Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal
〰️
Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal 〰️
The RiskTech Journal
The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.
Where Autonomous IRM Begins—And Where It Must Go Next
The Quiet Rise of Autonomous IRM—From the Middle Out
Autonomous IRM is no longer theoretical. AI-powered platforms are starting to deliver tangible value: agentic systems that simulate attacker behavior, validate control effectiveness, and recommend mitigation actions—often autonomously.
The June 5 announcement from Tuskira, integrating directly with ServiceNow’s Vulnerability Response and SecOps modules, is a prime example. By embedding simulation-backed scoring and posture-aware mitigation into operational workflows, Tuskira is delivering intelligence in real time.
But there’s something missing: the announcement doesn’t mention Integrated Risk Management (IRM) at all.
That silence is a signal. Tuskira operates in what Wheelhouse Advisors defines as Layer 3: Intelligence & Validation—the middle of the risk architecture. And while this layer is where automation is gaining traction, it’s also where many organizations are managing in isolation, without input from either end of the enterprise risk stack.
Inside the Hack: Why Social Engineering Exposes the Limits of Cyber Defense and Demands Integrated Risk Management
The recent cyberattack on Marks & Spencer (M&S), perpetrated by the notorious hacking group Scattered Spider, vividly underscores the evolving sophistication of cyber threats—and the alarming vulnerability of even well-protected enterprises. Despite significant investments in cybersecurity defenses, M&S faces an estimated loss of up to £300 million in operating profits and a plunge of £600 million in market capitalization following the breach.
As detailed recently by the Financial Times, Scattered Spider’s methods illuminate a stark reality: technical cybersecurity solutions alone are not enough. The group’s expertise lies in a blend of digital deception and human manipulation, a practice known as social engineering. Unlike traditional cybercriminals reliant solely on technical exploits, Scattered Spider meticulously researches employee identities, simulates convincing interactions, and leverages human psychology to circumvent cyber defenses.
Generative AI Is Steering Banks Toward Autonomous IRM—But the Bridge Isn’t Finished Yet
When McKinsey & Company published “How generative AI can help banks manage risk and compliance” in March 2024, it put blue-chip credibility behind a growing consensus: large-language models and related GenAI tools will automate swaths of the three-lines-of-defense and up-end conventional governance, risk, and compliance (GRC) workflows. What McKinsey did not say—but unmistakably implied—is that the old compliance-first paradigm is now on borrowed time. The firm’s use-case catalogue—from virtual regulatory advisors to code-generating “risk bots”—maps neatly onto the early layers of Autonomous Integrated Risk Management (IRM): continuously sensing risk, generating controls, and feeding decision-grade insight back into the business.
Yet the report also reveals a tension. McKinsey still frames GenAI as a helper inside discrete risk silos, guarded by human-in-the-loop checkpoints. Autonomous IRM envisions something bolder: an AI-directed control fabric that dissolves those silos, embeds itself in front-line processes, and—over time—lets the machine take the first swing at routine risk decisions while humans govern the exceptions.
McKinsey Confirms the Limits of GRC and Points Toward Integration
In its May 2025 article “Governance, Risk, and Compliance: A New Lens on Best Practices,” McKinsey & Company delivers a candid assessment of the widespread shortcomings in today’s governance, risk, and compliance (GRC) functions. Based on survey data from nearly 200 corporate leaders, the article highlights persistent underperformance across all three pillars of GRC and outlines five imperatives for reform. But what McKinsey never quite says—though it clearly suggests—is that the GRC model itself may be past its expiration date.
The findings echo what many in the risk management profession have long understood: legacy GRC frameworks are no longer adequate in a world defined by interconnected risks, real-time decisions, and strategic uncertainty. Below, we examine the key insights from the report and explain how they point—whether intentionally or not—toward Integrated Risk Management (IRM) as the future-facing alternative.
Introducing The RTJ Bridge—A Premium Subscription Delivering Strategic Insights for Risk Leaders
Wheelhouse Advisors announces the formal launch of The RTJ Bridge, the new premium subscription service from The RiskTech Journal. Positioned strategically between our daily industry commentary and comprehensive quarterly IRM Navigator™ research reports, The RTJ Bridge delivers weekly insights, executive briefings, and exclusive deep-dive editorial series.
