June 10, 2025 18 mins

Autonomous Integrated Risk Management (IRM) is becoming a reality with AI-powered tools providing real value, but many implementations suffer from disconnected systems that prevent true strategic alignment.

• Automated risk management tools often operate in isolation within the middle validation layer
• Wheelhouse Advisors' IRM Navigator™ Model identifies five interconnected layers: strategic oversight, business orchestration, threat intelligence/validation, remediation/response, and verification/audit
• Most automation is happening in layer three (threat intelligence/validation) but lacks strategic input from layer one and verification feedback from layer five
• Toyota's 2022 credential exposure incident demonstrates how disconnected layers can miss critical risks for years
• Effective autonomous IRM requires a two-way flow of information – strategy flowing down and validation results flowing back up
• Risk leaders should map their systems to the five layers, tag strategic assets, feed audit data back to validation tools, and measure business impact rather than just technical metrics
• The sequence for improvement should be: simplify, automate, integrate – don't automate broken processes

To maximize the value of autonomous IRM in your organization, focus on connecting your technical capabilities with strategic priorities and verification processes to create a living, learning system that protects what matters most to the business.


Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sam Jones (00:00):
Welcome to the Deep Dive. Today we're really getting into something that's moving fast in risk management.

Ori Wellington (00:05):
That's right. Autonomous integrated risk management. Autonomous IRM.

Sam Jones (00:10):
Exactly. We've been looking at a recent article that, well, it digs into how this is actually becoming a reality but, more importantly, what's often missing.

Ori Wellington (00:19):
Yeah, the pieces that stop it from delivering what it potentially could. We see all this promise with AI and automation and risk, but the analysis we reviewed, it points out that the tech, while it's getting good in specific spots, it's often running kind of disconnected.

Sam Jones (00:36):
Isolated, that's the word, and that isolation, it's holding back what true autonomous IRM could be. So our mission here, in this deep dive, we want to cut through some of that hype, unpack this emerging architecture and really pinpoint where that disconnection is happening. The article even calls it a kind of starvation.

Ori Wellington (00:54):
A starvation of context.
Essentially, yeah.

Sam Jones (00:56):
And we want to show you why linking that top-level strategy with the validation and assurance parts, why that connection is absolutely key.

Ori Wellington (01:04):
So you can leave understanding this complex area better, maybe spot where automation efforts in your world might be falling a bit short.

Sam Jones (01:11):
And see how connecting the dots, strategy and assurance, really makes risk management work for the business.

Ori Wellington (01:16):
Okay, so let's dive in. The article makes it clear this autonomous IRM stuff, it isn't just theory anymore. No, it's happening now. AI platforms are actually providing value today. Think about tools simulating attacker behavior, for instance.

Sam Jones (01:31):
Or validating if controls actually work in the real world.

Ori Wellington (01:34):
Exactly, and recommending actions, sometimes even triggering them automatically.

Sam Jones (01:38):
Yeah.

Ori Wellington (01:38):
Less manual step-by-step needed.

Sam Jones (01:41):
The source highlighted a really concrete example, didn't it? That June 5th announcement, Toscura.

Ori Wellington (01:46):
Yeah, Toscura, integrating with ServiceNow's vulnerability response and CCOP's modules.

Sam Jones (01:53):
And that's not just spitting out reports, it's embedding real-time simulation-backed intelligence right into the workflows people use every day.

Ori Wellington (02:00):
That's the key. Intelligence in real time, where the work gets done.

Sam Jones (02:03):
But what was interesting, the Piskura announcement itself. It didn't actually mention IRM, did it?

Ori Wellington (02:09):
No, not at all. And the analysis we read suggests that silence, well, is pretty significant. It tells us something.

Sam Jones (02:15):
Tells us where this automation is popping up first. It's in what the source, citing Wheelhouse Advisors, calls layer three, intelligence and validation.

Ori Wellington (02:25):
Right, smack dab in the middle of the typical risk architecture stack.

Sam Jones (02:29):
So automation is getting strong there. But the article's point is that lots of companies are managing that middle layer, well, on its own.

Ori Wellington (02:35):
In isolation, and that's the core issue identified. These powerful autonomous IRM capabilities, they're emerging from the middle, from layer three.

