
August 28, 2025 21 mins

Risk management evolution isn't just about new acronyms—it's about organizational survival in an increasingly complex world. When we examine the journey from checkbox compliance to genuine integration, we uncover profound lessons about how businesses navigate danger and why some approaches fundamentally fail when pressure hits.

This deep dive traces the fascinating progression from Governance, Risk and Compliance (GRC) through Enterprise Risk Management (ERM) to today's Integrated Risk Management (IRM) framework. Drawing from John Wheeler's powerful "Risk Ignored" series, we explore how GRC emerged after Sarbanes-Oxley as an elegant solution on paper that quickly collapsed under its own weight. As Norman Marks memorably quipped, GRC often stood for "Governance, Risk Management, and Confusion."

The consequences of failed risk management approaches come vividly alive through Wheeler's own experience at SunTrust Bank. Despite warning leadership about dangerously loosened mortgage controls, he found himself "exiled" to an empty office before eventually leaving. What followed was devastating: SunTrust required nearly $5 billion in bailout funds during the financial crisis and paid another billion in settlements specifically for the failures Wheeler had warned about. This cautionary tale perfectly illustrates academic research findings that risk frameworks often lack the critical "management lens"—an understanding of organizational culture, incentives, and how change actually happens.

The market eventually drove its own solution as vendors evolved their offerings beyond compliance toward integration. Wheeler's work at Gartner formalized this shift with the introduction of IRM in 2016, creating a framework that genuinely connects risk to decision-making through four key integration points: organizational goals, core processes, critical assets, and governing policies. The difference is profound—replacing the appearance of integration with actual decision-influencing integration that changes behavior and improves outcomes.

Try this revealing test in your organization: trace a recent significant business decision and determine when risk information entered the process. Was it part of initial strategic discussions, or merely a validation step at the end? The answer reveals whether you're dealing with true integration or just another siloed exercise that might leave you vulnerable when pressure hits.




Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sam Jones (00:00):
Have you ever looked at a really big business decision, you know, one of those ones that could genuinely make or break a company, and just thought, how can we be absolutely certain we're not sailing straight into an iceberg here? How do you actually spot those hidden risks, the ones lurking just beneath the surface, maybe waiting to sink the whole

(00:20):
enterprise? Today we're diving into a topic that, well, it often gets a reputation for being a bit dry, but I promise you what we're about to uncover is anything but. We're talking about risk management, and it's actually a gripping story, really, of how organizations have tried and often stumbled quite badly in their efforts to navigate danger. It reveals why some of the early approaches just, well, fell

(00:40):
short. So our mission for this deep dive is pretty clear: cut through all the acronyms, all the jargon, and trace this fascinating evolution. We'll start with GRC, that's governance, risk and compliance. Then we'll move through ERM, enterprise risk management, and finally land on what seems like a truly transformative approach, integrated risk management, or IRM. Get ready for some hopefully serious aha moments and maybe

(01:03):
some practical insights you can actually apply.

Ori Wellington (01:06):
Absolutely, and our main guide through this critical landscape is John A. Wheeler. He's the founder and CEO of Wheelhouse Advisors and really a recognized thought leader in integrated risk management. We've drawn quite heavily from his insightful Risk Ignored series, particularly a piece called the Academic Reckoning of Risk Management. And what's great is he weaves together his own personal

(01:28):
experiences, which were often quite challenging, with his really pivotal work later at Gartner, where he actually helped define these market categories we're talking about. So, yeah, we're going to unpack not just what happened in this whole evolution but why it's so, so relevant for pretty much every organization today.

Sam Jones (01:42):
Okay, right, let's kick things off. Then we're going back to the early 2000s, right after the Sarbanes-Oxley Act really fundamentally changed the game for corporate governance. Now, for anyone who might need a quick refresher, SOX, as it's known, that was that landmark US legislation enacted to protect investors from, well, fraudulent accounting, pushing companies towards much greater accountability.

