The Risk Wheelhouse

S6E3: The IRM Navigator™ - Turning Risk Into A Strategic Operating Model

Wheelhouse Advisors LLC Season 6 Episode 3

Risk work that lives in reports but not in decisions is a hidden tax on performance. We tackle that problem head-on by unpacking the IRM Navigator, an operating model that connects standards and roles to the real systems and moments where choices are made. Instead of treating risk as a sidecar, we show how to embed it into approvals, planning, and daily operations so decision velocity and decision quality rise together.

We start by locating the Navigator within a clear four-layer stack: principles and standards set intent, the three lines model defines accountability, and execution lives in processes and platforms. The missing middle is operating integration. From there, we reframe outcomes around four executive priorities: performance, resilience, assurance, and compliance. That lens shifts conversations from control checklists to growth, continuity, confidence, and efficient obligations management, which is the language leaders use when allocating capital.

Then we get practical. We map risk to four integration seams—goals, processes, assets, and policies—so that when a policy changes, linked assets and processes update automatically and related strategic goals reflect the new risk posture. Real examples bring the shift to life, like vendor risk checks built into procurement workflows via live APIs. We also outline the maturity path from foundational and coordinated to embedded, extended across third parties, and ultimately autonomous with AI-driven sensing, testing, mitigation, and verification. The throughline is clear: you cannot buy your way to integration; you must design and wire it.

If you’re ready to move from reporting on risk to managing with risk, this conversation is your blueprint. Hear how to build an enterprise nervous system that turns data into action and transforms risk from a cost center into a competitive edge. If this resonates, follow the show, share it with your team, and leave a review to help more leaders find a smarter path to integrated risk.



Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.

Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.


Ori Wellington:

Hello and welcome back, everyone. I'm Ori Wellington, an analyst here at Wheelhouse Advisors.

Sam Jones:

And I'm Samantha Jones, also with Wheelhouse.

Ori Wellington:

You are tuning in to another edition of The Risk Wheelhouse. This is the show where we uh we try to crack open the often dense, sometimes chaotic, but always absolutely critical world of integrated risk management, IRM.

Sam Jones:

That's right. And our goal here is pretty simple, really. We want to help you navigate the market, understand the trends that actually matter, and you know, frankly, figure out how to stop risk from being a four-letter word in your organization.

Ori Wellington:

And start making it a strategic asset.

Sam Jones:

Exactly.

Ori Wellington:

And today we are doing something a little different. Usually we might bounce around a few different news items or market updates, but today is a proper deep dive. We're focusing entirely on a single high-impact article that I genuinely believe is going to change the way a lot of you look at your own organizations.

Sam Jones:

It really is a foundational piece. We're going to be dissecting IRM Navigator, the operating model for integrated risk management.

Ori Wellington:

And we absolutely have to mention the author right up top, because in this uh in this specific sandbox, his name carries a ton of weight. This piece was written by John A. Wheeler.

Sam Jones:

Right. And for those listeners who might be newer to the industry or maybe you just joined a risk team recently, John isn't just an observer writing commentary. He's the founder and CEO of Wheelhouse Advisors. But I mean, more importantly for the history books, he's the person who actually coined the term integrated risk management back in 2016.

Ori Wellington:

Which is just wild to think about. I mean, before that point, we were all just sort of swimming in the soup of GRC governance, risk, and compliance, and dealing with all that legacy tech. He was the one leading the research that effectively said, hey, we need to move beyond just checking boxes.

Sam Jones:

Exactly. So when he sits down to write about where the industry's going, or specifically about something like an operating model, it's not speculation. It's coming from what, nearly a decade of defining this entire category.

Ori Wellington:

So let's get into the meat of this. Here's the problem statement, or the hook, as I like to call it. I talk to a lot of companies, and you do too. And they tell us, look, we've done the work.

Sam Jones:

Right. They feel like they've checked all the boxes.

Ori Wellington:

Exactly. They say, we have an enterprise risk management program. We have standards. We know who is accountable for what. They have the binders, they have the software, they have the committee meetings.

