The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S6E8: 2026 VC Sonar™ for Performance and Resilience
Risk teams don’t lose sleep over unknowns anymore. They lose sleep over lag. We dig into why time-to-action has eclipsed visibility as the true differentiator for performance and resilience, and how autonomous IRM turns risk signals into verified outcomes at operational speed. Drawing on the 2026 VC Sonar for Performance and Resilience, we explain the market’s second investment wave: operate-through resilience, third‑party dependency as a structural amplifier, and agentic AI raising expectations for execution. The core idea is simple but demanding: automate only what you can execute, and execute only what you can evidence.
We break down the five functional layers that form a digital nervous system for the enterprise—strategic oversight, business orchestration, threat validation, remediation and response, and verification and audit—showing how each layer reduces friction and creates trustworthy evidence as work happens. You’ll hear how ERM sets decision cadence and thresholds while ORM executes with speed, and why evidence closure is the gating dividend that earns board confidence and satisfies regulators. Speed without a narrative and audit trail isn’t progress; it’s exposure.
We also tour the VC Sonar’s augmentation landscape: tools that bolt onto platforms like ServiceNow or Archer to deliver autonomy without a rip-and-replace. From live board oversight and policy tracking to contract lifecycle intelligence, computer vision for EHS, verified crisis intelligence, and tier‑N supply chain mapping, we highlight the capabilities that cut coordination time, mitigate losses, and build trust you can prove months later. Our buyer guidance is pragmatic: stop shopping features, start investing for dividends—efficiency, loss mitigation, and trust—and sequence your roadmap so decision cadence and taxonomy come before flashy automation.
If you’re ready to shrink lag, earn trust on impact, and build systems that are not just fast but transparently accountable, this conversation is for you. Subscribe, share with your team, and leave a review with one question: where does lag still hide in your organization?
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Ori Wellington: Hello and welcome back to the Risk Wheelhouse. I'm Ori Wellington.
Sam Jones: And I'm Samantha Jones. But please call me Sam.
Ori Wellington: Sam, it is. We are so glad you're joining us today.
Sam Jones: Absolutely.
Ori Wellington: As you know, we're both analysts here at Wheelhouse Advisors, a global research and advisory firm based right here in Atlanta.
Sam Jones: Which is uh a little bit rainy today.
Ori Wellington: It is a little rainy, yeah. But we are keeping the energy high because we are tackling a subject that I think, I really think keeps a lot of people up at night. Even if they don't have the, you know, the specific vocabulary for it just yet.
Sam Jones: It's that feeling, isn't it? That 3 a.m. feeling in the back of your mind. Yes. You've done the work, you've documented everything, you've followed the rules, but there's still this nagging sense that something is going to catch you completely off guard.
Ori Wellington: Exactly. And that's what we're here to talk about. We are moving past the era of um just documenting things. You know the drill, and I know if you're listening to this, you definitely know the drill. Filling out the risk register, coloring in the heat map until it looks like a, I don't know, a Christmas tree, and then just crossing your fingers.
Sam Jones: And hoping for the best.
Ori Wellington: We are shifting. The market is shifting from an era of just knowing to an era of doing.
Sam Jones: It's a really pivotal moment. For the last decade, maybe even longer, the holy grail in our industry was all about visibility. Right. Can we see the risk? Can we count it? Can we categorize it? And now the goalpost is just completely moved. Visibility is table stakes.
Ori Wellington: Table stakes, I like that.
Sam Jones: It is. The new goal is velocity, it's speed. Can we actually act on that risk before it materially impacts the bottom line or you know your brand reputation?
Ori Wellington: So to guide us through this pretty massive shift, we're doing a deep dive today, a really deep dive into a very specific and uh very forward-looking piece of research. It's called the 2026 IRM Navigator VC Sonar for Performance and Resilience Report.
Sam Jones: Which is a mouthful. I will grant you that.
Ori Wellington: It is a bit of a mouthful, yeah. It sounds like something you'd need a PhD to decode.
Sam Jones: It does sound dense, but trust me, what's inside is absolute gold for anyone trying to navigate really the next five years of risk management.
Ori Wellington: And we should be clear this report comes directly from our firm, Wheelhouse Advisors, and it's written by none other than John A. Wheeler.
Sam Jones: Right. And for those of you who might be new to this space, or maybe you just joined the industry, John Wheeler isn't just an analyst.
Speaker 2: Yeah.
From Visibility To Velocity
Sam Jones: He's the founder and CEO of Wheelhouse, of course, but historically speaking, he is the analyst who actually coined the term integrated risk management back in 2016.
Ori Wellington: Which is just wild to think about. I mean IRM is just the standard term now. It's what we all say. But back then, that was a pretty radical idea, wasn't it?
Sam Jones: It really was. He was leading research at the time and he saw the um the real limitations of the legacy GRC technologies.
Ori Wellington: Governance, risk, and compliance.
Sam Jones: Exactly. He saw that GRC was becoming this dusty compliance exercise, a check the box thing. He saw that the market needed a much more integrated approach, one that connected risk to actual business performance. So when John publishes a report on where he sees the market going in 2026, we don't just skim it.
Ori Wellington: No, you don't. You study it. You take notes.
