
The RiskTech Journal
The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.

Where Autonomous IRM Begins—And Where It Must Go Next
The Quiet Rise of Autonomous IRM—From the Middle Out
Autonomous IRM is no longer theoretical. AI-powered platforms are starting to deliver tangible value: agentic systems that simulate attacker behavior, validate control effectiveness, and recommend mitigation actions—often autonomously.
The June 5 announcement from Tuskira, integrating directly with ServiceNow’s Vulnerability Response and SecOps modules, is a prime example. By embedding simulation-backed scoring and posture-aware mitigation into operational workflows, Tuskira is delivering intelligence in real time.
But there’s something missing: the announcement doesn’t mention Integrated Risk Management (IRM) at all.
That silence is a signal. Tuskira operates in what Wheelhouse Advisors defines as Layer 3: Intelligence & Validation—the middle of the risk architecture. And while this layer is where automation is gaining traction, it’s also where many organizations are managing in isolation, without input from either end of the enterprise risk stack.

Inside the Hack: Why Social Engineering Exposes the Limits of Cyber Defense and Demands Integrated Risk Management
The recent cyberattack on Marks & Spencer (M&S), perpetrated by the notorious hacking group Scattered Spider, vividly underscores the evolving sophistication of cyber threats—and the alarming vulnerability of even well-protected enterprises. Despite significant investments in cybersecurity defenses, M&S faces an estimated loss of up to £300 million in operating profits and a plunge of £600 million in market capitalization following the breach.
As detailed recently by the Financial Times, Scattered Spider’s methods illuminate a stark reality: technical cybersecurity solutions alone are not enough. The group’s expertise lies in a blend of digital deception and human manipulation, a practice known as social engineering. Unlike traditional cybercriminals reliant solely on technical exploits, Scattered Spider meticulously researches employee identities, simulates convincing interactions, and leverages human psychology to circumvent cyber defenses.

From Permit to Platform—How CTRL WRK Turns Lockout/Tagout into an Autonomous IRM Use Case
A high-risk, paper-bound safety workflow finds new life on the ServiceNow platform—signaling a broader shift toward AI-enabled operational risk intelligence.
What was once a clipboard-bound safety task has now become a signal of something larger: the acceleration of Autonomous Integrated Risk Management (Autonomous IRM) through purpose-built, domain-native micro-apps. On June 2, CTRL WRK—a GenAI-powered “Control of Work” (CoW) application focused on lockout/tagout (LOTO) permitting—launched on the ServiceNow Store. While its function is precise, the implications are far-reaching.
This is more than digitization. It’s the embodiment of a broader market shift: from static compliance toward dynamic, AI-enabled risk management embedded directly into operational workflows.

Generative AI Is Steering Banks Toward Autonomous IRM—But the Bridge Isn’t Finished Yet
When McKinsey & Company published “How generative AI can help banks manage risk and compliance” in March 2024, it put blue-chip credibility behind a growing consensus: large-language models and related GenAI tools will automate swaths of the three-lines-of-defense and up-end conventional governance, risk, and compliance (GRC) workflows. What McKinsey did not say—but unmistakably implied—is that the old compliance-first paradigm is now on borrowed time. The firm’s use-case catalogue—from virtual regulatory advisors to code-generating “risk bots”—maps neatly onto the early layers of Autonomous Integrated Risk Management (IRM): continuously sensing risk, generating controls, and feeding decision-grade insight back into the business.
Yet the report also reveals a tension. McKinsey still frames GenAI as a helper inside discrete risk silos, guarded by human-in-the-loop checkpoints. Autonomous IRM envisions something bolder: an AI-directed control fabric that dissolves those silos, embeds itself in front-line processes, and—over time—lets the machine take the first swing at routine risk decisions while humans govern the exceptions.

Beyond the Firewall - Why Integrated Risk Management Is the Missing Layer in Cyber Defense
The recent revelation that Marks & Spencer—one of Britain’s most iconic retailers—suffered a cyberattack that could cost it up to £300 million in annual operating profit is a reminder that no amount of cybersecurity spending can fully inoculate a company from human error. The attack, reportedly traced to a third-party vendor and facilitated by social engineering, underscores a hard truth: cybersecurity is necessary, but not sufficient.
Despite boosting its cyber investment by 75% and quadrupling its team over the past two years, M&S was not spared. Nor were other well-known retailers like Harrods and the Co-op grocery group. These incidents reflect a deeper problem in the digital defense playbook—one that requires a broader, integrated approach to risk.

