what happened there?

Sam Jones (03:45):
Devastating but, you know, entirely predictable, given the path they took.
As mortgage problems exploded, their stock price just plummeted.

Ori Wellington (03:52):
And they ended up needing a bailout.

Sam Jones (03:54):
Yep, one of the largest recipients of federal
TARP funds.

Ori Wellington (03:57):
And those executives, the CEO, the mortgage head who was writhing?

Sam Jones (04:01):
They eventually faced federal investigations.
Justice caught up.

Ori Wellington (04:05):
Which led to?

Sam Jones (04:06):
A nearly $1 billion settlement with the Department of Justice for mortgage origination abuses.

Ori Wellington (04:12):
A billion dollars. Wow.

Sam Jones (04:14):
And get this.
Internal audit findings, which the DOJ later highlighted, confirmed everything: systemic failures, inconsistent underwriter oversight, undefined loan standards, not enough quality control, things the author probably tried to warn them about in that meeting.
Almost certainly, and this is the critical point he makes:

(04:34):
these weren't just accidental oversights.
These red flags weren't missed.
They were intentionally ignored, sacrificed for those rapid growth targets.

Ori Wellington (04:43):
So the SunTrust story is really a case study in deliberate risk ignorance at the very top.

Sam Jones (04:48):
Exactly, and the consequences were catastrophic, rippling way beyond just the bank itself.

Ori Wellington (04:54):
OK.
So that sets the stage dramatically.
But the author then pivots, right?
He connects this internal bank failure to something broader happening in the tech world.

Sam Jones (05:02):
Yeah, it's a fascinating connection.
He points out that around the same time these bank controls were collapsing, the software industry, which was supposed to help manage risk, was kind of cultivating its own form of systemic risk ignorance.

Ori Wellington (05:13):
How so? Through what?

Sam Jones (05:15):
Through the rise of GRC software: governance, risk and compliance.

Ori Wellington (05:21):
Ah, GRC.
Okay, I've heard that.

Sam Jones (05:23):
Right, it was a burgeoning industry then.
Vendors like Archer were really defining the early days.
Their approach was very modular, focused on documenting compliance tasks, audit workflows, that sort of thing.

Ori Wellington (05:35):
Okay, sounds useful on the surface. Documenting things, making sure you're compliant.

Sam Jones (05:38):
Useful, yes, but here's the catch the author highlights: behind this promise of integration, of bringing everything together.

Ori Wellington (05:46):
It wasn't really integrated.

Sam Jones (05:48):
Often, no. They were fragmented tools, great at organizing documents, creating records, checklists, but they didn't actually enable strategic risk management.
They didn't help you truly understand or prioritize risk across the entire business.

Ori Wellington (06:03):
So lots of organized information, but not
necessarily real insights.

Sam Jones (06:05):
Exactly, and the market eventually started to catch on.
It took time, but there was a shift.
You could maybe mark it with Gartner's first Magic Quadrant for integrated risk management, IRM, back in 2018.

Ori Wellington (06:16):
IRM, integrated risk management, and the author helped define that category.

Sam Jones (06:21):
He did, and the fact that Archer, a major GRC player, showed up as a leader in that first IRM quadrant, well, that was telling.

Ori Wellington (06:31):
How so.

Sam Jones (06:31):
It was almost like an admission, right, that GRC, as it had been sold and built, hadn't actually delivered on that core promise of integration.

Ori Wellington (06:39):
So the move to IRM wasn't just a new feature set.
It was a recognition that something fundamental was missing.

Sam Jones (06:44):
Precisely. Managing risk effectively needed more than just documenting compliance.

Ori Wellington (06:49):
And the author finds a real irony here, doesn't he, about how GRC was marketed?

Sam Jones (06:53):
Oh, absolutely.
For years, he says, vendors sold features like, you know, tracking regulatory changes or fancy compliance dashboards.

Ori Wellington (07:00):
And called it risk intelligence.

Sam Jones (07:01):
They did. Strategic risk intelligence.

Ori Wellington (07:04):
Yeah.

Sam Jones (07:05):
But was it really intelligence?

Ori Wellington (07:06):
Probably not, based on what you're saying.

Sam Jones (07:08):
He also calls it structured awareness, which is a great term.
You're aware of things, you've documented them neatly in boxes, but you don't have the connected insight to make truly informed strategic decisions about risk trade-offs.

Ori Wellington (07:22):
So these GRC tools, while maybe helping with compliance audits...

Sam Jones (07:26):
They inadvertently institutionalized a kind of superficial understanding of risk, what the author bluntly calls risk ignorance at the strategic level.

Ori Wellington (07:35):
Wow, okay, so this pivot towards IRM becomes less of an evolution and more of a reckoning for the GRC industry.