Sam Jones (02:44):
The threat validation layer.

Ori Wellington (02:45):
Exactly, but to be truly successful, to really add enterprise value, they absolutely have to get strategic input from the layers above.

Sam Jones (02:53):
The business strategy side.

Ori Wellington (02:55):
And they need to push validated outputs down for assurance to the layers below. Without that connection, that flow.

Sam Jones (03:00):
Well, the automation ends up optimizing for potentially the wrong things.

Ori Wellington (03:03):
Okay. So to really grasp this and why that isolation is such a problem, we need to look at the framework. The article uses this IRM Navigator model from Wheelhouse Advisors, right. It breaks it down into five interconnected decision layers.

Sam Jones (03:17):
And, importantly, these aren't maturity levels, right? Not like step one, step two.

Ori Wellington (03:21):
No, not at all. Think of them as functional layers that need to talk to each other. They're aligned to specific IRM objectives.

Sam Jones (03:27):
Which the article summarizes with that acronym, P-E-R-E. Pre, yeah.

Ori Wellington (03:32):
Pronounced like practical. Stands for performance, resilience, assurance and compliance.

Sam Jones (03:37):
Key R-A-C.

Ori Wellington (03:41):
Performance, resilience, assurance, compliance. And a really key point the article stresses: compliance isn't the main driver here, it's an outcome.

Sam Jones (03:47):
Ah, okay.

Ori Wellington (03:47):
You get compliance when performance, resilience and assurance are managed well. It's not about just ticking boxes. It's about building real, evidence-backed confidence.

Sam Jones (03:57):
Got it. So, PRAC in mind, let's quickly walk through these five layers. What does each one do?

Ori Wellington (04:02):
Okay, layer one, that's strategic oversight. This is the top, think enterprise risk management, ERM.

Sam Jones (04:08):
Big picture stuff.

Ori Wellington (04:09):
Exactly. Business goals, growth plans, risk appetite, strategic thresholds. The main objectives here are performance and resilience. Layer one provides that crucial strategic lens. It tells the rest of the system what actually matters to the business.

Sam Jones (04:24):
So layer one is the why, it sets the direction. What's layer two then?

Ori Wellington (04:28):
Layer two is business orchestration. This is often where operational risk management, ORM, plays a big role. It's like the connective tissue.

Sam Jones (04:36):
Connecting strategy to operations.

Ori Wellington (04:38):
Pretty much. Its main goals are resilience and performance, right. It takes the strategy from layer one and works out how to normalize signals, route information, coordinate activities across different systems and functions. It translates strategy into, well, operational reality.

Sam Jones (04:52):
Okay, layer one points the way. Layer two coordinates based on that. Then we hit that middle layer again.

Ori Wellington (04:56):
Layer three, right. Layer three, threat intelligence and validation. This is where technology risk management, TRM, really shines.

Sam Jones (05:03):
The tech engine room.

Ori Wellington (05:05):
That's a good way to put it. Objectives here are resilience and assurance. This is where you're using telemetry, threat intel, simulations, all that stuff to validate if controls actually work against real threats and to score exposures based on potential impact.

Sam Jones (05:21):
And this is where that Tuskegee example fits in, the automation hub.

Ori Wellington (05:24):
Precisely, this is where a lot of that exciting automation is happening today.

Sam Jones (05:28):
So what happens after layer three finds something?

Ori Wellington (05:31):
That flows into layer four, remediation and response. This layer is all about action, triggering or automating mitigations based on what layer three found. Objectives are resilience and compliance. TRM drives the fast incident response, but ORM helps coordinate the broader corrective actions across the business, making sure things actually get fixed properly.

Sam Jones (05:51):
And the last layer, layer five.

Ori Wellington (05:53):
Layer five is verification and audit. I think assurance and compliance are the main goals here. This is often the home turf for traditional GRC tools.

Sam Jones (06:00):
Governance risk compliance.

Ori Wellington (06:02):
Right, it's about verifying outcomes, auditing the overall risk posture, reporting, attestation. It looks backward, in a sense, to confirm things worked and provides the proof needed for compliance.

Sam Jones (06:16):
So if we map the domains again, ERM is layer one, strategy. ORM connects and coordinates in layers two and four.

