The Risk Ignored — Part 1: Revisiting the Origin Story of a Software Industry
This introductory article is available as a free preview on LinkedIn and through The RiskTech Journal.
To access the full series—including all four installments of the GRC origin arc—subscribe to The RTJ Bridge. Your first month is on us.
Some of the biggest failures in modern risk management didn't happen because we lacked frameworks. They happened because we misunderstood risk and how it must be managed.
We've built controls. We've stood up compliance programs. We've adopted acronyms and bought technology platforms promising enterprise-wide oversight. Yet risk still slips through the cracks—not because it isn't documented, but because it isn't truly visible and understood.
I've spent 35 years helping organizations—from Fortune 100 giants to growing mid-market firms—face this reality. And the truth is this: risk management has always been more fragmented, political, and performative than most are willing to admit.
“The Risk Ignored” is a documentary-style series of articles I’ve created to give readers exclusive insights into what really happened in the last 25 years of risk management technology development.
Why This Series
This series explores the untold history behind today's dominant risk frameworks—and the emergence of Integrated Risk Management (IRM) as something not born from marketing but from real-world experience, rigorous research and the growing need for risk-informed decision support in corporate boardrooms and executive suites.
I’ve lived this evolution—as a senior risk executive, as the leader of the first SOX remediation tied to a disclosed material weakness, as the Gartner analyst who helped define IRM, and now as a trusted advisor to boards and risk executives at global enterprises and growth-stage firms.
This isn't theory. It's what happened.
The First Arc: Revisiting the GRC Narrative
The first arc of the series unpacks the true origin story of GRC. In the wake of the dot-com collapse, one software vendor saw an opportunity to reframe its knowledge management platform as a solution for the post-Enron/WorldCom era. But it needed a story—and a category. Looking for a unifying label, the vendor introduced what it would soon market as ‘GRC’. An analyst report released soon after closely echoed that framing, helping propel the acronym into mainstream discourse. †
Together, this vendor‑analyst alignment popularized what became known as GRC — recasting existing software as a Sarbanes‑Oxley compliance solution during a period of heightened regulatory anxiety. ‡‖
It worked. But it also defined an entire segment of the industry around a framework never built to manage risk—it was built to sell software.
Over four installments, we'll cover:
1. The Software That Lost Its Market
How the collapse of knowledge management platforms created a vacuum—and a compliance-shaped opportunity.
“Sometimes, frameworks don't start with insight. They begin with inventory—software that needs to be sold.”
2. The Risk That Created the Category
What Enron, WorldCom, and Sarbanes-Oxley did to fuel the market—and how it sparked a platform gold rush.
“The crisis didn't just create urgency. It made a market—and every vendor wanted in.”
3. The Acronym That Built a Market—And the One That Rescued It
The inside story of how GRC was coined, shaped, and scaled—not by governance leaders, but by vendors and analysts defining a market. And how IRM emerged as a response—not a rival—rooted in field research, executive experience, and operational necessity.
“GRC was created to sell software. IRM was designed through research to add what the software couldn't manage.”
4. The Irony of Archer IRM
The full-circle moment where a platform instrumental in launching the GRC category now leads with IRM. What that turn tells us about how the market has evolved—and where it's headed. Archer—one of the original platforms synonymous with GRC—has since pivoted. Its 2024 white paper states that “the time has come for Integrated Risk Management to be elevated to the same status as other crucial business functions.” ††
“The platform that once helped define GRC now leads with IRM—the framework that evolved to manage risk beyond compliance, audit, and ethics.”
What Comes Next
This first arc is only the beginning. In the follow-on series—The Risk Ignored: The Dawn of a New Risk Era—we'll move beyond the legacy GRC framework debate to focus on what comes next: the boardroom battles, the redefinition of risk in the age of AI and ESG, and the journey from control checklists to real-time risk orchestration using the IRM Navigator™ Framework.
Subscribe and Follow the Story
The Risk Ignored is available exclusively through The RiskTech Journal. Subscribers receive:
Access to every installment of the GRC origin arc
First access to the upcoming series, The Dawn of a New Risk Era
Insights drawn from real-world advisory and research at the executive level
Start your RiskTech Journal subscription today—your first month is on us.
What you'll get isn't just early access. It's the full story—told by someone who lived it, shaped it, and is now ready to reveal it.
The first installment drops next. And from there, the story only gets more revealing.
Prefer to follow along at a distance? You can also subscribe to the free edition of The RiskTech Journal on LinkedIn for highlights and preview access.
Source References:
† CIO Magazine, “Sarbanes‑Oxley: The IT Manager’s New Risks and Responsibilities,” 15 May 2003.
‡ Bekker, Riaan. “The Interesting History of Governance, Risk and Compliance,” LinkedIn, 16 Sept 2019.
‖ SafePaaS, “Is Your Outdated GRC Software Putting Your Business at Risk?”.
†† Archer, “Integrated Risk Management: The Enterprise Capability Your Organization Needs,” 2024 White Paper, p. 2.
Michael Rasmussen, "GRC 3.0 – A History of GRC," GRC 20/20 Blog, 2013.
Editor’s Note (updated 4/21/2025): This article was updated to add source citations and clarify phrasing regarding early 2000s GRC marketing activity.
Editorial Disclaimer
The Risk Ignored is an independent editorial series created and authored by John A. Wheeler. The views and opinions expressed in this series are those of the author in his personal capacity and do not necessarily reflect the views of Wheelhouse Advisors LLC or its affiliates. This content is intended for informational and educational purposes only and should not be construed as legal, financial, or professional advice. All references to companies, products, or market events are based on publicly available information or the author’s professional experience and perspective.
The Risk Ignored is published by Wheelhouse Advisors LLC as part of The RTJ Bridge-The Premium Version of The RiskTech Journal.
The historical account of the Governance, Risk & Compliance (GRC) market's origin is based on publicly available sources, including a 2013 blog post by Michael Rasmussen. This article presents an editorial analysis of how those events influenced the development of risk technology platforms and market narratives. All individuals and organizations referenced are acknowledged for their contributions to the evolution of this field. No claims are made regarding proprietary ownership of terminology.