The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S5E6: Build An Emerging Risk Reflex Before The Next Shock Hits
A hard truth drives this conversation: leaders are seeing the risks but not making the moves. We unpack the 76–42–22 drop-off, visibility to engagement to action, and show why the real bottleneck isn’t data, it’s decision architecture. If your board keeps asking for tighter numbers and firmer timelines, you’re living the reporting plateau. Precision can be counterproductive for emerging risks: it invites model debates, signals high-cost commitments, and rationalizes delay.
We walk through a better path built on solution options. Instead of fear-based dashboards, bring low regret actions that borrow existing budgets, quantify the cost of waiting, and sequence work across quarters. A simple shift to training three cross-functional leads on new AI rules, wiring KRIs to a pilot, and setting a Q3 decision point turns a vague threat into a paced plan. Boards respond to choices and trade-offs, not speculative confidence intervals.
To make this repeatable, we use the IRM Navigator model: GRC, ERM, ORM, and TRM working in balance. ERM ties risks to growth, margin, and launch timelines so decisions map to value. ORM surfaces real-time KRIs and near misses to anchor action in reality. TRM connects controls to live telemetry, enabling continuous monitoring and swift technical adjustments. GRC provides the rigor to document, test, and assure. Together, the four domains deliver PRAC: performance, resilience, assurance, and compliance without sacrificing speed.
We share a concrete action plan: audit your investment asymmetry, kill problem-precision packets, adopt solution-options reporting, wire ORM and TRM into analysis, and measure success by decision velocity. Vendors and advisors are shifting too, judged by how quickly they convert a signal into a board-approved step. If you want your organization to move when the stakes are highest, build the emerging risk reflex now.
If this resonated, follow the show, share it with a colleague who owns risk or strategy, and leave a quick review with your biggest takeaway. What low regret move will you make this quarter?
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Welcome to the deep dive. We are uh jumping straight into a figure that should honestly alarm every single person involved in strategic planning, in corporate governance, because it describes this just dangerous disconnect in modern business. So get this: 76% of boards, the vast majority, are getting these detailed, comprehensive reports. They're about the most volatile emerging risks of our time. You know, think sophisticated cyber threats, the rapid integration of AI, third-party fragility, geopolitical chaos, they see the threats, they're informed.
Sam Jones:But and this is the entire point of our conversation today, here is the structural flaw, the number that really defines the problem. Okay. Of that 76% who are seeing the risk, only 22% are actually likely to act on it.
Kelsey Hutchinson:Wow.
Sam Jones:To change their strategy, or even just allocate resources accordingly.
Ori Wellington:That's the drop. 76% visibility, 22% action, that massive gap, that's what the research from Wheelhouse Advisors calls the funnel of inaction. And it is the subject of our deep dive today. We're calling this the 22% problem. And our mission is, I think, simple, but really crucial. Why are organizations, even when they're fully informed, well resourced, why are they structurally unable to move? Why the inaction? Right. So we're gonna use the IRM navigator model and all this detailed research to really dissect the fundamental, the structural reasons for this failure.
Sam Jones:And this is so much more than just, you know, a reporting issue. If you're a risk leader, if you are wrestling with how to get strategic commitment for your programs, or if you report to the board, you're living this problem. You're living this. You need to understand this model. This is really about shifting from merely seeing risk to building what we call an emerging risk reflex.
Ori Wellington:An emerging risk reflex, I like that.
Sam Jones:It's a capability that automatically translates threats into timely, low regret action. And the IRM navigator model, it explains the investment path required to achieve that reflex. It's how you get out of that debilitating 22% action band.
Ori Wellington:Okay, let's unpack this funnel of inaction then, because the visual presented in the research notes, you know, all that input going into this tiny little nozzle of output, it is so powerful. Let's just confirm the structure of the problem with those three key figures 76, 42, and 22.
Sam Jones:The structure is so telling. It really is. Because it immediately debunks the common excuses.
Ori Wellington:Like what?
Sam Jones:Like the problem isn't apathy. It's not secrecy. We know 76% of risk leaders are successfully synthesizing and presenting emerging risk intelligence to their boards. So the function is, you know, it's executing its core duty of alerting the enterprise.
Ori Wellington:And crucially the engagement isn't terrible either, right? Yeah. Which suggests the board is at least willing to listen.