Ori Wellington (06:23):
The connective tissue.

Sam Jones (06:24):
TRM is the real-time validation and response engine in three and four.

Ori Wellington (06:28):
The technical core.

Sam Jones (06:29):
In GRC.

Ori Wellington (06:30):
GRC is essential, mostly in layer five for that documentation, the proof, the compliance record. But the article argues it's less about guiding real-time decisions, which happens more in those middle layers, it's the verification piece.

Sam Jones (06:43):
Okay, that framework lays it out clearly, the different pieces. But let's circle back to that core problem. You mentioned managing in the middle, starving from the edges. How does that look in this five-layer model?

Ori Wellington (06:53):
Yeah, the article really hammers this home. You've got these increasingly sophisticated platforms doing great work in layer three.

Sam Jones (06:59):
Yeah.

Ori Wellington (07:00):
Simulating attacks, validating controls, scoring risks.

Sam Jones (07:03):
But they're disconnected.

Ori Wellington (07:05):
They're isolated, powerful engines, sure, but running without the full context they need from the rest of the business.

Sam Jones (07:11):
Specifically, they aren't getting that strategic input from layer one.

Ori Wellington (07:15):
Exactly, so that smart simulation engine in layer three. It might prioritize fixing a vulnerability with a high technical score, a high CVSS score, let's say, which sounds important. Technically, yes, but layer three on its own doesn't know if that vulnerability is on some legacy, unimportant system or if it's on the critical system underpinning a major new product launch.

Sam Jones (07:39):
Ah, because layer one didn't tell it what's strategically critical.

Ori Wellington (07:43):
Right, so it might spend resources fixing something technically severe but strategically irrelevant. It's basically automating noise, not value, chasing the wrong fires.

Sam Jones (07:53):
And it's also not getting feedback from the other end, from layer five, the audit layer.

Ori Wellington (07:56):
Correct. Findings from audits, confirmation that certain controls failed, verification in layer five, that information often isn't systematically fed back into the layer three simulation logic.

Sam Jones (08:06):
So the engine might keep testing controls that are known to be broken.

Ori Wellington (08:09):
Potentially, yes, or it doesn't adjust its assumptions based on the verified reality coming out of layer five. It's not learning from the assurance process.

Sam Jones (08:19):
Wow, so automating layer three by itself, it doesn't just miss opportunities, it could actually sort of lock in bad assumptions or misalignment.

Ori Wellington (08:27):
That's exactly the danger the article points out. Layer three becomes this echo chamber, technically busy but disconnected from business priorities and real-world verification.

Sam Jones (08:36):
It's doing stuff, but not necessarily the right stuff.

Ori Wellington (08:39):
Precisely. Real autonomous IRM isn't just about faster simulation in the middle. It needs to be about connected decision-making guided by strategy from layer one, confirmed by assurance from layer five.

Sam Jones (08:51):
So the answer isn't just a better layer three engine, it's connecting it. The article called it a two-way street.

Ori Wellington (08:56):
Yes, a two-way flow of information. That's the crucial architectural piece missing in many setups today. Current tools might be good at managing threats within layers three and four.

Sam Jones (09:05):
The operational workflows.

Ori Wellington (09:06):
Right, but very few are built to actively ingest the signals from layer one, the strategic priorities, or systematically incorporate feedback from layer five, the verification results. That's the gap.

Sam Jones (09:19):
So what does this two-way architecture actually look like? How should it flow?

Ori Wellington (09:22):
Okay. First, strategy has to flow downward from layer one.

Sam Jones (09:25):
Top down.

Ori Wellington (09:26):
Top down, strategic context from ERM. This tells the simulation response layers, three and four, what to focus on, which assets matter most, which scenarios align with key business risks or goals.

Sam Jones (09:38):
Okay, strategy flows down, what flows out? Or up?

Ori Wellington (09:41):
Validated intelligence needs to flow outward from layer three.

Sam Jones (09:44):
Outward.

Ori Wellington (09:45):
Yeah, meaning the verified findings from the layer three engine should feed dashboards, clarify who owns what action across ORM and TRM and, crucially, provide consolidated, credible information for layer five reporting and board oversight.

Sam Jones (09:58):
So layer three informs decisions and reporting, and then there's the loop back from layer five.

