IRM Navigator: The Operating Model for Integrated Risk Management

Executive Summary

Many organizations have adopted ERM standards and clarified accountability, yet risk still fails to shape planning, capital allocation, and operational decisions. The gap is not conceptual. It is operational. Most programs have guidance on what effective risk management should achieve and who should perform key activities, but they lack an operating model that specifies how risk work is unified across domains and instrumented through business processes and technology.

IRM Navigator™ addresses that gap. It is an operating model for integrated risk management that translates management intent and accountability into unified execution across enterprise, operational, technology, and compliance risk domains. It defines what must be unified, where integration matters, how maturity progresses, and what outcomes indicate that risk has become embedded rather than merely coordinated.

What Is IRM Navigator?

IRM Navigator is a management operating model that structures integrated risk management around four executive objectives: Performance, Resilience, Assurance, and Compliance (PRAC). It is not a framework, a control standard, or a technology platform. It is a design model that helps leaders build a unified risk management system by specifying:

  • The executive outcomes risk management should enable (PRAC).

  • The integration points where fragmentation must be resolved.

  • A maturity progression that links investment to operating change.

  • Practical indicators that separate coordinated reporting from embedded management.

IRM Navigator was developed by Wheelhouse Advisors as an applied model to help organizations operationalize integration across risk domains without defaulting to compliance-centric design or siloed execution.

Why It Matters

ERM programs frequently stall at a coordinated state. Organizations centralize risk registers and harmonize taxonomies, but decision velocity and decision quality do not improve because risk is not structurally integrated into the management systems that run the business.

Frameworks and standards do not fully resolve this because they typically stop at intent and structure:

  • They describe how risk management should align with strategy and performance.

  • They clarify accountability for ownership, challenge, and independent assurance.

  • They rarely prescribe how risk data, workflows, evidence, and actions should be unified across domains and embedded into operational systems.

IRM Navigator exists to close that operational gap.

Where IRM Navigator Fits Relative to COSO ERM and Three Lines

COSO ERM defines management intent

COSO ERM provides a widely adopted set of principles for aligning risk management with strategy and performance. It emphasizes objective setting, risk appetite, and linkage to value preservation and value creation. COSO is strongest as a statement of what effective ERM should accomplish. In practice, it does not specify how to unify execution across enterprise, operational, technology, and compliance domains, especially when different functions operate distinct processes and tools.

Three Lines defines accountability

The IIA Three Lines Model clarifies roles and responsibilities. The first line owns and manages risk, the second line enables and challenges, and the third line provides independent assurance. Three Lines reduces confusion about who does what, but it is not an operating model. It does not prescribe how risk signals should flow between lines, how evidence should be generated through operational systems, or how assurance should connect back to business outcomes.

IRM Navigator defines operating integration

IRM Navigator sits between standards and execution. It translates intent and accountability into a unified operating design for risk management.

A practical way to view the relationship is a four-layer stack:

  1. Principles and standards, such as COSO ERM, that define expectations for effective risk management.

  2. Accountability models, such as Three Lines, that clarify roles.

  3. IRM Navigator, which defines integration points, maturity progression, and outcome measures.

  4. Execution and instrumentation, including processes, controls, workflows, and RiskTech platforms.

Without the operating model layer, many organizations remain coordinated, but not embedded.

The IRM Navigator Model

Strategic objectives, PRAC

IRM Navigator aligns risk management to four strategic objectives that executive teams can use consistently across functions:

  • Performance, enabling better decisions and value creation under uncertainty.

  • Resilience, sustaining operations through disruption and stress.

  • Assurance, increasing confidence that controls and responses operate as intended.

  • Compliance, meeting obligations efficiently and predictably.

PRAC is not a reporting construct. It is an alignment mechanism intended to unify risk management outcomes with management priorities.

Integration points

IRM Navigator defines four integration points that anchor unification across domains:

  • Goals, aligned with enterprise risk management activities.

  • Processes, aligned with operational risk management activities.

  • Assets, aligned with technology risk management activities.

  • Policies, aligned with compliance and assurance activities.

These integration points represent the seams where fragmentation persists. Coordinated programs collect information across these seams. Embedded programs integrate management execution across them.

Maturity progression and investment meaning

IRM Navigator defines five maturity stages that describe how integration evolves as organizations invest in operating design, process discipline, data unification, and enabling technology:

  • Foundational, siloed, manual, and largely reactive.

  • Coordinated, centralized reporting with fragmented workflows.

  • Embedded, risk processes integrated into operational systems and decision forums.

  • Extended, shared platforms and taxonomies across enterprise and third parties.

  • Autonomous, AI-driven sensing, testing, mitigation, and verification with real-time assurance.

This progression helps leaders connect investment to observable changes in operating reality, not just new dashboards and documentation.

Strategic implications

If COSO ERM is the management intent and Three Lines is the accountability design, IRM Navigator is the operating model that makes integration actionable. It defines what must be unified, where integration matters, how maturity progresses, and how to recognize when risk management is genuinely embedded into decision making. Organizations that stop at coordination will continue to report on risk. Organizations that implement an operating model for integration will manage with risk.


John A. Wheeler

John A. Wheeler is the founder and CEO of Wheelhouse Advisors, a global risk management strategy and technology advisory firm. A recognized thought leader in integrated risk management, he has advised Fortune 500 companies, technology vendors, and regulatory bodies on risk and compliance strategies.

https://www.linkedin.com/in/johnawheeler/