
October 15, 2025 16 mins

Resilience isn’t a binder anymore. It’s a live system that has to perform under pressure. We pull apart the 2025 IRM Navigator™ Vendor Compass for Operational Risk Management (ORM) to show how ORM moved from back-office compliance to the execution engine of enterprise resilience. The stakes are massive. They include billions in spend, tighter regulations across the US, UK, and EU, and a rising demand for continuous, auditable proof that controls actually work when services fail.

We break down where ORM sits inside integrated risk management and how it turns risk appetite into daily action across business continuity, incident and loss event operations, KRIs, EHS, and deep third-party and supply chain risk. Then we unpack the four structural drivers forcing change: buyers rewarding measurable outcomes over feature checklists, resilience defined as end-to-end service delivery, assurance-grade automation with transparent trust layers and data lineage, and the hard convergence of TPRM with continuity and incident response as vendor failures directly hit customer experience. If one in three major incidents involves an external partner, vendor monitoring can’t live on the sidelines.

To make this practical, we map the vendor landscape across two dimensions—solution coverage and level of integration—and explain three categories that align to your maturity curve. Integrators like Riskonnect and IBM OpenPages centralize claims, continuity, RCSAs, KRIs, and loss events under strong governance for complex enterprises. Accelerators such as ServiceNow, Hyperproof, and Safe Security embed controls and monitoring into existing workflows fast, moving teams from coordinated to embedded. Pace setters like Fusion Risk Management, ProcessUnity, and Origami Risk deliver targeted wins in resilience mapping, third-party risk, and incident-to-claims operations.

The takeaway is simple: aim for defensible operational assurance without drowning in manual work. As AI-native runbooks evolve by simulating impacts, selecting responses, and triggering mitigation with audit-ready evidence, the question becomes whether your current telemetry and control data will meet disclosure-grade standards. Subscribe, share with your risk and operations teams, and leave a review with your biggest challenge. Where are you on the maturity curve, and what proof do you still need?



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
Welcome back to the deep dive.
We're here again digging into the complex research so you don't have to.
Today, uh, we're tackling the 2025 IRM Navigator Vendor Compass.
Specifically, we're zeroing in on operational risk management.
You'll hear us call it ORM.
Yeah, and it's a really timely discussion because ORM, well, it's changed a lot.
It's definitely not just that, uh, back office compliance

(00:23):
function anymore.
The sources we're looking at are clear.
ORM is now basically the execution engine for enterprise resilience.
Execution engine.
Okay.
So our mission today is really to understand what's driving this shift, the market forces, and then look at the vendors, the actual technology players enabling this.
Exactly.
And this isn't just, you know, a theoretical shift.
It's strategic.

(00:43):
And the money involved tells that story.
Right.
The financial stakes are just staggering, the spending projections alone.
We're talking operational risk management hitting an estimated $13.8 billion this year, this year alone.
And that's projected to climb past $31.5 billion by 2032.
Yeah, it's huge.
That's a what, 12.6% compound annual growth rate?

(01:05):
It just shows this massive reprioritization in how companies are dealing with instability.
And remember, that ORM piece is part of the bigger integrated risk management market, IRM.
That whole market is expected to more than double.
But the money's flowing into ORM specifically because, well, organizations learned the hard way that static controls, you know, checklists, annual reviews, they just don't cut it when a

(01:28):
real crisis hits.
That really feels like the core idea here, doesn't it?
The report hammers this point.
Regulators, whether it's the US, UK, EU, they're moving beyond just ticking boxes.
They're demanding, uh, demonstrable impact tolerances, continuous service assurance.
You can't just have a plan anymore.

Sam Jones (01:47):
No, you have to prove it works continuously, in real time.
Prove you can execute under pressure.

Ori Wellington (01:53):
It's a complete flip from policy documents to actual operational readiness.

Sam Jones (01:57):
Totally.
There was a great quote in the sources from the Wheelhouse Advisors CEO.
They called operational risk the connective tissue that keeps performance and resilience aligned in real time.