Ori Wellington (10:03):
Absolutely critical. Audit and verification from layer five closes the loop. It confirms if the actions taken in layer four actually worked.

Sam Jones (10:09):
So, did we fix the thing?

Ori Wellington (10:10):
And, just as importantly, were those actions aligned with the strategic priorities set way back in layer one? Did we fix the right thing effectively?

Sam Jones (10:19):
That connection seems vital.

Ori Wellington (10:21):
It is. But the article notes many firms have powerful automation in layer three, but no systematic way to get layer one strategy in or layer five verification back. That's not integrated risk management, it's just scaled-up isolation.

Sam Jones (10:36):
The Toyota case study you mentioned from 2022, that really highlights what happens when that flow breaks down, doesn't it?

Ori Wellington (10:43):
It really does. A stark example. Toyota admitted a supplier accidentally put API credentials for their T-Connect service on a public GitHub repo.

Sam Jones (10:52):
And they were exposed for years.

Ori Wellington (10:54):
Over five years, yeah. Putting data for almost 300,000 customers at risk. And the article's analysis is that this wasn't just a technical slip-up. It was a failure in that strategic information flow.

Sam Jones (11:05):
Okay, let's map it to the layers. Where did it break down?

Ori Wellington (11:07):
Well, fundamentally, layer one strategy failed. Telematics, this customer-facing service with sensitive data, apparently wasn't given the top-tier strategic importance it deserved.

Sam Jones (11:15):
It wasn't flagged as critical enough.

Ori Wellington (11:18):
It seems the connection to customer trust, to their digital services strategy, wasn't fully recognized and cascaded down from the top. That tier one classification was missing.

Sam Jones (11:30):
Which means layer three, the simulation and validation layer.

Ori Wellington (11:31):
It wasn't looking hard enough in the right places. Because the system wasn't flagged as top strategic priority from layer one, the layer three logic likely didn't prioritize scanning that specific code repository for that specific type of risk, stale embedded credentials. The strategic guidance was missing.

Sam Jones (11:49):
So it missed the needle in the haystack because it wasn't told which haystack mattered most.

Ori Wellington (11:53):
A good analogy. And then layer four, response. Their actions seemed focused on standard stuff like patching speed.

Sam Jones (11:59):
Normal security hygiene.

Ori Wellington (12:01):
Right, but not necessarily on the specific risk of long-lived hard-coded secrets and third-party code, the actual problem here. The response wasn't tailored because the strategic context wasn't there.

Sam Jones (12:11):
And layer five audit.

Ori Wellington (12:13):
Layer five, verification and audit, didn't catch it until it blew up publicly, which suggests the verification processes weren't effectively checking the controls around this, let's call it strategically vital, system before it became an incident.

Sam Jones (12:27):
So the article's conclusion is pretty clear.

Ori Wellington (12:29):
Yeah, if layer one had pushed down the strategic importance and if layer five had fed back verification data, maybe flagging weak code scanning controls, into layer three's logic.

Sam Jones (12:40):
They might have caught it much, much sooner.

Ori Wellington (12:42):
Years sooner, potentially. It's a powerful example of the cost of that strategic starvation we talked about.

Sam Jones (12:48):
Definitely. And it brings us back to those PRAC objectives, performance, resilience, assurance, compliance, exactly when the layers are connected.

Ori Wellington (12:56):
You can see how PRAC works across them. Performance starts in layer one, aligning risk with strategy. Okay, resilience is built across the middle layers two, three and four, that connected orchestration, the real-time validation, the coordinated response. Right, assurance comes from layer three's validation and layer five's verification. You need both, proving controls should work and confirming they did work.

Sam Jones (13:18):
And compliance.

Ori Wellington (13:19):
Compliance is the result. It flows naturally when the whole system, strategy informing action, outcomes being verified, is working. It's not just about layer five checklists.

Sam Jones (13:30):
So without that connectivity, you risk automating stuff that doesn't matter strategically, or you institutionalize blind spots because assurance isn't feeding back, you optimize for the wrong things.

Ori Wellington (13:42):
That's the core message.

Sam Jones (13:43):
So what should risk leaders actually do about this? Based on the source, what are the actionable steps?