(02:03):
And this is really where GRC, governance, risk and compliance, this is where it emerged as the kind of dominant framework. So what was GRC actually meant to achieve when it first arrived on the scene, and why did it get so much traction so quickly?

Ori Wellington (02:16):
Well, GRC was a direct response to a very real and quite urgent need for coherence. You see, post-Sarbanes-Oxley, companies suddenly found themselves just swamped by this proliferation of new regulations. So there was this desperate desire really to bring all these different compliance efforts, risk management, governance

(02:36):
activities under one unified roof. You had big players like Archer, PwC and Michael Rasmussen who were really instrumental in codifying it, and GRC, that acronym, it quickly became the defining term for a whole market that promised these integrated solutions. The core idea, I mean, it sounded elegant, right? Streamline compliance, proactively manage risks, ensure

(02:58):
good governance all at once, maybe from a single software platform.

Sam Jones (03:01):
Yeah, it sounds incredibly logical on paper, like you said, elegant, almost like a silver bullet for all those corporate headaches. But then it seems it quickly became clear that GRC was maybe collapsing under its own weight. What was the fundamental flaw? What led to its decline?

Ori Wellington (03:14):
Well, what's fascinating here is how quickly people on the ground, the practitioners and academics too, spotted the cracks. You mentioned Norman Marks, a well-known practitioner. He famously quipped that GRC actually stood for governance, risk management and confusion.

Sam Jones (03:29):
Confusion, okay.

Ori Wellington (03:30):
Exactly, and even earlier Michael Power from the London School of Economics, he'd issued this really prescient warning. He said the risk management of everything would inevitably become the risk management of nothing.

Sam Jones (03:43):
The risk management of nothing.
That's quite a statement.

Ori Wellington (03:46):
It is, and the critical insight there, I think, is that when you try to manage everything without genuine operational integration, without connecting it to how things actually get done, you risk managing nothing of real substance. The fundamental issue was this huge breadth, but without operating leverage. GRC promised the world, but in practice it often delivered very little in terms of real practical

(04:09):
integration that actually impacted decisions. Too often it just ended up being primarily a compliance exercise, generating reports, ticking boxes, but not truly protecting against genuine risk.

Sam Jones (04:19):
Right. So for you listening, that's a really crucial takeaway, isn't it? Just having a system, a piece of software, doesn't automatically mean it's effective. It needs to genuinely integrate with and actually influence core business decisions. Otherwise, like you said, it's just window dressing. And to really drive this point home, the source material shares this powerful real-world anecdote from John Wheeler

(04:39):
himself from his time at SunTrust Bank. Can you tell us about that, that pivotal meeting he describes?

Ori Wellington (04:44):
Absolutely. Quite a story. Wheeler recounts this critical meeting he had with the new CEO and also the head of mortgage banking at SunTrust, and he pretty courageously, it sounds like, outlined the substantial exposures the bank was facing, exposures created because they were deliberately loosening mortgage controls, all in this relentless chase for growth, for market share.

(05:05):
He actually describes the head of mortgage banking physically riding in his chair as the serious implications of these decisions landed. You can just picture it, right, that palpable discomfort as the truth of the risk in that strategy became undeniable in the room.

Sam Jones (05:19):
Wow. So he laid it out starkly, directly to the top leadership. That takes guts. How did his unwelcome objections, as the source calls them, how did that affect him personally? And then exile is the term used, parked in an empty office for nearly a year before he eventually left in early 2008, actually to launch his own firm, Wheelhouse Advisors.

Ori Wellington (05:55):
So this personal experience, it just directly underscores this huge cost of separating risk from decision making. You see, the systems, the GRC talk, might have been there on paper, but the incentives, the leadership culture, they were pushing in a completely different direction.

Sam Jones (06:10):
That's chilling, honestly, how precisely those warnings, those concerns he raised, played out later. It really highlights that old saying, doesn't it? The writing was on the wall, but maybe nobody was reading it, or perhaps, more accurately, nobody wanted to read it when short-term growth seemed so attractive. So the financial consequences for SunTrust. Did those loosened

(06:31):
controls eventually catch up with them massively?