Sam Jones:

They have the heat maps. Oh, everyone loves a heat map.

Ori Wellington:

Oh, the heat maps, red, yellow, green. It looks fantastic on a slide deck. But, and here's the twist: when you actually look at how they make decisions, how they plan for the next year, where they allocate capital, how they run their daily operations, risk data is nowhere to be found. That is the central conflict. The risk team is over here doing risk things, and the business is over there doing business things. And they just don't meet. Never. And that is exactly the thesis of John's article. He argues the gap isn't conceptual anymore. People get the concepts. The gap is operational. Organizations are stuck at what he calls coordination. They're coordinating risk activities, sure.

Sam Jones:

But they haven't moved to embedded management.

Ori Wellington:

Coordination versus embedded management. That is the key distinction we are going to unpack today. Before we dive into the details, just a quick housekeeping note for everyone listening. You can find the full source material we're discussing today at risktechjournal.com. That's our free standard publication.

Sam Jones:

And for those of you who want the really deep analysis, the kind of stuff you'd usually pay a fortune for from the big analyst firms, you should check out the RTJ Bridge. That's at RTJ-bridge.com. It's our premium deeper analysis published weekly, and it really is the best way to get that high-level insight at a fraction of the cost.

Ori Wellington:

And of course, for everything else about us and the research we do, head to wheelhouseadvisors.com. Okay, plugs over, let's get to work. Section one, the operational gap. Let's do it. So paint the picture for me. What does it actually look like when a company is stalling in a coordinated state? Because coordinated sounds good, right? I mean, if I'm coordinating an event, that's a positive thing.

Sam Jones:

It does sound positive, and that's why it is such a dangerous trap. It feels like progress, especially if you came from, you know, total chaos before that.

Ori Wellington:

Right.

Sam Jones:

In a coordinated state, an organization has usually centralized its risk registers.

Ori Wellington:

Okay, so all the lists of bad things that could happen are in one place instead of scattered across 50 different spreadsheets on 50 different laptops.

Sam Jones:

Exactly. And they've harmonized their taxonomies.

Ori Wellington:

Which is just a fancy way of saying everyone agrees on what to call the risks, right? Right. We all agree that a cyber breach means the same thing in marketing as it does in IT.

Sam Jones:

Precisely. You have a shared vocabulary. And you probably have a centralized reporting structure. The board gets a nice unified report every quarter. Looks great.

Ori Wellington:

So what's the failure? I mean, that sounds like a well-oiled machine. Why is John saying this isn't enough?

Sam Jones:

The failure is in the outcome. Despite all that centralization, decision velocity and decision quality don't improve.

Ori Wellington:

Okay, break that down for me. Decision velocity.

Sam Jones:

Speed. Can you make a safe decision faster because you have risk data? In a coordinated model, the answer is usually no. You have to stop, go ask the risk team for a report, wait for the analysis, and then you can proceed.

Ori Wellington:

So the risk insight isn't happening in the meeting where the decision is being made.

Sam Jones:

No, it's a sidecar. It's an afterthought.

Ori Wellington:

It's an attachment to the email, not the text of the email itself.

Sam Jones:

That is a great way to put it. And because it isn't integrated into the management systems that actually run the business, risk just becomes a reporting exercise. We are reporting on what happened or what we think might happen, but we aren't using that data to steer the ship in real time.

Ori Wellington:

It feels like you're looking in the rearview mirror versus looking through the windshield.

Sam Jones:

100%.

Ori Wellington:

So the natural question then is why haven't the standards fixed this? We have frameworks. We have ISO, we have NIST, and we have the big one, COSO. Why aren't they solving this operational gap?

Sam Jones:

And this is a really crucial point in the article. Existing standards like COSO, and that's pronounced COSO for anyone taking notes, they're incredibly valuable, but they generally stop at two things: intent and structure.

Ori Wellington:

Intent and structure. Okay. Unpack that.

Sam Jones:

Right. So they describe alignment with strategy. They tell you that you should align risk with your goals, and they clarify accountability, who owns the risk, who checks the risk, who provides assurance.