Alongside this premium offering, the standard edition of The RiskTech Journal is now fully open-access, including unrestricted browsing of our past content library.
This tiered content strategy ensures risk leaders and senior executives receive timely and actionable insights at a fraction of the cost associated with traditional analyst firms such as Gartner and Forrester.
Cisco and ServiceNow Deepen AI Security Partnership—What Does It Mean for Integrated Risk Management?
The Cisco-ServiceNow partnership directly addresses these concerns by providing a tightly integrated solution that combines Cisco's established security expertise with ServiceNow's robust operational workflow capabilities. Customers will be able to map Cisco AI Defense controls to relevant standards in ServiceNow’s Integrated Risk Management (IRM) platform so teams can measure and demonstrate AI organizational compliance.
Operational Intelligence — How IRM Solves Connected Risk Failures
in today’s digital risk environment, agility and resilience are everything. Risk events once considered unlikely—global cyber disruptions, third-party failures, data breaches, operational breakdowns—now occur with alarming frequency. As these risks grow more interconnected, traditional Governance, Risk and Compliance (GRC) frameworks, often built around static risk registers and slow reporting cycles, are no longer sufficient.
Risk management is evolving from a reactive back-office control utility into a strategic engine of operational intelligence. Enabled by advancements in risk technology, analytics, and real-time data integration, modern Integrated Risk Management (IRM) platforms are helping organizations detect emerging operational risks earlier, connect siloed insights, and embed resilience into the core of enterprise decision-making.
This article previews that transformation—and offers a forward look at what’s coming in the IRM Navigator™ ORM Report – Q2 2025, which evaluates key trends, capabilities, and vendors shaping the future of operational risk management (ORM).
Live from RSA: Autonomous IRM Moves from Vision to Reality
The RSA Conference is renowned for highlighting significant shifts in cybersecurity and risk management. This year, alongside familiar conversations about persistent cybersecurity threats and regulatory pressures, a deeper transformation is occurring: the rise of Autonomous Integrated Risk Management (Autonomous IRM). Vendors at RSA 2025 are showcasing solutions that go beyond merely automating routine tasks, moving toward independently identifying, assessing, and mitigating risks across enterprise ecosystems without constant human intervention.
When Robots Walk, Risk Converges - Humanoids and the Future of Integrated Risk Management
For IRM professionals, the emergence of humanoids provides a rare moment of clarity: no single risk domain can manage this disruption in isolation. Humanoid robotics is where GRC, ERM, ORM, and TRM collide—and where their integration becomes essential.
The Risk Ignored — Part 1: Revisiting the Origin Story of a Software Industry
Some of the biggest failures in modern risk management didn't happen because we lacked frameworks. They happened because we misunderstood risk and how it must be managed.
We've built controls. We've stood up compliance programs. We've adopted acronyms and bought technology platforms promising enterprise-wide oversight. Yet risk still slips through the cracks—not because it isn't documented, but because it isn't truly visible and understood.
I've spent 35 years helping organizations—from Fortune 100 giants to growing mid-market firms—face this reality. And the truth is this: risk management has always been more fragmented, political, and performative than most are willing to admit.
“The Risk Ignored” is a documentary-style series of articles I’ve created to give readers exclusive insights into what really happened in the last 25 years of risk management technology development.
No Manager, No Strategy—Why GRC Alone Can’t Win the Risk Game
If Governance, Risk, and Compliance (GRC) is like a team without a manager, IRM is the system that brings structure, alignment, and leadership to the field. Without a manager, even talented players operate in silos—doing what they think is best individually but without strategic coordination or shared purpose. That’s the reality in many organizations today: siloed compliance, governance, and risk functions acting without integration.
IRM provides the playbook and the leadership. It integrates GRC with Enterprise Risk Management (ERM), Operational Risk Management (ORM), and Technology Risk Management (TRM) to form a unified team—managed strategically, guided by data, and aligned around shared enterprise objectives.
When Encryption Isn't Enough—A Sidewalk Interview and a Global Wake-Up Call
I was in Washington, D.C., when the story broke. Reports surfaced that U.S. officials had used Signal—a consumer-grade encrypted messaging app—to coordinate sensitive military operations in Yemen. I was finishing a dinner meeting after a full day of engagements when my phone rang. It was the BBC reaching out for immediate commentary on a fast-developing national security story.
