The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S4E7: The Academic Reckoning of Risk Management
Risk management evolution isn't just about new acronyms—it's about organizational survival in an increasingly complex world. When we examine the journey from checkbox compliance to genuine integration, we uncover profound lessons about how businesses navigate danger and why some approaches fundamentally fail when pressure hits.
This deep dive traces the fascinating progression from Governance, Risk and Compliance (GRC) through Enterprise Risk Management (ERM) to today's Integrated Risk Management (IRM) framework. Drawing from John Wheeler's powerful "Risk Ignored" series, we explore how GRC emerged after Sarbanes-Oxley as an elegant solution on paper that quickly collapsed under its own weight. As Norman Marks memorably quipped, GRC often stood for "Governance, Risk Management, and Confusion."
The consequences of failed risk management approaches come vividly alive through Wheeler's own experience at SunTrust Bank. Despite warning leadership about dangerously loosened mortgage controls, he found himself "exiled" to an empty office before eventually leaving. What followed was devastating: SunTrust required nearly $5 billion in bailout funds during the financial crisis and paid another billion in settlements specifically for the failures Wheeler had warned about. This cautionary tale perfectly illustrates academic research findings that risk frameworks often lack the critical "management lens"—an understanding of organizational culture, incentives, and how change actually happens.
The market eventually drove its own solution as vendors evolved their offerings beyond compliance toward integration. Wheeler's work at Gartner formalized this shift with the introduction of IRM in 2016, creating a framework that genuinely connects risk to decision-making through four key integration points: organizational goals, core processes, critical assets, and governing policies. The difference is profound—replacing the appearance of integration with actual decision-influencing integration that changes behavior and improves outcomes.
Try this revealing test in your organization: trace a recent significant business decision and determine when risk information entered the process. Was it part of initial strategic discussions, or merely a validation step at the end? The answer reveals whether you're dealing with true integration or just another siloed exercise that might leave you vulnerable when pressure hits.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Have you ever looked at a really big business decision, you know, one of those ones that could genuinely make or break a company, and just thought, how can we be absolutely certain we're not sailing straight into an iceberg here? How do you actually spot those hidden risks, the ones lurking just beneath the surface, maybe waiting to sink the whole enterprise? Today we're diving into a topic that, well, often gets a reputation for being a bit dry, but I promise you what we're about to uncover is anything but. We're talking about risk management, and it's actually a gripping story, really, of how organizations have tried, and often stumbled quite badly, in their efforts to navigate danger. It reveals why some of the early approaches just, well, fell short.
Sam Jones: So our mission for this deep dive is pretty clear: cut through all the acronyms, all the jargon, and trace this fascinating evolution. We'll start with GRC, that's governance, risk and compliance. Then we'll move through ERM, enterprise risk management, and finally land on what seems like a truly transformative approach, integrated risk management, or IRM. Get ready for some hopefully serious aha moments and maybe some practical insights you can actually apply.
Ori Wellington: Absolutely, and our main guide through this critical landscape is John A. Wheeler. He's the founder and CEO of Wheelhouse Advisors and really a recognized thought leader in integrated risk management. We're drawing quite heavily from his insightful Risk Ignored series, particularly a piece called The Academic Reckoning of Risk Management. And what's great is he weaves together his own personal experiences, which were often quite challenging, with his really pivotal work later at Gartner, where he actually helped define these market categories we're talking about. So, yeah, we're going to unpack not just what happened in this whole evolution but why it's so, so relevant for pretty much every organization today.
Sam Jones: Okay, right, let's kick things off then. We're going back to the early 2000s, right after the Sarbanes-Oxley Act really fundamentally changed the game for corporate governance. Now, for anyone who might need a quick refresher, SOX, as it's known, was that landmark US legislation enacted to protect investors from, well, fraudulent accounting, pushing companies towards much greater accountability. And this is really where GRC, governance, risk and compliance, emerged as the kind of dominant framework. So what was GRC actually meant to achieve when it first arrived on the scene, and why did it get so much traction so quickly?
Ori Wellington: Well, GRC was a direct response to a very real and quite urgent need for coherence. You see, post-Sarbanes-Oxley, companies suddenly found themselves just swamped by this proliferation of new regulations. So there was this desperate desire, really, to bring all these different compliance efforts, risk management, governance activities under one unified roof. You had big players like Archer, PwC and Michael Rasmussen who were really instrumental in codifying it, and GRC, that acronym, quickly became the defining term for a whole market that promised these integrated solutions. The core idea, I mean, it sounded elegant, right? Streamline compliance, proactively manage risks, ensure good governance, all at once, maybe from a single software platform.
