
September 5, 2025 21 mins

Governance, Risk, and Compliance (GRC) has undergone a remarkable transformation. What was once the "department of no" – characterized by manual checklists, endless audits, and rooms full of binders – has evolved into a strategic verification backbone powering trust across organizations.

This radical shift positions GRC at the center of Integrated Risk Management (IRM), where policies, controls, and compliance data flow dynamically through organizations to provide real-time assurance. The market reflects this evolution, with GRC projected to grow from $12.1 billion in 2025 to $25.1 billion by 2032 – not as an unavoidable cost, but as a strategic investment that builds market-enhancing trust and enables bolder innovation.

The IRM Navigator™ Vendor Compass for Governance, Risk and Compliance - 2025 Edition reveals how modern GRC anchors the policies integration point within a framework organized around Performance, Resilience, Assurance, and Compliance (PRAC). Acting as an organizational immune system, GRC provides auditable evidence linking Enterprise Risk Management (ERM), Operational Risk Management (ORM), and Technology Risk Management (TRM) into a cohesive ecosystem where information flows seamlessly across previously siloed functions.

Selecting the right solution requires evaluating platforms on solution coverage and integration capabilities. Vendors fall into three categories – Integrators, Accelerators, and Pacesetters – aligned with an organization's position on the maturity curve from Foundational (manual processes) to Autonomous (AI-driven sensing with real-time assurance). Leadership perspectives have expanded beyond traditional risk leaders to include Legal, Finance, HR, and Data executives, all shaping requirements and demanding specific evidence types.

The future of GRC hinges on continuous assurance, robust AI governance, and seamless integration. Ask yourself: Is your organization still ticking compliance boxes, or building an adaptive, intelligent assurance system capable of navigating tomorrow's complex risk landscape? Transform your GRC function into the foundation of enterprise trust that empowers your organization to thrive amid uncertainty.

Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
What if the very systems designed for rules and regulations, you know, the ones often seen as just a necessary burden, could actually become the engine of innovation and trust for an entire organization? For years, governance, risk and compliance, GRC, it felt like the department of no, right?

Sam Jones (00:18):
Oh, absolutely.

Ori Wellington (00:18):
All those manual checklists, the endless audits. I remember one client, they literally had a room full of binders just for compliance stuff.

Sam Jones (00:25):
That's a perfect image. Binders and spreadsheets.

Ori Wellington (00:28):
Exactly. But today we're going to unpack how GRC is undergoing this really radical transformation. It's becoming the verification backbone of something even bigger: integrated risk management, or IRM.

Sam Jones (00:40):
That's right. The shift is monumental. While you'll still hear GRC discussed in terms of audits and policies, the conversation has dramatically shifted from those physical binders and reactive gotcha audits.

Ori Wellington (00:52):
Right.

Sam Jones (00:52):
Our deep dive today. It's based on the 2025 IRM Navigator Vendor Compass for Governance, Risk and Compliance report by Wheelhouse Advisors, and it really reveals GRC as a truly strategic asset. Strategic, okay, yeah, it's about how policies, controls and compliance data now flow dynamically through an organization, providing real-time assurance to

(01:14):
leadership and building measurable trust with stakeholders.

Ori Wellington (01:18):
So our mission for you today is to cut through any lingering jargon, really show you not just what GRC is now, but why this evolution truly matters. We'll explore how it fits into that broader IRM landscape, what capabilities are absolutely non-negotiable for modern businesses and how leaders are actually using it to navigate everything from cutting-edge AI governance to complex

(01:40):
sustainability disclosures.

Sam Jones (01:42):
It touches everything.

Ori Wellington (01:43):
Get ready for some genuine aha moments. I think that will redefine your understanding of risk and compliance.

Sam Jones (01:48):
We'll do it.

Ori Wellington (01:49):
Okay, let's dive right into this transformation, then. The report makes it abundantly clear GRC is no longer just about record keeping. It's truly shifted, hasn't it, from being a back office function to something front and center.

Sam Jones (02:02):
Absolutely front and center, and what's truly fascinating here is the sheer scale and complexity driving this evolution.

Ori Wellington (02:08):
Tell us about that. What are the big drivers?

Sam Jones (02:10):
Well, the report highlights escalating regulatory demands, and these are global, now much more complex. There's also the convergence of assurance requirements across different regions. You can't just satisfy one regulator anymore.

Ori Wellington (02:22):
Makes sense.

Sam Jones (02:23):
And there's a growing executive need, a real demand for evidence-based oversight. Boards want proof.