Sam Jones:That's right. The first drop is significant, but it's not catastrophic. Roughly 42% of risk leaders report that the risk committees or the full board actually engage meaningfully with that information.
Ori Wellington:So they're having conversations.
Sam Jones:They're having robust discussions. They're challenging the assumptions, they're processing the implications of, say, a geopolitical shift or a new regulatory requirement. They are doing the cognitive work.
Ori Wellington:But that's where it all breaks down. Despite all this high input, despite respectable engagement, the action just collapses. It plummets from 42% meaningful engagement down to just 22% likelihood of action.
Sam Jones:Or even just a tangible change in strategic perspective.
Ori Wellington:Right.
Sam Jones:The breakdown is massive and it happens right at the point of decision. The emerging risk updates are noted, they're discussed, and then for the vast majority of cases, they are simply filed away until the next quarterly cycle.
Ori Wellington:So that 22% output really proves that the organizations have the, let's say, the eye to observe the problem, but they lack the structural legs to actually move in response. The capability gap is what's preventing them from translating that information into a command.
Sam Jones:100%. It's an observation machine, not an action machine.
Ori Wellington:Now, when organizations realize they have this action gap, the default human impulse is to panic and, what, demand more information. They seek what the research calls problem precision. Their assumption is always, well, if the board isn't acting, it must mean the data isn't convincing enough.
Sam Jones:We need a better chart.
Ori Wellington:You need a better chart. If only the impact model were tighter, if only we could nail down a more precise probability, then the board would be forced to commit.
Sam Jones:And this leads directly to what the research calls the failed fix. The analysis here is just stark. Organizations that poured significant resources, I'm talking consultant fees, complex modeling tools, additional headcount into tightening those probability ranges, refining impact estimates, really seeking that problem precision. Yeah. They saw only a marginal, statistically insignificant uplift in board action. How much? The increase was about three percentage points.
Ori Wellington:Three. After potentially sinking millions into high fidelity modeling and detailed scenario mapping. Now wait a minute, I have to challenge that, just playing devil's advocate for a second. We pay firms, we invest in technology precisely to get better numbers.
Sam Jones:Of course.
Ori Wellington:Are you saying this conventional wisdom, this decades-long focus on forensic risk quantification, is fundamentally misplaced when it comes to emerging risk?
Sam Jones:When it comes to emerging risk, yes. The research suggests that seeking hyper precision is often counterproductive. It actually works against you.
Kelsey Hutchinson:How?
Sam Jones:Well, emerging risks are, by their very definition, inherently noisy and uncertain. They haven't fully matured yet. So when a risk leader presents a board with a highly granular, precise dollar figure for a novel risk, let's say, the precise cost of an AI-driven intellectual property theft, that precision often invites skepticism.
Ori Wellington:Because it feels made up.
Sam Jones:It feels made up. The board knows the number is based on speculative models, so they feel empowered to challenge the assumptions rather than address the underlying threat.
Ori Wellington:So you give them a precise number and they spend the entire meeting dissecting your inputs, not deciding on the required output.
Sam Jones:Exactly. You give them a reason to debate the analysis, not the action. And there's a darker psychological effect, too.
Ori Wellington:Okay.
Sam Jones:Those detailed, precise impact scenarios, they almost always imply huge, costly, multi-year mitigation programs. And since the numbers themselves are perceived as soft and the implied cost is hard.
Ori Wellington:The board's instinct is to wait.
Sam Jones:It's rational. Defer the expensive response until the risk is clearer. So that demand for problem precision, it actually introduces friction and delays the organizational response. It does the opposite of what you want.
Ori Wellington:So the solution isn't to polish the reports, but to completely redesign the process. If more data isn't the answer, then the solution has to lie in changing the conversation from abstract risk awareness to what, concrete action architecture?
Sam Jones:This is the critical insight. It really is. And it moves the entire conversation from how bad is the problem to what are the viable next steps. The data is just overwhelming on this point. Boards that are designed to make concrete choices that focus on generating and evaluating what the model calls solution options, they boost board action by a massive 67%. That is the true multiplier, not that failed 3% uplift from trying to get more precise.