Sam Jones (07:41):
That's exactly how the author frames it.
A moment of reckoning. Archer moved towards IRM and then, boom, others followed quickly.

Ori Wellington (07:48):
Like who.

Sam Jones (07:49):
Well, you see ServiceNow repositioning its platform as an integrated system of action. AuditBoard, which started more in the audit space, expanded out into full-scale IRM, calling it Connected Risk.

Ori Wellington (08:00):
Okay.

Sam Jones (08:01):
And others too: Diligent, MetricStream, LogicGate, Riskonnect. They all started embracing this IRM architecture.
The focus shifted to unifying data, aligning workflows, embedding risk into actual business decisions.

Ori Wellington (08:15):
And the author's point is that this wasn't just
GRC version 2.0.

Sam Jones (08:23):
Yeah, it was a forced correction.
Yes, because the market finally realized GRC wasn't really delivering strategic value.

Ori Wellington (08:25):
It couldn't.
Why not?
What was the fundamental limitation?

Sam Jones (08:27):
It goes back to the architecture, the way these systems were built.
GRC platforms were typically designed around static frameworks.
Think COSO for internal controls, COBIT for IT governance, ISO 27001 for security.

Ori Wellington (08:42):
Data frameworks yeah.

Sam Jones (08:43):
Right.
Their core design was really about supporting compliance documentation against those frameworks.
They weren't built for dynamic integration of different types of risk data from across the business.
They weren't built to drive strategic choices.

Ori Wellington (08:56):
Which is the promise of IRM.

Sam Jones (08:58):
Exactly.
IRM was conceived differently from the start.
The goal was explicitly to unify data, align workflows across different departments and make risk visible and relevant when actual business decisions are being made.

Ori Wellington (09:10):
So what can these modern IRM solutions do that GRC couldn't?

Sam Jones (09:14):
They empower the chief risk officer, the CRO, to do much more than just report on compliance status using simple red, yellow, green traffic lights.

Sam Jones (09:24):
Like what? Like actually quantifying risk exposure in meaningful business terms, engaging the executive team with scenario analysis.
If this risk happens, what's the potential dollar impact?
It connects risk to strategy, to financial outcomes.

Ori Wellington (09:39):
That sounds like a huge leap forward.

Sam Jones (09:41):
It is, and you see this reflected in the real world.
Deloitte did a global survey showing that in basically all major financial services firms, the CRO is now deeply involved in driving enterprise strategy, and that model is spreading fast to other industries too.

Ori Wellington (09:56):
So it really comes down to the plumbing.
The underlying system design dictates whether you're just organizing documents or enabling strategic decisions.

Sam Jones (10:03):
That's the core argument: architecture dictates capability. Documentation versus genuine strategic insight.

Ori Wellington (10:10):
Okay, let's bring this back to SunTrust.
After the crash, after the bailout, they obviously needed to fix their risk management.

Sam Jones (10:16):
They certainly tried, and the source mentions that part of their effort involved implementing a new GRC solution, specifically MetricStream.

Ori Wellington (10:24):
And how did that go?
Based on everything we've just discussed. Predictably, it failed.
Failed.
Why? Was the software itself bad?

Sam Jones (10:31):
The author argues it wasn't necessarily about that specific software package being inherently flawed.
The failure was more fundamental.
It failed because the underlying architecture, still rooted in that GRC philosophy of organizing compliance documents, just wasn't sufficient.
It couldn't provide the unified, integrated risk intelligence they desperately needed to rebuild trust and make better

(10:54):
decisions.

Ori Wellington (10:55):
So putting a new GRC system on top of the old problems didn't fix the core issue.

Sam Jones (10:59):
Exactly.
You can't solve an integration problem with a tool not designed for integration.

Ori Wellington (11:04):
The author then uses a really interesting piece of symbolism, doesn't he? Tied back to that fateful year, 2007.

Sam Jones (11:10):
He does.
He points out that in 2007, the same year SunTrust set itself on that reckless growth path.

Ori Wellington (11:16):
Yes.

Sam Jones (11:16):
The bank sold its long-held shares in the Coca-Cola Company and, in doing so, returned the iconic secret formula back to Coke. Huh.

Ori Wellington (11:25):
Okay, interesting timing.

Sam Jones (11:27):
And for the author the symbolism was profound. He felt that in relinquishing the Coke formula, SunTrust had also, in a way, lost another crucial formula.

Ori Wellington (11:35):
Which was?

Sam Jones (11:36):
The emerging architecture for integrated risk management, the very blueprint he had actually started developing internally at SunTrust before he was effectively pushed out.

Ori Wellington (11:45):
Wow.
So they didn't just lose Coke's secret formula, they lost the potential formula for fixing their own risk problems.