Sam Jones: You study it. You highlight things.
Ori Wellington: And look, before we get into the you know the nuts and bolts, and we promise we are going to get into the weeds today about vendors and APIs and this concept of evidence closure. I want to set the stage with the core thesis here. Okay. The report talks about a second investment wave in IRM. So help me paint the picture. If the first wave was all about visibility, you know, seeing the monster in the closet, what is this second wave about?
Sam Jones: The second wave is about one thing: lag.
Ori Wellington: Lag.
Sam Jones: Specifically eliminating it.
Ori Wellington: Okay. Unpack that for me.
Sam Jones: The time between the signal and the action. Think about it. The first wave gave us digitized risk registers. We moved from endless spreadsheets to platforms like ServiceNow or Archer.
Speaker 2: Right.
Sam Jones: And that was great. It was great for standardization, everyone speaking the same language, using the same taxonomy. But the problem John identifies in the report is that even with those massive, very expensive platforms, there is still this massive gap, a lag between detecting a risk signal and actually doing something about it.
Ori Wellington: So it's the difference between uh reading a weather report that says, hey, it rained yesterday versus having an umbrella that just automatically pops open the second a drop of rain hits your shoulder.
Sam Jones: That is a perfect analogy. That's exactly it. We are moving from systems of record, which are really just fancy databases of what we think might happen or what has already happened.
Ori Wellington: Right, a history book.
Sam Jones: To systems of action. These are systems designed to reduce the friction between detection, response, and crucially verification.
Ori Wellington: Systems of action. I like that phrase. It sounds proactive. It sounds like you're on the offensive rather than constantly playing defense.
Speaker 2: It is.
Ori Wellington: But I have to play the skeptic for just a second here. Go for it. Systems of action sounds great in a white paper. It looks great on a slide. But in the real world, I mean, most of the companies I talk to are still struggling just to get people to log into the GRC portal once a quarter. Are we really ready for systems that act on their own?
Sam Jones: That is the big question, isn't it? And the answer the report gives is that the market is split. The leaders are ready. The laggards are, well, they're still filling out forms, but the technology itself is dragging everyone forward, whether they like it or not.
Ori Wellington: Kicking and screaming.
Sam Jones: Kicking and screaming. The point of this report isn't to tell you what the average company is doing today, it's to tell you what the surviving companies will be doing in 2026.
Ori Wellington: That's a good point. Survival of the fastest. Now, before we really start unpacking the why now and all the specific vendors, because I know people want to hear about the tools, I want to make sure everyone knows where to find this stuff. If you want more info on our research in general, you can always go to wheelhouseadvisors.com. But if you want to read the article and the standard of publication we're discussing today, it is available for free at risktechjournal.com.
Sam Jones: And I have to mention, for the listeners who are really in the trenches, you know, the practitioners, the consultants, the people who need that board level detail, we have a premium subscription. It's called the RTJ Bridge. Right. It offers really deep analysis and research notes. I mean, it's comparable to those high price subscriptions from the big analyst firms, you know, the ones I'm talking about.
Ori Wellington: Who we know that.
Sam Jones: But at a, you know, a fraction of the cost. You can find that at RTJ-bridge.com.
Why The Shift: Operate-Through Resilience
Ori Wellington: Okay, housekeeping is done. Let's get into the meat of this. Section one, the market evolution. Why is this big shift happening now? Why isn't the old risk register good enough anymore? The report identifies three specific drivers of change. Walk us through the first one.
Sam Jones: Okay. The first driver is that performance and resilience have become operating objectives. They are not just program goals anymore.
Ori Wellington: Break that down for me. Operating objectives. What's the difference?
Sam Jones: Well, in the past, resilience might have been a slide in a quarterly presentation. You know, the board asks, do we have a business continuity plan?
Ori Wellington: And the CRO says yes, it's in this giant binder on the shelf.
Sam Jones: It's in the binder, check the box, move on.
Ori Wellington: Right.
Sam Jones: Today, regulators, boards, shareholders, they're all treating resilience as a non-negotiable operate-through requirement. Operate through.
Ori Wellington: That sounds intense. That sounds like military doctrine or something.
Sam Jones: It essentially is. I mean, it means if a system goes down or a key supplier fails or a big cyber event happens, you don't just stop operations and then recover later. You have to operate through the disruption.
Ori Wellington: Within defined impact tolerances.
Sam Jones: Exactly.
Ori Wellington: So let's make this concrete. If I'm a bank and my payment processor goes down, I can't just put a sorry, we're closed sign on the website.
Sam Jones: Exactly. The regulators, and you can think about DORA in Europe or the new SEC rules on cybersecurity here in the US, they don't really care about your plan. They don't care about the binder. They care about the outcome.
Ori Wellington: Can customers get their money?
Sam Jones: Can your customers still access their money? Can they still make a payment? If the answer is no, you are noncompliant, and it doesn't matter how good your risk register looks. And you just can't achieve that operate through resilience if you're relying on a manual risk register that gets updated once a quarter. It's impossible. You need real-time operational capability.
Ori Wellington: So it's not about how quickly can we fix it after it breaks. It's about how do we keep moving while it's breaking.