Sam Jones: Yeah, it sounds incredibly logical on paper, like you said, elegant, almost like a silver bullet for all those corporate headaches. But then it seems it quickly became clear that GRC was maybe collapsing under its own weight. What was the fundamental flaw? What led to its decline?
Ori Wellington: Well, what's fascinating here is how quickly people on the ground, the practitioners, and academics too, spotted the cracks. You mentioned Norman Marks, a well-known practitioner. He famously quipped that GRC actually stood for governance, risk management and confusion.
Sam Jones: Confusion. Okay.
Ori Wellington: Exactly, and even earlier, Michael Power from the London School of Economics had issued this really prescient warning. He said the risk management of everything would inevitably become the risk management of nothing.
Sam Jones: The risk management of nothing. That's quite a statement.
Ori Wellington: It is, and the critical insight there, I think, is that when you try to manage everything without genuine operational integration, without connecting it to how things actually get done, you risk managing nothing of real substance. The fundamental issue was this huge breadth but without operating leverage. GRC promised the world, but in practice it often delivered very little in terms of real practical integration that actually impacted decisions. Too often it just ended up being primarily a compliance exercise, generating reports, ticking boxes, but not truly protecting against genuine risk.
Sam Jones: Right. So for you listening, that's a really crucial takeaway, isn't it? Just having a system, a piece of software, doesn't automatically mean it's effective. It needs to genuinely integrate with and actually influence core business decisions. Otherwise, like you said, it's just window dressing. And to really drive this point home, the source material shares this powerful real-world anecdote from John Wheeler himself, from his time at SunTrust Bank. Can you tell us about that, that pivotal meeting he describes?
Ori Wellington: Absolutely. Quite a story. Wheeler recounts this critical meeting he had with the new CEO and also the head of mortgage banking at SunTrust, and he pretty courageously, it sounds like, outlined the substantial exposures the bank was facing, exposures created because they were deliberately loosening mortgage controls, all in this relentless chase for growth, for market share. He actually describes the head of mortgage banking physically writhing in his chair as the serious implications of these decisions landed. You can just picture it, right? That palpable discomfort as the truth of the risk in that strategy became undeniable in the room.
Sam Jones: Wow. So he laid it out starkly, directly to the top leadership. That takes guts. How did his unwelcome objections, as the source calls them, affect him personally? And then exile is the term used: parked in an empty office for nearly a year before he eventually left in early 2008, actually to launch his own firm, Wheelhouse Advisors.
Ori Wellington: So this personal experience, it just directly underscores this huge cost of separating risk from decision making. You see, the systems, the GRC talk, might have been there on paper, but the incentives, the leadership culture, they were pushing in a completely different direction.
Sam Jones: That's chilling, honestly, how precisely those warnings, those concerns he raised, played out later. It really highlights that old saying, doesn't it? The writing was on the wall, but maybe nobody was reading it, or perhaps, more accurately, nobody wanted to read it when short-term growth seemed so attractive. So, the financial consequences for SunTrust: did those loosened controls eventually catch up with them massively?
Ori Wellington: Oh, absolutely. What happened next was, well, sadly predictable, and it serves as such a stark warning. The bank ended up requiring nearly $5 billion in TARP funding. That's the Troubled Asset Relief Program, you know, the government bailout during the financial crisis. $5 billion just to survive.
Ori Wellington: And then later, in 2014, they had to pay almost another billion dollars in settlements with the Department of Justice specifically for those very loosened controls and the massive failures in mortgage origination and servicing he'd warned about. And ultimately, in 2019, SunTrust combined with BB&T. It was presented as a merger of equals forming Truist, but many observers really saw it as the culmination of this long risk hangover from the crisis years. The lesson seems crystal clear, doesn't it? Governance frameworks, fancy software tools, they just cannot run on separate tracks while the actual business incentives are driving behavior in a completely different direction.
Sam Jones: So SunTrust had the GRC tech, they had ERM programs in place, apparently, but neither could hold back that tide when the pressure really hit. If the systems were there but failed so catastrophically, what's the most insidious part of that critical design flaw? Was it fundamentally a technology problem, a people problem, or something else entirely?
Ori Wellington: That is such a crucial question, and it really points to a systemic issue. I think it wasn't just a technology problem, although maybe the tools were inadequate too, but fundamentally it was a people and culture problem. A failure of governance, yes, but also of incentives to align properly with genuine risk management. The technology, in a way, just reflected that disconnect. It didn't create it. The truly insidious element, perhaps, was this underlying belief, this assumption that risk could somehow be managed off to the side, in a silo separate from the core business decisions, which of course makes it incredibly easy to ignore when those tempting short-term gains are on the line.