Ori Wellington (02:30):
Proof, not just promises.

Sam Jones (02:31):
Exactly. Think about the intense pressures around, say, AI governance. That's huge right now.

Ori Wellington (02:37):
Oh yeah.

Sam Jones (02:37):
Critical sustainability disclosures, ESG reporting and cyber resilience. Always cyber resilience. These aren't just IT or legal issues anymore. They're enterprise wide challenges demanding an integrated response.

Ori Wellington (02:51):
And these aren't just abstract ideas floating around. There's real financial muscle behind this shift. The report tells us the broader IRM market is projected to skyrocket.

Sam Jones (02:59):
Numbers are staggering.

Ori Wellington (03:00):
Right. From $61.6 billion in 2025 to a whopping $147.0 billion by 2032. There's a compound annual growth rate of what, 13.2 percent? 13.2 percent, huge growth. And GRC itself. It accounts for a significant chunk of that, an estimated $12.1 billion in 2025, forecasted to reach $25.1 billion by 2032.

Sam Jones (03:24):
Still growing strong at 11.1% CAGR.

Ori Wellington (03:27):
That's serious growth, showing how vital it's become. But you know, those aren't just big numbers. They speak to a fundamental shift in how organizations value risk and compliance. Expert. What does this massive financial growth really signal? Is it just an unavoidable cost or is it a strategic investment now?

Sam Jones (03:45):
It's definitely the latter. It's strategic. What we're seeing is a market recognizing that effective GRC isn't just about avoiding penalties anymore, it's about unlocking competitive advantage. It's building trust that drives market cap, allows for bolder innovation. Honestly, the cost of not investing is what's truly skyrocketing now.

Ori Wellington (04:00):
That's a great point.

Sam Jones (04:01):
Precisely. But despite that growth, GRC's share of the total IRM market is expected to slightly decline, actually from about 19.5 percent down to 17.0 percent.

Ori Wellington (04:10):
OK, wait, growing fast, but its share is declining. How does that work?

Sam Jones (04:14):
Yeah, it sounds counterintuitive, but it isn't a negative sign for GRC. It reflects a larger structural shift. The market is moving away from sort of compliance-first siloed investments towards more integrated, AI-enabled resilience and assurance across the board.

Ori Wellington (04:31):
So the whole pie is getting much bigger and other areas, like maybe AI risk or operational resilience tech, are growing even faster, pulling up the average.

Sam Jones (04:40):
Exactly. The whole IRM space is expanding rapidly. As John A. Wheeler, the founder of Wheelhouse Advisors, puts it, and I think this sums it up nicely: modern GRC earns its place when assurance and compliance data flows upward to the board, across operations and into technology signals.

Ori Wellington (04:57):
Integration, that's the key word.

Sam Jones (04:58):
That's the integration standard we're talking about. It has to connect.

Ori Wellington (05:01):
So the big takeaway for you listening is that GRC platforms are now the verification backbone, the sort of central truth source for integrated risk management.

Sam Jones (05:11):
That's a good way to put it. Verification backbone.

Ori Wellington (05:13):
Their ability to connect policies and controls with actual enterprise objectives is absolutely essential now for navigating regulatory scrutiny, building resilience. It's a complete flip from that grudging expense to being an engine that genuinely fuels enterprise trust.

Sam Jones (05:30):
Couldn't agree more.

Ori Wellington (05:31):
I found this next part particularly illuminating. If GRC is now our verification backbone, how does it physically connect to the wider nervous system of integrated risk management?

Sam Jones (05:42):
Right, how does it plug in?

Ori Wellington (05:44):
Yeah, the report's IRM Navigator model offers this brilliant framework for understanding that architecture. Can you walk us through its core structure?

Sam Jones (05:52):
Absolutely so. If we connect this to the bigger picture, the IRM Navigator model gives us a blueprint for this integration. It organizes everything around four core enterprise objectives: performance, resilience, assurance and compliance, or PRAC.

Ori Wellington (06:06):
P-R-A-C.

Sam Jones (06:07):
Think of PRAC as the ultimate goals, the outcomes you want for any healthy organization.

Ori Wellington (06:12):
Performance, resilience, assurance, compliance, got it.

Sam Jones (06:14):
These goals are then activated through four key integration points: goals, processes, assets and policies.

Ori Wellington (06:20):
Goals, processes, assets, policies.

Sam Jones (06:23):
And this is where GRC steps in. It specifically anchors the policies integration point.