Sam Jones: Precisely. And that leads directly into the second driver, which the report calls a structural amplifier of risk. And that's third-party dependency.
Third-Party Dependency As Amplifier
Ori Wellington: A structural amplifier. I like that term. It sounds like something that takes a uh a small noise and just makes it deafening.
Sam Jones: That's exactly what it does. Just think about how modern businesses are built today. We don't really build our own software anymore. We assemble it, we stitch it together.
Ori Wellington: We use API.
Sam Jones: We rely on cloud, on SaaS, on outsource logistics, specialized API providers. We have this massive, interconnected and very fragile ecosystem.
Ori Wellington: It's like a house of cards, but digital. And probably hosted on AWS.
Sam Jones: In a way, yes. Because of this concentration, everybody using the same few big providers, a failure upstream, say a major cloud provider has an outage or a critical software vendor gets hacked, that failure propagates instantly across your entire organization. And not just your organization, but all of their other customers too. It's not a slow burn anymore. It's an instant shock to the system.
Ori Wellington: Yeah. If Salesforce goes down, sales stops, period. If AWS East goes down, half the internet stops.
Sam Jones: And here's the kicker. The legacy tools we use to manage third-party risk were mostly static assessments. You'd send a questionnaire to a vendor.
Ori Wellington: The dreaded spreadsheet.
Sam Jones: Do you have a firewall? They send it back two weeks later. Yes, we have a firewall. That doesn't work when the risk is propagating in milliseconds.
Ori Wellington: It's like sending a letter to ask if your house is on fire. By the time you get the reply, the house is already gone. The lag is fatal.
Sam Jones: The lag is fatal. That's a great way to put it. So we have resilience as an operating objective, and we have third-party dependency amplifying the risk. Now, what's the third driver? This is the one that really changes the game.
Ori Wellington: This is where we talk about AI, isn't it?
Agentic AI And Time To Action
Sam Jones: This is where we talk about AI, but not just AI as a broad buzzword. The report is very specific. It calls out agentic AI.
Ori Wellington: Okay, let's pause here because this is important. We hear AI everywhere. It's the buzzword of the century. But agentic feels really specific. I think a lot of people, you know, they conflate generative AI like asking ChatGPT to write a poem with agentic AI. What is the difference in this context?
Sam Jones: It's a massive difference, and it's critical to understand. Generative AI creates content. It writes text, it generates images, it can summarize a meeting for you.
Ori Wellington: It produces artifacts.
Sam Jones: It produces artifacts. Agentic AI acts, it has agency, you can give it a goal, and it can execute workflows, route tasks, and even make decisions within prescribed boundaries to achieve that goal.
Ori Wellington: Okay, so uh generative AI writes the angry customer email. Agentic AI sees the email, identifies the customer, updates the CRM, issues a refund, and schedules a follow-up call from a human agent.
Sam Jones: Correct. Or in a risk context. Generative AI summarizes the security alert from the firewall. Agentic AI sees the alert, logs into the firewall, blocks the malicious IP address, and opens a priority one ticket for the security team all before a human has even seen the alert.
Ori Wellington: That is a, that's a terrifying amount of power to give a piece of software.
Sam Jones: It is. It is. But here's the driver. Because this technology now exists, leadership, CEOs, boards of directors, they now expect faster execution. The question they're asking is: if the technology exists to spot a trend and act on it instantly, why are we waiting for a monthly committee meeting to decide what to do?
Ori Wellington: So the existence of the technology effectively raises the bar for all the humans in the room.
Sam Jones: Exactly.
Ori Wellington: If the bot can do it in two seconds, why did it take your team two weeks?
Sam Jones: That's the new standard. It raises the expectation for time to action. And this brings us right back to that lag problem we touched on in the intro. The report highlights that the biggest constraint in risk management right now isn't a lack of data. We are drowning in data. We have more data than we know what to do with. The constraint is the lag.
Speaker 2: Okay.
Sam Jones: Signals arrive too late. The response requires manual coordination, endless emails, phone calls, meetings to get meetings scheduled. And the evidence of what you did is reconstructed after the fact.
Autonomous IRM Defined
Ori Wellington: That evidence piece is so interesting. Reconstructed after the fact. You mean the mad scramble to find emails and Slack messages to prove to the auditor that you actually did fix the problem?
Sam Jones: Yes. The audit scramble. We've all been there, it's awful. Trying to piece together a coherent timeline from three different systems three months after the incident happened. In a system of action, the evidence is created as you do the work. It's a byproduct. But we'll get to that later because that is so crucial for the trust component.
Ori Wellington: Okay, so the board level reality is changing. John Wheeler really emphasizes this in the report. He says, risk visibility is no longer a differentiator.
Sam Jones: Not anymore?
Ori Wellington: Knowing you have a risk isn't special. Everyone has data. The differentiator is time to action.
Sam Jones: Right. Boards are asking new questions. They're not asking, do we have a risk register? They're asking, can our management team detect material drift?
Ori Wellington: Material drift. I love that phrase.
Sam Jones: It's great, is it?
Ori Wellington: It sounds like a slow landslide. You want to catch it when the first pebble moves, not when the whole hill is coming down on top of you.