Avatars in Armani — How AI Analysts Are Reshaping the Future of Finance & Risk Management
When UBS digitally cloned three dozen equity analysts into AI-generated avatars, it wasn’t just experimenting with client communications but sounding the opening bell on a new era in financial services. This wasn’t deepfake theatre or AI as a back-office assistant. It was artificial intelligence stepping into the polished shoes of the investment banker.
The avatars, trained to deliver short videos based on research notes—complete with facial expressions and gestures—represent a subtle but significant shift. UBS reports that clients respond to them as positively as traditional analysts, even if the result feels slightly uncanny.

The Modern Risk Stack — A Primer Explaining How IRM Integrates GRC, ERM, ORM, and TRM
Many organizations seeking a better path for risk management are often confused by multiple risk domains—GRC, ERM, ORM, TRM—each promising mastery over a specific slice of risk management. But as risks evolve, multiply, and interconnect at unprecedented speed, these isolated approaches no longer suffice. Integrated Risk Management (IRM) has emerged as the essential response, weaving together the strengths of each domain to build one cohesive, strategic narrative.

Integrated Risk Thinking: The Mindset That Unlocks the Power of the IRM Navigator™ Model
Today’s businesses face unprecedented complexity. Rapid technological advances, evolving regulatory environments, escalating cyber threats, and global operational challenges have rendered traditional risk management approaches obsolete. Siloed processes, reactive responses, and fragmented risk oversight are no longer enough to safeguard modern organizations.
Wheelhouse Advisors has identified that effective risk management in today’s landscape requires not only powerful tools and methods but, more importantly, a fundamentally new way of thinking. This strategic shift is what we call Integrated Risk Thinking (IRT)—the essential mindset that allows organizations to leverage risk as an integral part of strategy, decision-making, and competitive advantage.

McKinsey Confirms the Limits of GRC and Points Toward Integration
In its May 2025 article “Governance, Risk, and Compliance: A New Lens on Best Practices,” McKinsey & Company delivers a candid assessment of the widespread shortcomings in today’s governance, risk, and compliance (GRC) functions. Based on survey data from nearly 200 corporate leaders, the article highlights persistent underperformance across all three pillars of GRC and outlines five imperatives for reform. But what McKinsey never quite says—though it clearly suggests—is that the GRC model itself may be past its expiration date.
The findings echo what many in the risk management profession have long understood: legacy GRC frameworks are no longer adequate in a world defined by interconnected risks, real-time decisions, and strategic uncertainty. Below, we examine the key insights from the report and explain how they point—whether intentionally or not—toward Integrated Risk Management (IRM) as the future-facing alternative.

AI Insurance Emerges as Chatbot Failures Highlight New Liabilities
In a notable development reflecting AI’s increasing integration into business operations, insurers at Lloyd’s of London have launched specialized coverage for losses caused by artificial intelligence tool failures. This initiative, spearheaded by Armilla, a startup backed by Y Combinator, underscores growing corporate concerns about the unpredictable and costly errors AI-powered tools can generate, particularly chatbots and customer service platforms.

Introducing The RTJ Bridge—A Premium Subscription Delivering Strategic Insights for Risk Leaders
Wheelhouse Advisors announces the formal launch of The RTJ Bridge, the new premium subscription service from The RiskTech Journal. Positioned strategically between our daily industry commentary and comprehensive quarterly IRM Navigator™ research reports, The RTJ Bridge delivers weekly insights, executive briefings, and exclusive deep-dive editorial series.
Alongside this premium offering, the standard edition of The RiskTech Journal is now fully open-access, including unrestricted browsing of our past content library.
This tiered content strategy ensures risk leaders and senior executives receive timely and actionable insights at a fraction of the cost associated with traditional analyst firms such as Gartner and Forrester.

Cisco and ServiceNow Deepen AI Security Partnership—What Does It Mean for Integrated Risk Management?
The Cisco-ServiceNow partnership directly addresses these concerns by providing a tightly integrated solution that combines Cisco's established security expertise with ServiceNow's robust operational workflow capabilities. Customers will be able to map Cisco AI Defense controls to relevant standards in ServiceNow’s Integrated Risk Management (IRM) platform so teams can measure and demonstrate AI organizational compliance.

Operational Intelligence — How IRM Solves Connected Risk Failures
In today’s digital risk environment, agility and resilience are everything. Risk events once considered unlikely—global cyber disruptions, third-party failures, data breaches, operational breakdowns—now occur with alarming frequency. As these risks grow more interconnected, traditional Governance, Risk and Compliance (GRC) frameworks, often built around static risk registers and slow reporting cycles, are no longer sufficient.
Risk management is evolving from a reactive back-office control utility into a strategic engine of operational intelligence. Enabled by advancements in risk technology, analytics, and real-time data integration, modern Integrated Risk Management (IRM) platforms are helping organizations detect emerging operational risks earlier, connect siloed insights, and embed resilience into the core of enterprise decision-making.
This article previews that transformation—and offers a forward look at what’s coming in the IRM Navigator™ ORM Report – Q2 2025, which evaluates key trends, capabilities, and vendors shaping the future of operational risk management (ORM).