Ori Wellington:Let's take a hypothetical emerging risk, say aggressive AI regulatory governance coming down the pike, and contrast a problem precision report with a solution options report.
Sam Jones:Perfect. That's an excellent way to illustrate the difference.
Ori Wellington:So in a problem precision report on aggressive AI regulation, what would I see? Detailed charts, maybe a Monte Carlo simulation showing the range of potential fines, you know, up to $500 million, and a timeline for when the risk matures.
Sam Jones:And the conclusion is always something like high risk. Monitor closely requires significant undefined investment.
Ori Wellington:Exactly. And the board responds by saying, we agree it's high risk, but come back next quarter when you have a firmer cost figure and can tell us exactly when the law drops. They defer every time. Okay.
Sam Jones:Now let's contrast that with the solution options approach for the exact same AI governance risk. What does that board material look like?
Ori Wellington:It looks radically different. It's engineered for movement from the ground up. It has four key components. First, it presents a short list of concrete low regret actions that can be initiated quickly.
Sam Jones:Low regret. What does that mean in practice?
Ori Wellington:Instead of asking for a $10 million platform overhaul, it might propose option one: allocate $75,000 from the existing audit budget this quarter to train three cross-functional leads, one from legal, one from IT, one from marketing, on the new European AI Act requirements.
Sam Jones:Oh, okay.
Ori Wellington:And their job is to focus specifically on inventorying our high-risk internal AI models. It's actionable, it's low cost, and it improves your posture immediately. Low regret means minimal upfront commitment, but you get a high informational or capability return on it. What's the second component?
Sam Jones:The second is defining the loss of delaying action. This is so important. It's not just about the potential fine way down the road, it frames the risk in terms of opportunity cost.
Kelsey Hutchinson:Okay.
Sam Jones:So it might say if we delay implementing option one, we risk foreclosing the ability to launch our new automated customer service bot next quarter, which is projected to boost margin by 2%. You shift the entire focus from loss avoidance to value preservation.
Ori Wellington:So risk management suddenly becomes a tool for achieving goals, not just preventing disaster.
Sam Jones:Precisely. Third, the report proposes targeted adjustments to existing programs, leveraging budgets that are already approved.
Ori Wellington:So no new budget battles.
Sam Jones:You avoid the budget battle. Instead of a new project, it suggests adjusting the scope of the current third-party risk management program, the TPRM program, to include a specific AI governance clause for vendors. You're just maximizing your existing infrastructure.
Ori Wellington:Smart. And finally, the fourth component you mentioned, pacing.
Sam Jones:Pacing and clear sequencing across quarters. This is key. Emerging risks evolve, and the response should too. You present a multi-quarter roadmap. Q1 is low regret discovery. Q2 is a pilot implementation focused on one high-risk product line. Q3 is a decision point for a broader investment.
Ori Wellington:So you remove that paralyzing now or never decision.
Sam Jones:You remove it completely. And you introduce structured, sequenced movement. And what you find is that the board responds to choices, pacing, and tangible trade-offs, not to fear.
Ori Wellington:That reframing is clearly effective, but it brings us back to the core structural problem. How does an organization even become capable of consistently generating those high-quality paced solution options?
Kelsey Hutchinson:Yes.
Ori Wellington:This is where the IRM Navigator model, the framework from Wheelhouse Advisors, comes into play. It explains that capability progression.
Sam Jones:It is the map. The IRM navigator model describes the necessary progression of risk capability investment that's required to build that automatic emerging risk reflex. It shows that maturity is not some monolithic effort. It requires balancing investment across four distinct but interconnected domains.
Ori Wellington:Okay, let's walk through those domains and the maturity stages they drive.
Sam Jones:So the model defines four domains and four subsequent maturity stages. The first domain where almost everyone starts is governance, risk, and compliance, or GRC. Right. This focuses on control definition, documentation, policy management, audit rigor. Investment here moves organizations from the initial foundational state, which is usually chaos, to a coordinated state where processes are standardized.
Ori Wellington:So GRC gives us the necessary foundation and structure. The second domain then must be about layering in strategy.
Sam Jones:That's enterprise risk management, or ERM. This is where we start to link risks to strategic objectives, quantify risk exposure in relation to value drivers, and run sophisticated top-down scenario analysis. Investment in ERM moves organizations from that coordinated GRC focus to an embedded state where risk becomes inseparable from strategic planning.
