The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
The Risk Wheelhouse
S6E6: Board Priorities 2026 - The Integration Trap
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Growth used to win every boardroom vote. Now the data says something different: directors are prioritizing technology adoption and integration as the top 2026 investment, even as they admit their weakest expertise sits in AI, cybersecurity, and geopolitics. We unpack that paradox and show how uninformed speed turns “integration” into a superhighway for risk, unless you pair it with decision rights, embedded controls, and verifiable assurance.
We trace the three forces of compression squeezing leaders today: AI racing into core workflows, platform sprawl from a decade of M&A, and disruption traveling through third-party pathways. From there, we break down the shift from reporting efficiency to manageability, where value is measured in time to detect, time to decide, and time to act. You’ll hear why coordinated programs stall at visibility, and how embedded maturity connects radar to rudder so preauthorized responses trigger without delay. We also tackle the workforce and supply chain blind spot that makes integrated systems brittle when stress hits.
Throughout the conversation, we spotlight the winners moving from legacy GRC systems of record to IRM systems of action. IRM systems unify signals across goals, processes, assets, and policies, then convert breaches into automated workflows with audit-ready evidence. Expect sharp guidance on AI governance hardening, continuous third-party monitoring, and vendor proofs that show integration-to-action, not just architecture diagrams. We close with near-term forecasts: consolidation of risk and assurance data layers, and a likely rise in “visibility without control” incidents where dashboards outpace authority.
If you’re ready to replace high definition views of the crash with real control, tune in, grab the playbook, and pressure-test your decision rights. Subscribe, share with your team, and leave a review to help more leaders escape the integration trap.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Hello, and a very warm welcome to another edition of the Risk Wheelhouse. I'm your host, Ori Wellington, and we are coming to you live and lively from the headquarters of Wheelhouse Advisors right here in the heart of Atlanta.
Sam JonesIt's great to be here. I'm Samantha Jones, but please, everyone, just call me Sam. And you're right about the focus today. We've got a topic that uh I think is really gonna make a lot of people sit up and pay attention.
Ori WellingtonOh, absolutely. Now, for anyone who's new or maybe you've just stumbled upon this deep dive, let me just sort of set the stage a little.
Sam JonesPlease do.
Ori WellingtonWe're both analysts here at Wheelhouse. We spend our waking hours, and let's be honest, probably a few of our sleeping ones too, just thinking about the integrated risk management market, IRM.
Sam JonesIt's a bit of an obsession, it's true. Our job really is to wade through this ocean of reports and white papers and you know, vendor pitches, all of it so that you don't have to. We try to filter that signal from the noise.
Why John A. Wheeler’s Lens Matters
Ori WellingtonAnd we are really, really excited about today's session because we are digging into a brand new piece of research that comes directly from the top. We're talking about an article by none other than John A. Wheeler, the founder and CEO of Wheelhouse Advisors.
Sam JonesAnd we really have to pause there for a second because context is just everything in this industry. When we say John A. Wheeler, we aren't just, you know, name-dropping our boss.
Ori WellingtonNot at all.
Sam JonesFor anyone who might be new to this space, it is so crucial to remember that John is the person who actually coined the term integrated risk management way back in 2016.
Ori WellingtonThat is such a vital piece of history. I mean, before 2016, the world was just growning in GRC governance, risk, and compliance. And GRC, you know, it had its place, right?
Sam JonesSure it did.
Ori WellingtonIt was about digitizing forms, checking boxes. Right. But John led the research that basically said, wait a minute, checking boxes doesn't stop the building from burning down. He's the one who moved the entire industry beyond those legacy technologies toward a truly integrated view.
Sam JonesExactly. He saw that risk is horizontal, not vertical. It cuts across every single silo in an organization. So everything we talk about on this show, and certainly the deep dive we are doing today, it really stands on the shoulders of that foundational thinking.