Sam Jones: Exactly. Can you detect that drift early and can you trigger a response immediately? That's the new test. And that is why we are now talking about autonomous IRM.
Ori Wellington: Okay, let's unpack that term. Autonomous IRM. When I hear the word autonomous, my brain immediately goes to self-driving cars. Sure. I think of robots running the company while I'm, you know, sipping a margarita on a beach somewhere. Is that what we're talking about? Because I could tell you my compliance officer friends are going to have a heart attack if I say autonomous compliance.
Sam Jones: I wish it meant margaritas. I really do. But no, that is a very common misconception. In this report, autonomous does not mean humans are removed from the loop.
Speaker 2: Okay.
Sam Jones: It refers to reducing friction. It means creating a system where the detection of a signal, the routing of that signal to the right person or system, the response and the verification of that response all happen in a continuous, seamless flow. It's about moving signals at the speed of modern operations.
Ori Wellington: So it's not about the machine making the uh the big strategic decision, but about the machine clearing the path so the human can make the decision instantly.
Sam Jones: Right.
Ori Wellington: Or maybe handling all the routine low-level stuff so the human doesn't have to.
Sam Jones: Correct. Think of it less like a robot CEO and more like a um a nervous system for your business.
Ori Wellington: Ooh, I like that.
Sam Jones: Your body's nervous system handles a lot of things autonomously, right? Breathing, heart rate, pulling your hand away from a hot stove. It does all that. So your brain can focus on the complex tasks, like you know, navigating this conversation.
Ori Wellington: Right.
The Five Functional Layers
Sam Jones: Autonomous IRM is about building that digital nervous system for the enterprise.
Ori Wellington: That's a great visual. So how do we build this nervous system? The report breaks this down into five functional layers. I think it helps to visualize this. If you're listening, imagine a set of concentric rings, like a target.
Sam Jones: Right. Let's start from the outside ring and work our way in. The first, outermost layer is strategic oversight.
Speaker 2: Okay.
Sam Jones: This is where you define your intent. What are your thresholds? What is your actual risk appetite, not just what's written in a policy? You can't automate anything if you don't first define the rules.
Ori Wellington: This is the rules of engagement, the prime directive.
Sam Jones: Exactly. If you don't tell the system stop any transaction that exceeds $1 million without human approval, the system doesn't know what to do. This layer is usually human-defined, often in the ERM function.
Ori Wellington: Okay, makes sense. Layer two.
Sam Jones: Layer two is business orchestration. This is the connective tissue.
Ori Wellington: The plumbing.
Sam Jones: The plumbing, the wiring. It's the routing layer. If a signal comes in, where does it go? Who owns it? This is often where things completely break down in traditional companies. It's the email that sits in an inbox for three days because the person who owns it is on vacation.
Ori Wellington: It's the black hole of the general inquiries inbox.
Sam Jones: Yeah.
Ori Wellington: Or the security at company.com email address that nobody actually checks.
Sam Jones: Exactly. Business orchestration ensures that the signal finds a destination and finds it fast. Okay, so layer three is threat intelligence and validation. This is all about separating the noise from the credible triggers.
Ori Wellington: And this is so vital because if you automate responses to every single little blip on the radar, you're just going to paralyze the company with false alarms.
Sam Jones: Right. Not every angry tweet is a brand crisis. Not every server glitch is a nation state hack. You need a layer that validates the signal, maybe using data correlation or AI verification to say, yes, this is real and it matters.
Ori Wellington: So we know the rules, we know where to send the signal, and we know the signal is real. What's next?
Sam Jones: Layer four is remediation and response. This is the actual work getting done. Translating that validated trigger into a concrete action.
Speaker 2: Okay.
Sam Jones: Now this could be a fully automated action, like the system shutting down a port on a firewall, or it could be human-centric, like the system automatically initiating a supplier review workflow and assigning it to the right person. But the system triggers the workflow.
Ori Wellington: And the final layer. The center of the bullseye.
Sam Jones: The final layer is verification and audit, closing the loop. This is absolutely crucial, and it's what most legacy systems miss. You must create evidence as you work.
Ori Wellington: Not after.
Sam Jones: Not after. If the system takes an action, it must log that action in a permanent, auditable way so that an auditor can look at it six months later and say, with confidence, yes, this happened correctly, and here is the proof.
Ori Wellington: That brings us to the tool at the very heart of this report, the VC Sonar map. Now, usually when we see analyst reports with maps, we see rankings. Who's number one? Who is in the top right corner of the magic quadrant? Is that what the VC Sonar is?
Sam Jones: No. And that is a very, very important distinction to make. The VC Sonar is not a vendor ranking. There are no one to ten scores. It is also not a list of the IRM 50, you know, the big established platform players like ServiceNow or Archer.
Ori Wellington: So if I'm a big ServiceNow user and I'm looking at this map, should I be worried that they aren't on it?
Sam Jones: Not at all. In fact, it's the opposite. The VC Sonar is a visibility tool for emerging capabilities. These are the vendors that typically sit outside the big platforms. John calls them augmentation layers in the report.
Ori Wellington: Augmentation layer.
ERM Versus ORM Roles
Sam Jones: These are the tools you add to your existing stack, to your ServiceNow, to your Archer to make it faster, to give it these autonomous capabilities.