Ori Wellington:Okay, moving from abstract strategy down to day-to-day reality, we hit the operational layer.
Sam Jones:Which is operational risk management, ORM. This is the domain of the front line. We're talking about surfacing real-time indicators, managing near misses and loss events, and adapting processes on the fly. Investment in ORM moves organizations from embedded to extended. Risk management extends deeply into the daily business processes.
Ori Wellington:And finally, the digital foundation, the nervous system of the company.
Sam Jones:Technology risk management, or TRM. This encompasses everything from security analytics and continuous control monitoring to vulnerability management and automated evidence collection. Investment in TRM moves organizations from extended to the most sophisticated stage, autonomous, where the systems themselves can start to sense risk and trigger near real-time responses.
Ori Wellington:GRC, ERM, ORM, TRM, four critical strands. Now, the research highlights the critical structural flaw here, this current investment asymmetry. Most enterprises are not balanced across these four domains at all.
Sam Jones:And this is the structural root of the 22% problem. The vast majority of investment dollars, historically, have gone into GRC. This asymmetry is crystal clear in the market data, and it's reflected in things like the IRM Navigator Annual Viewpoint 2025 and the various vendor indices. Why? Companies prioritize the need for compliance, avoiding fines, and assurance, proving compliance, first. It's a defensive posture.
Ori Wellington:So they've built this enormous GRC muscle capability for seeing and reporting, but they've essentially starved the other three.
Sam Jones:Exactly. They are trying to elicit a full body reflex, a coordinated strategic and operational response, using only one muscle group, GRC.
Kelsey Hutchinson:I see.
Sam Jones:The strong GRC investment allows them to see and report risks with forensic discipline. But the lack of balanced investment in ERM, ORM, and TRM leaves them strategically paralyzed.
Ori Wellington:Let's break down that paralysis. If I only have GRC, what capabilities am I missing to actually make a move?
Sam Jones:You're missing three critical abilities. The ability to strategically frame risks against your goals, that's ERM. The ability to sense how the risks are evolving in real-time operations and processes, that's ORM. And the ability to connect those risks to real-time technical signals, that's TRM.
Ori Wellington:So GRC tells me what the risk is.
Sam Jones:Yes, and if you have a control for it. But without the others, it can't tell you why it matters strategically, where it's hitting you operationally, or what technical adjustments you need to make right now. The output remains observation, not actionable movement.
Ori Wellington:Okay, so GRC is the center of gravity. Let's really drill into its strengths and why it became so dominant, but also why it is the domain that leads directly to what the research calls the reporting plateau for emerging risks.
Sam Jones:Well, GRC platforms are undeniably essential. I want to be clear about that, particularly in moving organizations from that chaotic foundational state to a coordinated state. Yeah. They deliver profound initial value because they solve core governance issues. Before GRC, organizations were just drowning in fragmented audit efforts. Control testing was spread across thousands of documents, inconsistent incident tracking systems. It was a nightmare.
Ori Wellington:So GRC standardized that necessary plumbing of compliance and control tracking.
Sam Jones:Precisely. And the IRM Navigator Vendor Compass for GRC 2025, which profiles leaders in this space like Archer, ServiceNow, OneTrust, confirms their core strengths. They are fantastic at robust control documentation and testing, streamlined issue and incident management that pulls data into one central view, and sophisticated policy management linked to regulatory maps. GRC is excellent at structuring the environment we already understand and making it auditable.
Ori Wellington:But the challenge emerges when these new emerging novel risks are forced into this very rigid structure. Why does GRC, which is designed for discipline and auditability, struggle so much with the agility and ambiguity required by emerging risks?
Sam Jones:Because GRC is fundamentally optimized for static risk. It treats risks as items to be governed, cataloged, rated, and escalated based on predefined control structures. Emerging risks, however, require management, adaptation, and constant strategic reframing. So when you funnel an emerging risk, let's say the mass adoption of deepfake technology, into a GRC system, it gets shoehorned into existing categories. That dilutes its novelty and it forces it into a rigid quarterly or annual review cycle that was designed for long established risks, not fast-moving ones.
Ori Wellington:So GRC is designed to confirm that your existing processes are being followed, not to dynamically suggest new paths for threats that have never existed before. And that leads us to the reporting plateau.