Ori WellingtonToday we're dissecting a really fascinating shift in the market. The episode is titled Board Priorities 2026: The Integration Trap. And we're basing all of this on John's analysis of some, frankly, startling new data about what's happening inside the boardroom.
Sam JonesBefore we jump into the numbers, and the numbers are wild, I just want to remind our listeners where they can find all this stuff. You can always visit wheelhouseadvisors.com for more information on our broader research.
Ori WellingtonAnd for the specific article we are uh tearing apart today, you can head over to risktechjournal.com. That's our free standard publication. It's really the best place to keep your finger on the pulse of the IRM market without spending a dime.
Sam JonesHowever, if you're a practitioner, you know, if you're a C DISO, a chief risk officer, an audit leader, or just someone who needs to be the smartest person in the room on this topic, you really need to be looking at the RTJ Bridge.
Ori WellingtonOh, absolutely.
Sam JonesThat's at rtj-bridge.com.
Ori WellingtonThat's our premium tier. It's weekly in-depth research notes. And honestly, it provides the kind of deep analyst grade insight that you usually have to pay what tens of thousands of dollars for with the big legacy firms.
Sam JonesOh, easily.
Ori WellingtonAnd we offer it at a fraction of that cost. It's it's really a no-brainer if you're serious about this industry.
Sam JonesOkay, plugs aside, let's get into the meat of this. Set the scene for us. We're looking at the year 2026. What is going on?
Ori WellingtonOkay, so let's unpack this. I want to play a little game. If I were to put you in a time machine and send you back to, I don't know, let's say 2018 or 2021, even last year, 2024.
Sam JonesYeah.
Ori WellingtonAnd you walk into a Fortune 500 board meeting, you ask the directors, what is the number one priority for your capital investment budget next year? What do they say?
Sam JonesOh, that's easy. Without hesitation, they say growth. They say mergers and acquisitions, market expansion, new product development. The board's primary mandate is to drive shareholder value, and the traditional playbook for that is just get bigger. Yeah, you buy a competitor, you open an office in a new region, you launch a new widget. MA is almost always the king of the Capitol Hill.
Ori WellingtonExactly. Growth with a capital G. That's the standard operating procedure. But we have data now from the Diligent Institute and corporate board member, specifically their report, what directors think 2026. And, well, the king has been dethroned.
Sam JonesWow. Okay, so that's a massive upset.
Ori WellingtonThe number one capital investment focus for boards in 2026 is technology adoption and integration.
Sam JonesJust let that phrase hang in the air for a moment. Technology adoption and integration. It doesn't sound sexy, does it? Not at all. It sounds like plumbing. It sounds like something the IT manager worries about in the server room, not something the board of directors prioritizes above acquiring whole new companies.
The Great Mismatch In Board Expertise
Ori WellingtonThat is precisely why this is such a huge market signal. This is not just routine maintenance. This is not, you know, we need to upgrade to the next version of Windows. This is a board level acknowledgement that fragmentation, this whole mess of disconnected systems, has become a constraint on execution.
Sam JonesConstraint on execution. Okay, that is the key phrase right there. It means the machine is so gummed up that it literally cannot grow anymore. Right. So imagine you're a board director. You want to approve a new acquisition, but the CEO has to turn around and look at you and say, we can't. We literally can't. We still haven't integrated the data from the last three companies we bought. If we add another one, the whole system might just collapse.
Ori WellingtonThat's the reality they're facing. They realize that the complexity is killing them. They can't move fast because they're tripping over their own digital shoelaces. So now they're prioritizing integration just to clear that blockage.
Sam JonesSo on the surface, this sounds like fantastic news for the IRM market, right? The board finally gets it, they're writing big checks to connect all the dots.
Ori WellingtonIt does sound great. But and this is where it gets really interesting. When I say interesting, I mean uh potentially disastrous. There is a massive paradox hiding in this data.
Sam JonesThe Great Mismatch.
Ori WellingtonCorrect. The data shows that while boards are prioritizing integration and pouring millions and millions of dollars into it, they are simultaneously reporting the largest expertise gaps in three absolutely critical areas.