Ori Wellington (02:06):
Connective tissue.
I really like that phrase.
Okay, so if integrated risk management is the whole nervous system, what's ORM's specific job?
Where does it fit?

Sam Jones (02:16):
So ORM is basically the process backbone.
Think of it like this: IRM sets the strategy, the risk appetite.
ORM is what translates that into, well, actual functioning processes on the ground.
In the IRM Navigator model they talk about, it sits right at the process integration point.
It takes the high-level stuff and makes sure operations stay resilient.
Okay, makes sense.

(02:37):
Can you walk us through the specific things covered by modern ORM?
Because I think a lot of people still just think, you know, IT failures.
Right.
And it's much, much broader now.
We're talking business continuity and crisis management, BCM, incident and loss event management, uh, monitoring key risk indicators, KRIs, environmental health and safety, EHS, and this is critical, vendor and supply

(02:57):
chain risk management.
See how those are all about actions, people, physical processes, not just data logs.

Ori Wellington (03:03):
Yeah, absolutely.
That's where risk becomes real disruption.
And you mentioned connectivity.
The report talks about something called PRAC, P-R-A-C.
What's that about?
How does ORM tie into it?

Sam Jones (03:15):
Ah, PRAC.
Okay, so that defines the four main goals of IRM: performance, resilience, assurance, and compliance.
ORM is absolutely fundamental to hitting all four.
It drives resilience, obviously, through continuity and recovery plans that actually work, and it drives assurance by constantly gathering verifiable proof that controls

(03:35):
are effective.
So it connects daily process success or failure directly to those big enterprise outcomes.
Exactly.
It's where the theory of risk management meets the reality of operations.
Okay.
So ORM is critical.
It's where the rubber meets the road.
Before we get into the vendors, though, the source material mentions this IRM Navigator maturity curve.
Foundational, coordinated, embedded, extended, autonomous.

(03:58):
Where are most organizations now?
Well, the report suggests most are kind of clustered between coordinated and embedded.

Ori Wellington (04:04):
Coordinated and embedded.
Okay, what does that mean practically?

Sam Jones (04:06):
It means they might have pulled their risk data together.
Maybe they've even got a single platform.
But that next step, embedding risk management identification, monitoring, fixing things right into the core business services, into the supply chains, that's still the big hurdle for many.
The systems talk to each other, maybe, but it's not seamless, not yet automated risk management woven into the fabric

(04:28):
of the business.

Ori Wellington (04:29):
Right.
That gap between just coordinating data and truly embedding the process, that leads us perfectly into the next part of the report.
This is where it gets really interesting.
Because this whole shift, it isn't random.
It's being pushed by four big structural drivers in the market.
Let's unpack why ORM matters so much right now.

Sam Jones (04:48):
Okay, driver number one.
And this one probably stings a bit for traditional IT and risk teams.

Ori Wellington (04:53):
Yeah.

Sam Jones (04:54):
The market has shifted decisively.
It's moved from rewarding vendors for software features to rewarding them for delivering measurable business outcomes.
Buyers are just tired of fragmented systems that take tons of manual work just to spit out a compliance report.

Ori Wellington (05:07):
And there's data on that frustration, isn't there?
I saw that risk.net finding.
Fewer than half of banks rate their current GRC vendor as good.
That's pretty damning.

Sam Jones (05:18):
It really is.
It shows that fragmentation, you know, having one system for compliance, another for third-party risk, another for BCM, it's just too expensive.
Yeah.
Not just in licenses, but in actual operational failures.
So now buyers are saying, prove it.
Prove you can cut my recovery time by X percent.
Show me how you reduce incident loss severity because you connect claims and incident data.

Ori Wellington (05:41):
So the conversation shifts from "do you have this button" to "can you guarantee my SLA?"

Sam Jones (05:46):
Precisely.
And that leads right into the second driver.
Resilience is operational now.
It's not just an IT thing anymore.
For years, resilience meant keeping the servers humming.
But now, regulators, the market, they define resilience as delivering the critical business service end-to-end.

Ori Wellington (06:01):
Which means the perimeter just exploded, right?
It's not just the data center wall.