Sam Jones:It does. The research flags three specific functional limitations in GRC systems when they're used as the primary engine for emerging risk action. First, a lack of maturity and scenario analysis that's linked to enterprise objectives and value drivers.
Ori Wellington:What does that mean?
Sam Jones:GRC excels at measuring the risk score in isolation. It often fails to connect that risk directly to whether the organization will hit its Q3 revenue target.
Ori Wellington:Yeah.
Sam Jones:You need ERM to build that critical link to strategic value.
Ori Wellington:That's the difference between saying this risk score is an eight out of ten and saying this risk score is an eight out of ten, which means we are projecting a 10% lower operating margin by December.
Sam Jones:Exactly. One is a score, the other is a business conversation. Second, GRC systems typically lack robust executive decision workflows that frame clear options and trade-offs. GRC is brilliant at issue tracking, documenting who owns a finding and when it must be remediated.
Ori Wellington:Right.
Sam Jones:But it doesn't naturally support strategic decision making presenting option A versus option B for board approval. The leap from a high-rated risk on the register to a structured solution option for the executive committee is often a painful manual journey that happens outside the system in PowerPoint.
Ori Wellington:And the third limitation, which seems crucial for moving toward that autonomous stage you mentioned.
Sam Jones:The insufficient integration of real-time operational or technology telemetry. GRC looks at controls on the books, the policies, the documentation, the audit evidence. It often struggles to ingest and interpret real-time data from operational systems, which is ORM, or security logs, which is TRM.
Ori Wellington:So it sees the required control, but not the control in action.
Sam Jones:Or how technical stress might be degrading that control in real time. It's looking at a blueprint, not a live feed.
Ori Wellington:The reporting plateau, then, is that state where we have achieved maximum reporting efficiency. We catalog everything, we rate everything. But because the system lacks that strategic framing, the decision workflows, and the real-time connectivity, the ability to act is structurally constrained. We solved visibility, but in doing so, we just made the action problem much, much louder.
Sam Jones:That's a perfect summary.
Ori Wellington:So the only way out of this plateau is to structurally rebalance the investment across all four of the IRM navigator domains, GRC, ERM, ORM, and TRM, to build the full emerging risk reflex. The sources explicitly tie this balanced capability to achieving four critical business outcomes known as PRAC.
Sam Jones:PRAC. Performance, resilience, assurance, and compliance.
Ori Wellington:Okay, let's dedicate some serious time to this section because this seems to be how risk leaders can actually drive organizational movement. We start with P for performance.
Sam Jones:Performance is, I think, the most challenging outcome for many risk organizations because it demands a proactive, value-anchored conversation. It's what shifts risk from being a cost center to a strategic enabler. And performance is driven by the dynamic pairing of ERM and ORM.
Ori Wellington:Okay, let's start with the strategic frame that IRM provides. How does a mature ERM capability redefine an emerging risk?
Sam Jones:When ERM is strong, and this is going to be the focus of the forthcoming IRM Navigator Vendor Compass for ERM, which is publishing this December, when ERM is strong, emerging risks are no longer seen in isolation. They're anchored to core enterprise goals, like achieving 8% growth in a specific market or maintaining a 15% operating margin. Right. The ERM system enables this robust scenario analysis that models the risk against the strategy.
Ori Wellington:Give me a concrete ERM example of that.
Sam Jones:Okay, take the risk of sudden, severe supply chain constraints due to geopolitical tension. A GRC approach just lists the risk and gives it a score. An ERM approach models how scenario A, say a 30% reduction in a critical component supply, specifically impacts the launch timeline of product X, which happens to be the flagship initiative for your Q3 revenue growth.
Kelsey Hutchinson:Ah.
Sam Jones:The board conversation immediately shifts to how do we adjust our growth strategy, not how do we document this risk? ERM provides the strategic frame for that choice.
Ori Wellington:And then ORM provides the operational connection. This seems essential for translating those high-level ERM scenarios into real-world action signals.
Sam Jones:It is the translator. ORM links the strategy to the street, so to speak. And the IRM Navigator Vendor Compass for ORM 2025 highlights platforms that excel at this, often leveraging technology from profiled vendors like Riskonnect and ServiceNow.