Sam JonesOkay, let me guess. Artificial intelligence has to be one.
Ori WellingtonNumber one gap. They flat out admit they don't understand it.
Sam JonesCybersecurity.
Ori WellingtonHuge gap. They know it's important, but they don't have the expertise at the board level.
Sam JonesAnd what? Maybe geopolitical risk?
Ori WellingtonMassive. The third huge gap.
Sam JonesAll right. This is this is terrifying. Think about what that combination actually means. You have a board saying, we need to integrate everything. We need to use AI. We need to be faster. But in the very same breath, they're saying, we don't understand AI, we don't understand cyber, we have no real grasp of geopolitics.
Ori WellingtonIt creates this scenario of what we're calling integration ambition versus the ability to interpret. They have the ambition to build a Formula One car. They're buying the best engine, they're connecting all the aerodynamics, but they openly admit they don't know how to drive, they don't know the track, and they don't know the rules of the race.
Sam JonesIt's the danger of uninformed speed. That's what it is. If you integrate your systems without a deep understanding of the risks, you aren't just speeding up your business processes. You're speeding up the propagation of risk. You're building a superhighway for disaster to travel from one end of your company to the other in seconds.
Ori WellingtonSo why is this happening now? I mean, why 2026? What shifted in the atmosphere to make integration the top priority, even with this glaring lack of expertise?
Sam JonesWell, the research identifies three specific forces, and we're calling them the three forces of compression. These are the pressures that are squeezing the board, forcing them to prioritize integration, even if they aren't, you know, fully ready for the consequences.
Three Forces Of Compression
Ori WellingtonLet's walk through them because they really explain the why behind this whole thing. Force number one is the big one: AI adoption.
Sam JonesAnd we really cannot overstate this. AI is accelerating inside management workflows and inside board workflows. It's everywhere.
Ori WellingtonRight. And we're not just talking about using a chatbot to write a marketing email. We are talking about deep, deep integration. AI is being used to optimize supply chains. It's being used to screen job candidates. It's being used to make automated credit decisions.
Sam JonesWhich brings us right back to that expertise gap. The moment you inject AI into a critical workflow, you introduce whole new categories of risk. Model risk. Is the math actually doing what we think it's doing?
Ori WellingtonOr is the AI hallucinating facts? Is it biased against certain demographics?
Sam JonesAnd then there's the data risk. I mean, where did the training data even come from? Did we accidentally feed our proprietary trade secrets into a public model that now the whole world can access? Right. Exactly. And the regulatory angle here is just huge. Regulators are waking up to this fast. You can't just say the computer said no anymore. You have to be able to explain how and why the AI made that specific decision. So if your automode is funding integration to roll out AI faster, but they admit they don't understand how AI works. I mean, how are they possibly overseeing that regulatory risk?
Ori WellingtonThey aren't. They're flying completely blind. They are writing the check for the technology, but they're failing to write the check for the governance that has to go with it.
Sam JonesThat is a perfect way to put it.
Ori WellingtonOkay, so that's force one. Force number two platform sprawl via MA. This is basically the hangover from the last decade of business, isn't it?
Sam JonesIt absolutely is. We just said that MA used to be the top priority. Well, companies spent the last 10 years buying other companies to fuel their growth. And every time you buy a company, you don't just get their revenue and their customer list, you get their entire IT department.
Ori WellingtonYou get their baggage, all of it.
Sam JonesYou get their legacy servers from a decade ago, you get their weird custom-built ERP system from 1999 that one guy in a basement still maintains. You get their HR software that absolutely does not talk to your HR software.
Ori WellingtonAnd now you have what we call platform sprawl, identity sprawl, and control sprawl.
Sam JonesIdentity sprawl is a real killer. You have employees with six different logins for six different systems. Nobody really knows who has access to what anymore. It's just a complete mess from a security standpoint.