Sam Jones: Right, that separation seems key. This story really highlights that huge gap between aspiration, what GRC and ERM said they did, and the reality on the ground, a disconnect that technology alone just couldn't bridge. But okay, what were the academics saying around this time about the limitations of these approaches like ERM? How did their research maybe complement these kinds of real-world experiences and provide a broader diagnosis?
Ori Wellington: Yeah, that's important, because it raises the question: why weren't these systems working effectively, despite all the investment and presumably good intentions? The source highlights a really significant 2015 research paper. It was published in a journal called Long Range Planning by Bromiley, McShane, Nair and Rustambekov, and they specifically looked at enterprise risk management, ERM. They did this meticulous review of the whole field and found that, despite all the buzz, ERM definitions actually varied wildly. Any consensus was mostly superficial, you know, existing mainly on paper, as they put it. Now, there was some agreement on managing risks as a portfolio and including strategic risks, which was a step forward. But the actual empirical record, the evidence of ERM's effectiveness in practice, it was decidedly mixed, often aspirational but not truly impactful where it counted.
Sam Jones: Okay, so the academics were seeing inconsistencies and mixed results, but you mentioned this missing management lens. That sounds critical. Before we get to that, I wonder, though, was there anything that ERM did get right, or was it just fundamentally flawed from the start, despite those good intentions you mentioned?
Kelsey Hutchinson: That's a fair question. ERM certainly had the right aspiration. That idea of viewing risk holistically, as a portfolio, was important, and definitely trying to consider strategic risks, moving beyond just, say, insurable risks or purely financial ones. That broadened the conversation, no doubt, but the research really highlighted its, you could say, fatal flaw, this profound missing management lens: aspects that are absolutely critical to how organizations actually operate day-to-day. Things like the prevailing culture, the incentive structures, who has decision rights, how organizational change happens. These were largely absent from the academic literature on ERM. So in essence, ERM described an aspiration, what companies should do ideally, but it didn't really explain performance or, crucially, how to actually achieve that integrated state. And this diagnosis just perfectly matched Wheeler's lived experience at SunTrust, right? That two-tracks problem. It wasn't just about technology running separately, it extended to the very way organizations thought about and tried to implement risk management itself.
Ori Wellington: So the collapse of GRC, or at least its reputation, and then the clear inadequacy of this kind of compliance-first ERM, it created a pretty significant void. The big question for both scholars and practitioners became quite simply, okay, what comes next? And what's really fascinating is that the market itself actually started to close this gap almost organically, before any new labels or acronyms really emerged to describe the shift.
Sam Jones: Okay, so this structural correction, as the source calls it, this fundamental shift we're talking about, how did it actually begin to take shape in the real world, on the ground? What did that look like in practice?
Ori Wellington: Well, you started seeing companies like Mitratech, MetricStream, Archer, some of the original GRC pioneers, actually starting to evolve their offerings, but they were evolving in response to genuine market demands, what customers were asking for. Mitratech, for example, started demonstrating how legal risk data wasn't just for the legal department's compliance. It needed to be integrated into strategic oversight. MetricStream began pushing its capabilities beyond pure compliance risk, moving more into IT risk management, or TRM, focusing on things like asset ownership and security vulnerabilities. Archer, which already had a strong foothold in IT risk, then positioned itself more towards operational risk management, ORM, which is all about the risks in an organization's day-to-day operations and processes. And this wasn't just, you know, clever rebranding or marketing spin. It really signaled that both the buyers, the companies needing solutions, and the sellers, the software vendors, were already moving towards a more integrated model. They were recognizing the necessity of connecting these previously disparate risk areas, simply because that's where risk actually happens in a business.
Sam Jones: And this, then, is where John Wheeler's role at Gartner becomes absolutely crucial: not just observing the shift, but actually putting a name to it, naming this new, more integrated approach and, importantly, making it an official market category that Gartner would track.
Ori Wellington: Precisely. Exactly right. When Gartner approached him wanting to reinvigorate their technology coverage, he made a very conscious, very deliberate choice. He decided not to simply extend the existing GRC coverage, because he'd seen its flaws firsthand. Instead, he chose to focus on what he called the adjacencies, where risk is managed in practice, and, crucially, adding the management evidence at scale, the real-world data that academic research sometimes lacked. Through extensive practitioner surveys, lots of meticulous field research, they documented how GRC tools were actually being used on the ground, how ERM programs were really structured, where that integration consistently broke down and, maybe most importantly, what buyers actually needed to get real work done to manage risk effectively.
Ori Wellington: And all this wealth of evidence, this data, it ultimately led to the creation of the 2016 Market Guide for Integrated Risk Management, IRM. Ah, okay, so that's where IRM formally enters the picture. That's the formal beginning, yes, and that market guide was then followed by the very first IRM Magic Quadrant in 2018. So the point Wheeler makes is they weren't trying to create a fashion or dictate a trend. They were simply giving a name and, importantly, a framework to what the market was already organically doing, recognizing a fundamental structural correction that was, frankly, long overdue.