Ori Wellington: So you don't throw out your massive GRC platform that you just spent millions on. You mold these things onto it to give it superpowers.
Sam Jones: That's the idea exactly. It's about composability, not replacement. The map itself is visualized with those concentric rings representing the five layers we just discussed. And then it's sliced radially like a pizza into different solution areas for ERM and ORM.
Ori Wellington: Okay, let's pause on that acronym soup for a second, because this is important.
Sam Jones: Uh-huh.
Ori Wellington: ERM and ORM, enterprise risk management and operational risk management.
Speaker 2: Yeah.
Ori Wellington: I feel like in a lot of conversations, these two just get mashed together into one big risk blob.
Sam Jones: They do all the time.
Ori Wellington: But in this report, the distinction is vital. So how does John Wheeler distinguish them?
Sam Jones: It all comes down to one key difference: decision versus execution.
Speaker 2: Okay.
Sam Jones: ERM, enterprise risk management, is the decision backbone of the company. It sits at the integration point of goals. ERM is about setting the strategy, deciding on the risk appetite, and managing the escalation of big strategic risks up to the board. It's about the cadence of decision making.
Ori Wellington: So ERM is the brain deciding where the ship steers. It's answering questions like are we going to enter this new market? Are we going to accept this level of debt?
Sam Jones: Right. And ORM, operational risk management, is the execution backbone. It sits at the integration point of processes. ORM is about the day-to-day workflows, the disruption response, the safety incidents on the factory floor, the claims processing. It's about keeping the engine of the business running smoothly.
Group A: Detect And Board Oversight
Ori Wellington: Got it. So if ERM says we have decided to enter a new market in Southeast Asia, ORM is the function that says, okay, here is exactly how we will handle the local safety regulations and the supply chain logistics for that market.
Sam Jones: You've got it. And for true performance and resilience, you absolutely need both. ERM handles the big stop go decisions. Do we shut down the factory because of the approaching hurricane? ORM handles the fix it execution. How do we get the emergency generator running and get our people to safety? You can't have one without the other and expect to survive a major disruption.
Ori Wellington: That is a crystal clear distinction. I appreciate that. Okay, now comes the fun part. Let's talk about the players. The report spotlights some specific vendors that fit into this new systems of action model. We've grouped them a bit to tell the story of Detect to Act. Let's start with group A, the eyes and ears, strategic oversight and threat intel.
Sam Jones: Right. So here we're looking at the tools that help you see the risk faster and with more clarity. The report mentions two interesting ones in the board risk oversight space, Dataminr and Domo.
Ori Wellington: I definitely heard of Dataminr. They do real-time alerts, right? I usually think of them in the context of newsrooms or emergency services.
Sam Jones: They started there, and they're still huge in that space, but their use case here is all about real-time corporate security. It's about shrinking the time to awareness for physical threats. If there's a protest forming outside your main manufacturing plant or a wildfire is rapidly approaching your West Coast data center, Dataminr picks that up from public data signals way, way before it hits the mainstream news. Sophisticated than that now. They ingest billions of public data points, social media, yes, but also local sensors, blogs, public safety scanner audio. They use AI to triangulate events in real time. If 50 different people in a specific geotagged area suddenly start tweeting about smoke or fire at the same time, the system flags it as a high confidence event. It gives the board and the crisis management team a critical head start. Minutes matter in those situations.
Ori Wellington: So you know about the fire before CNN does. That is incredibly valuable. What about Domo? I usually think of them as a business intelligence tool for marketing or sales dashboards.
Sam Jones: They are, but they are playing a huge role in risk now, specifically for the CFO and the audit committee. The report classifies them in board risk oversight as well. The value proposition is always live reporting.
Ori Wellington: As opposed to what dead reporting.
Sam Jones: Laughs. As opposed to the quarterly deck. Think about how most boards get their risk information. Someone on the finance or risk team spends two weeks pulling data, compiling a PowerPoint. By the time the board actually sees it, the data is three weeks old. It's a snapshot of the past.
Ori Wellington: Right. A history lesson.
Sam Jones: A history lesson. Domo connects directly to the source systems, the ERP, the GRC platform, the CRM, and provides a live interactive dashboard of key risk indicators. It allows the board to see the health of the company in real time, not as it was last month.
Ori Wellington: So no more of the oh well those numbers are from last month. Things have changed. It's this is our cash position right now. This is our supply chain status at this very moment.
Sam Jones: Exactly. Then you have a couple of others in this eyes and ears group, FiscalNote and Prewave.
Ori Wellington: FiscalNote, they handle government and regulatory stuff.
Sam Jones: Yes, policy tracking. They use AI to monitor legislation and regulation globally at all levels of government. In the context of the report, this is directly linked to detecting that material drift in regulations. If a new law changes in the EU that affects your product's data privacy requirements, or a new bill is introduced in Congress that could impact your tax strategy, FiscalNote alerts you immediately. That's a pure ERM focus. It changes your long-term strategy.
Prewave Vs Dataminr Context
Ori WellingtonAnd pre-wave.
Sam JonesPre-wave is laser focused on supply chain and ESG risk. They turn millions of external risk events, news articles, social media, local reports, into actionable alerts about your specific suppliers. This directly supports that loss mitigation dividend we'll talk about later.
