The Risk Wheelhouse

S4E3: An Extinction Level Event - Risk in the Digital Age

Wheelhouse Advisors LLC Season 4 Episode 3

Modern risk management stands at a precipice of transformation where AI-driven platforms are causing what ServiceNow's CEO Bill McDermott calls an "extinction-level event" for traditional software vendors. This profound shift is reshaping how organizations approach enterprise resilience, with implications for businesses across all sectors.

The evolution from conventional Governance, Risk, and Compliance (GRC) to autonomous Integrated Risk Management (IRM) represents a fundamental leap forward. Today's cutting-edge platforms don't merely collect data—they leverage artificial intelligence to predict emerging risks, automate policy enforcement, and suggest real-time solutions. The analogy of moving from manual spreadsheets to a self-driving car for risk management aptly captures this transformation, highlighting how these new systems break down organizational silos and enable proactive rather than reactive approaches.

Market validation for this shift is substantial, with major institutional players like Goldman Sachs and Blackstone making significant investments in the IRM space. Their recent NAVEX acquisition signals that IRM has moved from a specialized niche to an essential business function. Meanwhile, vulnerabilities exposed within cyber insurance providers themselves—as seen in the Allianz Life data breach—reveal that even risk experts face critical gaps in their own defenses. This paradox underscores the importance of comprehensive approaches addressing Performance, Resilience, Assurance, and Compliance (PRAC) objectives.

As traditional market reports struggle to keep pace with these rapid changes, organizations must carefully evaluate their information sources to ensure their insights remain forward-looking and actionable. The question becomes not just how to adapt to these changes, but how to strategically position yourself in this new reality. We encourage you to reflect on how these profound shifts in risk management connect to your own work and to consider what steps you might take to ensure your organization's resilience in an increasingly complex risk landscape.



Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.



Ori Wellington:

Okay, how do you keep up, seriously, how do you keep up with the sheer speed of change, especially when it's something as critical as managing risk and cybersecurity? It feels like the ground beneath us is constantly shifting, doesn't it?

Wait, let's unpack this a bit, because the whole world of risk management technology, it's going through this immense transformation. It's almost overwhelming.

Sam Jones:

It really is seismic, yeah, and our focus today, it's integrated risk management, IRM, how it's being fundamentally reshaped. We're talking advanced AI, big shifts and what investors are looking for and, yeah, those cyber threats that just keep evolving. The toughest part for a lot of folks in risk isn't getting information, it's finding insights that are, like, truly actionable, that look forward.

Ori Wellington:

Most of the general reports out there, they just scratch the surface, often feels like yesterday's news. Exactly, and that's why we're doing this deep dive today. Our mission really is to give you a shortcut, help you get properly informed by pulling out the key nuggets from some really exclusive analysis. We're tapping into the RTJ Bridge by Wheelhouse Advisors. This is stuff usually kept for, well, a very specific audience, so you're about to get a sneak peek into what's driving top industrial decisions and the future of enterprise resilience.

Sam Jones:

Yeah, and these insights, they cover some pretty dramatic shifts in software, major investment trends that are really validating this whole IRM market and, maybe surprisingly, some growing vulnerabilities in a place you might not expect: cyber insurance providers themselves. We'll also dig into why some of the, let's say, common industry reports might be, well, missing the mark a bit on who the real leaders are here.

Ori Wellington:

Right, we promised some surprising facts, maybe just enough humor to keep it interesting. We want to make this complex topic clear, engaging and actually useful. So yeah, you're about to get a really unique perspective on something impacting pretty much every modern business. Okay, let's dive right in. There's a pretty blunt assessment floating around about risk management tech right now. Bill McDermott, ServiceNow's CEO, he recently warned that these advanced AI-centric platforms, they're causing what he called an extinction-level event for older software players. That's a powerful phrase for a CEO. What exactly is going extinct here?

Sam Jones:

It is powerful and it highlights a critical truth, really. Traditional GRC vendors (governance, risk, compliance), the ones still stuck on static compliance models, lots of manual processes, they're facing rapid obsolescence. The market's moving clearly towards autonomous IRM, and when we say autonomous, we mean AI-native platforms, integrated systems that don't just hold data, they actively use machine learning, they predict emerging risks, automate policy enforcement, maybe even suggest how to fix things in real time. It fundamentally breaks down those old organizational silos. It pushes towards proactive risk mitigation, not just reactive compliance checks. Think of it like moving from a manual spreadsheet to a self-driving car, but for risk.

Ori Wellington:

It's a great analogy, a self-driving car for risk. These new systems are just faster. They're fundamentally, well, smarter, more predictive, and it looks like the big money is noticing. You talk about institutional validation. That recent NAVEX acquisition led by Goldman Sachs, with Blackstone jumping in too, that really stands out. This isn't just pocket change. It feels like major institutional confidence in where IRM software is heading. What does that kind of huge buy-in from top-tier private equity mean for the wider IRM world, especially for, say, smaller vendors or companies thinking about adopting this stuff?

Kelsey Hutchinson:

It's fascinating, yeah, that deal. It really marks a milestone. It shows confidence, not just in NAVEX but in the whole IRM sector. As our source, Wheelhouse Advisors, puts it, and this is a good quote: "When top-tier investors like Goldman and Blackstone commit at this scale, it's a clear vote of confidence that IRM is no longer a nice-to-have but essential for enterprise resilience." For smaller players, well, it likely means more competition, but also a bigger, more validated market to play in, and for companies thinking about adopting IRM it's a loud signal: IRM isn't niche anymore, it's mainstream. It's critical for modern business ops.