Ori WellingtonAnd the consequence of this sprawl isn't just that it's, you know, annoying for the IT help desk. It creates what we call inconsistent evidence.
Sam JonesThis is the absolute nightmare scenario for any risk manager. Let's just paint a quick picture. Imagine you need to know if a specific vendor, let's just call them vendor X, is safe to do business with. So you look in your legacy SAP system and it says vendor X is green, verified.
Ori WellingtonOkay, looks good, all clear.
Sam JonesBut if you were to look in the new cloud procurement system that you acquired last year, it might say, warning, vendor X has a critical security vulnerability.
Ori WellingtonSo you have two systems owned by the same company giving you two completely contradictory facts about the same entity.
Sam JonesOne says go go, the other says stop. And because those systems aren't integrated, you have no idea which one is the truth. You're paralyzed.
Ori WellingtonThat is the inconsistent evidence problem in a nutshell. And that is why the board is screaming for integration. They're just sick and tired of getting different answers depending on which screen they happen to look at. They want a single source of truth.
Sam JonesWhich is a noble goal, a worthy goal. But again, if you just mash all that data together without cleaning it or understanding the underlying controls, you don't get a single source of truth. You just get a single source of bad information.
Ori WellingtonRight. Garbage in, integrated garbage out.
Sam JonesPrecisely.
Ori WellingtonOkay, let's move to the third one. Force number three disruption pathways and third parties.
Sam JonesThis is the big realization that the castle walls are gone. In the old days, you know, you secured your perimeter, you had a big firewall, and you basically felt safe. Disruption usually came from inside the building, a server failure, a fire, a labor strike.
Ori WellingtonBut now.
Sam JonesNow disruption runs through your digital supply chains, it runs through your third parties, it runs through your vendor's vendor.
Ori WellingtonWe've seen this time and time again with the major incidents in recent years. I mean, think about the SolarWinds hack or the crowd strike outage. It wasn't necessarily that your company did anything wrong.
Sam JonesNo.
Ori WellingtonIt was a tool you used or a platform your vendor used that created the vulnerability.
Sam JonesExactly. The threat is two or three hops away from you in the supply chain, and this requires unified signals. You cannot rely on a siloed view anymore. If your procurement team knows a vendor is financially shaky, but your IT security team thinks they're technically sound, you have a massive gap.
Ori WellingtonYou need the system to be smart enough to connect those dots for you. You need the financial signal to automatically trigger a security review.
Sam JonesRight. You need to see the ripple effect. If this supplier in Southeast Asia goes down because of a typhoon, how does that impact our factory in Mexico? And how does that then impact our revenue projection in New York? You can't answer that with spreadsheets anymore. You need real integration.
Ori WellingtonSo, okay, let's synthesize this section. Boards are reacting to these three forces the incredible speed of AI, the inherited mess of MA sprawl, and the constant threat of supply chain disruption. And their reaction is to fund integration.
Sam JonesBut, and this is the big synthesis, many of them are doing so before they have defined what integrated risk management actually looks like in practice for their organization. They're buying the technology of integration before they have the philosophy of integration.
Ori WellingtonIt's like buying a gym membership and a bunch of expensive running shoes, but having no workout plan and no diet. You're spending money on the idea of health, not on the actual practice of it.
Sam JonesThat's a great analogy. It's perfect. They're buying all the fancy equipment, but they haven't decided what muscles they're actually trying to build.
Ori WellingtonSo let's talk about the muscles. Let's get into what IRM leaders actually need to do to avoid falling into this trap. The research outlines five major implications. This is basically the playbook for our listeners.
Sam JonesOkay, let's start with implication number one: the shift from reporting to manageability.
Ori WellingtonOkay, contrast those for us. What is reporting efficiency? What does that mean?
Sam JonesReporting efficiency is the old way. It's what we've all been doing for the last 10 years. It basically means it used to take me two weeks to copy and paste data from 10 different Excel sheets into a PowerPoint deck for the board. Now, with this fancy new GRC software, it only takes me two days.