Ori Wellington:

But they don't give you the instruction manual.

Sam Jones:

That's it. Exactly. They rarely prescribe how the data, the workflows, the evidence should be unified across different domains. They don't tell you how to get the data from the IT server log into the operational risk dashboard that the CFO is looking at automatically without some poor analyst pasting it into a spreadsheet in the middle.

Ori Wellington:

It's the how. And that leads us directly to the mission of the IRM navigator.

Sam Jones:

Yes. So John defines the IRM navigator not as another framework. We really don't need another one of those, and not as a control standard. And this is important, not as a technology platform. You can't just go buy the navigator off the shelf and plug it in.

Ori Wellington:

It's more of a mindset shift or a blueprint.

Sam Jones:

It's a management operating model. Its specific goal is to translate that management intent, the "we want to be safe and profitable" idea, into unified execution. And it does that across four specific domains: enterprise, operational, technology, and compliance.

Ori Wellington:

Okay, I really want to visualize this because I think the four-layer stack analogy in the article is the biggest aha moment for understanding where this all fits. Because I know our listeners are sitting there thinking, wait a minute, I just spent two years implementing the three lines of defense model. Are you telling me to throw that out now?

Sam Jones:

Definitely not. And that's why the stack analogy is so helpful. It categorizes everything very clearly. So just imagine a layer cake with four layers.

Ori Wellington:

Okay, I'm hungry, but I'm with you. Layer one, the bottom, the foundation.

Sam Jones:

Layer one is principles and standards. This is where COSO ERM lives.

Ori Wellington:

Okay. COSO, COSO, got it.

Sam Jones:

Right. The role of this layer is to define management intent. It's the statement of what effective ERM should accomplish. It talks about objective setting, risk appetite, culture. It's the why and the what.

Ori Wellington:

Okay. So COSO says we intend to manage risk in order to create and preserve value.

Sam Jones:

Correct. But as we just discussed, it has a limitation. It doesn't specify how to unify execution when your legal team uses one piece of software, your IT team uses another, and your ops team is still using clipboards and spreadsheets.

Ori Wellington:

Right. Okay. Moving up the stack, layer two.

Sam Jones:

Layer two is accountability models. This is the home of the Three Lines Model from the IIA.

Ori Wellington:

The Institute of Internal Auditors.

Sam Jones:

Yes. The role here is accountability. It clarifies the roles. The first line owns the risk, that's management. The second line challenges and monitors, that's your risk and compliance functions. And the third line assures, that's internal audit.

Ori Wellington:

Right. This is what stops everyone from pointing fingers when something goes wrong. I thought you were watching the firewall. No, I thought you were.

Sam Jones:

Exactly. It reduces confusion about who does what. But again, the limitation. It is not an operating model. It doesn't tell you how a risk signal, say, a failed server, flows from the first line to the second line, or how evidence about it is generated and shared. It just says who is responsible for it when it happens.

Ori Wellington:

So it's an org chart, not a wiring diagram.

Sam Jones:

That is a perfect analogy. Now let's skip layer three for just a second. Let's go all the way to the top, layer four. This is execution and instrumentation.

Ori Wellington:

The actual doing, the day-to-day.

Sam Jones:

The doing. This is your processes, your controls, your workflows, and importantly, your risk tech platforms. This is the software you log into every day.

Ori Wellington:

So we have the intent at the bottom in layer one, the accountability in layer two, and the tools at the top in layer four. So what's missing? What's in the middle?

Sam Jones:

The glue, the connective tissue. That is layer three, the IRM navigator. Its role is operating integration.

Ori Wellington:

So this sits between the high-level standards and the actual buttons you push on your keyboard every day.

Sam Jones:

Yes. It defines the integration points. It defines the maturity progression. It defines the outcome measures. Without layer three, you can have great standards and clear roles, but your tools at the top are just functioning in silos because nothing has been architected to actually connect them in a meaningful way.