Ori Wellington (06:28):
Okay, GRC anchors policies, but doesn't that risk making it seem like it's still just about documents and rules, maybe? How does it shed that older perception within this IRM framework?

Sam Jones (06:40):
That's a really crucial distinction to make. While policies are foundational, yes, GRC's role here is to make those policies living documents, not static ones.

Ori Wellington (06:49):
Living documents, how so?

Sam Jones (06:51):
Think of GRC as maybe the immune system for your entire organization's integrated risk management.

Ori Wellington (06:56):
Okay, interesting analogy.

Sam Jones (06:57):
Just as your immune system verifies threats and defends your body, GRC provides the auditable evidence, the verified passports, if you will, that link all your risk management efforts. That means across enterprise risk management, ERM, operational risk management, ORM, and technology risk management, TRM.

Ori Wellington (07:15):
Ah, linking them all together.

Sam Jones (07:16):
Exactly. Linking them to accountable policies, certifiable controls and reliable disclosures. So, for example, your ERM efforts, the ones aimed at strategic risks for the board.

Ori Wellington (07:26):
Right, the big picture stuff.

Sam Jones (07:27):
They consume GRC outputs for that board confidence and disclosures and certifications. Your ORM teams focused on daily operations.

Ori Wellington (07:36):
Keeping the lights on.

Sam Jones (07:37):
They leverage GRC control data to strengthen those processes, improve resilience against disruptions. And TRM, which handles your technology and cyber risks.

Ori Wellington (07:46):
Increasingly critical.

Sam Jones (07:48):
They integrate GRC attestations for validating those controls. This is especially crucial with complex things like AI governance challenges. GRC provides the proof it's working.

Ori Wellington (07:58):
That's incredibly clear. Now GRC is the central nervous system, or maybe the circulatory system, ensuring consistent, verifiable information flows to all the other risk functions, providing that stamp of legitimacy.

Sam Jones (08:10):
That's it. It ensures integrity across the system.

Ori Wellington (08:13):
And the report notes that the boundaries between these IRM segments, ERM, ORM, TRM, GRC and even risk management consulting, RMC, they're becoming increasingly permeable. There's a clear shift towards unified cross-domain orchestration.

Sam Jones (08:27):
Yeah, the silos are breaking down, or at least they need to be.

Ori Wellington (08:30):
You simply can't have one truly effective function without the others anymore. It's all interconnected.

Sam Jones (08:36):
Absolutely.
Integration is key.

Ori Wellington (08:38):
Okay, so understanding GRC's evolved role is one thing.

Sam Jones (08:41):
Yeah.

Ori Wellington (08:42):
But for many of you listening, the real question becomes how do I choose the right solution in this complex landscape?

Sam Jones (08:49):
That's the practical challenge, isn't it?

Ori Wellington (08:51):
Thankfully the report doesn't just theorize. It offers a practical vendor compass to guide that decision. How does it simplify this evaluation?

Sam Jones (08:58):
Well, this raises an important question about how you assess value in what's a rapidly changing market. The vendor compass evaluates GRC platforms along two primary dimensions.

Ori Wellington (09:09):
Okay, two dimensions.
What are they?

Sam Jones (09:10):
First, solution coverage. This is basically the breadth and depth of core GRC functionality. Things like obligation management, control testing, audit management, ethics reporting, disclosure reporting. The basics, but done well.

Ori Wellington (09:24):
The what it does.

Sam Jones (09:25):
Exactly. The second dimension is level of integration. This focuses on how deeply the platform connects that assurance data across the broader IRM framework.

Ori Wellington (09:34):
How well it connects.

Sam Jones (09:35):
Precisely. This includes critical capabilities like interoperability with ERM, ORM and TRM systems. It includes continuous control monitoring, or CCM.

Ori Wellington (09:46):
CCM.
Tell me more about that.
Sounds important.

Sam Jones (09:49):
Oh, it is. Think of CCM as moving from, say, a quarterly audit snapshot to a live, always-on diagnostic system for your policies and controls.

Ori Wellington (09:59):
Like a real-time health check.

Sam Jones (10:01):
Exactly. Catching issues as they happen, not months later in an audit. And robust support for AI governance is also part of that integration measure now.

Ori Wellington (10:09):
Gotcha. So it's not just what the platform does, but how well it connects to everything else. And based on these two dimensions, coverage and integration, vendors fall into three categories: integrators, accelerators and pacesetters.

Sam Jones (10:21):
That's right.

Ori Wellington (10:21):
Can you give us a quick overview of who these players are, sort of the flavor of each category?