Ori WellingtonOkay, so how is pre-wave different from, say, Dataminar? They both sound like they're scanning the world for bad news.
Sam JonesThe difference is the focus and the mapping. Dadamer is broad, it tells you about events happening in the world. PreWave builds a detailed map of your supply chain, your tier one, tier two, even tier three suppliers, and monitors specifically for disruptions within that map.
Ori WellingtonOh, so it's contextualized.
Sam JonesIt's highly contextualized. So if a factory owned by your tier two supplier of microchips has a labor strike, Prewave tells you why. So you can proactively switch to an alternate supplier before you run out of inventory and your production line shuts down.
Ori WellingtonGot it. Okay, so that's the detect part of the equation. But now we have the signal. We need to move it through the organization. This is what the report calls the messy middle, business orchestration. Group B.
Sam JonesThis group is fascinating to me because it really highlights how functions like legal and governance are becoming operational, not just advisory. The vendors highlighted here are Athenian, Ironclad, and LinkSquares.
Ori WellingtonAthenian is an interesting one. I have to admit, I haven't heard that name as much as some of the others.
Group B: Business Orchestration And CLM
Sam JonesAthenian is focused on what you could call governance ops. Think about the nightmare of managing corporate entities. If you're a multinational company, you might have hundreds of legal subsidiaries keeping track of their directors, their annual filings, their tax status across dozens of jurisdictions. It's an administrative hellscape.
Ori WellingtonAnd it's usually managed on a spreadsheet somewhere in the general counsel's office.
Sam JonesIf you're lucky. Athenian automates and centralizes all of that. Why is that a risk function? Because if you need to do a transaction, a merger, an acquisition, and your entity structure is a mess, the deal stalls. Or worse, you find out you're operating illegally in a jurisdiction because a critical filing expired. That's execution friction. Athenian keeps the corporate plumbing clean so business can flow.
Ori WellingtonIt's the plumbing of the corporation. If the pipes are clogged with paperwork, nothing flows.
Sam JonesPrecisely. And then you have Ironclad and LinkSquares. These are both in the contract lifecycle management or CLM space.
Ori WellingtonContracts. Usually seen as the most boring part of business. Why are they showing up in a cutting-edge report on autonomous risk?
Sam JonesBecause the report makes a really key insight here. Contracts are not just static documents, they are dynamic data sources for risk. Every single contract your company signs contains obligations, liabilities, renewal dates, indemnity clauses, force majeure clauses. Ironclad and LinkSquares use AI to digitize all of this. They turn the unstructured text of the contract into structured data that the broader enterprise risk view can finally consume.
Ori WellingtonSo instead of a PDF sitting in a folder on someone's hard drive, the system actually knows, hey, this critical supplier contract expires in 30 days and it has a high-risk liability clause we need to renegotiate.
Group C: Execution Engines In Action
Sam JonesRight. And it connects that legal data to operations. If a supplier breaches a term in their contract, the system knows immediately what the legal recourse is. It can trigger a workflow, that is, business orchestration. It turns the legal department from a potential bottleneck into a real-time data stream for the business.
Ori WellingtonOkay, so we've detected the risk, we've routed it through our now digitized contracts and entities. But now something bad has actually happened. We need to fix it. This is group C, the execution engines, remediation and response.
Sam JonesThis is where the rubber really meets the road. And the report highlights a company called Intenseye.
Ori WellingtonIntenseye? That sounds, well, intense.
Sam JonesIt is. It's for EHS: environment, health and safety. They use computer vision AI hooked up to your facility's existing camera systems.
Ori WellingtonWhoa. Okay, computer vision. We're talking about AI watching the workplace. That immediately raises some big privacy flags for me.
Sam JonesIt absolutely does. And they are very aware of that and they address it head on. They use technology to blur faces and anonymize the data. The stated goal isn't to spy on individual workers, it's to detect hazards 24/7.
Ori WellingtonOkay, like what kind of hazards?
Sam JonesFor example, if a worker enters a restricted zone without the proper PPE or is walking under a suspended load from a crane, the system detects it in real time and can trigger an audible alert or a notification to a supervisor to stop the work before an accident happens.
Ori WellingtonSo it's literally preventing the accident before it happens. That is the absolute definition of loss mitigation.
Sam JonesExactly. It's not just logging the injury after the ambulance leaves, it's actively changing the outcome. Then you have a company called Aclaimant. They work in the insurance and claims space. Their whole focus is on reducing claim lag time. If an incident happens, say a customer slips and falls in one of your stores, Aclaimant's platform connects that incident directly to the insurance claim workflow. It standardizes the data capture and reporting process so you aren't chasing paperwork for weeks while the claim gets more and more expensive.
Ori WellingtonAnd speed equals money in claims for sure. The longer it takes, the more it costs.
Sam JonesEvery time. Then there is Factal. They sit in a slightly different space. Strategic risk and business continuity. They call what they do decision-ready intelligence.
Ori WellingtonHow is Factal different from Dataminr? They both seem to be in the "what's happening in the world" business.