Ori WellingtonWhich, I mean, don't get me wrong, that's nice. Nobody likes administrative drudgery.
Sam JonesIt's nice, but it's fundamentally low value. It doesn't actually reduce your risk. It just reduces the time it takes to tell people about the risk you have. You're just delivering the bad news faster.
Ori WellingtonSo what is manageability? What's the new way?
Sam JonesManageability is the new way. It is integration as a management outcome. It's not about the report, it's about the action that follows the report.
Ori WellingtonSo what are the metrics we should be looking at then, if not speed of reporting?
Sam JonesWe should be measuring things like reduce time to detect, reduce time to decide, and reduce time to act.
Ori WellingtonSo it's all about operational speed.
Sam JonesIt's about verifiable assurance. It's about proving that your controls are working as designed across the entire enterprise in near real time. It's the difference between telling the board we have a fire alarm policy and telling them the fire alarm was tested automatically 10 minutes ago, it is fully functional, and we have verification that the sprinklers are connected to it.
Ori WellingtonThat is a massive, massive shift. It moves the risk manager from being a scorekeeper to being a goalkeeper. You're actually stopping the ball, not just writing down the final score after the game is over.
Sam JonesI love that. From scorekeeper to goalkeeper, that's exactly it.
Ori WellingtonAnd this leads us directly to implication number two the coordinated versus embedded trap. This is a framework we use a lot here at Wheelhouse to describe the maturity of a risk program.
Sam JonesWe do. And the big warning here is that the market is still, by and large, stuck in the coordinated stage.
Ori WellingtonOkay, define coordinated for the listeners. What does that actually look like?
M&A Sprawl And Inconsistent Evidence
Sam JonesCoordinated means you've improved your data aggregation, you have better dashboards, the risk team talks to the compliance team. You might even have a shared GRC tool where everything lives. It looks nice, it feels organized. You have a heat map with lots of pretty colors. It's always a but. But you haven't changed the underlying behavior of the organization. You haven't changed ownership of the risk. You haven't changed the escalation thresholds. You haven't changed the response authority. So the decision making is still completely siloed, even if the data is shared.
Ori WellingtonSo everyone can see the same data on the same screen.
Sam JonesYeah.
Ori WellingtonBut nobody knows who's actually supposed to pull the trigger.
Sam JonesThat's the trap. In a coordinated model, visibility increases much faster than the ability to act.
Ori WellingtonOkay, give us the analogy, the so what moment.
Sam JonesThe so what is the iceberg. In a coordinated system, you can see the iceberg coming in beautiful 4K resolution. It's stunning. You have a high-definition screen showing you the exact dimensions of the ice, the temperature of the water, and the speed of impact.
Ori WellingtonBut can you turn the ship?
Sam JonesAnd that's the problem. The steering wheel is disconnected. Or even worse, there are five different VPs standing around the steering wheel arguing about who has the authority to turn it. You have legal saying we can't turn left, and compliance saying we need a committee meeting first before we make a decision.
Ori WellingtonAnd while they're all arguing, you hit the iceberg.
Sam JonesExactly. You just have a high definition view of the crash. That is the coordinated trap. Embedded maturity, which is where we all want to go, is when the steering wheel is connected directly to the radar. When the radar sees the iceberg, the ship automatically begins to turn, or the captain is immediately alerted with a specific pre-authorized protocol to execute. No argument, just action.
Ori WellingtonThat's such a powerful image. And it brings us right to implication number three, which is the speed of integration versus the speed of interpretation. This goes right back to that expertise gap we started with.
Sam JonesRight. If you integrate faster than you can interpret, you get a failure mode that we call signals without decisions.
Ori WellingtonOkay, expand on that. What does that mean?
Sam JonesIt means you build this amazing, expensive, integrated system. It detects a geopolitical shift. Let's say a new sanction is announced against a raw material that you use. The system flags it instantly, a big red light flashes on the dashboard.
Ori WellingtonThe system did its job. It sent the signal.