Ori Wellington:

That makes so much sense. You can have the best blueprint, which is COSO, and the best construction crew with clear jobs, which is the three lines model. But if you don't have a project manager and a schedule, the navigator, you're just gonna have a bunch of people standing around with hammers.

Sam Jones:

Or worse, you'll have them building four different walls that don't meet in the corners.

Ori Wellington:

Which happens way more often than we'd like to admit. Okay, so that's where it fits. Now let's talk about what it does. The article introduces this concept of PRAC, the four executive objectives.

Sam Jones:

This is a really important shift in thinking. I mean, usually when you ask a risk manager what their objective is, they say things like compliance with Sarbanes-Oxley or achieving cybersecurity maturity level four.

Ori Wellington:

Right. Very technical, very specific, and usually very boring to the CEO or the board.

Sam Jones:

Exactly. The IRM navigator structures risk management around four executive objectives that actually mean something to the CEO and the board. And the crucial distinction here is that PRAC is not a reporting construct. You don't go and create a PRAC report. It's an alignment mechanism.

Ori Wellington:

Okay, let's walk through them. P is for performance.

Sam Jones:

Performance. This is about enabling better decisions and creating value under uncertainty. It's moving beyond just avoiding bad things. This is about taking the right risks to actually grow the business.

Ori Wellington:

This is the one that always trips people up. Risk management helps performance.

Sam Jones:

But it's true, isn't it? If you have better brakes on your car, you can drive faster, not slower.

Ori Wellington:

That's the analogy. If you know exactly where the cliff edge is, you can drive right up to it and enjoy the amazing view. If you're just driving in the dark with no idea, you have to crawl along at five miles an hour. Performance is about using risk data to go faster, safely.

Sam Jones:

I love that. Okay. R is for resilience. Resilience? This is all about sustaining operations through disruption and stress. And note the word sustaining. It's not just about bouncing back after a disaster. It's about being able to operate through the disaster.

Ori Wellington:

That's a huge topic right now, especially with supply chains. Yeah. It's not just do we have insurance if the factory burns down? It's can we shift production to a different factory within four hours and not miss a single order?

Sam Jones:

Precisely. That is a resilience objective. It's active, not passive.

Ori Wellington:

A is for assurance.

Sam Jones:

Assurance. This is about increasing confidence that your controls and your responses operate as intended. This is the sleep at night factor for the board. How confident are we that the things we say we are doing on paper are actually happening in reality?

Ori Wellington:

And finally, C is for compliance.

Sam Jones:

Compliance. Meeting your obligations efficiently and predictably, and that word efficiently is key there. Compliance shouldn't be a fire drill every quarter where everyone stays late pasting screenshots into Word documents. It should be a natural byproduct of good, well-managed operations.

Ori Wellington:

So when you put these together, performance, resilience, assurance, and compliance, you suddenly have a language that the entire C-suite speaks. The CEO cares about performance. The COO cares about resilience. The audit committee chair cares about assurance. The general counsel cares about compliance.

Sam Jones:

Exactly. And the IRM Navigator says your risk operating model must serve all four of these objectives simultaneously. You can't just build a program for compliance and then hope it helps with performance. It won't. You have to design for it from the start.

Ori Wellington:

So we've got the objectives. Now let's get into the mechanics of it. How do we actually stitch this whole monster together? The article talks about the four integration points.

Sam Jones:

Right. So these are the seams in the organization where fragmentation usually happens. And John identifies four specific areas where you need to anchor your unification efforts.

Ori Wellington:

Okay, walk us through them.

Sam Jones:

First is goals. This aligns with your enterprise risk management activities. You have to link every significant risk to the strategic goals of the company. I mean, if a risk doesn't threaten a strategic goal or present an opportunity to achieve one, why are we spending time and money tracking it?

Ori Wellington:

That's a fair point. Okay. What's next?

Sam Jones:

Second is processes. This aligns with your operational risk management activities. You have to map risk to the actual business processes. Order to cash, procure to pay, hire to retire. If you don't understand the process, you can't possibly manage the risk within it.

Ori Wellington:

Makes sense.