Ori Wellington:

It just legitimizes the whole space, draws in more innovation, more talent. Right, okay, you also mentioned an unexpected vulnerability in cyber insurance providers. That seems like a worrying paradox. The companies meant to protect others are becoming targets. The Allianz Life data exposure you mentioned is a stark example. Wait, so even the insurers are vulnerable. How does that happen? Their whole business is risk mitigation.

Sam Jones:

It really is a paradox, isn't it? Like you said, the fire department catching fire. The Allianz Life breach, which was a huge vendor-related data leak, it just starkly highlights these critical gaps that even providers can have. We're talking about gaps in their own third-party risk, tech risk, GRC with strategic PRAC objectives.

Ori Wellington:

Okay, PRAC objectives. You dropped that term in. Can you unpack PRAC for us? What does it mean and why is it so crucial, especially for insurers?

Sam Jones:

Absolutely. So, PRAC stands for performance, resilience, assurance and compliance. For an insurer, performance could be about using real-time risk data to allocate resources better, you know, be more efficient. Resilience is pretty straightforward: can they withstand an attack and keep operating? Business continuity. Assurance is about having automated audit trails, verifiable controls for the regulators, super critical in their heavily regulated world. And compliance is, well, meeting all those legal and industry standards, which are always changing. So by proactively aligning their IRM using this PRAC framework, insurers don't just manage risks better and reduce their own exposure. They can actually position themselves as genuinely resilient market leaders. It's really about practicing what they preach.

Ori Wellington:

Makes sense. It sounds like a much more holistic view is needed, especially when the stakes are that high. And speaking of approaches, let's talk about how the market actually evaluates these companies. You suggested some industry reports are kind of missing the mark on the IRM vendor landscape, like IDC's latest MarketScape for GRC. That's a strong claim, suggesting a major analyst firm is off target. Is there any situation where their current evaluation might still be useful or is it genuinely a miss?

Sam Jones:

Well, complete miss might be too strong. It's more like they're evolving too slowly. They haven't quite caught up with how fast the market is changing. IDC's latest GRC MarketScape, for example, it still uses definitions and criteria that just feel outdated for this autonomous, AI-driven future of IRM we're talking about, and this, you know, it can lead to some questionable conclusions about who the real leaders are. By contrast, the research we're drawing on, the IRM Navigator series from Wheelhouse, it uses very clearly defined maturity curves and functional IRM layers.

Ori Wellington:

Maturity curves and functional IRM layers. Okay, sounds important, but maybe a bit technical. Can you give us a quick sort of conceptual breakdown? Why is that approach better?

Sam Jones:

Sure, sure. Think of maturity curves like levels in a video game for risk management. You start at basic compliance, level one maybe, and you aim for higher levels, proactive strategy, resilience, that sort of thing. It's a roadmap for how companies evolve. And functional IRM layers, that refers to the distinct capabilities like threat intelligence, automating controls, risk analytics. So this lets us assess vendors, not just on if they have a feature, but how deeply and effectively they integrate these functions.

Ori Wellington:

Makes sense. Yeah, okay, so it's more granular.

Sam Jones:

Exactly. It's much more granular, more sophisticated. It helps buyers pick vendors that really align with their strategic goals, not just someone sitting in a generic leader box that might lump together old legacy systems and cutting-edge AI. As IRM moves towards this autonomous future, those simplistic charts, the ones without strategic depth, they just don't cut it anymore. It's like trying to judge a Formula One car based on its paint job: you miss what's under the hood.

Ori Wellington:

Okay. So wrapping this up a bit, what does this all mean for you, the listener, and just the broader risk landscape? We've hit some major points: that extinction-level event for legacy GRC, the huge validation of IRM from big investors like Goldman and Blackstone, the critical vulnerabilities even cyber insurers face, like with Allianz Life, and the limits of some traditional analyst reports. It's quite a lot to digest, right?

Sam Jones:

It absolutely is, and the bottom line: IRM isn't a nice-to-have anymore. It's essential, essential for enterprise resilience. It's being driven hard by AI, by data-centric approaches, breaking down silos, pushing for proactive mitigation. And the kind of research we discussed today, using those maturity curves and functional layers, it offers a much more sophisticated way to assess who's doing what, giving you a deeper, more accurate picture of what really counts in this space.

Ori Wellington:

And that really highlights the value, doesn't it? Getting access to distinct insights like these. It's a sharp contrast to general market reports that can sometimes feel like they're just repeating what everyone already knows. We really hope this deep dive has got you thinking, considering the implications for your own understanding of risk and tech, whatever field you're in. It's a complex world out there and staying ahead is pretty crucial.

Sam Jones:

Which really brings up an important question, I think. In a world where even the experts meant to protect us are targets, like the insurers, and where widely accepted reports might miss critical shifts, how do you critically evaluate the information you consume? How do you make sure your insights are truly forward-looking, truly actionable, especially as we head towards a more autonomous future?

Ori Wellington:

That is a powerful thought to chew on. We definitely encourage you to reflect on how these pretty profound shifts in integrated risk management might connect to your own work, your own interests. Hopefully it sparks some further curiosity and exploration.