The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S6E3: The IRM Navigator™ - Turning Risk Into A Strategic Operating Model
Risk work that lives in reports but not in decisions is a hidden tax on performance. We tackle that problem head-on by unpacking the IRM Navigator, an operating model that connects standards and roles to the real systems and moments where choices are made. Instead of treating risk as a sidecar, we show how to embed it into approvals, planning, and daily operations so decision velocity and decision quality rise together.
We start by locating the Navigator within a clear four-layer stack: principles and standards set intent, the three lines model defines accountability, and execution lives in processes and platforms. The missing middle is operating integration. From there, we reframe outcomes around four executive priorities: performance, resilience, assurance, and compliance. That lens shifts conversations from control checklists to growth, continuity, confidence, and efficient obligations management which is the language leaders use when allocating capital.
Then we get practical. We map risk to four integration seams—goals, processes, assets, and policies—so that when a policy changes, linked assets and processes update automatically and related strategic goals reflect the new risk posture. Real examples bring the shift to life, like vendor risk checks built into procurement workflows via live APIs. We also outline the maturity path from foundational and coordinated to embedded, extended across third parties, and ultimately autonomous with AI-driven sensing, testing, mitigation, and verification. The throughline is clear: you cannot buy your way to integration; you must design and wire it.
If you’re ready to move from reporting on risk to managing with risk, this conversation is your blueprint. Hear how to build an enterprise nervous system that turns data into action and transforms risk from a cost center into a competitive edge. If this resonates, follow the show, share it with your team, and leave a review to help more leaders find a smarter path to integrated risk.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Setting The Stakes For IRM
Ori Wellington: Hello and welcome back, everyone. I'm Ori Wellington, an analyst here at Wheelhouse Advisors.
Sam Jones: And I'm Samantha Jones, also with Wheelhouse.
Ori Wellington: You are tuning in to another edition of The Risk Wheelhouse. This is the show where we uh we try to crack open the often dense, sometimes chaotic, but always absolutely critical world of integrated risk management, IRM.
Sam Jones: That's right. And our goal here is pretty simple, really. We want to help you navigate the market, understand the trends that actually matter, and you know, frankly, figure out how to stop risk from being a four-letter word in your organization.
Ori Wellington: And start making it a strategic asset.
Sam Jones: Exactly.
Why Coordination Isn’t Integration
Ori Wellington: And today we are doing something a little different. Usually we might bounce around a few different news items or market updates, but today is a proper deep dive. We're focusing entirely on a single high-impact article that I genuinely believe is going to change the way a lot of you look at your own organizations.
Sam Jones: It really is a foundational piece. We're going to be dissecting IRM Navigator, the operating model for integrated risk management.
Ori Wellington: And we absolutely have to mention the author right up top, because in this uh in this specific sandbox, his name carries a ton of weight. This piece was written by John A. Wheeler.
Sam Jones: Right. And for those listeners who might be newer to the industry or maybe you just joined a risk team recently, John isn't just an observer writing commentary. He's the founder and CEO of Wheelhouse Advisors. But I mean, more importantly for the history books, he's the person who actually coined the term integrated risk management back in 2016.
Ori Wellington: Which is just wild to think about. I mean, before that point, we were all just sort of swimming in the soup of GRC, governance, risk, and compliance, and dealing with all that legacy tech. He was the one leading the research that effectively said, hey, we need to move beyond just checking boxes.
Sam Jones: Exactly. So when he sits down to write about where the industry's going, or specifically about something like an operating model, it's not speculation. It's coming from what, nearly a decade of defining this entire category.
Ori Wellington: So let's get into the meat of this. Here's the problem statement, or the hook, as I like to call it. I talk to a lot of companies, and you do too. And they tell us, look, we've done the work.
Sam Jones: Right. They feel like they've checked all the boxes.
Ori Wellington: Exactly. They say, we have an enterprise risk management program. We have standards. We know who is accountable for what. They have the binders, they have the software, they have the committee meetings.
Sam Jones: They have the heat maps. Oh, everyone loves a heat map.