Sam Jones:

Third is assets. This aligns with technology risk management activities. And when we say assets, we mean servers, data centers, laptops, but also your critical data sets, your intellectual property, the crown jewels.

Ori Wellington:

And this is usually the domain of the CISO, the chief information security officer.

Sam Jones:

Yeah.

Ori Wellington:

And just for everyone, we pronounce that CISO.

Sam Jones:

Right. The CISO usually owns the assets, but the risk to those assets directly impacts the processes and the goals. You can see how they start to connect, right?

Ori Wellington:

And the fourth integration point.

Sam Jones:

Fourth is policies. This aligns with your compliance and assurance activities. These are the rules of the road. The internal and external obligations you have to meet.

Ori Wellington:

So goals, processes, assets, policies.

Sam Jones:

And the distinction the article makes here is just vital. A coordinated program just collects information across these seams. They might have a big spreadsheet that lists a goal next to a process next to an asset.

Ori Wellington:

But they aren't actually integrated. They're just neighbors on a page.

Sam Jones:

Right. An embedded program integrates management execution across them. What that means is if a policy changes, it automatically triggers a review of the assets and processes associated with that policy, which in turn updates the risk score against the related strategic goal.

Ori Wellington:

That is a dynamic system. That's not a report, that's a nervous system.

Sam Jones:

That is the perfect metaphor. It's an enterprise nervous system.

Ori Wellington:

But and there's always a but. You can't just snap your fingers and have a nervous system. That takes time. It has to evolve. And this brings us to the maturity progression in the model.

Sam Jones:

Yes. The roadmap. This is one of the most useful parts of the model for our listeners because it helps you self-diagnose. You can look at it and say, okay, where are we really?

Ori Wellington:

And there are five stages. Let's run through them quickly. Stage one, foundational.

Sam Jones:

Foundational. This is where most startups are, and frankly, some very large old companies too. It's siloed, it's manual, and it's largely reactive. Something breaks, you scramble to fix it. You might have a risk register, but it's probably an Excel file on someone's desktop.

Ori Wellington:

Stage two, coordinated.

Sam Jones:

Coordinated. This is the trap. This is where the article suggests many large organizations get stuck. You have centralized reporting, you've probably bought a GRC tool, but the workflows are still fragmented. The data is pulled in manually once a quarter for the big report. It looks pretty, but it's stale the minute it's published.

Ori Wellington:

Okay. Stage three, embedded. This sounds like the goal.

Sam Jones:

This is the tipping point. Embedded. This is where risk processes are integrated directly into your operational systems and your decision forums.

Ori Wellington:

Give me a real-world example of integrated into operational systems.

Sam Jones:

Okay. Imagine a procurement system. A manager wants to hire a new vendor. In a coordinated model, they hire the vendor, and then maybe a month later, the risk team gets a list and checks if that vendor is compliant or has a bad security score.

Ori Wellington:

Too late. The contract is already signed.

Sam Jones:

Exactly. In an embedded model, the procurement software itself has a live API connection that checks the vendor's credit rating and their real-time cyber score before the manager can even click the approve button. The risk check is part of the transaction, not a separate activity.

Ori Wellington:

That's powerful. Oh. Okay, stage four. Extended.

Sam Jones:

Extended takes that internal integration and pushes it outside your four walls out to your third parties. You have shared platforms and shared taxonomies across the enterprise and your critical ecosystem partners. Your key vendors might be feeding risk data directly into your risk model in real time.

Ori Wellington:

And finally, the sci-fi stage. Stage five, autonomous.

Sam Jones:

Autonomous. This is where AI really comes in. And we're talking about AI-driven sensing, testing, mitigation, and verification, all with real-time assurance.

Ori Wellington:

So in this world, the system detects a new type of cyber threat, automatically deploys a patch to the vulnerable assets, and updates the compliance and risk scores without a human having to schedule a meeting about it.

Sam Jones:

That's the vision. It's like the human immune system. Your body fights off a virus without you having to consciously tell your white blood cells what to do. That is the ultimate goal of the IRM navigator maturity ladder.