Sam Jones: Okay, that context is really helpful, but given the, let's say, ambitious promises and subsequent failures of GRC, and then the academic critiques of ERM not going far enough, the bar for any new approach has got to be incredibly high, right? So when we talk about integrated risk management, IRM, are we genuinely talking about a fundamental shift in philosophy, a different way of thinking, or is it maybe just a more refined iteration, a version 2.0 of what came before?
Ori Wellington: That's the million-dollar question, isn't it? And if we connect this back to the bigger picture, the source is emphatic. IRM is not just a new coat of paint for GRC, nor is it merely a modest tune-up of ERM. It's truly described as a structural correction in how organizations need to think about and manage risk, and the IRM Navigator Framework, which Wheeler helped develop, isn't just a vague concept. It's intended as a detailed blueprint. It provides organizations with a concrete operating model for how to actually do this integration effectively, rather than just talking about it in meetings organization actually manages risk day to day.
Sam Jones: How does it integrate these different, often siloed aspects, like IT risk, operational risk, compliance, into a cohesive whole? And maybe, more importantly for you listening, what's a tangible way you can assess if your own organization is achieving actual integration with IRM, rather than just the appearance of integration we talked about with GRC? What's maybe one question you could ask yourself or your team tomorrow morning?
Ori Wellington: Great questions. Essentially, IRM is about bringing together all those critical components that, historically, have often operated in isolation. So it integrates ERM, enterprise risk management, which still provides the overall strategic goals and governance structure. It integrates ORM, operational risk management, for handling specific process risks and clarifying ownership within those processes. It integrates TRM, technology risk management, for securing assets and managing all those technology-related risks, which are huge today. And then it weaves in the key necessary elements of GRC, things like policies, controls and assurance activities across the board.
Ori Wellington: The framework organizes objectives into four key areas: performance, resilience, assurance and compliance. You need all four. And, crucially, it aligns the actual work, the activities, at four essential integration points: the organization's goals, its core processes, its critical assets and its governing policies. The intent here is profoundly practical. It's designed to replace that appearance of integration, which GRC often delivered through siloed reports or dashboards, with actual integration, integration that genuinely changes decisions, affects behavior and improves outcomes, rather than just producing artifacts that get filed away.
Ori Wellington: And as to your question about how listeners can assess this, a really great way to start is to trace a recent significant business decision made in your organization. Ask how early, how fundamentally, was relevant risk information, relevant risk data, integrated into that decision-making process? Was risk part of the initial strategic discussion, genuinely influencing the options considered right from the outset? Or was it brought in much later, maybe as a validation step near the end, a final check-box sign-off, or, worse, only discussed in the post-mortem after something went wrong?
Sam Jones: Ah, that's a great litmus test.
Ori Wellington: Yeah, if risk is still just a separate sign-off at the end, or largely an afterthought, then you're likely still dealing with the appearance of integration, not the actual embedded kind that IRM really champions.
Sam Jones: Wow, what an incredible journey we've taken today, really. We've traveled all the way from those lofty, maybe sometimes over-promised ambitions of GRC, through the stark and, frankly, quite painful realities exposed by the global financial crisis and those sharp academic critiques of ERM, and finally landing on this much-needed structural correction offered by integrated risk management, IRM. It seems abundantly clear this is about so much more than just, you know, checking boxes or satisfying regulators. It's really about embedding risk awareness, risk thinking, into the very fabric of an organization's decision-making process, making it an integral part of how work gets done every day, not just some separate compliance exercise off to the side.
Ori Wellington: Absolutely. And as we close out this deep dive, it feels right to circle back just briefly to John Wheeler's pivotal meeting at SunTrust all those years ago. Remember, his warning wasn't really about a specific control box on a spreadsheet somewhere. It was fundamentally about deeply ingrained behavior. It was about powerful incentives driving risky actions and the very real, devastating consequences that he saw coming. The financial crisis didn't just expose financial vulnerabilities. It revealed what all those compliance reports and executive dashboards had managed to hide, or at least obscure. So this deep dive, I hope, has shown us how GRC, despite its initial promise, kind of lost its way, and how IRM emerged, not as a fad, but as the necessary practical integration that effective business execution has really required all along. So for you, the listener, the final question perhaps becomes: where in your organization, or maybe in your field, are critical decisions still being made in silos, still separate from a truly integrated, holistic understanding of risk and its potential real-world implications? What happens when the pressure inevitably hits your two tracks?