Kelsey Hutchinson:How do they do it?
Sam Jones:ORM achieves this by aggregating crucial real-time operational data, key risk indicators, or KRIs, loss events, and near misses.
Ori Wellington:Let's get specific about a KRI in ORM. What does that look like in practice?
Sam Jones:KRIs are the vital signs of the business. So if the ERM scenario highlights operational fragility in our global distribution hubs, an ORM KRI might be defined as this: if the average time to clear customs for shipments in region Y exceeds 72 hours for three consecutive days, that immediately flags a medium severity risk exposure in our ORM system.
Ori Wellington:And GRC would only see this when? In a quarterly audit.
Sam Jones:Maybe. ORM sees it in real time. It surfaces stress points and anticipates potential loss events before they become financially material.
Ori Wellington:So that pairing of ERM and ORM is the engine for the performance outcome. It answers the questions: does this matter for our strategic agenda, and where specifically do we need to move first? This is the core capability required to generate those solution options we talked about earlier.
Sam Jones:Without that dual focus, risk management is just a quarterly check the box exercise. With it, it becomes integral to management decisions, allowing the organization to actually adjust its course in time to preserve performance and margin.
Ori Wellington:Okay, next, let's tackle R for resilience. Resilience requires the ability to absorb shocks and adapt quickly. In the PRAC model, this is driven by the partnership between ORM and TRM.
Sam Jones:Resilience has two necessary dimensions. You need process adaptation and you need digital adaptation. ORM handles the process side, how your frontline teams respond to stress.
Kelsey Hutchinson:Okay.
Sam Jones:Mature ORM gives those teams the visibility and crucially the delegated authority to adjust controls or shift resources without requiring central approval for every minor deviation. It essentially creates localized decision loops that are based on those real-time KRIs.
Kelsey Hutchinson:That decentralized authority is key to speed in a crisis.
Sam Jones:Absolutely. And TRM provides the digital foundation for that. Resilience in the modern enterprise relies entirely on the observable and adjustable technology environment. The forthcoming IRM navigator vendor compass for TRM will examine platforms that integrate deeply into the technology stack. We're talking continuous control monitoring, advanced security analytics, and the ability to automate evidence collection.
Ori Wellington:What's a practical connection between ORM and TRM that really drives resilience?
Sam Jones:Okay, think about a third-party cyber incident involving a data processor. ORM sees the process failure, the contract clauses that were breached, the human steps that led to the data exposure. Right. TRM, through tools often profiled in this kind of research, sees the system impact, what data was accessed, which access controls failed, and where the immediate remediation needs to happen in the network. The ability of the ORM system to talk to the TRM system means the organization can correlate the business impact with the technical fix in minutes, not days.
Ori Wellington:And that's resilience.
Sam Jones:That turns resilience from a vague corporate slogan into a reliable, repeatable capability to absorb both operational and digital shocks.
Ori Wellington:Okay, let's move to A for assurance, which is powered by ERM and GRC. Assurance is about verification, right? Confirming that the systems and controls we think we have are actually operating effectively.
Sam Jones:It is the quality check. ERM ensures that assurance resources, your internal audit, your external reviewers, are focused on verifying the controls that are most critical to the enterprise strategy. GRC provides the tools to document the control definitions, track the testing evidence, and manage the remediation plans. It validates the quality of what the organization has built or adjusted in response to risk.
Ori Wellington:But the research gives a really strong warning about assurance. It says it cannot generate action. In fact, if your ERM, ORM, and TRM are weak, assurance can become a very expensive distraction.
Sam Jones:That is the essential structural warning for companies that are stuck at the 22% problem. If you are GRC centric, your assurance teams might be confirming that every single control is documented and tested with high fidelity. But if those controls were designed for a static known risk environment, they are completely ineffective against novel emerging risks.
Ori Wellington:So what's the team doing?
Sam Jones:The assurance team is simply documenting that the organization is diligently following processes that are failing to protect the strategy. It's a costly validation of a systemic failure.
Ori Wellington:It's the difference between assuring that the steering wheel is attached correctly and assuring that the car can actually navigate a patch of black ice.
Sam Jones:What a great analogy.
Ori Wellington:One is necessary, but only the latter addresses the emerging risk environment.