Sam JonesThe system did its job perfectly. But because you have an expertise gap in geopolitics or supply chain strategy, nobody in the room knows what that red light means for the business. Is that a shut down the factory immediately, red light, or is it a buy from a different vendor next week? Red light.
Ori WellingtonSo the signal is there, but the decision is completely missing.
Sam JonesOr worse, you get alerts without accountable response owners. The alert goes off, the email blast goes out, marketing thinks IT is handling it, IT thinks legal is handling it, legal thinks the risk team is handling it, and the ball just drops right between all the outfielders.
Ori WellingtonSo what's the IRM fix here? If you're a risk leader listening to this right now, how do you prevent that ball from dropping?
Sam JonesYou have to explicitly link your integrations to decision rights.
Ori WellingtonDecision rights. That sounds a little bit academic. Make that practical for us.
Third-Party Pathways And Unified Signals
Sam JonesIt's extremely practical. It means you sit down before the crisis and you say, when system A sends signal X, person Y is responsible for taking action Z. You map it all out. If the cyber dashboard turns red, Jane Doe has the authority to shut down that server without asking for permission from three levels of management.
Ori WellingtonYou preauthorize the response.
Sam JonesExactly. You cannot wait for the house to be on fire to figure out who's in charge of the fire hose. The speed of integration demands an equal speed of decision making.
Ori WellingtonLet's move to section four because this touches on the human connection in all this. Yeah. Implication number four: the workforce and supply chain blind spot.
Sam JonesYeah, this was another piece of data from the report that really just jumped off the page at me. While boards are pouring all this money into technology integration, the investment in workforce and supply chain is a comparatively low priority for them.
Ori WellingtonThat seems incredibly misaligned.
Sam JonesIt is completely and totally misaligned. I mean, think about how disruption actually propagates. Does it travel through the cables? Sometimes. But more often than not, it propagates through people.
Ori WellingtonIt's always the human element.
Sam JonesIt's the phishing email that a tired overwork employee clicks on at 5 p.m. on a Friday. It's the vendor who forgets to patch a critical server. It's the insider threat.
Ori WellingtonSo if you invest millions and millions in the tech integration, building this, you know, supercomputer network, but you underinvest in the people who are supposed to be running it.
Sam JonesYou create what we call a brittle system.
Ori WellingtonBrittle, that's a dangerous word for a company.
Sam JonesBecause it breaks easily under stress. A brittle system looks strong on the outside. It has the shiny dashboards and all the blinking lights. But the moment you put real stress on that human element, a pandemic, a market crash, a burst of employee turnover, it just shatters because the people are burnt out, or they're undertrained, or they're just not empowered to actually use the expensive tools you bought them.
Ori WellingtonIt's like having a Ferrari engine inside a cardboard chassis driven by someone who hasn't slept in three days.
Sam JonesExactly. That's a perfect analogy, not a recipe for winning any race. And the supply chain aspect is just as important. You can have your internal house in perfect order, but if your critical suppliers are a mess and you aren't investing and continuously monitoring them, you are incredibly vulnerable.
Ori WellingtonOkay. Implication number five.
Sam JonesThe winner profile is definitely shifting. We are seeing a very clear move toward what we call systems of action.
Ori WellingtonAs opposed to the old systems of record.
Sam JonesRight. For the last 10 or 15 years, the goal was to have a system of record, basically a big digital filing cabinet, a place where you store your policies, your risk assessments, your audit findings. It's a place to keep things, to prove to an auditor that you did them, you know, a year ago.
Ori WellingtonVery passive.
Sam JonesVery passive. The winners now are. Are the vendors who can unify signals across goals, processes, assets, and policies, we call that GPAP, and then convert those signals into actual triggers.
Ori WellingtonTriggers. That's the active word.
Sam JonesYes. It's not about software that connects anymore. It's about software that acts. The board doesn't want to know that the software is connected. They want to know that when a risk limit was breached, the software did something about it automatically.
