The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S5E5: Why GRC Stabilized And IRM Took The Lead
The latest episode of The Risk Wheelhouse tackles one of the strangest sights in this year’s risk technology landscape. The 2025 Gartner Magic Quadrant for Governance, Risk, and Compliance arrives with an empty Visionaries quadrant. No challengers, no upstarts, just silence where innovation used to live. Rather than treating this as a warning sign, Ori Wellington and Sam Jones explain why the quiet is a signal that GRC has finally stabilized into what it was always best suited to be: the institutional assurance backbone that proves what happened, preserves the evidence, and keeps auditors, regulators, and boards on solid ground.
From there, they draw a clear line between GRC’s retrospective role and the forward-looking mandate of Integrated Risk Management. The conversation traces how GRC has narrowed to serve assurance leaders, why verification alone cannot answer questions about resilience and performance, and how IRM steps in as the unifying management layer that connects ERM, ORM, TRM, and GRC. Along the way, Ori and Sam unpack the PRAC model, position technology risk as the binding agent across the stack, and introduce “assurance intelligence” as the capability that turns static audit results into real-time decision input. A concrete firewall example shows what it looks like to move from “48 of 50 passed last quarter” to “our resilience score just dropped and we need action today.”
If you own risk, audit, compliance, or technology strategy, this episode will help you reframe GRC as essential infrastructure rather than a silver bullet platform. You will come away with a clearer understanding of why the Visionaries disappeared, how IRM now carries the integration agenda, and what it will take to move from evidence on paper to assurance that actually shapes decisions. For greater insights, read Wheelhouse Advisors’ IRM Navigator™ Vendor Compass for Governance, Risk and Compliance (GRC) - 2025 Edition.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Sam Jones: Welcome back to the deep dive. We are uh starting today with some news out of the risk technology sector that is truly raising eyebrows. And frankly, it's causing a lot of confusion for leaders who are you know trying to navigate their vendor landscape.
Ori Wellington: It really is.
Sam Jones: The 2025 Gartner Magic Quadrant for Governance, Risk, and Compliance (GRC) just got released. And if you're tracking this market, you know that the MQ is usually this highly dynamic document. There's always movement.
Ori Wellington: Especially in the Visionaries Quadrant.
Sam Jones: Exactly. But this year, for the very first time, the entire Visionaries Quadrant is... well, it's empty.
Ori Wellington: Just blank.
Sam Jones: It's the equivalent of a loud industry-wide silence. In a market worth billions, an empty Visionaries Quadrant suggests one of two things. Either innovation has completely stalled out...
Ori Wellington: Or something else is going on.
Sam Jones: Or the market structure itself has fundamentally shifted. And we believe it's the latter. This signals a critical turning point for how organizations approach enterprise risk.
Ori Wellington: That structural shift is exactly what we need to unpack. Our mission today is to understand why this stillness happened and why it's actually a sign of maturity, not stagnation.
Sam Jones: Okay.
Ori Wellington: So we're going beyond just the surface vendor stuff. We're leveraging insights from the RiskTech Journal and, critically, the framework from Wheelhouse Advisors' IRM Navigator model and their Vendor Compass for GRC.
Sam Jones: And what's the core idea we need to get?
Ori Wellington: The core insight to grasp immediately is this deliberate strategic narrowing of GRC's scope.
Sam Jones: A narrowing.
Ori Wellington: Yes, versus the necessary expansion of Integrated Risk Management, or IRM.
Sam Jones: Okay, let's unpack that concept of narrowing, because the context starts right there with the title of the new MQ itself.
Ori Wellington: It does.
Sam Jones: It's titled "For GRC Tools Assurance Leaders." That is a massive qualifier.
Ori Wellington: It is a giant flashing neon sign. It signals Gartner's acceptance of market reality, which is that GRC is no longer being positioned as that sprawling unifying category for all governance, risk, and compliance activities across the entire enterprise.
Sam Jones: Which was the original promise, right?
Ori Wellington: Back in the mid-2000s, that was the ambitious promise. The market has now dictated that GRC has to specialize.
Sam Jones: So when we talk about GRC specializing, what functional area does it own now? What are these assurance leaders actually using these tools for?
Ori Wellington: They're using it to build institutional maturity and consistency. GRC has really specialized into the set of tools focused entirely on enabling internal audit, ethics, internal control programs, and compliance.
Sam Jones: Okay.
Ori Wellington: Essentially, GRC delivers the verification layer of the modern risk technology stack.
Sam Jones: The verification layer.
Ori Wellington: Right. It provides traceability, repeatability, and confidence in your compliance evidence. I mean, think of GRC as the meticulous archivist. It's all about answering the retrospective question.
Sam Jones: Did we do what we said we would do?
Ori Wellington: Exactly. Did we follow the rule? And can we prove it with an auditable trail? That's GRC's job.
