July 30, 2025 12 mins

Modern risk management stands at a precipice of transformation where AI-driven platforms are causing what ServiceNow's CEO Bill McDermott calls an "extinction-level event" for traditional software vendors. This profound shift is reshaping how organizations approach enterprise resilience, with implications for businesses across all sectors.

The evolution from conventional Governance, Risk, and Compliance (GRC) to autonomous Integrated Risk Management (IRM) represents a fundamental leap forward. Today's cutting-edge platforms don't merely collect data—they leverage artificial intelligence to predict emerging risks, automate policy enforcement, and suggest real-time solutions. The analogy of moving from manual spreadsheets to a self-driving car for risk management aptly captures this transformation, highlighting how these new systems break down organizational silos and enable proactive rather than reactive approaches.

Market validation for this shift is substantial, with major institutional players like Goldman Sachs and Blackstone making significant investments in the IRM space. Their recent NAVEX acquisition signals that IRM has moved from a specialized niche to an essential business function. Meanwhile, vulnerabilities exposed within cyber insurance providers themselves—as seen in the Lions Life data breach—reveal that even risk experts face critical gaps in their own defenses. This paradox underscores the importance of comprehensive approaches addressing Performance, Resilience, Assurance, and Compliance (PRAC) objectives.

As traditional market reports struggle to keep pace with these rapid changes, organizations must carefully evaluate their information sources to ensure their insights remain forward-looking and actionable. The question becomes not just how to adapt to these changes, but how to strategically position yourself in this new reality. We encourage you to reflect on how these profound shifts in risk management connect to your own work and to consider what steps you might take to ensure your organization's resilience in an increasingly complex risk landscape.



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
Okay, how do you keep up, seriously, how do you
keep up with the sheer speed of change, especially when it's
something as critical as managing risk and cybersecurity?
It feels like the ground beneath us is constantly
shifting, doesn't?

Sam Jones (00:15):
it.

Ori Wellington (00:15):
Wait, let's unpack this a bit, because the
whole world of risk management technology, it's going through
this immense transformation.
It's almost overwhelming.

Sam Jones (00:25):
It really is seismic, yeah, and our focus today, it's
integrated risk management, IRM, how it's being fundamentally
reshaped.
We're talking advanced AI, big shifts and what investors are
looking for and, yeah, those cyber threats that just keep
evolving.
The toughest part for a lot of folks in risk isn't getting
information, it's finding insights that are, like, truly
actionable, that look forward.

Ori Wellington (00:48):
Most of the general reports out there, they
just scratch the surface, often feels like yesterday's news.
Exactly, and that's why we're doing this deep dive today.
Our mission really is to give you a shortcut, help you get
properly informed by pulling out the key nuggets from some
really exclusive analysis.
We're tapping into the RTJ Bridge by Wheelhouse Advisors.
This is stuff usually kept for, well, a very specific audience,
so you're about to get a sneak peek into what's driving top

(01:09):
industrial decisions and the future of enterprise resilience.

Sam Jones (01:14):
Yeah, and these insights,
they cover some pretty dramatic shifts in software, major
investment trends that are really validating this whole IRM
market and, maybe surprisingly, some growing vulnerabilities in
a place you might not expect: cyber insurance providers
themselves.
We'll also dig into why some of the, let's say, common industry
reports might be, well, missing the mark a bit on who the real

(01:35):
leaders are here.

Ori Wellington (01:36):
Right, we promised some surprising facts,
maybe just enough humor to keep it interesting.
We want to make this complex topic clear, engaging and
actually useful.
So yeah, you're about to get a really unique perspective on
something impacting pretty much every modern business.
Okay, let's dive right in.
There's a pretty blunt assessment floating around about
risk management tech right now.
Bill McDermott, ServiceNow's CEO,

(01:58):
he recently warned that these advanced AI-centric platforms,
they're causing what he called an extinction-level event for
older software players.
That's a powerful phrase for a CEO.
What exactly is going extinct here?