Ori WellingtonCan you give us a concrete example of an action?
From Reporting To Manageability
Sam JonesSure. A risk limit was breached on a financial transaction. The software automatically locked the account, it alerted the fraud team via their preferred channel, and it halted the transfer. That is an action.
Ori WellingtonSo it's actionable evidence that will actually stand up to scrutiny.
Sam JonesExactly. If the regulator comes knocking on your door, you don't show them a report that says, we found a problem last month. You show them the workflow log that says, we found a problem at 2.15 PM, the system stopped it at 2.16, a human reviewed it by 2.3, and here is the documented resolution. That is what wins in this new environment.
Ori WellingtonSo we've covered the trap, the forces, and the implications for leaders. Let's look forward now. Section 5, what to watch next.
Sam JonesIf I'm a listener, what should I be looking for in my next board meeting or budget cycle to see if my company is getting this right? Okay, first thing, watch for the board agenda evolution. The conversation itself is going to shift from just integration as a concept to integration for decision advantage.
Ori WellingtonDecision advantage. I like that. It sounds competitive.
Sam JonesIt is intensely competitive. It's not just about the plumbing anymore, it's about speed and agility. You should look for requirements from the board tying investment to measurable reductions in decision latency.
Ori WellingtonSo the CFO is going to start asking: if we spend this million dollars on this project, how much faster will we be able to make a critical crisis decision?
Sam JonesExactly. And if the answer is uh we don't know, you might not get the funding. Boards want to know that they can outmaneuver the competition because their risk data is faster and more reliable.
Ori WellingtonOkay, what about AI? We talked a lot about the lack of expertise. What happens there? Aaron Ross Powell, Jr.
Sam JonesWe're calling this AI management hardening. The honeymoon phase with AI is officially ending. We are now entering the governance phase.
Ori WellingtonWell, maybe the hangover phase.
Sam JonesMaybe, yeah. You can expect boards to start demanding really practical controls. Things like acceptable use policies, data handling rules, and most importantly, model accountability.
Ori WellingtonAnd evidence trails for decision.
Sam JonesAbsolutely critical. If an AI influences a decision like denying a loan or hiring a candidate or firing someone, you need a clear, auditable evidence trail that explains why. Boards are going to demand that to protect the company and themselves from lawsuits and regulatory fines.
Ori WellingtonAnd what about third-party instrumentation?
Sam JonesWe are finally, hopefully, moving from static assessments to continuous monitoring.
Ori WellingtonSo the death of the annual security questionnaire. Please tell me it's true.
Sam JonesOh, please let it be true. The annual questionnaire is just a snapshot in time. It's basically useless the day after you send it. Boards want continuous monitoring that's tied to their most critical processes. They want to know the health of their most important vendor today, right now, not what it was last November.
Ori WellingtonAnd finally, vendor messaging. Yeah. How will that change?
Sam JonesThe smart vendors are going to change their tune. They will stop talking about integration claims. You know, look, we have an API for everything, and they'll start talking about quantified outcomes.
Ori WellingtonThings like cycle time reduction. Yeah. Lower loss exposure.
Sam JonesWe save you money and we keep you out of jail. That's the message that is going to resonate with boards in 2026 and beyond. Simple, direct, value-driven.
The Coordinated Versus Embedded Trap
Ori WellingtonOkay, we have arrived at the finale. Section six, the wheelhouse horizon view. This is where we put our reputation on the line with some specific forecasts. We have two big ones for this episode. Let's start with the market view looking out about 12 to 18 months.
Sam JonesSo we're putting this at a 70% probability. We predict that this board-driven funding will massively accelerate the consolidation of risk and assurance data layers.
Ori WellingtonConsolidation, so breaking down the silos.
Sam JonesThe walls between cyber risk and operational risk and audit and compliance are finally coming down. The data is merging into a unified layer. And this in turn increases the demand for platforms that can translate those unified signals into automated decision workflows.