Sam Jones: That makes the strategic distinction incredibly clear. GRC is fundamentally about verification, proving assurance after the fact.
Ori Wellington: Looking backward, yes.
Sam Jones: But if an organization needs to answer the question, how are we prepared for the future? Or how does this control failure impact our strategic resilience? That's beyond GRC's mandate.
Ori Wellington: That moves right into the realm of IRM. Precisely. GRC emerged with this promise of unification. But as the source material points out, by the mid-2010s, organizations realized something.
Sam Jones: What was that?
Ori Wellington: While they centralized all this control data, the GRC tools themselves really struggled to provide meaningful integration with performance management or strategic decision making.
Sam Jones: Right. It stayed in its silo.
Ori Wellington: It settled into its most successful role at the hub of assurance. This new MQ title just codifies that stability.
Sam Jones: Which brings us back to that empty Visionaries Quadrant. I think for a skeptical listener, it still sounds like we're putting a positive spin on vendor inertia. If nobody's innovating, isn't that just a failure?
Ori Wellington: Not at all. And this is where it gets really interesting. If you study technology adoption cycles and market maturity models, the absence of visionaries actually signals the completion of the first innovation cycle. GRC has done its job. It has reached a stage of uh functional completeness and optimization, just like ERP or core HR systems did years ago.
Sam Jones: So the basics are all sorted out now.
Ori Wellington: Exactly. The core capabilities, policy management, control testing, issue remediation, reporting, they're all standardized. They're stable, they're widely available across all the leading platforms.
Sam Jones: So differentiation isn't about some flashy new feature anymore.
Ori Wellington: Nope. It relies on integration, reliability, and scale.
Sam Jones: So GRC has matured into a foundational utility. It's like the electricity or the plumbing in a modern building. You don't need radical visionary innovation for how the pipes work.
Ori Wellington: You just need them to work.
Sam Jones: You just need them to be reliable, standardized, and safe, so you can then layer the smart connected technology on top of it.
Ori Wellington: That is the perfect analogy. And because that foundation is stable, the innovation energy hasn't stalled. It has simply transferred.
Sam Jones: Transferred where?
Ori Wellington: It's a transfer of innovation energy from GRC, the stability layer, to IRM, which is the higher-order management layer that unites that assurance with forward-looking strategy, performance, and resilience.
Sam Jones: And that distinction, who the tool is designed for, is so crucial. We mentioned the Gartner MQ is explicitly for assurance leaders. Yes. But you're suggesting that risk leaders, the executives who are responsible for strategic decision support, need a much broader view.
Ori Wellington: Absolutely. The MQ is invaluable for the audit and compliance community, no question. However, if your job title is chief risk officer or you're managing risk at the executive level, which means connecting all the dots. All the dots. Constantly correlating compliance with business continuity and performance outcomes, you need a framework that manages risk, not just governs it.
Sam Jones: And that is why the perspective offered by the Wheelhouse Advisors IRM Navigator is so important right now. It's designed specifically for that risk leader.
Ori Wellington: Precisely. The IRM Navigator sees IRM as the encompassing market. It integrates GRC along with Enterprise Risk Management, or ERM.
Sam Jones: And ORM and TRM.
Ori Wellington: Operational Risk Management and Technology Risk Management. This framework is explicitly structured to manage risk, to connect that verifiable assurance data to strategic outcomes and anticipation.
Sam Jones: So what's fascinating here is the relationship you're describing. GRC isn't a parallel market to IRM. You're saying it's embedded within it.
Ori Wellington: It is embedded within it. GRC provides the essential component for assurance and compliance. If you're a risk leader trying to integrate all these disciplines into a coherent enterprise view, the IRM Navigator is the perspective you need. It helps you understand how the foundational GRC tools fit into the larger strategic picture.
Sam Jones: So IRM is finally fulfilling that original promise of unification that the standalone, compliance-focused GRC platforms just couldn't deliver a decade ago.
Ori Wellington: That's the mandate. It's taking that centralized control data GRC provides and connecting it to the big picture. And we can use the IRM Navigator model, specifically the PRAC objectives, to show how it all fits.
Sam Jones: The PRAC objectives.
Ori Wellington: The model shows that enterprise confidence requires all four components to be managed holistically.
Sam Jones: Okay, let's walk through that PRAC framework, because it really does illustrate how the stability GRC provides is used by the higher-level functions of IRM.
Ori Wellington: Okay. So we start with the P, for performance.
Sam Jones: Performance.
Ori Wellington: This is defined by Enterprise Risk Management, or ERM. It ensures risk management is tied directly to the organization's strategy and goals. It answers the question: how does this risk affect our shareholder value or our market position?
Sam Jones: Right, the big-picture stuff.
Ori Wellington: Next is the R, for resilience. This is driven by Operational Risk Management, ORM. This is all about maintaining business continuity, adaptive capacity, managing risks in your day-to-day processes, your supply chain.