Sam Jones:Exactly. You need the performance and resilience capability to define and execute the right actions before assurance can come in and verify their effectiveness.
Ori Wellington:Okay, finally, we have C for compliance, driven by GRC and TRM. This pairing seems pretty intuitive because it addresses the legal and regulatory mandate.
Sam Jones:It's the foundation of staying out of jail. GRC excels at defining the policies and identifying the obligations that arise from new regulations. For instance, new ESG reporting requirements or stricter data localization rules.
Ori Wellington:Right.
Sam Jones:TRM, utilizing its connectivity to the technology stack, is then responsible for the technical enforcement. It implements the necessary changes like mandatory access controls or specific data encryption methods to make sure the organization is compliant in its systems and services.
Ori Wellington:But again, there's a big caveat here. An organization can have top-tier, compliance-strong GRC and TRM and still be strategically fragile.
Sam Jones:That is the ultimate risk management paradox of the 22% problem. Compliance is about meeting a minimum threshold of required behavior. An enterprise can be 100% compliant with all current cyber reporting rules, yet be strategically exposed to an emerging non-regulated risk that fundamentally threatens its business model.
Ori Wellington:Like what?
Sam Jones:Like the erosion of trust due to AI transparency failures. The performance capabilities from ERM and ORM and the resilience capabilities from ORM and TRM are what keep the business running and competitive. Compliance and assurance just keep it legal and auditable. You need all four.
Ori Wellington:The IRM navigator model provides a clear roadmap, but it also gives a forecast of what organizations can expect based on their current investment posture. Let's look ahead. What does the research predict for the majority of organizations that remain stuck in that GRC-centric world?
Sam Jones:The forecast is, unfortunately, a persistent problem. Reporting stagnation. Most organizations will remain firmly in that 22% action band through at least 2027.
Ori Wellington:For years.
Sam Jones:Yes. They'll continue to optimize for reporting visibility: better charts, more precise scores, rather than for decision architecture. They will solve the visibility problem repeatedly, but the reflex won't fire because the necessary investment balance just isn't there.
Ori Wellington:So the funnel of inaction persists for the average company. Where does the necessary structural change begin then?
Sam Jones:A subset of forward-thinking leaders will initiate what's called the reflex building stage between 2025 and 2029. These are the ones who realize they have to shift from auditing the past to preparing for the future.
Ori Wellington:And what do they do?
Sam Jones:They'll deliberately follow the IRM navigator roadmap. They will prioritize strengthening ERM and ORM first to unlock performance and then harden TRM to build out resilience. And they will measure their success not by risk scores, but by decision velocity. Decision velocity. How fast can they convert an emerging threat into a board-approved course correction? That's the metric that matters.
Ori Wellington:That moves them past the embedded state and toward the extended state. And what is the ultimate maturity aspiration we see emerging toward the end of the decade?
Sam Jones:That is the autonomous IRM stage, which is projected to emerge between 2027 and 2032. This isn't just integrated systems, this is automated sensing and response.
Kelsey Hutchinson:Wow.
Sam Jones:It combines the continuous telemetry and digital evidence collection of TRM with the process monitoring of ORM. This will allow early adopters to use AI-assisted workflows to sense specific emerging risks, like a rapid surge in malicious insider behavior or a highly targeted third-party vulnerability, and automatically propose low regret response options in near real time.
Ori Wellington:That sounds like moving beyond just building the reflex to making the reflex run continuously in the background. It frees up human bandwidth for high-level strategy.
Sam Jones:Precisely. Human strategy and decision making will always remain paramount. But the daily burden of sensing and framing these risks is largely automated, which ensures the organization is always poised for movement.
Ori Wellington:Okay, for the risk leaders and senior executives listening right now, this is the action plan. Based on this entire structural analysis, what are the mandatory steps they must take today to start shifting their investment curve and get out of this trap?
Sam Jones:First, they have to perform an investment audit. Use the IRM Navigator Maturity Curve (Foundational, Coordinated, Embedded, Extended, Autonomous) as a benchmark. Understand where your spending is actually distributed across GRC, ERM, ORM, and TRM.
Ori Wellington:And what are they looking for?