Ori Wellington:

It's fascinating, but I want to pause on the investment aspect here because the article notes that moving up this ladder isn't just about buying more expensive software.

Sam Jones:

No, and that's a critical insight for anyone listening. The progression requires real investment in operating design, process discipline, and data unification. You cannot buy your way to stage five with just software licenses. You have to do the hard, unglamorous work of defining your processes and cleaning up your data.

Ori Wellington:

It's the classic garbage in, garbage out rule. I mean, an AI can't save you if you don't even have a clear inventory of who owns your most critical servers.

Sam Jones:

Exactly. That operating model, layer three of the cake, has to be built. It can't just be bought.

Ori Wellington:

So we've covered the gap, the stack, the PRAC objectives, the mechanics of integration, and the maturity model. Now we get to the so what section. What are the big strategic implications of all this?

Sam Jones:

I think if we synthesize all this, the ultimate goal of the IRM navigator is to solve that original conflict we started with, that massive gap between doing risk work over here and managing the business over there. Right. If COSO is the intent and the three lines model is the accountability, the navigator is what makes the actual integration actionable. It's the bridge between the two.

Ori Wellington:

There's a quote in the article's discussion that I think just sums it up perfectly. Organizations that stop at coordination will continue to report on risk. Organizations that implement an operating model for integration will manage with risk.

Sam Jones:

That is the bumper sticker right there. Manage with risk. It's a completely different verb.

Ori Wellington:

It shifts risk from being a sidecar, you know, something annoying and heavy that slows you down, to being part of the driver, part of the navigation system that helps you get where you're going faster and safer.

Sam Jones:

And just think about the competitive advantage there. If company A is reporting on risk, they are looking in that rearview mirror, they know what hit them last month. If company B is managing with risk, they're looking through the windshield with a high-tech HUD, they see the pothole before they hit it. I mean, who is gonna win that race?

Ori Wellington:

Company B every single time. And in today's volatile market, whether it's geopolitical instability, AI disruption, climate change, the ability to see clearly through the windshield is basically the whole game.

Sam Jones:

It is. It's no longer optional. The speed of risk itself has increased. You just can't wait for the quarterly report anymore. The world has already changed three times by then.

Ori Wellington:

So let's wrap this up. We've been on a pretty big journey today. We started with the operational gap in ERM, what we call the coordination trap.

Sam Jones:

We introduced the solution, the IRM navigator, which sits as that crucial third layer in the stack between intent and accountability on one side and execution on the other.

Ori Wellington:

We talked about the PRAC objectives, performance, resilience, assurance, and compliance, as the way to align with what the C-suite actually cares about.

Sam Jones:

We looked at the four integration points, goals, processes, assets, and policies, as the seams that we need to stitch together across the organization.

Ori Wellington:

And finally, we climbed the maturity ladder from a foundational reactive state all the way to a future that is autonomous and AI-driven.

Sam Jones:

It's a comprehensive model. And again, it's not just theory. This is coming from the person who literally defined the space.

Ori Wellington:

So here is my final provocative thought for our listeners. I want you to go back to your desk or to your next Zoom meeting, and I want you to look at the risk reports that you are either generating or receiving. Put them to the test. And ask yourself this question: Is this report telling me what happened, or is it helping me decide what to do right now? Are you a reporter or are you a manager?

Sam Jones:

And then look at your operating model. Do you even have an operating model for integration? Or do you just have a list of people in different departments who are supposed to talk to each other every so often? The difference between those two things is the IRM navigator.

Ori Wellington:

That is the question to mull over. If you want to dig deeper into the source material, and I highly, highly recommend you do, head over to risktechjournal.com.

Sam Jones:

And for that next level analysis, remember to visit rtj-bridge.com to subscribe to the RTJ Bridge. It's weekly, it's deep, and it's a fraction of the cost of the big research firms.

Ori Wellington:

And for more on the firm behind the model, you can always find us at wheelhouseadvisors.com. Thank you all for listening to the Risk Wheelhouse.

Sam Jones:

Thanks for listening. Keep navigating.

Ori Wellington:

See you next time.