Sam Jones (06:05):
Exactly.
Think about, say, a big retailer.
If a key supplier's truck breaks down 500 miles out, or a logistics partner has a strike, that's an operational risk event.
It hits business continuity just as hard as a server outage.
Modern ORM has to map those critical services, stress test the entire playbook, measure our RTO across everything,

(06:26):
including suppliers way down the chain.

Ori Wellington (06:28):
So BCM moves from being a dusty binder to a live, dynamic dependency map.

Sam Jones (06:33):
Okay.

Ori Wellington (06:34):
Driver three feels crucial for that assurance goal you mentioned earlier.
Assurance-grade automation is the new baseline.
Yeah.
Not optional.

Sam Jones (06:41):
Yes.
We're past basic automation.
Things like continuous control monitoring, CCM, that's just table stakes now.
But the keyword is assurance-grade.
What does assurance-grade really mean, though?
Sounds technical, but I guess it's about auditability.
That's exactly it.
It means if automation makes a decision, maybe AI flags something weird or analytics triggers a workflow.
You need proof, governed proof.

(07:02):
It has to operate under transparent trust layers.
You can't just tell the auditor the AI did it.
You need verifiable evidence, a clear data lineage.
Think frameworks like ISO 42001.
That's what provides the transparent, provable trail.
The automation output has to stand up in court, basically, or, you know, in front of the board.

Ori Wellington (07:19):
Got it.
So it's not just about being fast, it's about trusting the evidence the automation produces.
That seems huge, especially as AI gets more complex.
It's the foundation for future risk management, which actually brings us neatly to driver number four: third-party risk convergence.
Supply chain fragility, everyone felt that during the pandemic, right?
It forced third-party risk management, TPRM, out of the

(07:41):
procurement back office and into the live operational spotlight.
It's not just about contracts anymore.
And the numbers back that up starkly.
That Verizon report for 2025 said third-party involvement in data breaches doubled to 30%.

Sam Jones (07:55):
Doubled.
To 30%.
One in three major security incidents involves an external vendor.

Ori Wellington (08:01):
Wow.

Sam Jones (08:02):
So you just cannot treat vendor monitoring as separate from your internal BCM or your incident response and claims.
The risk is immediate, it's operational.
If your vendor hiccups, your service hiccups.
ORM is increasingly becoming that central point, that orchestration layer that pulls TPRM, incident response, BCM all together, making sure those external dependencies are watched continuously.

Ori Wellington (08:23):
Okay, so we've got the why.
Market dynamics, forcing convergence, demanding real outcomes.
That context is perfect for looking at the vendor landscape itself.
The IRM Navigator Vendor Compass uses two main dimensions to plot these players.

Sam Jones (08:36):
That's right.
It's all about utility and integration.
First dimension, solution coverage.
Basically, how broad and deep are their ORM capabilities?
Do they cover resilience, EHS, vendor risk well?
Second dimension, level of integration.
How well do these platforms actually connect ORM into the rest of the enterprise risk world, ERM, TRM, GRC?
Are they playing nice or are they another silo?

Ori Wellington (08:57):
And based on those two axes, the report puts vendors into three categories, which kind of map to where an organization might be in its maturity journey.

Sam Jones (09:07):
Let's start at the top.
The integrators.
Who are they for?

Ori Wellington (09:11):
Integrators are the, uh, the heavyweights, comprehensive coverage, deep integration across different risk domains.
They're really aimed at large enterprises, the ones shooting for or already at that extended maturity level, think complex global companies needing serious orchestration.
Gotcha.
Can you give an example or two?
What makes them an integrator?
Sure.
Riskonnect is a prime example mentioned.

(09:32):
Their big strength is unifying things like claims data, continuity planning, and risk assessment.
Really good for industries where an operational slip immediately becomes a liability issue.
They close that loop fast.
Then there's IBM OpenPages.
They're known for centralizing things like risk and control self-assessments, RCSAs, loss events, KRIs, pulling it all into one unified assurance model across the enterprise risk

(09:54):
structure.
Consistency and central governance are key there.
Okay.
Integrators for the big, complex players.
Now, what about the accelerators?
These sound like they're strong in specific areas or driving innovation.
Maybe for companies moving up that maturity curve.

