August 13, 2025 20 mins

The fog of risk management is lifting. What was once a checkbox exercise has transformed into a strategic imperative that drives enterprise resilience and competitive advantage.

Dive deep with us as we explore the groundbreaking 2025 IRM Navigator™ Vendor Compass for Risk Management Consulting Report from Wheelhouse Advisors. This essential analysis maps the dramatic evolution underway in how organizations operationalize Integrated Risk Management (IRM) and the crucial role expert consulting now plays in this landscape.

We unpack the fundamental shift from traditional Governance, Risk, and Compliance (GRC) to a holistic IRM approach organized around four key enterprise objectives: Performance, Resilience, Assurance, and Compliance (PRAC). The numbers are staggering – the IRM market is projected to grow from $61.6 billion to $147 billion by 2032, with Risk Management Consulting emerging as the fastest-growing segment at a 16.9% CAGR.

Artificial Intelligence has become a game-changer, but comes with critical caveats. While leading firms develop enterprise-grade multi-agent platforms with auditable trust layers, the market remains "long on ambition, short on verifiable delivery." We provide practical guidance on how to evaluate AI claims beyond marketing hype, demanding production use cases, documented trust controls, and clear outcome metrics.

The Vendor Compass framework helps navigate the provider landscape, categorizing firms into Integrators (like the Big Four), Accelerators (specialized domain experts), and Pacesetters (agile niche players). Whether you lead a global enterprise or a growing mid-market company, you'll gain concrete, actionable advice for selecting the right partner, structuring effective contracts, and implementing a practical 12-week proof of value approach.

Risk management has transformed from protecting against pitfalls to actively propelling performance. How is your organization integrating risk to build lasting resilience in our increasingly unpredictable world? Listen now to chart your course through the shifting risk landscape.



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
Have you ever felt like navigating risk in your organization is like trying to sail through a constantly shifting fog?

Sam Jones (00:08):
Yeah, it's definitely complex.

Ori Wellington (00:10):
It's gone far beyond just checking boxes for compliance, hasn't it? It's now about embedding resilience and, well, strategic advantage directly into the DNA of your business.

Sam Jones (00:20):
Exactly, it's a fundamental shift.

Ori Wellington (00:22):
Today we're embarking on a deep dive into a really insightful piece: the 2025 IRM Navigator Vendor Compass for Risk Management Consulting Report from Wheelhouse Advisors.

Sam Jones (00:33):
A very useful report.

Ori Wellington (00:35):
This report isn't just a survey. It's more like a detailed map showing us how risk management is dramatically evolving and where expert consulting fits into that rapidly changing landscape.

Sam Jones (00:45):
That's a good way to put it.
It provides clarity.

Ori Wellington (00:47):
Our mission today is to help you understand why risk management consulting, RMC, is no longer just a support function. It's really become a central strategic force in how enterprises operationalize what's called integrated risk management, or IRM. We'll unpack why this shift matters now more than ever,

(01:10):
highlight the key players driving this change and, crucially, provide some practical guidance for how businesses, large or small, can strategically select the right partners.

Sam Jones (01:16):
Yeah, that practical guidance is key.

Ori Wellington (01:18):
Over the next few minutes we'll explore the evolution from traditional GRC, that's governance, risk and compliance, to this more holistic IRM approach.

Sam Jones (01:27):
A necessary evolution.

Ori Wellington (01:28):
We'll dive into the surprising growth of the RMC segment, how cutting-edge AI is shaping this field and, perhaps most importantly, get into some concrete advice for choosing a consulting provider that truly delivers.

Sam Jones (01:40):
Sounds good, let's dig in.

Ori Wellington (01:42):
Okay, that idea of embedding risk really brings us to the core shift this report highlights. For years, many organizations approached risk through the familiar lens of GRC, but this report points to a fundamental, well, almost a reinvention of how risk is perceived and managed.

Sam Jones (01:58):
Yeah. What's truly transformative here, I think, is that risk management consulting, RMC, has moved beyond merely implementing software solutions. It's now the central orchestrator of integrated risk management.

Ori Wellington (02:09):
Orchestrator.
I like that.