Sam Jones (02:10):
It is powerful and it highlights a critical truth, really.
Traditional GRC vendors (governance, risk, compliance), the
ones still stuck on static compliance models, lots of
manual processes, they're facing rapid obsolescence.
The market's moving clearly towards autonomous IRM, and when
we say autonomous, we mean AI-native platforms, integrated

(02:32):
systems that don't just hold data, they actively use machine
learning, they predict emerging risks, automate policy
enforcement, maybe even suggest how to fix things in real time.
It fundamentally breaks down those old organizational silos.
It pushes towards proactive risk mitigation, not just
reactive compliance checks.
Think of it like moving from a manual spreadsheet to a

(02:54):
self-driving car, but for risk.

Ori Wellington (02:55):
It's a great analogy, a self-driving car for
risk.
These new systems are just faster.
They're fundamentally, well, smarter, more predictive, and it
looks like the big money is noticing.
You talk about institutional validation.
That recent NAVEX acquisition led by Goldman Sachs, with
Blackstone jumping in too, that really stands out.
This isn't just pocket change.
It feels like major institutional confidence in

(03:17):
where IRM software is heading.
What does that kind of huge buy-in from top-tier private
equity mean for the wider IRM world, especially for, say,
smaller vendors or companies thinking about adopting this?

Kelsey Hutchinson (03:29):
stuff.
It's fascinating, yeah, that deal.
It really marks a milestone.
It shows confidence, not just in NAVEX but in the whole IRM
sector, as our source, Wheelhouse Advisors, puts it,
and this is a good quote:
"When top-tier investors like Goldman and Blackstone commit at
this scale, it's a clear vote of confidence that IRM is no
longer a nice-to-have but essential for enterprise

(03:50):
resilience."
For smaller players, well, it likely means more competition,
but also a bigger, more validated market to play in, and
for companies thinking about adopting IRM, it's a loud signal:
IRM isn't niche anymore, it's mainstream.
It's critical for modern business ops.

Ori Wellington (04:02):
It just legitimizes the whole space,
draws in more innovation, more talent. Right, okay, you also
mentioned an unexpected vulnerability in cyber insurance
providers.
That seems like a worrying paradox.
The companies meant to protect others are becoming targets.
The Alliance Life data exposure you mentioned is a stark
example.
Wait, so even the insurers are vulnerable.
How does that happen?

(04:23):
Their whole business is risk mitigation.

Sam Jones (04:26):
It really is a paradox, isn't it?
Like you said, the fire department catching fire. The
Lions Life breach, which was a huge vendor-related data leak,
it just starkly highlights these critical gaps that even
providers can have.
We're talking about gaps in their own third-party risk, tech
risk, GRC with strategic PRAC objectives.

Ori Wellington (04:54):
Okay, PRAC objectives.
You dropped that term in.
Can you unpack PRAC for us?
What does it mean and why is it so crucial, especially for
insurers?

Sam Jones (05:02):
Absolutely. So
PRAC stands for performance, resilience, assurance and
compliance.
For an insurer, performance could be about using real-time
risk data to allocate resources better, you know, be more
efficient.
Resilience is pretty straightforward: can they
withstand an attack and keep operating?
Business continuity. Assurance is about having automated audit
trails, verifiable controls for the regulators, super critical in

(05:24):
their heavily regulated world.
And compliance is, well, meeting all those legal and industry
standards, which are always changing.
So by proactively aligning their IRM using this PRAC
framework, insurers don't just manage risks better and reduce
their own exposure.
They can actually position themselves as genuinely
resilient market leaders.
It's really about practicing what they preach.

Ori Wellington (05:45):
Makes sense.
It sounds like a much more holistic view is needed,
especially when the stakes are that high.
And speaking of approaches, let's talk about how the market
actually evaluates these companies.
You suggested some industry reports are kind of missing the
mark on the IRM vendor landscape, like IDC's latest MarketScape
for GRC.
That's a strong claim, suggesting a major analyst firm

(06:07):
is off target.
Is there any situation where their current evaluation might
still be useful, or is it genuinely a miss?