Sam Jones (10:10):
Exactly.
Perfect for organizations moving from coordinated towards embedded.
This category includes, uh, ServiceNow.
Now, ServiceNow is a huge platform, right?
But the report puts them here likely because they accelerate specific ORM processes, RCSA, control assurance, incident capture, by plugging them directly into the existing

(10:30):
workflow engine of the Now platform.
It's about speed and leveraging existing workflows.

Ori Wellington (10:34):
Hmm.
That's interesting.
So even though ServiceNow is massive, it's an accelerator here, not an integrator.
Does that suggest maybe narrower ORM-specific coverage compared to Riskonnect or IBM?
Or is it more about their go-to-market focus on workflow acceleration?

Sam Jones (10:47):
That's a really good question.
It likely reflects how the report is weighing things.
While they have broad capabilities, their superpower is embedding risk tasks into existing IT and operational workflows very quickly.
That speed of embedding is often the biggest bottleneck for those mid to large firms trying to mature.
So accelerator fits that impact.
We also see others here like Hyperproof, extending

(11:09):
compliance work with really strong continuous control monitoring, and Safe Security, which is important for bringing risk quantification using models like FAIR into operational decisions.

Ori Wellington (11:19):
That makes sense.
Finally, the pace setters, niche capabilities, targeted solutions.
Who needs these?

Sam Jones (11:25):
These often hit the spot for mid-market companies or maybe programs just starting out.
They need a quick win on a specific critical pain point.
I think best in breed for a specific function.
Fusion Risk Management, for example, is very resilience-focused, top-notch BCM dependency mapping.
ProcessUnity nails third-party risk management.
Origami Risk comes from an RMIS background, so they're

(11:47):
excellent with claims and incident operations.

Ori Wellington (11:49):
Okay, so let's tie this back to you, the listener.
You're looking at this compass.
What's the practical advice?
How do you choose?

Sam Jones (11:56):
Well, the guidance is pretty pragmatic.
Match the tool to where you are now.
If you're a large enterprise drowning in complexity, especially with claims or lots of incidents, you probably need an integrator.
You need that unified orchestration across different risk areas.

Ori Wellington (12:12):
And for the SMEs, the small to mid-sized folks, or those just starting their journey.

Sam Jones (12:17):
For SMEs, look hard at the pace setters if you have one burning issue like getting TPRM under control fast.
They offer quick, targeted value.
Then as you mature past that foundational stage, maybe look to the accelerators to scale up, perhaps embed continuous monitoring more broadly.
But the goal for everyone really is defensible operational

(12:37):
assurance without creating a mountain of manual work.
Right.

Ori Wellington (12:40):
That brings us towards the end of this deep dive on the ORM Vendor Compass.
The big takeaway seems crystal clear.
ORM isn't just a compliance task anymore.
It's moved right to the center.
It's about resilience.

Sam Jones (12:52):
Absolutely.
It's acting as both the organization's sensor, picking up problems, and its stabilizer, helping orchestrate the response.
It turns what's happening on the ground into genuine enterprise readiness.

Ori Wellington (13:03):
And looking ahead, the report hints at the next stage.
Autonomous IRM.
Sounds futuristic, but it's where things are heading.

Sam Jones (13:11):
Yeah.
Think AI-native runbooks.
Systems that don't just detect issues, but instantly simulate the impact, figure out the best response, and kick off mitigation, all with minimal human touch.
That's the North Star.

Ori Wellington (13:23):
Okay, so here's the final thought to leave you with, building on everything we've discussed.

Sam Jones (13:26):
If ORM truly is becoming the core process architecture for achieving assurance, and if leaders are going to be judged on their ability to prove outcomes, you really have to ask yourself this.
The evidence your current systems are capturing right now, from vendor checks to incident logs, will that evidence meet the coming demand for disclosure-grade proof?
The kind boards and regulators will require.

(13:48):
Because the standard is shifting fast.
It's moving away from checklists towards continuous, auditable, trustworthy evidence.
That's the challenge ahead.