Sam JonesIt's about the next step: verification. When a crisis hits, a terrorist attack, a natural disaster, a major protest, there is so much noise and misinformation on social media. Rumors, fake photos, panic. Factal's job is to validate that noise. They have a newsroom of experienced journalists who work alongside their AI to verify information from the ground. They tell the crisis team, yes, this is confirmed. Here's the exact impact zone. Here are the road closures. It allows leaders to make critical decisions based on verified facts, not rumors.
Ori WellingtonAnd finally, in this group, you have Sayari.
Sam JonesSayari is crucial for anyone worried about supply chain and governance. They map the tier N supplier network.
Ori WellingtonTier N? What's that?
Buyer Guidance: Invest For Dividends
Sam JonesIt means not just your direct supplier, which is tier one, but your supplier's supplier, which is tier two, and their supplier, which is tier three, and so on. You can't truly manage your risk if you don't know who is three or four layers deep in your supply chain.
Ori WellingtonI feel like supply chain visibility has been a buzzword for a decade. Why is Sayari different from just sending out 5,000 questionnaires?
Sam JonesIt's the difference between asking someone, "who do you know," and looking at public records to see "who are you actually paying." Sayari ingests billions of records of public data, bill of lading data from shipping manifests, corporate registry documents, sanctions lists, to build a global graph database of commercial relationships. They aren't relying on the supplier to self-disclose the truth. They are looking at the digital exhaust of global trade to see the hidden connections.
Ori WellingtonThat is huge. I feel like half the supply chain scandals in the last five years have boiled down to we didn't know our supplier was buying from that factory that uses forced labor.
Sam JonesExactly. Sayari's mission is to shine a very bright light on those hidden and often risky relationships.
Ori WellingtonSo we have this incredible landscape of tools. I mean, it's a lot to take in, but I'm putting myself in the shoes of a listener who is a CRO or a CIO. And they're probably thinking, that all sounds great, but I have a limited budget and I have 50 salespeople calling me every week. How on earth do I choose?
Sam JonesThat is the million-dollar question. And section five of the report is dedicated specifically to buyer guidance. The advice here is very, very stark. Stop looking at features. Stop comparing feature lists on a spreadsheet. Look for dividends.
Ori WellingtonDividends. Yeah. Usually when I hear that word, I think of cash back to shareholders. What does it mean in this context?
Sam JonesIt means the tangible, measurable return on your investment in terms of risk outcomes. The report identifies three specific IRM dividends that you should be investing for.
Ori WellingtonOkay, let's run through them. Dividend number one.
Sam JonesEfficiency. This is about reducing coordination costs and cycle time. You buy a tool for this dividend if your biggest problem is manual handoffs. If your team is drowning in spreadsheets and follow-up emails, you need an efficiency dividend.
Ori WellingtonMakes sense. Dividend number two.
Evidence Closure And Trust
Sam JonesLoss mitigation. This is about reducing the duration and the severity of a disruption. You invest for this dividend if you are actively bleeding value from incidents. If workplace accidents are costing you millions in claims or supply chain breaks are stopping your production line, you need a loss mitigation dividend.
Ori WellingtonAnd dividend number three.
Sam JonesTrust. And the report is very specific here. It calls this the gating dividend.
Ori WellingtonThe gating dividend. Okay, why is trust singled out like that? What makes it a gate?
Sam JonesBecause speed without evidence creates exposure. That's the bottom line. If you automate everything, but you can't prove why a decision was made or what actions were taken, the board will not trust the system. And more importantly, regulators will not trust the system.
Ori WellingtonThis goes right back to that reconstructed evidence problem we talked about earlier.
Sam JonesIt's the solution to it. The report introduces this powerful concept called evidence closure. It says that for a system to be trustworthy, evidence must be an immutable byproduct of execution.
Ori WellingtonA byproduct.
Sam JonesA byproduct. So if you use a tool like Ironclad to manage a contract negotiation or Aclaimant to manage a claim, the log of what happened, who approved what and when, is created automatically as you do the work. You don't have to go back and write a report about it. That creates trust.
Ori WellingtonLet's dig into this a little more. Evidence closure. Sounds like a legal term.
Sam JonesIt's very much related to the legal concept of non-repudiation. In a manual world, if I approve a high-risk exception via email, that email can be deleted. It can be lost in a server migration. It can be disputed. In an automated system with true evidence closure, the approve button writes an immutable time-stamped log to the database. "Sam approved this at 2:14 p.m." That log cannot be changed. That is far stronger evidence in court or with a regulator than any manual paper trail could ever be.
Ori WellingtonSo the rule of thumb should be if you can't prove it, you can't automate it.
Sam JonesThat is the rule. Exactly.
Ori WellingtonThe report actually lists some executive stop rules based on these dividends, which I love because they're so practical and blunt.
Sam JonesThey are. The first one is: if visibility improves but your routing and closure time doesn't, stop. Right. Don't buy another pretty dashboard if it doesn't actually help you fix the problem faster.
Ori WellingtonThat's the so what rule. Your team comes to you and says, look at this amazing new chart, and you ask, okay, so what do we do about it? And they say, ah, I don't know. Stop.