Sam Jones (10:25):
Certainly so. Integrators: these typically have extensive coverage and a proven ability to integrate across multiple IRM domains. They're usually best for organizations already at the extended stage of maturity. We'll talk about maturity next.

Ori Wellington (10:39):
Okay, the big comprehensive players.

Sam Jones (10:41):
Right. Think of vendors like Archer, AuditBoard, Riskonnect and OneTrust in this space. Then you have accelerators.

Ori Wellington (10:48):
Accelerators.

Sam Jones (10:48):
These demonstrate real innovation and strong momentum, maybe in selected GRC areas, but they're moving fast. They often serve as great entry points for rapid maturity gains.

Ori Wellington (10:58):
Good for catching up or focusing.

Sam Jones (11:00):
Yeah, they typically fit embedded or coordinated maturity programs. Examples here would include Corporater, Diligent, MetricStream, NAVEX, SAI360, ServiceNow and Workiva.

Ori Wellington (11:12):
Okay, and the third group.

Sam Jones (11:14):
Pacesetters. These tend to offer narrower scope or maybe targeted depth in specific areas. They're often well-suited for the mid-market or for specialized use cases, but generally have more limited broader IRM integration capabilities today.

Ori Wellington (11:26):
So, more focused solutions.

Sam Jones (11:28):
Exactly. They align well with foundational or coordinated maturity levels. Think of LogicGate, Onspring, ProcessUnity, Resolver and Origami Risk in this category.

Ori Wellington (11:38):
And you mentioned these categories connect directly to the IRM Navigator Maturity Curve. This curve describes how organizations evolve from those siloed, spreadsheet-driven practices towards autonomous assurance.

Sam Jones (11:51):
Right. It maps the journey.

Ori Wellington (11:53):
What are the key stages on that journey for you, the listener, to be aware of?

Sam Jones (11:56):
Yeah, the curve outlines five critical stages of evolution. It starts with one, foundational. This is where many still are, unfortunately. Manual, siloed, often heavily spreadsheet-driven processes. Very reactive. Binder land. Binder land, exactly. Stage two is coordinated. Here data starts to centralize, maybe in a single system, but

(12:17):
workflows are still quite fragmented across departments.

Ori Wellington (12:20):
Getting organized, but not connected.

Sam Jones (12:22):
Pretty much. Stage three is embedded. This is where risk and compliance thinking starts to integrate more deeply with operational systems. You see early continuous control monitoring starting to emerge here.

Ori Wellington (12:33):
Things are starting to talk to each other.

Sam Jones (12:35):
Right. Stage four is extended. This is a big leap here. Taxonomies, risk language and platforms are shared across internal functions and even sometimes with third parties. GRC data flows reliably into ERM dashboards, ORM resilience routines, TRM telemetry.

Ori Wellington (12:52):
Real integration happening.

Sam Jones (12:53):
Yes, and organizations at this stage, they expect measurable outcomes like significantly shorter audit cycles, faster reporting, disclosure-ready evidence packs on demand.

Ori Wellington (13:03):
Value becomes tangible.

Sam Jones (13:05):
Definitely. And finally, stage five, the ultimate stage, is autonomous. This is the future state, really. AI-driven sensing, continuous control testing, automated mitigation where possible, with near real-time assurance. This includes sophisticated AI governance becoming baked in. Well, moving from spreadsheet chaos to that sort of

(13:25):
supercomputer assurance we talked about earlier, that's the vision, but the report emphasizes something important: true maturity isn't just about the system you buy.

Ori Wellington (13:33):
It's more than tech.

Sam Jones (13:34):
Much more. It's about a mindset, what the report calls integrated risk thinking, that focuses on cross-functional integration, proactive management, enterprise-wide ownership and adaptability.

Ori Wellington (13:47):
Culture eats strategy, right? Always. That autonomous stage sounds incredibly powerful, but, as we know, platforms don't implement themselves. People do.

Sam Jones (13:56):
People, process, technology, in that order.

Ori Wellington (14:00):
So who are the key leadership personas driving and influencing these GRC decisions, and how does understanding their perspectives affect your approach when you're selecting solutions?

Sam Jones (14:11):
That's such a critical point. The report identifies the primary buyers, the usual suspects, if you like: the chief compliance officer, CCO, the chief audit executive, CAE, the chief risk officer, CRO, and the chief information security officer, CISO. They often hold the budget.

Ori Wellington (14:26):
Okay, the core risk and compliance leaders.

Sam Jones (14:28):
But there's a broader circle of really powerful influencers now. Think about the chief legal officer, CLO. The chief financial officer, CFO, demanding reliable numbers. The chief human resources officer, CHRO, concerned with ethics and conduct.