Ori Wellington: Oh, the heat maps, red, yellow, green. It looks fantastic on a slide deck. But, and here's the twist: when you actually look at how they make decisions, how they plan for the next year, where they allocate capital, how they run their daily operations, risk data is nowhere to be found. That is the central conflict. The risk team is over here doing risk things, and the business is over there doing business things. And they just don't meet. Never. And that is exactly the thesis of John's article. He argues the gap isn't conceptual anymore. People get the concepts. The gap is operational. Organizations are stuck at what he calls coordination. They're coordinating risk activities, sure.
Sam Jones: But they haven't moved to embedded management.
Standards Set Intent, Not Operations
Ori Wellington: Coordination versus embedded management. That is the key distinction we are going to unpack today. Before we dive into the details, just a quick housekeeping note for everyone listening. You can find the full source material we're discussing today at risktechjournal.com. That's our free standard publication.
Sam Jones: And for those of you who want the really deep analysis, the kind of stuff you'd usually pay a fortune for from the big analyst firms, you should check out the RTJ Bridge. That's at RTJ-bridge.com. It's our premium deeper analysis published weekly, and it really is the best way to get that high-level insight at a fraction of the cost.
Ori Wellington: And of course, for everything else about us and the research we do, head to wheelhouseadvisors.com. Okay, plugs over, let's get to work. Section one, the operational gap. Let's do it. So paint the picture for me. What does it actually look like when a company is stalling in a coordinated state? Because coordinated sounds good, right? I mean, if I'm coordinating an event, that's a positive thing.
Sam Jones: It does sound positive, and that's why it is such a dangerous trap. It feels like progress, especially if you came from, you know, total chaos before that.
Ori Wellington: Right.
Sam Jones: In a coordinated state, an organization has usually centralized its risk registers.
Ori Wellington: Okay, so all the lists of bad things that could happen are in one place instead of scattered across 50 different spreadsheets on 50 different laptops.
Sam Jones: Exactly. And they've harmonized their taxonomies.
Ori Wellington: Which is just a fancy way of saying everyone agrees on what to call the risks, right? Right. We all agree that a cyber breach means the same thing in marketing as it does in IT.
Sam Jones: Precisely. You have a shared vocabulary. And you probably have a centralized reporting structure. The board gets a nice unified report every quarter. Looks great.
Ori Wellington: So what's the failure? I mean, that sounds like a well-oiled machine. Why is John saying this isn't enough?
Sam Jones: The failure is in the outcome. Despite all that centralization, decision velocity and decision quality don't improve.
Ori Wellington: Okay, break that down for me. Decision velocity.
Sam Jones: Speed. Can you make a safe decision faster because you have risk data? In a coordinated model, the answer is usually no. You have to stop, go ask the risk team for a report, wait for the analysis, and then you can proceed.
Ori Wellington: So the risk insight isn't happening in the meeting where the decision is being made.
Sam Jones: No, it's a sidecar. It's an afterthought.
Ori Wellington: It's an attachment to the email, not the text of the email itself.
Sam Jones: That is a great way to put it. And because it isn't integrated into the management systems that actually run the business, risk just becomes a reporting exercise. We are reporting on what happened or what we think might happen, but we aren't using that data to steer the ship in real time.
Ori Wellington: It feels like you're looking in the rearview mirror versus looking through the windshield.
Sam Jones: 100%.
Ori Wellington: So the natural question then is why haven't the standards fixed this? We have frameworks. We have ISO, we have NIST, and we have the big one, COSO. Why aren't they solving this operational gap?
Sam Jones: And this is a really crucial point in the article. Existing standards like COSO, and that's pronounced COSO for anyone taking notes, they're incredibly valuable, but they generally stop at two things: intent and structure.
Ori Wellington: Intent and structure. Okay. Unpack that.
Sam Jones: Right. So they describe alignment with strategy. They tell you that you should align risk with your goals, and they clarify accountability, who owns the risk, who checks the risk, who provides assurance.