Sam Jones (02:10):
Think of it this way: technology provides the instruments, right, but RMC firms write the score, conduct the orchestra and make sure everyone's playing in harmony to achieve real enterprise outcomes. Not just outputs, but outcomes.

Ori Wellington (02:23):
OK, so how does the report define that harmony,
that IRM?

Sam Jones (02:27):
Well, it lays out IRM around four key enterprise objectives, what it calls PRAC: Performance, Resilience, Assurance and Compliance.

Ori Wellington (02:35):
PRAC. Exactly.

Sam Jones (02:37):
And these aren't just buzzwords. They're activated through four integration points: goals, processes, assets and policies.

Ori Wellington (02:44):
Goals, processes, assets and policies.

Sam Jones (02:46):
Right. So when we talk about RMC's role, it's about making this blueprint a reality. For instance, linking enterprise risk management, ERM, directly to your strategic goals. Makes sense. Or connecting operational risk management, ORM, to your core business processes. It means tying technology risk management, TRM, to your critical assets and even your AI oversight.

Ori Wellington (03:07):
AI oversight, that's new.

Sam Jones (03:08):
And then modernizing GRC to serve these broader enterprise objectives, not just hitting regulatory marks.

Ori Wellington (03:14):
So, if we look back a bit, how did we get here? The report traces GRC back to the early 2000s. Powerful for compliance, sure, but often resulted in a lot of documentation over actual proactive management.

Sam Jones (03:28):
That's spot on. It could become documentation heavy. IRM really emerged as a structural response to that, emphasizing enterprise-wide coordination, even predictive analytics and really linking risk directly to performance.

Ori Wellington (03:41):
And you're saying this history still
matters now, in 2025.

Sam Jones (03:44):
Oh, absolutely. This historical context is vital because, honestly, a philosophical split is still very much alive in the market today.

Ori Wellington (03:51):
How so?

Sam Jones (03:52):
Some firms now truly lead with an IRM narrative. They see GRC tools as just one enabler within a much larger integrated strategy.

Ori Wellington (04:00):
Okay.

Sam Jones (04:00):
Others, though, still present IRM as simply GRC
modernization.

Ori Wellington (04:04):
Ah, so it's more of an upgrade than a
fundamental rethink for them.

Sam Jones (04:07):
Kind of, and for you, the buyer, the first approach, the IRM-led one, tends to show stronger cross-segment integration and better alignment with your actual business outcomes. The latter, the GRC modernization view, while often excellent in control rigor, still risks kind of recreating the very silos IRM is designed to break down.

Ori Wellington (04:26):
Yeah, you see, yeah, I get that. Now, what really jumped out at me from this report were the numbers on market growth. The entire IRM market is estimated to soar from about $61.6 billion in 2025 to a huge $147 billion by 2032. Massive numbers, but within that, RMC, the consulting piece, is the fastest growing segment, projected to rise from 9.5

(04:49):
billion to 28.2 billion over the same period. That's a 16.9 percent CAGR, compound annual growth rate.

Sam Jones (04:56):
It's remarkable, isn't it?

Ori Wellington (04:57):
What do you think is the biggest driver behind that unexpected acceleration? It seems counterintuitive, sometimes focusing on services over tech.

Sam Jones (05:05):
Well, that explosive growth reflects a simple, undeniable truth: enterprises aren't just buying individual controls or software anymore. They're buying coordination. They're buying resilience, they're buying tangible performance improvements, and consulting capacity is where that comprehensive coordination is actually engineered. Think about it: boards now demand AI assurance.

(05:25):
Regulatory environments are constantly shifting.

Ori Wellington (05:28):
Yeah, always volatile.

Sam Jones (05:29):
And digital interdependencies mean everything is connected. This forces buyers toward providers who can genuinely integrate strategy, process, assets and policies into one cohesive IRM program. It takes human expertise to stitch that together.

Ori Wellington (05:46):
And the report specifically calls out AI assurance as a new baseline requirement. But it also gives a warning, right? It says the market is long on ambition and short on verifiable delivery for AI. What does that actually mean for someone trying to buy these RMC solutions?