Sam Jones (11:52):
That's his perspective and his personal takeaway.
Walking out of SunTrust with his severance and equity, it wasn't just capital he carried out.

Ori Wellington (12:00):
It was an insight.

Sam Jones (12:01):
A profound one.
You cannot buy risk intelligence off the shelf like a software package.
It absolutely has to be architected, owned and deeply integrated within the organization itself.

Ori Wellington (12:12):
And that insight became foundational for him.

Sam Jones (12:14):
Absolutely.
That capital became seed money for his advisory firm, Wheelhouse Advisors, and those insights, learned the hard way at SunTrust, directly informed the IRM models and approaches they developed, like their IRM Navigator model.

Ori Wellington (12:28):
So we really come full circle, then. The GRC vendors, who started it all, are now promoting IRM.

Sam Jones (12:33):
Heavily.
But the author insists we shouldn't see IRM as just the natural successor to GRC, like the next logical step.

Ori Wellington (12:40):
He sees it as a correction.

Sam Jones (12:42):
A necessary correction, because the core issue wasn't that GRC was missing an integration module or some feature.

Ori Wellington (12:50):
The problem was deeper.

Sam Jones (12:51):
The problem was foundational.
Integration wasn't a feature GRC lacked, it was a capability its fundamental architecture never possessed, never aimed for.

Ori Wellington (13:00):
So IRM isn't just GRC+? No.

Sam Jones (13:03):
It represents the strategic capability that GRC implicitly promised but structurally couldn't deliver.
It ignored the need for true integration.

Ori Wellington (13:12):
It's a redefinition then, not just a
repackaging.

Sam Jones (13:14):
Absolutely.
Think about the difference: where GRC connected documents.

Ori Wellington (13:18):
IRM connects decisions.

Sam Jones (13:19):
Right. Where GRC supported compliance checklists.

Ori Wellington (13:22):
IRM supports strategic choices navigating
uncertainty.

Sam Jones (13:26):
And where GRC primarily created records of
past activities.

Ori Wellington (13:30):
IRM aims to create genuine organizational readiness to face future risks strategically and dynamically.

Sam Jones (13:36):
That's the shift.

Ori Wellington (13:37):
So the core takeaway from all this, the message that comes through so clearly, is: risk

Sam Jones (13:42):
intelligence isn't a product you acquire.
It's not something you just buy and plug in and, poof, you're intelligent about risk.

Ori Wellington (13:47):
It's something you have to build, architect it, integrate it into the operations, the culture, the very fabric of the organization.

Sam Jones (13:55):
SunTrust learned that lesson in the most painful way possible, costing them billions and nearly their existence.

Ori Wellington (14:01):
And the software vendors?

Sam Jones (14:03):
They learned it too, eventually. Forced by the market, demanding something more than just documentation, demanding real strategic capability through a unified architecture.

Ori Wellington (14:13):
So IRM overcomes GRC's limitations, not because GRC somehow gracefully evolved into it.

Sam Jones (14:21):
But because GRC's inherent limitations finally forced a surrender to what the market, what businesses actually needed from the very beginning: genuine strategic integration.

Ori Wellington (14:31):
Wow, thinking about that whole journey, you know, from that intense SunTrust boardroom drama all the way to the evolution of an entire software industry, it really is quite a story.

Sam Jones (14:41):
It really is, and it highlights some critical lessons.
Yeah, we've definitely seen the devastating consequences of ignoring risk, sometimes deliberately, and how tools marketed as intelligence can actually, paradoxically, institutionalize a form of ignorance if they just focus on documentation instead of real, connected insight.

Ori Wellington (15:00):
Right, and understanding that fundamental difference, the shift to IRM representing a move from just connecting documents to truly connecting decisions.
That's huge.

Sam Jones (15:10):
It requires a completely different kind of system built for that purpose.

Ori Wellington (15:13):
So this deep dive, drawing on John Wheeler's experiences and analysis, it makes it incredibly clear, doesn't it?
True risk intelligence isn't something you just purchase.

Sam Jones (15:23):
No, it's a capability.
You have to architect it, you have to cultivate it, you have to build it right into the DNA of your organization.

Ori Wellington (15:30):
Okay, so here's a thought to maybe leave you, our listener, with, drawing from where this source material seems to be headed.
The whole article series is called The Risk Ignored, right? And the next part apparently talks about how the global financial crisis shattered illusions and forced people to connect dots that GRC just never could.

Sam Jones (15:48):
Crisis is a catalyst.

Ori Wellington (15:50):
Exactly so.
The question to ponder is: how often do major failures, major crises, become these really harsh teachers?
How often do they brutally reveal fundamental truths about our complex systems, truths that were maybe conveniently overlooked or papered over, or just plain ignored when times seemed easier?