Sam Jones:If your GRC technology investment absolutely dwarfs the combined investment in the other three, you have identified the structural root of your 22% problem. And resources like the IRM Navigator Annual Viewpoint 2025 and the IRM 50 Vendor Index 2025 can provide the market context needed to benchmark that spending asymmetry.
Ori Wellington:So once they know their position, they have to change the output. They have to kill the problem precision report.
Sam Jones:Absolutely. Redesign reporting. From this point forward, every emerging risk item presented to the board must adhere to the solution options framework. You have to frame risks in terms of goals, present paced trade-offs, and define the cost of inaction. Never again report an abstract risk score without connecting it to a specific strategic goal and a recommended low regret action plan.
Ori Wellington:And the practical integration of the operational teams seems vital for grounding those options in reality.
Sam Jones:It's non-negotiable. Include operational teams. Leaders must ensure that their ORM and TRM teams, the people who deal with real-time process integrity and technical performance, are fully wired into the risk analysis and the solution design process. They are the source of the high fidelity KRIs and the telemetry data you need to make your solution options realistic and effective.
Ori Wellington:And finally, changing how they define success.
Sam Jones:Measure action, not visibility. Success can no longer be measured by the comprehensiveness of the risk catalog or the clarity of the presentation charts. Leaders must start measuring the effectiveness of their program by the number of meaningful decisions, course corrections, and low regret actions taken by the executive team and the board as a direct result of their emerging risk reports.
Ori Wellington:This research is critical not just for the internal leaders, but for the entire ecosystem supporting them. I'm talking about the technology vendors and the advisory firms.
Sam Jones:That's right. For vendors profiled in the research like Riskonnect, ServiceNow, OneTrust, Archer, and even the big advisory firms like KPMG and EY, the focus has to shift from enhancing visibility to enabling movement. Future platform competitiveness will be judged on how effectively they can unify data across the four IRM navigator domains and provide decision support workflows that shorten the path from a signal coming from ORM or TRM to an action, which is driven by ERM and GRC.
Ori Wellington:The IRM Navigator Vendor Compass reports are already assessing vendors with this lens, right?
Sam Jones:Yes, that's the core of the analysis. And for advisors, this model provides the necessary strategic language to guide their clients out of the reporting plateau. The IRM Navigator Vendor Compass for Risk Management Consulting, or RMC, addresses this need for partners who can connect the strategic intent of a client with the technological capability required.
Ori Wellington:So they need to use the model.
Sam Jones:Advisory firms must use the IRM navigator model to provide transformation roadmaps that address the investment asymmetry directly, moving clients from a GRC-centric organization to one with a balanced, full-body, emerging risk reflex.
Ori Wellington:This deep dive has, I think, fundamentally recalibrated how we need to understand strategic paralysis. We've moved from the idea that the problem is insufficient data, that failed strategy of problem precision, to the realization that the 22% problem is a structural investment issue, and it's rooted in this GRC-centric asymmetry. The organization has built the eye and the ear, but it's failed to build the necessary operational and strategic movement capacity.
Sam Jones:The solution is the deliberate, balanced building of that pre-free focused emerging risk reflex. This means prioritizing investment in ERM and ORM to drive performance and TRM to drive resilience. It's about engineering a system where when the board sees a significant risk, they don't see an abstract threat. They see a clear choice, a paced path forward, and an achievable trade-off.
Ori Wellington:So the real question then is no longer whether you can see the emerging risks. 76% of organizations already can. The question for you now is whether your structural capabilities, as defined by the IRM Navigator model, allow you to move when the stakes are highest.
Sam Jones:And for risk leaders and senior executives who are seeking to apply this framework and benchmark their organizations against market leaders, the detailed research that underpins this whole deep dive is available now. This includes the full series of IRM Navigator Vendor Compass reports for governance, risk and compliance, operational risk management, and risk management consulting. You can access these vital resources at wheelhouseadvisors.com.
Ori Wellington:And be sure to look out for the next critical piece of this puzzle, the IRM Navigator Vendor Compass for Enterprise Risk Management Report. It's publishing this December, and it will be essential for those aiming to strengthen that performance capability we spent so much time on today. You'll find vendors like Riskonnect, ServiceNow, OneTrust, Archer, KPMG, and EY profiled across all of this invaluable research. Go assess your structure and go make sure you can move. We'll see you on the next deep dive.