Sam Jones: And then we get to A and C, assurance and compliance, which are the foundational pillars where GRC platforms are strongest.
Ori Wellington: That's the core GRC delivery. Assurance validates control integrity and effectiveness, proving the controls are working. And compliance is where the GRC tools codify all your internal policies and external regulatory obligations.
Sam Jones: So GRC provides the proof.
Ori Wellington: It provides the verifiable action and accountability that underpins the entire structure.
Sam Jones: And it's critical to note, since pretty much every organization is technology driven now, the sources emphasize that Technology Risk Management, TRM, is woven throughout this whole thing.
Ori Wellington: Correct. It's not a separate pillar. TRM is the binding agent.
Sam Jones: I hope so.
Ori Wellington: It connects systems of control, the GRC layer, to the systems of execution. An escalating risk in your cloud environment isn't just an IT issue.
Sam Jones: No, it hits everything.
Ori Wellington: It immediately degrades your resilience, the R, exposes you to potential compliance fines, the C, and hurts your strategic performance, the P. IRM unites all four objectives into one model of enterprise confidence.
Sam Jones: Now this shift requires a new capability that kind of blends GRC's strengths in documentation with IRM's forward-looking analytics. What is that capability?
Ori Wellington: That future capability is being called assurance intelligence. It represents the continuous correlation of compliance, control, and risk data for decision impact. It moves assurance from being a static, periodic, retrospective reporting function...
Sam Jones: Right, a report you file every quarter.
Ori Wellington: ...into a dynamic, embedded verification mechanism that actually informs daily operations.
Sam Jones: Can you give us a concrete example of that? I mean, how does assurance intelligence change the job of a risk leader?
Ori Wellington: Certainly. A GRC platform tells you we audited all 50 of our critical firewalls last quarter and 48 passed. That's verification.
Sam Jones: Okay.
Ori Wellington: Assurance intelligence takes that fact and correlates it instantly with current operational data. It says, those two firewall failures, combined with the fact that we just accelerated our cloud migration by 30%. Wow. And have seen a 15% increase in phishing alerts, means our operational resilience score just dropped from green to yellow. It requires immediate strategic intervention. That's anticipation.
Sam Jones: I see. It turns control evidence into real-time business insight.
Ori Wellington: Exactly. It leverages GRC's stability for predictive analytics.
Sam Jones: So what does this whole tectonic shift mean for the strategic direction of GRC investment going forward?
Ori Wellington: It means GRC is cementing its role as essential infrastructure. It's moving toward a position that resembles, you know, standardized, highly reliable systems like core accounting or financial reporting.
Sam Jones: It's foundational to enterprise trust.
Ori Wellington: It is. And this means the investment focus is moving away from features and toward integration, standardization, and automation.
Sam Jones: And the sources suggest that GRC's newfound stability, which is exemplified by that empty Visionaries Quadrant, is actually a necessary prerequisite for the next, much bigger wave of transformation.
Ori Wellington: It absolutely is. The stillness we see in GRC in 2025 is not an endpoint. It's a necessary pause to establish stability.
Sam Jones: You need that solid ground first.
Ori Wellington: Without verifiable controls, defensible audit trails, and consistent compliance evidence, which GRC platforms excel at providing, any kind of autonomous decision-making in risk environments would be completely reckless.
Sam Jones: So that stability is the required foundation for the next wave, which we're hearing referred to as autonomous control ecosystems.
Ori Wellington: Yes. The forecast is that GRC assurance data will be the essential evidence backbone for AI agents.
Sam Jones: The evidence backbone.
Ori Wellington: GRC platforms will provide the verified control state, and IRM systems, powered by assurance intelligence, will allow AI agents to perform continuous control testing and automated remediation.
Sam Jones: So GRC doesn't get replaced.
Ori Wellington: Not at all. Its foundational function will be absorbed and executed automatically within these larger unified IRM and enterprise workflow platforms.
Sam Jones: That's a powerful conclusion. The future of risk management isn't post-GRC, but rather beyond GRC.
Ori Wellington: Well said.
Sam Jones: It's where that foundational assurance data, the predictive risk intelligence, and strategic performance outcomes all converge within a truly unified architecture.
Ori Wellington: And that unified architecture is Integrated Risk Management. The market has finally matured enough for the strategic shift to really take hold.
Sam Jones: That structural distinction is critical for any leader trying to budget for or invest in the future of risk technology. If you are looking to manage risk, not just govern it, we highly recommend exploring the resources that take this strategic, IRM-centric view. To explore this integrated architecture further, and to understand how vendors align with the strategic Integrated Risk Management approach beyond just assurance, you can access the comprehensive GRC Vendor Compass and other IRM Navigator research by visiting wheelhouseadvisors.com.
Ori Wellington: The ability to understand this transformation is really your shortcut to being well informed in this complex space.
Sam Jones: We'll see you on the next deep dive.