Ori Wellington: But they don't give you the instruction manual.
Sam Jones: That's it. Exactly. They rarely prescribe how the data, the workflows, the evidence should be unified across different domains. They don't tell you how to get the data from the IT server log into the operational risk dashboard that the CFO is looking at automatically without some poor analyst pasting it into a spreadsheet in the middle.
Ori Wellington: It's the how. And that leads us directly to the mission of the IRM Navigator.
The Four-Layer Stack Explained
Sam Jones: Yes. So John defines the IRM Navigator not as another framework. We really don't need another one of those, and not as a control standard. And this is important, not as a technology platform. You can't just go buy the Navigator off the shelf and plug it in.
Ori Wellington: It's more of a mindset shift or a blueprint.
Sam Jones: It's a management operating model. Its specific goal is to translate that management intent, the we want to be safe and profitable idea, into unified execution. And it does that across four specific domains: enterprise, operational, technology, and compliance.
Ori Wellington: Okay, I really want to visualize this because I think the four-layer stack analogy in the article is the biggest aha moment for understanding where this all fits. Because I know our listeners are sitting there thinking, wait a minute, I just spent two years implementing the three lines of defense model. Are you telling me to throw that out now?
Sam Jones: Definitely not. And that's why the stack analogy is so helpful. It categorizes everything very clearly. So just imagine a layer cake with four layers.
Ori Wellington: Okay, I'm hungry, but I'm with you. Layer one, the bottom, the foundation.
Sam Jones: Layer one is principles and standards. This is where COSO ERM lives.
Ori Wellington: Okay. Cozo, Coso, got it.
Sam Jones: Right. The role of this layer is to define management intent. It's the statement of what effective ERM should accomplish. It talks about objective setting, risk appetite, culture. It's the why and the what.
Ori Wellington: Okay. So COSO says we intend to manage risk in order to create and preserve value.
Sam Jones: Correct. But as we just discussed, it has a limitation. It doesn't specify how to unify execution when your legal team uses one piece of software, your IT team uses another, and your ops team is still using clipboards and spreadsheets.
Ori Wellington: Right. Okay. Moving up the stack, layer two.
Sam Jones: Layer two is accountability models. This is the home of the three lines model from the IIA.
Ori Wellington: The Institute of Internal Auditors.
Sam Jones: Yes. The role here is accountability. It clarifies the roles. The first line owns the risk, that's management. The second line challenges and monitors, that's your risk and compliance functions. And the third line assures, that's internal audit.
Ori Wellington: Right. This is what stops everyone from pointing fingers when something goes wrong. I thought you were watching the firewall. No, I thought you were.
Sam Jones: Exactly. It reduces confusion about who does what. But again, the limitation. It is not an operating model. It doesn't tell you how a risk signal, say, a failed server, flows from the first line to the second line, or how evidence about it is generated and shared. It just says who is responsible for it when it happens.
Ori Wellington: So it's an org chart, not a wiring diagram.
Sam Jones: That is a perfect analogy. Now let's skip layer three for just a second. Let's go all the way to the top, layer four. This is execution and instrumentation.
Ori Wellington: The actual doing, the day-to-day.
Sam Jones: The doing. This is your processes, your controls, your workflows, and importantly, your RiskTech platforms. This is the software you log into every day.
Ori Wellington: So we have the intent at the bottom in layer one, the accountability in layer two, and the tools at the top in layer four. So what's missing? What's in the middle?
Sam Jones: The glue, the connective tissue. That is layer three, the IRM Navigator. Its role is operating integration.
PRAC: Objectives Executives Care About
Ori Wellington: So this sits between the high-level standards and the actual buttons you push on your keyboard every day.
Sam Jones: Yes. It defines the integration points. It defines the maturity progression. It defines the outcome measures. Without layer three, you can have great standards and clear roles, but your tools at the top are just functioning in silos because nothing has been architected to actually connect them in a meaningful way.
Ori Wellington: That makes so much sense. You can have the best blueprint, which is COSO, and the best construction crew with clear jobs, which is the three lines model. But if you don't have a project manager and a schedule, the Navigator, you're just gonna have a bunch of people standing around with hammers.