Sam Jones (06:00):
That's a really critical point and yeah, the report is quite direct there. Consulting firms are evolving their delivery models significantly. We're moving beyond, you know, the one-off gen AI pilot, right, the shiny object phase. Exactly. We're moving towards enterprise-grade multi-agent platforms with auditable trust layers. Think of frameworks aligned with ISO 42001. That's becoming the benchmark for trustworthy AI, ensuring

(06:23):
decisions are transparent, accountable, like having a clear audit trail for automated actions. Companies like KPMG with their Workbench, EY with their agentic platform extensions, Deloitte with Zora, aigovconnectai, PwC with AI Factory, they're essentially productizing parts of their delivery.

Ori Wellington (06:42):
So turning services into something more
like a product.

Sam Jones (06:45):
In a way, yes, and these shifts directly map to those PRAC outcomes we talked about: faster analytics for performance, autonomous responses for resilience, audible provenance for assurance, continuous monitoring for compliance. It all connects.

Ori Wellington (06:58):
But the warning, yeah. Long on ambition.

Sam Jones (07:00):
Right. However, you, as the buyer, need to be disciplined. Wheelhouse's analysis found that, while there's a lot of impressive talk, most of these platforms still function more like engagement scaffolding. They require significant customization.

Ori Wellington (07:12):
So not quite plug and play.

Sam Jones (07:21):
Not usually. No. Think of it like this: many firms offer you a beautiful toolbox with advanced AI tools, but you still often have to build the house yourself using those tools. It's not a prefab solution dropped on your doorstep. Got it. So setting clear verification gates, really budgeting for that integration work and favoring designs that preserve your optionality, your ability to switch things out later, are absolutely key. Don't get locked in too early based on promises.

Ori Wellington (07:43):
It really sounds like risk isn't just sitting in a specific department anymore, like the risk office. It's fundamentally becoming interwoven with every part of the organization.

Sam Jones (07:54):
Precisely. Risk is now integrated into algorithms. It's embedded in your supply chains. It even impacts how you access capital through disclosures. Everywhere, basically. Pretty much, and this demands orchestration across operational risk management, technology risk management and GRC. Those are exactly the interfaces where RMC firms design the governance, collect the data or telemetry and set up the escalation pathways. This integration is also leading to an emerging model,

(08:17):
sometimes called services as software or even digital FTEs in RMC.

Ori Wellington (08:23):
Digital FTEs.

Sam Jones (08:24):
Yeah, where providers offer subscription-based access to AI agents for continuous control operations. Imagine having AI-powered team members constantly monitoring and managing certain controls. 24/7.

Ori Wellington (08:37):
Wow. Okay, that's a big shift.

Sam Jones (08:39):
It is.

Ori Wellington (08:39):
This all sounds potentially very complex, though. So if a business understands this fundamental shift, the growth, the AI aspect, how does the Wheelhouse Advisors report help them cut through the noise and actually choose the right partner? It mentions a vendor compass.

Sam Jones (08:51):
Yes, the vendor compass. It's a brilliant tool really. It evaluates firms along two crucial axes. First is integration level, basically how well a provider connects IRM across different domains like ERM, ORM, TRM, GRC.

Ori Wellington (09:05):
Okay, the breadth of connection.

Sam Jones (09:06):
Exactly. And the second is service solution coverage. How much of the whole IRM lifecycle a provider can truly deliver, from strategy to operations, to technology?

Ori Wellington (09:16):
The depth. Makes sense.

Sam Jones (09:17):
Right. Firms are then categorized into three tiers, integrator, accelerator and pacesetter, based on a weighted scoring model across six criteria.

Ori Wellington (09:26):
And AI is weighted heavily.

Sam Jones (09:27):
It is. Notably, AI-enabled delivery and innovation gets a 20% weighting and for any AI claims, the report emphasizes rigorous verification. You need active client use of a functioning multi-agent platform.

Ori Wellington (09:41):
Not just a pilot.

Sam Jones (09:42):
Not just a pilot. Documented governance like ISO 42001, demonstrable interoperability with existing systems and at least one outcome metric directly tied back to PRAC. They really stress: show me, don't just tell me.

Ori Wellington (09:57):
Evidence-based. Okay, so who are some of the top players you see in each of these tiers, according to the report?
Sam Jones (10:01):
Well, the integrator tier, the ones really dominating in cross-segment program design and global scale, includes the big four firms: EY, KPMG, PwC and Deloitte.
Ori Wellington (10:11):
No big surprise there, maybe.