Ori Wellington (06:34):
Oh, absolutely. What happened next was, well, sadly predictable, and it serves as such a stark warning. The bank ended up requiring nearly $5 billion in TARP funding. That's the Troubled Asset Relief Program, you know, the government bailout during the financial crisis. $5 billion just to survive, just to survive. And then later, in 2014, they had to pay almost another

(06:54):
billion dollars in settlements with the Department of Justice specifically for those very loosened controls and the massive failures in mortgage origination and servicing he'd warned about. And ultimately, in 2019, SunTrust combined with BB&T. It was presented as a merger of equals forming Truist, but many observers really saw it as the culmination of this long risk

(07:16):
hangover from the crisis years. The lesson seems crystal clear, doesn't it? Governance frameworks, fancy software tools, they just cannot run on separate tracks while the actual business incentives are driving behavior in a completely different direction.

Sam Jones (07:29):
So SunTrust had the GRC tech, they had ERM programs in place, apparently, but neither could hold back that tide when the pressure really hit. If the systems were there but failed so catastrophically, what's the most insidious part of that critical design flaw? Was it fundamentally a technology problem, a people problem, or something else entirely?

Ori Wellington (07:47):
That is such a crucial question, and it really points to a systemic issue. I think it wasn't just the technology problem, although maybe the tools were inadequate too, but fundamentally it was a people and culture problem. A failure of governance, yes, but also of incentives to align properly with genuine risk management. The technology, in a way, just reflected that disconnect. It didn't create it.

(08:07):
The truly insidious element, perhaps, was this underlying belief, this assumption that risk could somehow be managed off to the side, in a silo separate from the core business decisions, which of course makes it incredibly easy to ignore when those tempting short-term gains are on the line.

Sam Jones (08:23):
Right, that separation seems key. This story really highlights that huge gap between aspiration, what GRC and ERM said they did, and the reality on the ground, a disconnect that technology alone just couldn't bridge. But okay, what were the academics saying around this time about the limitations of these approaches like ERM? How did their research maybe complement these kinds of real

(08:44):
world experiences and provide a broader diagnosis?

Ori Wellington (08:47):
Yeah, that's important because it raises the question why weren't these systems working effectively, despite all the investment and presumably good intentions? The source highlights a really significant 2015 research paper. It was published in a journal called Long Range Planning by Bromiley, McShane, Nair and Rustambekov, and they

(09:09):
specifically looked at enterprise risk management, ERM. They did this meticulous review of the whole field and found that, despite all the buzz, ERM definitions actually varied wildly. Any consensus was mostly superficial, you know, existing mainly on paper, as they put it. Now, there was some agreement on managing risks as a portfolio and including strategic risks, which was a step forward. But the actual empirical record, the evidence of ERM's

(09:32):
effectiveness in practice, it was decidedly mixed, often aspirational but not truly impactful where it counted.

Sam Jones (09:38):
Okay, so the academics were seeing inconsistencies and mixed results, but you mentioned this missing management lens. That sounds critical. Before we get to that, I wonder, though, was there anything that ERM did get right, or was it just fundamentally flawed from the start, despite those good intentions you mentioned?

Kelsey Hutchinson (09:52):
That's a fair question. ERM certainly had the right aspiration. That idea of viewing risk holistically as a portfolio was important, and definitely trying to consider strategic risks, moving beyond, just say, insurable risks or purely financial ones. That broadened the conversation, no doubt, but the research really highlighted its, you could say, fatal flaw, this profound

(10:12):
missing management lens, aspects that are absolutely critical to how organizations actually operate day-to-day. Things like the prevailing culture, the incentive structures, who has decision rights, how organizational change happens. These were largely absent from the academic literature on ERM. So in essence, ERM described an aspiration, what companies should do ideally, but it didn't really explain performance or,

(10:33):
crucially, how to actually achieve that integrated state. And this diagnosis, it just perfectly matched Wheeler's lived experience at SunTrust, right, that two-tracks problem. It wasn't just about technology running separately; it extended to the very way organizations thought about and tried to implement risk management itself.