Ori WellingtonSo if you're a leader listening to this, what's the action item?
Sam JonesMy advice and your advice in the article is to require your vendors and your internal teams to prove integration to action. Do not buy architecture narratives.
Ori WellingtonDon't just buy a pretty diagram of the cloud.
Sam JonesDon't buy a drawing of a cloud. Buy operational outcomes. Ask the vendor point blank. Show me exactly what happens when this risk indicator turns red. Who gets notified? What workflow triggers? Show me the action. Make them prove it.
Ori WellingtonLove that. Okay, the second one. The risk view looking out six to twelve months. This is a bit closer, a bit more immediate.
Sam JonesYeah, and this one is a bit darker, unfortunately. We're giving it a 60% probability. We predict a significant rise in visibility without control incidents. It really is the theme of this whole discussion. The scenario is this reporting improves, you get the better dashboards, you can see the problems more clearly than ever before. But your response authority, your ability to act, lags behind.
Ori WellingtonAnd the result.
Sam JonesPreventable disruptions and what we call post-event assurance failures.
Ori WellingtonThe we knew about it, but nobody stopped it headline.
Sam JonesThat is the epitaph of the failed risk manager in the 2020s. We saw it coming. Can you imagine having to explain that to the press or to the regulators? Yes, we saw the data leak happening on our dashboard in real time, but we didn't have a protocol to shut the server down without VP approval, and the VP was on a plane to Dubai.
Ori WellingtonThat is a career-ending nightmare.
Sam JonesThat's a classic visibility without control incident. It's deeply embarrassing, and it's incredibly expensive.
Ori WellingtonSo, what is the leadership action to prevent that?
Sam JonesEstablish explicit decision threshold and accountable owners now. Do it as part of every single integration initiative. If you are connecting a new system, you must simultaneously define who owns the decisions that will come out of that system. Do not wait for the crash to decide who is driving the car.
Ori WellingtonThat is powerful stuff. Do not wait for the crash to decide who is driving.
Sam JonesIt's absolutely essential. We are heading into a very fast, very complex 2026. The boards are putting the money up for integration, which is a good thing, but money without method is just expensive chaos.
Ori WellingtonExpensive chaos. I think that sums up the risk perfectly. Okay, let's wrap this deep dive up. We've covered a lot of ground today. Let's just quickly recap the main theme.
Sam JonesThe theme is pretty simple. 2026 is the year of integration.
Ori WellingtonThe boards want it, they are paying for it, but integration without decision rights is a trap. It is the integration trap.
Sam JonesExactly. So the goal for all our listeners is to move from being coordinated or where you're just sharing data to being truly embedded, where you have automated, preauthorized responses.
Ori WellingtonAnd to move from a focus on reporting efficiency to one on manageability. Don't just show me the risk. Help me manage it in real time.
Sam JonesAnd before we sign off, just a quick reminder, we threw a lot of concepts at you today. You can find more about all of our research at wheelhouseadvisors.com. The specific article we discussed today is at risktechjournal.com.
Signals Without Decisions And Decision Rights
Ori WellingtonAnd if you want the deep dive notes, the weekly insights that really get into the weeds of this stuff, the cheat codes, as we sometimes call them, you should subscribe to the RTJ Bridge at rtj bridge.com. It really is the best value in the market for this level of insight.
Sam JonesIt is.
Ori WellingtonNow, as we always do, we want to leave you with a final thought. Something for you to chew on as you head into your next strategy meeting. Bring us home.
Sam JonesWe talked a lot today about visibility without control. We talked about those fancy dashboards. So here's my question for you to take back to your team. If your dashboard turns red tomorrow, a big flashing critical red light, does everyone in your organization know exactly who holds the steering wheel? Or will you just have a high definition view of the crash?
Ori WellingtonOof, a high definition view of the crash. Don't let that be you.
Sam JonesPlease don't.
Ori WellingtonThanks for listening to the Risk Wheel House.
Sam JonesI'll see you next time.