Sam Jones: Or worse, you'll have them building four different walls that don't meet in the corners.
Ori Wellington: Which happens way more often than we'd like to admit. Okay, so that's where it fits. Now let's talk about what it does. The article introduces this concept of PRAC, the four executive objectives.
Sam Jones: This is a really important shift in thinking. I mean, usually when you ask a risk manager what their objective is, they say things like compliance with Sarbanes-Oxley or achieving cybersecurity maturity level four.
Ori Wellington: Right. Very technical, very specific, and usually very boring to the CEO or the board.
Sam Jones: Exactly. The IRM Navigator structures risk management around four executive objectives that actually mean something to the CEO and the board. And the crucial distinction here is that PRAC is not a reporting construct. You don't go and create a PRAC report. It's an alignment mechanism.
Ori Wellington: Okay, let's walk through them. P is for performance.
Sam Jones: Performance. This is about enabling better decisions and creating value under uncertainty. It's moving beyond just avoiding bad things. This is about taking the right risks to actually grow the business.
Ori Wellington: This is the one that always trips people up. Risk management helps performance.
Sam Jones: But it's true, isn't it? If you have better brakes on your car, you can drive faster, not slower.
Ori Wellington: That's the analogy. If you know exactly where the cliff edge is, you can drive right up to it and enjoy the amazing view. If you're just driving in the dark with no idea, you have to crawl along at five miles an hour. Performance is about using risk data to go faster, safely.
Sam Jones: I love that. Okay. R is for resilience. Resilience? This is all about sustaining operations through disruption and stress. And note the word sustaining. It's not just about bouncing back after a disaster. It's about being able to operate through the disaster.
Ori Wellington: That's a huge topic right now, especially with supply chains. Yeah. It's not just do we have insurance if the factory burns down? It's can we shift production to a different factory within four hours and not miss a single order?
Sam Jones: Precisely. That is a resilience objective. It's active, not passive.
Ori Wellington: A is for assurance.
Sam Jones: Assurance. This is about increasing confidence that your controls and your responses operate as intended. This is the sleep at night factor for the board. How confident are we that the things we say we are doing on paper are actually happening in reality?
Ori Wellington: And finally, C is for compliance.
Sam Jones: Compliance. Meeting your obligations efficiently and predictably, and that word efficiently is key there. Compliance shouldn't be a fire drill every quarter where everyone stays late pasting screenshots into Word documents. It should be a natural byproduct of good, well-managed operations.
Ori Wellington: So when you put these together, performance, resilience, assurance, and compliance, you suddenly have a language that the entire C-suite speaks. The CEO cares about performance. The COO cares about resilience. The audit committee chair cares about assurance. The general counsel cares about compliance.
Sam Jones: Exactly. And the IRM Navigator says your risk operating model must serve all four of these objectives simultaneously. You can't just build a program for compliance and then hope it helps with performance. It won't. You have to design for it from the start.
Ori Wellington: So we've got the objectives. Now let's get into the mechanics of it. How do we actually stitch this whole monster together? The article talks about the four integration points.
Sam Jones: Right. So these are the seams in the organization where fragmentation usually happens. And John identifies four specific areas where you need to anchor your unification efforts.
Ori Wellington: Okay, walk us through them.
Sam Jones: First is goals. This aligns with your enterprise risk management activities. You have to link every significant risk to the strategic goals of the company. I mean, if a risk doesn't threaten a strategic goal or present an opportunity to achieve one, why are we spending time and money tracking it?
Ori Wellington: That's a fair point. Okay. What's next?
Sam Jones: Second is processes. This aligns with your operational risk management activities. You have to map risk to the actual business processes. Order to cash, procure to pay, hire to retire. If you don't understand the process, you can't possibly manage the risk within it.
Ori Wellington: Makes sense.
