Flip the Risk Conversation Forward—Lessons from the Front Lines of Resilience
As operational complexity increases and business environments shift at a faster pace, organizations are under growing pressure to evolve their approach to risk. Risk management can no longer be reactive, control-focused, or functionally siloed. Instead, it must become proactive, performance-aligned, and strategically embedded. That was the focus of the breakout session "Holding the Line: Building Resilient Risk Programs in the Modern Era," presented at the 2025 Mitratech Interact Conference in Dallas.
The session was moderated by Ryan Fox, Director of GRC Solutions at Mitratech. It featured John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. The audience included legal, risk, and compliance leaders and practitioners seeking practical strategies to strengthen program maturity and build enterprise resilience.
Reframing the Risk Conversation
Wheeler opened the session with a call to action: to flip the risk conversation forward. Too often, risk is positioned as a barrier—something to avoid, mitigate, or report after the fact. In reality, Wheeler argued, risk is essential to decision-making and long-term value creation.
He introduced a three-part model designed to help organizations shift their mindset:
Flip — Reposition risk from a compliance exercise to a strategic dialogue. This means moving away from fear-based narratives centered on audit failures or policy violations and instead emphasizing risk as a lever for resilience, foresight, and better outcomes.
Adopt — Introduce a unifying framework to organize and prioritize risk objectives. Wheeler outlined the PRAC model—Performance, Resilience, Assurance, and Compliance—as a practical way to align risk activities with the organization's purpose. The model connects the dots between strategic goals, operational execution, internal accountability, and regulatory obligations.
Manage — Establish integrated risk oversight that breaks down silos between departments. Whether it's cybersecurity, legal, finance, or audit, each function must align around shared risk definitions, objectives, and data. True resilience depends on coordinated execution across the enterprise.
Wheeler emphasized that this approach is not just about structure—it's about relevance. Risk leaders can demonstrate tangible value and influence the decisions that matter most by tying risk to strategy and embedding it into business rhythms.
ACI Worldwide: IRM in Action
Andrea Elliott built on these ideas by offering a real-world case study from ACI Worldwide. Her remarks focused on the company's multi-year journey to mature its risk capabilities across three key transformation pillars: Simplify, Integrate, and Enable.
Simplify
The first step was eliminating unnecessary complexity in the risk and compliance functions. Elliott described efforts to streamline policies, automate repetitive workflows, and remove overlaps between second-line responsibilities. This freed up capacity and allowed teams to focus on more meaningful analysis and engagement.
Integrate
Next, ACI worked to embed risk into business planning and cross-functional operations. Rather than treating risk as a separate layer of oversight, the company integrated risk analysis into core decision processes—including program planning, vendor management, and technology investments. Risk data became more visible, usable, and relevant to the first line.
Enable
Finally, the company focused on enabling the business to manage risk in real-time. That meant giving first-line managers access to better tools, more precise guidance, and greater accountability. Elliott emphasized the importance of shifting the second line from a policing role to an advisory one—supporting decision-makers rather than slowing them down.
Elliott also highlighted the importance of culture. Risk education, leadership visibility, and shared ownership were critical to making risk management more than a compliance function. Over time, the program evolved from fragmented and reactive to structured, embedded, and forward-looking.
Essential Takeaways: Three Strategic Imperatives
To close the session, Wheeler and Elliott outlined three strategic imperatives that every risk, compliance, and legal leader should prioritize:
Translate the value of risk into action.
Risk programs must go beyond identifying threats. They must deliver insight that drives better business outcomes. This means aligning risk appetite with investment decisions, translating findings into operational guidance, and helping senior leaders make informed trade-offs.
Develop an integrated risk approach.
Integration is not just about systems. It's about people, language, and priorities. Risk leaders must coordinate across silos to establish shared methodologies, consistent taxonomies, and unified metrics that give leadership a clear and complete view of risk.
Manage risk dynamically and continuously.
The old model of quarterly assessments and static risk registers is no longer sufficient. Organizations must adopt dynamic risk practices that include real-time monitoring, early-warning indicators, horizon scanning, and scenario modeling to anticipate disruption before it materializes.
These imperatives reflect the broader evolution of risk—from control to capability. Risk leaders who embrace this evolution position their organizations to withstand volatility and thrive through it.
Risk Resilience as a Competitive Advantage
The overarching theme of the session was that resilience is not a fixed outcome—it is a capability that must be built, sustained, and continually improved. This requires more than regulatory compliance. It demands strategic alignment, cultural buy-in, and operational agility.
By flipping the risk conversation forward—and adopting models that connect performance, resilience, assurance, and compliance—organizations can reposition risk as a contributor to growth and innovation. When risk becomes a shared language across business functions, it enables smarter decisions, stronger execution, and better outcomes.
For risk and compliance leaders navigating today's pressures, that shift represents more than a change in mindset. It's a change in mandate.