Sam Jones (06:14):
Well, complete miss might be too strong.
It's more like they're evolving too slowly.
They haven't quite caught up with how fast the market is
changing.
IDC's latest GRC MarketScape, for example,
it still uses definitions and criteria that just feel outdated
for this autonomous, AI-driven future of IRM we're talking
about, and this, you know,
it can lead to some questionable conclusions about
who the real leaders are.

(06:34):
By contrast, the research we're drawing on, the IRM Navigator
series from Wheelhouse, it uses very clearly defined maturity
curves and functional IRM layers.

Ori Wellington (06:42):
Maturity curves and functional IRM layers.
Okay, sounds important, but maybe a bit technical.
Can you give us a quick sort of conceptual breakdown?
Why is that approach better?

Sam Jones (06:52):
Sure, sure.
Think of maturity curves like levels in a video game for risk
management.
You start at basic compliance, level one maybe, and you aim
for higher levels: proactive strategy, resilience, that sort
of thing.
It's a roadmap for how companies evolve.
And functional IRM layers,
that refers to the distinct capabilities like threat
intelligence, automating controls, risk analytics.

(07:15):
So this lets us assess vendors, not just on if they have a
feature, but how deeply and effectively they integrate these
functions. Makes sense.

Ori Wellington (07:23):
Yeah, okay, so it's more granular.

Sam Jones (07:25):
Exactly.
It's much more granular, more sophisticated.
It helps buyers pick vendors that really align with their
strategic goals, not just someone sitting in a generic
leader box that might lump together old legacy systems and
cutting-edge AI. As IRM moves towards this autonomous future,
those simplistic charts, the ones without strategic depth,
they just don't cut it anymore.
It's like trying to judge a Formula One car based on its

(07:47):
paint job; you miss what's under the hood.

Ori Wellington (07:49):
Okay.
So wrapping this up a bit, what does this all mean for you, the
listener,
and just the broader risk landscape?
We've hit some major points: that extinction-level event for
legacy GRC, the huge validation of IRM from big investors like
Goldman and Blackstone, the critical vulnerabilities even
cyber insurers face, like with the Lions Life, and the limits

(08:10):
of some traditional analyst reports.
It's quite a lot to digest, right?

Sam Jones (08:14):
It absolutely is, and the bottom line: IRM isn't a
nice-to-have anymore.
It's essential, essential for enterprise resilience.
It's being driven hard by AI, by data-centric approaches,
breaking down silos, pushing for proactive mitigation. And the
kind of research we discussed today,
using those maturity curves and functional layers, it offers a
much more sophisticated way to assess who's doing what, giving

(08:35):
you a deeper, more accurate picture of what really counts in
this space.

Ori Wellington (08:39):
And that really highlights the value, doesn't it?
Getting access to distinct insights like these.
It's a sharp contrast to general market reports that can
sometimes feel like they're just repeating what everyone already
knows.
We really hope this deep dive has got you thinking,
considering the implications for your own understanding of risk
and tech,
whatever field you're in.
It's a complex world out there and staying ahead is pretty

(09:01):
crucial.

Sam Jones (09:01):
Which really brings up an important question, I
think. In a world where even the experts meant to protect us are
targets, like the insurers, and where widely accepted reports
might miss critical shifts, how do you critically evaluate the
information you consume?
How do you make sure your insights are truly
forward-looking, truly actionable, especially as we

(09:22):
head towards a more autonomous future?

Ori Wellington (09:24):
That is a powerful thought to chew on.
We definitely encourage you to reflect on how these pretty
profound shifts in integrated risk management might connect to
your own work, your own interests.
Hopefully it sparks some further curiosity and
exploration.