Ori Wellington (14:41):
Right. Risk touches everyone's domain.

Sam Jones (14:43):
And increasingly the chief data officer, CDO, especially with the complexities around AI governance and data privacy. These leaders don't just passively consume GRC outputs. They actively shape requirements. They demand specific kinds of evidence.

Ori Wellington (14:59):
So GRC becomes their common ground.

Sam Jones (15:02):
Exactly. Imagine the CLO ensuring regulatory compliance, while the CDO is focused on ethical AI usage. GRC becomes the common operating language, the sort of neutral territory where these diverse needs get translated into unified policies and verifiable actions.

Ori Wellington (15:17):
So understanding their individual pain points and priorities is absolutely key.

Sam Jones (15:22):
It's essential for selecting a GRC solution that truly serves the entire enterprise, not just one department.

Ori Wellington (15:28):
This implies that for you, the listener, understanding who needs what from GRC is just as vital as comparing feature lists.

Sam Jones (15:35):
Absolutely.
Context is everything.

Ori Wellington (15:37):
And the report offers very specific guidance, doesn't it, for different types of organizations trying to navigate this landscape.

Sam Jones (15:42):
It does, it gets quite practical. For large enterprises, the guidance is pretty clear: favor those integrator vendors for true unification across complex global operations.

Ori Wellington (15:51):
Go big for big challenges.

Sam Jones (15:53):
Right. Demand proven cross-domain integration. Rigorously evaluate reporting and disclosure capabilities, that's key for investor confidence, and scrutinize AI governance readiness with a fine-tooth comb.

Ori Wellington (16:07):
Which vendors stand out there?

Sam Jones (16:08):
Well, integrators like Archer, AuditBoard and OneTrust are traditionally strong here, and some accelerators like ServiceNow and Workiva are really advancing rapidly in their AI governance capabilities too.

Ori Wellington (16:20):
Okay, what about for small and midsize enterprises? SMEs, different path.

Sam Jones (16:26):
Yeah, the path often differs slightly. They might leverage accelerators like NAVEX or SAI360 for getting fast breadth across core compliance and ethics needs.

Ori Wellington (16:35):
To get foundational coverage quickly.

Sam Jones (16:37):
Or they might adopt pacesetters such as LogicGate or Onspring for very targeted needs like automating the internal audit function specifically. More focused approach. But crucially, SMEs should plan for scalability right from day one. Make sure the chosen platforms offer robust APIs, a clear product roadmap for future growth, because their integrated risk needs will evolve as they grow.

Ori Wellington (16:58):
Don't paint yourself into a corner.

Sam Jones (17:00):
Exactly.

Ori Wellington (17:00):
Hang a corner, exactly.

Sam Jones (17:01):
So, whether you're a global enterprise grappling with immense complexity, or a growing SME building your foundation, the message seems consistent and powerful. Don't evaluate GRC in isolation, please don't. Its true value, its modern value, is in how well it supplies that verifiable evidence across all IRM domains,

(17:22):
powering not just compliance but really powering trust and performance.

Ori Wellington (17:26):
That's the transformation in a nutshell. We've seen how GRC has dramatically evolved from that simple, often burdensome compliance tool, the binder room, into the strategic policies integration point of integrated risk management. Yeah, it's really no longer just about satisfying mandates from regulators.

Sam Jones (17:43):
It's proactive, not reactive.

Ori Wellington (17:44):
Exactly. It's about actively building trust, enhancing organizational resilience and fueling better performance by delivering continuous, verifiable assurance.

Sam Jones (17:53):
And this leads us beautifully to our final thought for you to ponder as you go about your day. The report emphasizes three key imperatives for the future of GRC and IRM.

Ori Wellington (18:02):
Three crucial takeaways: continuous assurance, moving beyond point-in-time checks. AI governance as a first-class, non-negotiable requirement. And integration, integration, integration as the true measure of relevance.

Sam Jones (18:15):
If it's not integrated, it's not modern GRC.

Ori Wellington (18:18):
So the question for you is, what will you do to ensure your organization's GRC isn't just ticking boxes anymore, but is truly transforming into that adaptive, intelligent assurance operating system that will be absolutely critical for navigating the complexities of tomorrow's risk landscape?

Sam Jones (18:34):
It's a journey, but a necessary one.

Ori Wellington (18:36):
The road to integrated risk excellence, it seems, begins with reframing GRC as the very foundation of enterprise trust.