Sam Jones (10:12):
Perhaps not, but the report notes an interesting philosophical difference among them. EY and KPMG tend to lead with an IRM-first narrative, where GRC is seen as an enabler within that broader context. PwC and Deloitte maybe more often frame IRM as GRC modernization, although their actual delivery is increasingly spanning the full IRM lifecycle too. They're all making credible moves towards that agentic AI

(10:36):
delivery we discussed, like KPMG's Workbench or EYAI.
Ori Wellington (10:40):
Got it. And the other tiers, accelerators and pacesetters?

Sam Jones (10:43):
Right. Then you have the accelerators. Firms like FTI Consulting, ds Plus Pet Pertability. They deliver really strong value in more targeted domains, maybe complex investigations or specific areas like industrial safety. They accelerate progress in a particular area.

Ori Wellington (10:58):
Makes sense.
Specialized power.

Sam Jones (10:59):
Precisely. And finally, the pace setters. This includes firms like Grant Thornton, JS Held and RSM. These often offer strong niche strengths and are very credible, especially for the mid-market or for more fit-for-purpose goals where maybe you don't need the full global scale of an integrator. The report's advice is pretty clear: think about using integrators for that broad enterprise-scale orchestration.

(11:20):
Look to accelerators to fill specific capability gaps and consider pace setters for more focused programs where maybe agility or specific niche expertise is key.

Ori Wellington (11:28):
So tailoring the choice to the specific need.

Sam Jones (11:32):
Absolutely.

Ori Wellington (11:33):
Okay, this is incredibly helpful context. So what does this all mean for you, the listener? Whether you're leading a large enterprise grappling with these huge, complex systems, or maybe a growing midsize company trying to build resilience from the ground up, this report gives concrete guidance. What are the absolute top, say, two or three pieces of advice

(11:55):
for large enterprises looking to navigate this RMC space?

Sam Jones (11:59):
Yeah, great question. For large enterprises, if I had to boil it down, the most critical takeaways are first, aligning your partner selection very closely with your overall change agenda and, second, demanding measurable outcomes, especially when it comes to AI.

Ori Wellington (12:12):
OK.
Outcomes and evidence.

Sam Jones (12:14):
Exactly. So first, the report strongly emphasizes contract for outcomes, not just hours.

Ori Wellington (12:20):
That sounds simple, but probably isn't easy.

Sam Jones (12:22):
It requires discipline, but it's a strategic imperative. Tie the fees directly to measurable business outcomes, things like reducing time to assurance, speeding up incident recovery, cutting down audit exceptions.

Ori Wellington (12:33):
Real business metrics.

Sam Jones (12:35):
Real business metrics. Why is that shift so vital? Because it forces the consultant to be deeply invested in your success, not just their billable hours. It requires them to deliver a written operating model that clearly maps their work to those IRM integration points we discussed: goals, processes, assets and policies. It forces clarity.

Ori Wellington (12:55):
Makes sense.
What's the second key piece?

Sam Jones (12:57):
Second, regarding AI, adopt an evidence-first posture. You mentioned that long-on-ambition, short-on-verifiable-delivery line. The report is blunt: demand proof that goes way beyond marketing claims. What kind of proof? Insist on seeing at least two production use cases working live, examples relevant to your business, not just generic demos. Ask for documented trust controls, like that ISO 42001

(13:21):
alignment we mentioned. Get proof of interoperability with your existing risk tech stack. You need clear outcome metrics tied back to PRAC. If they can't show you tangible proof, honestly, you should be very skeptical.

Ori Wellington (13:31):
Okay, be demanding on proof for AI. Got it. Anything else for large enterprises?

Sam Jones (13:36):
And third, I'd say prioritize modular managed services. Look for contracts that offer flexibility, use open connectors and have clear data portability plans. You really want to avoid vendor lock-in down the road.

Ori Wellington (13:49):
Future proofing.

Sam Jones (13:50):
Exactly. This also connects to the report's recommendation for a practical 12-week proof of value. Don't try to boil the ocean. Scope two material use cases. Run a design workshop. Implement a minimal telemetry backbone. Basically, get the basic data flows working and then decide on a larger scale-up based on measurable improvements. Prove the value quickly before committing huge resources.