Ori Wellington (10:48):
So the collapse of GRC, or at least its reputation, and then the clear inadequacy of this kind of compliance-first ERM, it created a pretty significant void. The big question for both scholars and practitioners became quite simply, okay, what comes next? And what's really fascinating is that the market itself actually started to close this gap almost organically, before

(11:08):
any new labels or acronyms really emerged to describe the shift.

Sam Jones (11:12):
Okay, so this structural correction, as the source calls it, this fundamental shift we're talking about, how did it actually begin to take shape in the real world, on the ground? What did that look like in practice?

Ori Wellington (11:24):
Well, you started seeing companies like Mitratech, MetricStream, Archer, some of the original GRC pioneers, actually starting to evolve their offerings, but they were evolving in response to genuine market demands, what customers were asking for. Mitratech, for example, started demonstrating how legal risk beta wasn't just for the legal department's compliance.

(11:45):
It needed to be integrated into strategic oversight. MetricStream began pushing its capabilities beyond pure compliance risk, moving more into IT risk management, or TRM, focusing on things like asset ownership and security vulnerabilities. Archer, which already had a strong foothold in IT risk, then positioned itself more towards operational risk management, ORM,

(12:05):
which is all about the risks in an organization's day-to-day operations and processes. And this wasn't just, you know, clever rebranding or marketing spin. It really signaled that both the buyers, the companies needing solutions, and the sellers, the software vendors, they were already moving towards a more integrated model. They were recognizing the necessity of connecting these

(12:26):
previously disparate risk areas, simply because that's where risk actually happens in a business.

Sam Jones (12:31):
And this, then, is where John Wheeler's role at Gartner becomes absolutely crucial. Not just observing the shift, but actually putting a name to it, naming this new, more integrated approach and, importantly, making it an official market category that Gartner would track.

Ori Wellington (12:46):
Precisely. Exactly right. When Gartner approached him wanting to reinvigorate their technology coverage, he made a very conscious, very deliberate choice. He decided not to simply extend the existing GRC coverage because he'd seen its flaws firsthand. Instead, he chose to focus on what he called the adjacencies, where risk is managed in practice and, crucially, adding

(13:08):
the management evidence at scale, the real-world data that academic research sometimes lacked. Through extensive practitioner surveys, lots of meticulous field research, they documented how GRC tools were actually being used on the ground, how ERM programs were really structured, where that integration consistently broke down and, maybe most importantly, what buyers actually needed to get real work done to manage risk effectively.

(13:31):
And all this wealth of evidence, this data, it ultimately led to the creation of the 2016 Market Guide for Integrated Risk Management, IRM. Ah, okay, so that's where IRM formally enters the picture. That's the formal beginning, yes, and that market guide was then followed by the very first IRM Magic Quadrant in 2018. So the point Wheeler makes is they weren't trying to create a fashion or dictate a trend.

(13:52):
They were simply giving a name and, importantly, a framework to what the market was already organically doing, recognizing a fundamental structural correction that was, frankly, long overdue.

Sam Jones (14:03):
Okay, that context is really helpful, but given the, let's say, ambitious promises and subsequent failures of GRC, and then the academic critiques of ERM not going far enough, the bar for any new approach has got to be incredibly high, right? So when we talk about integrated risk management, IRM, are we genuinely talking about a fundamental shift in philosophy, a different way of thinking, or is it maybe just a more

(14:23):
refined iteration, a version 2.0 of what came before?

Ori Wellington (14:27):
That's the million-dollar question, isn't it? And if we connect this back to the bigger picture, the source is emphatic. IRM is not just a new coat of paint for GRC, nor is it merely a modest tune-up of ERM. It's truly described as a structural correction in how organizations need to think about and manage risk, and the IRM Navigator Framework, which Wheeler helped develop, isn't

(14:50):
just a vague concept. It's intended as a detailed blueprint. It provides organizations with a concrete operating model for how to actually do this integration effectively, rather than just talking about it in meetings [...] organization actually manages risk day to day.