Sequencing The Roadmap To Autonomy
Sam JonesExactly. And the second rule is just as important. If your response is faster, but you can't produce a leadership-ready narrative of what happened, stop. This is the trust issue. If the AI fixed the problem, but it can't explain how or why in a way a human can understand, you have a massive governance and accountability issue on your hands.
Ori WellingtonThe big takeaway here seems to be don't buy intelligence tooling and pretend it's autonomy enablement. Intelligence just makes you smarter. Autonomy helps you act faster and more reliably. So we know what to look for when we buy. Now, how do we implement it? Section six of the report covers the roadmap. Moving from, say, an extended level of maturity to a truly autonomous level. What is the biggest mistake companies make here?
Sam JonesMis-sequencing, hands down, doing things in the wrong order. The report is very, very clear on this. And the most common pitfall it calls out is automating reporting before you have stabilized your decision cadence.
Ori WellingtonSo trying to make the dashboard real time before you've even decided who is supposed to look at the dashboard and what they're supposed to do when they see it.
Sam JonesExactly. Or an even more dangerous one, pursuing flashy AI features before you have solved for evidence closure. You turn on an AI agent, it starts doing things, making changes, and suddenly you have a compliance mess on your hands because there's no audit trail, no proof of what it did.
Ori WellingtonSo what is the golden rule for sequencing this journey?
Sam JonesThe report phrases it beautifully, and if you remember one thing, remember this. Automate only what you can execute and execute only what you can evidence.
Ori WellingtonThat should be tattooed on the arm of every risk manager and CIO. Automate only what you can execute and execute only what you can evidence. So, practically speaking, what's step one? Where do you start?
Sam JonesStep one is to stabilize the decision cadence in ERM. Before you buy the fancy AI, make sure you have a defined, agreed-upon rhythm for how decisions are made, who makes them, what are the thresholds for escalation. Then unify your taxonomies so that your ERM language and your ORM language are the same. You can't connect the systems if they're speaking different dialects. Yes. And the final maturity signal, the sign that you have actually arrived at a state of autonomous IRM is when exception routing is real.
Ori WellingtonExplain what you mean by that.
Sam JonesIt means that when a high severity event occurs, a key threshold is breached, it automatically routes to a named accountable owner who actually acts on it. It doesn't go to a generic inbox. It doesn't go onto a committee agenda for next month's meeting. It goes to Jane Doe's queue, and Jane Doe has a service level agreement, a deadline, and the system tracks if she meets it. That is autonomy in action.
Ori WellingtonThat sounds like a dream for accountability and uh probably a nightmare for people who like to hide in the bureaucracy.
Final Takeaways And Calls To Action
Sam JonesIt definitely removes the hiding spots. There's nowhere to hide. But for the organization as a whole, it builds immense resilience.
Ori WellingtonThis has been an incredible deep dive, really. We've covered the fundamental market shift from visibility to action. We've looked at the five functional layers of autonomous IRM. We've explored the VC Sonar map and the specific vendors like Dataminr, Athenian, and Intenseye who are actually building this future. And we've talked about the critical importance of that gating dividend, trust.
Sam JonesIt really is a comprehensive look at the future of our industry. We are in the second wave of IRM. It's no longer about just cataloging risks in a database. It's about speed, execution, and provable evidence.
Ori WellingtonAnd the big takeaway for me, I think, is that autonomy is earned, not installed. You don't just buy a software package off the shelf and suddenly become autonomous. It comes from the thoughtful composition of these new tools layered onto your existing stack and rigorous, sometimes painful attention to process and governance.
Sam JonesAbsolutely. And as we wrap up, I want to leave the listeners with one final thought, something derived from the report's conclusion that I think is really provocative.
Speaker 2Great.
Sam JonesWe are entering the age of agentic AI. We have machines that can act independently. But the limiting factor in this new age isn't going to be the technology. It's going to be accountability. So what? If a machine executes a risk decision that saves the company money, everyone's a hero. Great. But if it executes a decision that causes harm or misses a critical compliance step, who is responsible? The developer? Yeah. The person who configured it? The company? Can you trust that the machine has created the evidence trail that will save you in court? As we move to these systems of action, the audit trail isn't just a boring log file for nerds anymore. It's your primary corporate defense. And the future belongs to those who can build systems that are not just fast, but are transparently, auditably accountable.
Ori WellingtonThat is a heavy thought to chew on. Speed without evidence is just exposure.
Sam JonesThat's it in a nutshell.
Ori WellingtonWell, thank you, Sam, for guiding us through this incredibly detailed and insightful report. And thank you to our listeners for tuning in to the Risk Wheelhouse.
Sam JonesMy pleasure.
Ori WellingtonAgain, I want to remind you to check out the full report for yourself. You can find the free standard publication at risktechjournal.com. And for those of you who need that deep, board-ready analysis, the research notes that help you actually implement what we talked about today, I highly recommend you subscribe to the RTJ Bridge at RTJBridge.com. It's premium intelligence at a fraction of the cost of the big firms.
Sam JonesIt's definitely worth a look if this is your world.
Ori WellingtonUntil next time, keep looking for those signals, keep reducing that lag, and keep turning the wheel. I'm Ori Wellington.
Sam JonesAnd I'm Sam Jones.
Ori WellingtonThanks for listening.