Goals, Processes, Assets, Policies
Sam Jones: Third is assets. This aligns with technology risk management activities. And when we say assets, we mean servers, data centers, laptops, but also your critical data sets, your intellectual property, the crown jewels.
Ori Wellington: And this is usually the domain of the CISO, the chief information security officer.
Sam Jones: Yeah.
Ori Wellington: And just for everyone, we pronounce that CISO.
Sam Jones: Right. The CISO usually owns the assets, but the risk to those assets directly impacts the processes and the goals. You can see how they start to connect, right?
Ori Wellington: And the fourth integration point.
Sam Jones: Fourth is policies. This aligns with your compliance and assurance activities. These are the rules of the road. The internal and external obligations you have to meet.
Ori Wellington: So goals, processes, assets, policies.
Sam Jones: And the distinction the article makes here is just vital. A coordinated program just collects information across these seams. They might have a big spreadsheet that lists a goal next to a process next to an asset.
Ori Wellington: But they aren't actually integrated. They're just neighbors on a page.
Sam Jones: Right. An embedded program integrates management execution across them. What that means is if a policy changes, it automatically triggers a review of the assets and processes associated with that policy, which in turn updates the risk score against the related strategic goal.
Ori Wellington: That is a dynamic system. That's not a report, that's a nervous system.
Sam Jones: That is the perfect metaphor. It's an enterprise nervous system.
Ori Wellington: But, and there's always a but, you can't just snap your fingers and have a nervous system. That takes time. It has to evolve. And this brings us to the maturity progression in the model.
Sam Jones: Yes. The roadmap. This is one of the most useful parts of the model for our listeners because it helps you self-diagnose. You can look at it and say, okay, where are we really?
Ori Wellington: And there are five stages. Let's run through them quickly. Stage one, foundational.
Sam Jones: Foundational. This is where most startups are, and frankly, some very large old companies too. It's siloed, it's manual, and it's largely reactive. Something breaks, you scramble to fix it. You might have a risk register, but it's probably an Excel file on someone's desktop.
Ori Wellington: Stage two, coordinated.
Sam Jones: Coordinated. This is the trap. This is where the article suggests many large organizations get stuck. You have centralized reporting, you've probably bought a GRC tool, but the workflows are still fragmented. The data is pulled in manually once a quarter for the big report. It looks pretty, but it's stale the minute it's published.
Ori Wellington: Okay. Stage three, embedded. This sounds like the goal.
Sam Jones: This is the tipping point. Embedded. This is where risk processes are integrated directly into your operational systems and your decision forums.
Ori Wellington: Give me a real-world example of integrated into operational systems.
Sam Jones: Okay. Imagine a procurement system. A manager wants to hire a new vendor. In a coordinated model, they hire the vendor, and then maybe a month later, the risk team gets a list and checks if that vendor is compliant or has a bad security score.
Ori Wellington: Too late. The contract is already signed.
Sam Jones: Exactly. In an embedded model, the procurement software itself has a live API connection that checks the vendor's credit rating and their real-time cyber score before the manager can even click the approve button. The risk check is part of the transaction, not a separate activity.
Ori Wellington: That's powerful. Oh. Okay, stage four. Extended.
Sam Jones: Extended takes that internal integration and pushes it outside your four walls, out to your third parties. You have shared platforms and shared taxonomies across the enterprise and your critical ecosystem partners. Your key vendors might be feeding risk data directly into your risk model in real time.
Ori Wellington: And finally, the sci-fi stage. Stage five, autonomous.
Sam Jones: Autonomous. This is where AI really comes in. And we're talking about AI-driven sensing, testing, mitigation, and verification, all with real-time assurance.
Ori Wellington: So in this world, the system detects a new type of cyber threat, automatically deploys a patch to the vulnerable assets, and updates the compliance and risk scores without a human having to schedule a meeting about it.
Sam Jones: That's the vision. It's like the human immune system. Your body fights off a virus without you having to consciously tell your white blood cells what to do. That is the ultimate goal of the IRM Navigator maturity ladder.
Ori Wellington: It's fascinating, but I want to pause on the investment aspect here because the article notes that moving up this ladder isn't just about buying more expensive software.