Sam Jones (15:04):
How does it integrate these different, often siloed aspects like IT risk, operational risk, compliance into a cohesive whole? And maybe, more importantly for you listening, what's a tangible way you can assess if your own organization is achieving actual integration with IRM, rather than just the

(15:26):
appearance of integration we talked about with GRC? What's maybe one question you could ask yourself or your team tomorrow morning?

Ori Wellington (15:31):
Great questions. Essentially, IRM is about bringing together all those critical components that historically have often operated in isolation. So it integrates ERM, enterprise risk management, which still provides the overall strategic goals and governance structure. It integrates ORM, operational risk management, for handling specific process risks and clarifying ownership within those processes.

(15:52):
It integrates TRM, technology risk management, for securing assets and managing all those technology-related risks, which are huge today. And then it weaves in the key necessary elements of GRC, things like policies, controls and assurance activities across the board. The framework organizes objectives into four key areas: performance, resilience, assurance and compliance. You

(16:13):
need all four. And, crucially, it aligns the actual work, the activities, at four essential integration points: the organization's goals, its core processes, its critical assets and its governing policies. The intent here is profoundly practical. It's designed to replace that appearance of integration, which GRC often delivered through siloed reports or dashboards, with actual integration, integration that genuinely

(16:34):
changes decisions, affects behavior and improves outcomes, rather than just producing artifacts that get filed away. And as to your question about how listeners can assess this, a really great way to start is to trace a recent significant business decision made in your organization.

(16:54):
Ask how early, how fundamentally, was relevant risk information, relevant risk data, integrated into that decision-making process? Was risk part of the initial strategic discussion, genuinely influencing the options considered right from the outset? Or was it brought in much later, maybe as a validation step near the end, a final checkbox sign-off, or, worse, only discussed in the post-mortem after something went wrong?

Sam Jones (17:13):
Ah, that's a great litmus test.

Ori Wellington (17:14):
Yeah. If risk is still just a separate sign-off at the end or largely an afterthought, then you're likely still dealing with the appearance of integration, not the actual embedded kind that IRM really champions.

Sam Jones (17:25):
Wow, what an incredible journey we've taken today, really. We've traveled all the way from those lofty, maybe sometimes over-promised ambitions of GRC through the stark and, frankly, quite painful realities exposed by the global financial crisis and those sharp academic critiques of ERM, and finally landing on this much-needed structural correction offered by

(17:46):
integrated risk management, IRM. It seems abundantly clear this is about so much more than just, you know, checking boxes or satisfying regulators. It's really about embedding risk awareness, risk thinking, into the very fabric of an organization's decision-making process, making it an integral part of how work gets done every day, not just some separate compliance exercise off to the

(18:06):
side.

Ori Wellington (18:07):
Absolutely. And as we close out this deep dive, it feels right to circle back just briefly to John Wheeler's pivotal meeting at SunTrust all those years ago. Remember, his warning wasn't really about a specific control box on a spreadsheet somewhere. It was fundamentally about deeply ingrained behavior. It was about powerful incentives driving risky actions and the very real, devastating consequences that he saw coming.

(18:29):
The financial crisis didn't just expose financial vulnerabilities. It revealed what all those compliance reports and executive dashboards had managed to hide, or at least obscure. So this deep dive, I hope, has shown us how GRC, despite its initial promise, kind of lost its way and how IRM emerged, not as a fad, but as the necessary practical integration that effective business execution has really required all along.

(18:51):
So for you, the listener, the final question perhaps becomes where in your organization, or maybe in your field, are critical decisions still being made in silos, still separate from a truly integrated, holistic understanding of risk and its potential real-world implications? What happens when the pressure inevitably hits your two tracks?
© 2025 iHeartMedia, Inc.