Why Generative AI Is Breaking Cyber Insurance—and What Risk Leaders Must Do Next
The promise of generative artificial intelligence (AI) is captivating: it automates content creation, accelerates decision-making, and unlocks new efficiencies across industries. But beneath this glittering facade lurks an existential threat that few executives acknowledge: these systems are introducing catastrophic risks that cyber insurance markets are neither prepared for—nor willing to underwrite fully. As insurers frantically scramble to recalibrate policies in light of AI-driven threats, risk executives face a stark choice: transform how they manage emerging digital risks or face potentially devastating uninsured losses.
The Limits of Legacy GRC — Seven Reasons It Fails Modern Risk Management
In the corridors of risk management conferences and behind closed doors at technology vendor meetings, there's a reluctant acknowledgment that few are willing to voice publicly — traditional Governance, Risk, and Compliance (GRC) platforms are struggling to meet the demands of today's dynamic risk landscape. As someone who has spent decades consulting with both GRC vendors and their customers, I've heard the whispered confessions from technology providers who recognize these limitations but fear alienating their long-standing clients by admitting them openly.
The Great Risk Revolution—Why GRC Alone Can't Save Your Organization
In boardrooms across the globe, a quiet revolution is underway. Organizations that once viewed risk management primarily through the lens of Governance, Risk, and Compliance (GRC) are discovering—often the hard way—that yesterday's frameworks are increasingly inadequate for today's complex threat landscape.
Consider this. When the World Economic Forum recently surveyed global executives, the most pressing concerns they identified—from AI disruption to supply chain vulnerabilities—weren’t neatly contained within traditional GRC boundaries. These risks cascade across organizational silos, render conventional approaches obsolete, and demand a fundamentally different way of thinking about organizational resilience.
Moving Beyond the GRC Mindset - Why Boards Must Rethink Risk for the AI Era
I’m often questioned—sometimes challenged and occasionally attacked—by professionals who are deeply invested in traditional Governance, Risk, and Compliance (GRC) approaches. For many, GRC isn’t just a framework or a set of tools—it’s an identity, a career foundation, and in many cases, a commercial interest. So when I suggest that risk management must evolve beyond legacy GRC models, I’m not just raising a strategic argument—I’m challenging a belief system.
But this is not about abandoning GRC. It’s about recognizing that GRC, in its traditional, siloed, compliance-first form, is no longer sufficient for today’s risk environment.
AI's Risk Reckoning: How Integrated Risk Management Can Prevent Catastrophe
Organizations must adopt a structured, enterprise-wide approach to AI risk governance to balance AI's opportunities and risks. Integrated Risk Management (IRM) provides the governance framework to manage AI risks holistically, aligning AI implementation with corporate strategy, regulatory compliance, cybersecurity, and operational resilience.
The Future of Risk Management - How AI Agents Are Transforming IRM
Artificial Intelligence (AI) agents are revolutionizing Integrated Risk Management (IRM) by enabling organizations to detect, analyze, and mitigate risks autonomously. Unlike traditional risk management frameworks that rely heavily on manual assessments and static controls, AI-driven solutions enhance speed, accuracy, and adaptability, reducing financial losses, security breaches, and compliance failures.
Bridging the Resilience Gap: Why Integrated Risk Management Outperforms Legacy GRC Solutions
A recent KPMG Risk & Resilience Survey (March 2025) has revealed a concerning reality: most U.S. organizations remain unprepared to handle increasing risk events and broad disruptions. The report highlights that two-thirds to nearly three-quarters of organizations face moderate to strong barriers to managing risk effectively. The survey findings confirm a critical gap in how organizations manage risk and, more importantly, where traditional Governance, Risk, and Compliance (GRC) technologies fall short.
Distilled Intelligence or Compressed Catastrophe? The High-Stakes Risks of Shrinking AI
Their is a great deal of hype about distilled AI, an emerging technique that trims down massive machine learning models into leaner, cheaper versions. While these distilled “student” models may look—and sometimes perform—much like their full-fledged AI counterparts, a closer inspection reveals a labyrinth of potential flaws: from amplified bias and reduced accuracy to hidden legal liabilities.