Live from RSA: Autonomous IRM Moves from Vision to Reality
The RSA Conference is renowned for highlighting significant shifts in cybersecurity and risk management. This year, alongside familiar conversations about persistent cybersecurity threats and regulatory pressures, a deeper transformation is occurring: the rise of Autonomous Integrated Risk Management (Autonomous IRM). Vendors at RSA 2025 are showcasing solutions that go beyond merely automating routine tasks, moving toward independently identifying, assessing, and mitigating risks across enterprise ecosystems without constant human intervention.

When Robots Walk, Risk Converges - Humanoids and the Future of Integrated Risk Management
For IRM professionals, the emergence of humanoids provides a rare moment of clarity: no single risk domain can manage this disruption in isolation. Humanoid robotics is where GRC, ERM, ORM, and TRM collide—and where their integration becomes essential.

The AI Wild West is Over — Why IRM Must Now Govern the Frontier
When John A. Wheeler and Avivah Litan collaborated as colleagues at Gartner, they shared a simple but powerful conviction: technology without governance invites risk, and risk without context invites disaster. That belief feels more urgent than ever in the age of generative AI.
This month, Avivah returned to the spotlight with a compelling Gartner webinar titled “A Partner Framework to Manage AI Governance, Trust, Risk and Security.” It laid out a comprehensive vision for AI Trust, Risk, and Security Management (AI TRiSM), exposing the vulnerabilities of current AI adoption strategies and presenting a future where organizations no longer treat AI oversight as optional.
But here’s the problem: most companies are still stuck in a fractured model of Governance, Risk, and Compliance (GRC). And the rise of autonomous, agentic AI systems is about to make that dysfunction terminal.

The Risk Ignored — Part 1: Revisiting the Origin Story of a Software Industry
Some of the biggest failures in modern risk management didn't happen because we lacked frameworks. They happened because we misunderstood risk and how it must be managed.
We've built controls. We've stood up compliance programs. We've adopted acronyms and bought technology platforms promising enterprise-wide oversight. Yet risk still slips through the cracks—not because it isn't documented, but because it isn't truly visible and understood.
I've spent 35 years helping organizations—from Fortune 100 giants to growing mid-market firms—face this reality. And the truth is this: risk management has always been more fragmented, political, and performative than most are willing to admit.
“The Risk Ignored” is a documentary-style series of articles I’ve created to give readers exclusive insights into what really happened in the last 25 years of risk management technology development.

To Visualize Risk, You Need Two Lenses—Essential Takeaways from the Mitratech Interact 2025 General Session
As today's business environment becomes more unpredictable, interconnected, and technologically driven, the traditional view of risk—focused primarily on controls, compliance, and containment—is no longer sufficient. Organizations must now see risk through a wider lens to avoid failure and inform success.
The central message was delivered during the general session "From Gatekeepers to Growth Partners: Embedding Risk at the Heart of the Organization" at the 2025 Mitratech Interact Conference in Dallas.
Moderated by Justin Silverman, Chief Product Officer at Mitratech, the session featured a dynamic dialogue between John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. They offered a forward-looking perspective on how organizations can evolve their risk practices to become more strategic, resilient, and business-aligned.

Flip the Risk Conversation Forward—Lessons from the Front Lines of Resilience
As operational complexity increases and business environments shift at a faster pace, organizations are under growing pressure to evolve their approach to risk. Risk management can no longer be reactive, control-focused, or functionally siloed. Instead, it must become proactive, performance-aligned, and strategically embedded. That was the focus of the breakout session "Holding the Line: Building Resilient Risk Programs in the Modern Era," presented at the 2025 Mitratech Interact Conference in Dallas.
The session was moderated by Ryan Fox, Director of GRC Solutions at Mitratech. It featured John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. The audience included legal, risk, and compliance leaders and practitioners seeking practical strategies to strengthen program maturity and build enterprise resilience.

No Manager, No Strategy—Why GRC Alone Can’t Win the Risk Game
If Governance, Risk, and Compliance (GRC) is like a team without a manager, IRM is the system that brings structure, alignment, and leadership to the field. Without a manager, even talented players operate in silos—doing what they think is best individually but without strategic coordination or shared purpose. That’s the reality in many organizations today: siloed compliance, governance, and risk functions acting without integration.
IRM provides the playbook and the leadership. It integrates GRC with Enterprise Risk Management (ERM), Operational Risk Management (ORM), and Technology Risk Management (TRM) to form a unified team—managed strategically, guided by data, and aligned around shared enterprise objectives.