Ori Wellington (14:12):
Start small, prove it, then scale. Very practical. That makes a lot of sense for large organizations. But what about small and mid-sized enterprises, SMEs? Do they just fall in the same path, or are there important nuances in how they should approach selecting an RMC partner?

Sam Jones (14:27):
That's a really important distinction. While the core principles, outcomes, evidence, are definitely the same, the approach for SMEs needs to be optimized for speed, cost predictability and, frankly, minimizing the internal lift required from their potentially smaller teams.

Ori Wellington (14:42):
Okay, so efficiency and practicality are
paramount.

Sam Jones (14:45):
Absolutely. So first, when it comes to rightsizing the partner, those accelerators and selected pace setters we talked about are often the natural first choices for SMEs. They're usually excellent at packaging IRM capabilities effectively for a leaner organization.

Ori Wellington (15:00):
So maybe not automatically jumping to a big four firm.

Sam Jones (15:08):
Generally, engaging the big four is probably reserved for SMEs in highly regulated industries or those facing really complex multi-country transformations. For many SMEs, an accelerator or pace setter might offer a better fit and value.

Ori Wellington (15:17):
Okay, what about contracting and AI?

Sam Jones (15:20):
Second, just like larger companies, contract for outcomes, but for SMEs, fixed fee or clear milestone structures tied to those PRAC metrics are often even more critical for budget predictability. You need that clarity up front.

Ori Wellington (15:33):
Makes sense.
Predictable costs.

Sam Jones (15:35):
Third, maintain that same rigorous, evidence-first AI posture. The verification gates don't change just because you're smaller. You still need working production use cases relevant to you, documented trust controls and proof of interoperability. For SMEs, it's maybe especially important to prioritize multi-agent designs with explicit trust layers and open

(15:56):
connectors to simplify integration with whatever systems you already have.

Ori Wellington (16:00):
Keep it manageable.

Sam Jones (16:01):
Right, and finally, consider modular managed services. This can be a very cost-effective option for SMEs who might lack deep internal expertise in certain areas, but again, always ensure data portability and actively avoid proprietary lock-ins. You don't want to be trapped.

Ori Wellington (16:17):
Okay, any quick start advice for SMEs?

Sam Jones (16:19):
Yeah, the report suggests a similar practical 12-week quick start, but maybe even more focus for SMEs. Pick just one or two really critical business use cases. Define the decision rights very clearly up front and implement a minimal telemetry backbone using your existing platforms plus the consultant's accelerators. Then scale up based on those measurable improvements. Keep it focused, keep it fast.

Ori Wellington (16:41):
So the key RFP prompts for SMEs should focus on Optimize for package scope and price.

Sam Jones (16:46):
Definitely look for lightweight integrations and explore robust managed services options. Insist on clear cost controls, strong ongoing support and, importantly, useful templates or tools that reduce your team's internal burden, make it easier for your team.

Ori Wellington (17:02):
Excellent, very clear distinctions there.

Sam Jones (17:04):
So if we just zoom out for a second, connect this back to the bigger picture. What's crystal clear from this deep dive, I think, is that risk is no longer just some back office control function. It's not just about compliance anymore. It has fundamentally evolved into a strategic force that profoundly shapes the very performance, the resilience and, ultimately, the future success of an enterprise.

(17:25):
Fragmented oversight, those old compliance silos, they're simply unsustainable in today's complex, interconnected world.

Ori Wellington (17:33):
Yeah, the stakes seem much higher now. It's not just about avoiding bad things, but enabling good things too.

Sam Jones (17:39):
Precisely. It's about performance and resilience working hand in hand.

Ori Wellington (17:42):
So the real question for you, our listener, reflecting on all this, is how is your organization integrating risk? Is it just to protect itself from potential pitfalls, or are you actively using it to propel performance and build true, lasting resilience in what feels like an increasingly unpredictable world? That's the challenge.

(18:02):
This deep dive into the 2025 IRM Navigator Vendor Compass for RMC report has laid out a powerful framework and some really practical steps. We invite you to consider what part of this integrated risk management evolution, this shift from GRC to IRM, resonates most deeply with your own organizational challenges and, importantly, your opportunities.