Ori Wellington (13:49):
Okay, the article lays out a few key things. First, map your own systems, your risk tools, your security platforms. Map them to these five layers.

Sam Jones (13:57):
See where things fit.

Ori Wellington (13:58):
And critically, see where the gaps are. Where are the connections missing, especially between that middle layer three and the edges, layers one and five?

Sam Jones (14:05):
And where middle isn't talking to the top or the bottom. Exactly.

Ori Wellington (14:08):
Okay. Second, you need to actively push strategic context down from layer one into layer three.

Sam Jones (14:14):
How do you do that practically?

Ori Wellington (14:15):
Tagging. Flag systems, data, processes that are linked to your company's big strategic bets, your critical customer interactions, your crown jewels. Make sure your layer three tools know what the business values most so they can prioritize accordingly.

Sam Jones (14:29):
Get the why into the what.

Ori Wellington (14:31):
Precisely. Third, reverse the flow. Feed assurance data back from layer five into layer three.

Sam Jones (14:37):
Use audit findings.

Ori Wellington (14:38):
Yes. Audit results, compliance checks, control test failures from layer five. Use that data to make your layer three simulations and validation rules smarter, more realistic. Don't let audit findings just sit in a report. Make them improve your real-time validation.

Sam Jones (14:53):
Close that loop. Make layer three learn from layer five.

Ori Wellington (14:56):
Fourth, look at your metrics. Shift away from just measuring technical activity like time to patch.

Sam Jones (15:01):
Velocity metric.

Ori Wellington (15:02):
Right. Move towards measuring relevance and impact. Like, are we reducing value at risk? Are we better protecting the things layer one identified as critical? Focus on outcomes, not just output.

Sam Jones (15:11):
And the final piece of advice.

Ori Wellington (15:13):
Remember the sequence: simplify, automate, integrate.

Sam Jones (15:16):
Simplify, automate, integrate.

Ori Wellington (15:18):
Automation is an amplifier. It makes whatever process you have run faster and bigger. So if your underlying risk model, the flow between the layers, is broken or disconnected, automating...

Sam Jones (15:29):
It just makes the problem worse faster.

Ori Wellington (15:31):
Exactly. Get the model right first. Ensure that information is flowing correctly between the layers before you go all in on automating pieces of it.

Sam Jones (15:40):
That makes perfect sense.
Don't automate a mess.

Ori Wellington (15:42):
Pretty much, and you know, the final word from the source really reinforces this. True autonomous IRM, its real value isn't about getting rid of people.

Sam Jones (15:52):
No, it's about helping them.

Ori Wellington (15:53):
It's about giving them better context, clearer priorities, actions that are based on validated reality, not just assumptions.

Sam Jones (16:00):
But that only happens if the middle layer, layer three, gets those inputs. Strategy from the top, assurance from the bottom.

Ori Wellington (16:07):
That connection is everything, and the tech is arriving. We see pieces of autonomous IRM emerging now.

Sam Jones (16:12):
Like the Toscira example.

Ori Wellington (16:14):
Right. The next big step, the crucial one, is knitting those pieces together, connecting strategy down and assurance back up, creating what the article called a living, learning system.

Ori Wellington (16:24):
Yeah, one that actually reflects what the business cares about and can prove it's protected.

Sam Jones (16:28):
And when you achieve that connection, IRM moves beyond just compliance.

Ori Wellington (16:33):
It becomes about managing real consequence. It becomes really strategy in action.

Sam Jones (16:41):
Wow, this has really shifted how I think about it. That idea of layer three automation being starved without the connection, it just clicks, it reframes the whole challenge.

Ori Wellington (16:48):
Yeah, it moves the goalpost from just buying more tech for the middle to actually building the bridges, connecting functions, connecting objectives across the whole enterprise.

Sam Jones (16:56):
So here's a final thought for you listening. How could applying this five-layer model, thinking about that two-way street, how might that reveal blind spots in your own work, even if it's not traditional risk management? Where might you have sophisticated analysis or automation happening in a silo, maybe starved of the strategic context it needs or disconnected from the feedback that would make it truly effective?

Ori Wellington (17:22):
That's a really interesting question to ponder.

Sam Jones (17:24):
Indeed. Well, thank you for joining us on this deep dive into autonomous integrated risk management.