From Foundational To Autonomous
Sam Jones: No, and that's a critical insight for anyone listening. The progression requires real investment in operating design, process discipline, and data unification. You cannot buy your way to stage five with just software licenses. You have to do the hard, unglamorous work of defining your processes and cleaning up your data.
Ori Wellington: It's the classic garbage in, garbage out rule. I mean, an AI can't save you if you don't even have a clear inventory of who owns your most critical servers.
Sam Jones: Exactly. That operating model, layer three of the cake, has to be built. It can't just be bought.
Ori Wellington: So we've covered the gap, the stack, the PRAC objectives, the mechanics of integration, and the maturity model. Now we get to the so what section. What are the big strategic implications of all this?
Sam Jones: I think if we synthesize all this, the ultimate goal of the IRM Navigator is to solve that original conflict we started with, that massive gap between doing risk work over here and managing the business over there. Right. If COSO is the intent and the three lines model is the accountability, the Navigator is what makes the actual integration actionable. It's the bridge between the two.
Ori Wellington: There's a quote in the article's discussion that I think just sums it up perfectly. Organizations that stop at coordination will continue to report on risk. Organizations that implement an operating model for integration will manage with risk.
Sam Jones: That is the bumper sticker right there. Manage with risk. It's a completely different verb.
Ori Wellington: It shifts risk from being a sidecar, you know, something annoying and heavy that slows you down, to being part of the driver, part of the navigation system that helps you get where you're going faster and safer.
Sam Jones: And just think about the competitive advantage there. If company A is reporting on risk, they are looking in that rearview mirror, they know what hit them last month. If company B is managing with risk, they're looking through the windshield with a high-tech HUD, they see the pothole before they hit it. I mean, who is gonna win that race?
Ori Wellington: Company B every single time. And in today's volatile market, whether it's geopolitical instability, AI disruption, climate change, the ability to see clearly through the windshield is basically the whole game.
Sam Jones: It is. It's no longer optional. The speed of risk itself has increased. You just can't wait for the quarterly report anymore. The world has already changed three times by then.
Ori Wellington: So let's wrap this up. We've been on a pretty big journey today. We started with the operational gap in ERM, what we call the coordination trap.
Sam Jones: We introduced the solution, the IRM Navigator, which sits as that crucial third layer in the stack between intent and accountability on one side and execution on the other.
Ori Wellington: We talked about the PRAC objectives, performance, resilience, assurance, and compliance, as the way to align with what the C-suite actually cares about.
Sam Jones: We looked at the four integration points, goals, processes, assets, and policies, as the seams that we need to stitch together across the organization.
Ori Wellington: And finally, we climbed the maturity ladder from a foundational reactive state all the way to a future that is autonomous and AI-driven.
Sam Jones: It's a comprehensive model. And again, it's not just theory. This is coming from the person who literally defined the space.
Ori Wellington: So here is my final provocative thought for our listeners. I want you to go back to your desk or to your next Zoom meeting, and I want you to look at the risk reports that you are either generating or receiving. Put them to the test. And ask yourself this question: Is this report telling me what happened, or is it helping me decide what to do right now? Are you a reporter or are you a manager?
Sam Jones: And then look at your operating model. Do you even have an operating model for integration? Or do you just have a list of people in different departments who are supposed to talk to each other every so often? The difference between those two things is the IRM Navigator.
Ori Wellington: That is the question to mull over. If you want to dig deeper into the source material, and I highly, highly recommend you do, head over to risktechjournal.com.
Manage With Risk, Not About Risk
Sam Jones: And for that next level analysis, remember to visit rtj-bridge.com to subscribe to the RTJ Bridge. It's weekly, it's deep, and it's a fraction of the cost of the big research firms.
Ori Wellington: And for more on the firm behind the model, you can always find us at wheelhouseadvisors.com. Thank you all for listening to The Risk Wheelhouse.
Sam Jones: Thanks for listening. Keep navigating.
Ori Wellington: See you next time.