Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal
〰️
Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal 〰️
The RiskTech Journal
The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.
The AI Wild West is Over — Why IRM Must Now Govern the Frontier
When John A. Wheeler and Avivah Litan collaborated as colleagues at Gartner, they shared a simple but powerful conviction: technology without governance invites risk, and risk without context invites disaster. That belief feels more urgent than ever in the age of generative AI.
This month, Avivah returned to the spotlight with a compelling Gartner webinar titled “A Partner Framework to Manage AI Governance, Trust, Risk and Security.” It laid out a comprehensive vision for AI Trust, Risk, and Security Management (AI TRiSM), exposing the vulnerabilities of current AI adoption strategies and presenting a future where organizations no longer treat AI oversight as optional.
But here’s the problem: most companies are still stuck in a fractured model of Governance, Risk, and Compliance (GRC). And the rise of autonomous, agentic AI systems is about to make that dysfunction terminal.
The Risk Ignored — Part 1: Revisiting the Origin Story of a Software Industry
Some of the biggest failures in modern risk management didn't happen because we lacked frameworks. They happened because we misunderstood risk and how it must be managed.
We've built controls. We've stood up compliance programs. We've adopted acronyms and bought technology platforms promising enterprise-wide oversight. Yet risk still slips through the cracks—not because it isn't documented, but because it isn't truly visible and understood.
I've spent 35 years helping organizations—from Fortune 100 giants to growing mid-market firms—face this reality. And the truth is this: risk management has always been more fragmented, political, and performative than most are willing to admit.
“The Risk Ignored” is a documentary-style series of articles I’ve created to give readers exclusive insights into what really happened in the last 25 years of risk management technology development.
To Visualize Risk, You Need Two Lenses—Essential Takeaways from the Mitratech Interact 2025 General Session
As today's business environment becomes more unpredictable, interconnected, and technologically driven, the traditional view of risk—focused primarily on controls, compliance, and containment—is no longer sufficient. Organizations must now see risk through a wider lens to avoid failure and inform success.
The central message was delivered during the general session "From Gatekeepers to Growth Partners: Embedding Risk at the Heart of the Organization" at the 2025 Mitratech Interact Conference in Dallas.
Moderated by Justin Silverman, Chief Product Officer at Mitratech, the session featured a dynamic dialogue between John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. They offered a forward-looking perspective on how organizations can evolve their risk practices to become more strategic, resilient, and business-aligned.
Flip the Risk Conversation Forward—Lessons from the Front Lines of Resilience
As operational complexity increases and business environments shift at a faster pace, organizations are under growing pressure to evolve their approach to risk. Risk management can no longer be reactive, control-focused, or functionally siloed. Instead, it must become proactive, performance-aligned, and strategically embedded. That was the focus of the breakout session "Holding the Line: Building Resilient Risk Programs in the Modern Era," presented at the 2025 Mitratech Interact Conference in Dallas.
The session was moderated by Ryan Fox, Director of GRC Solutions at Mitratech. It featured John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. The audience included legal, risk, and compliance leaders and practitioners seeking practical strategies to strengthen program maturity and build enterprise resilience.
No Manager, No Strategy—Why GRC Alone Can’t Win the Risk Game
If Governance, Risk, and Compliance (GRC) is like a team without a manager, IRM is the system that brings structure, alignment, and leadership to the field. Without a manager, even talented players operate in silos—doing what they think is best individually but without strategic coordination or shared purpose. That’s the reality in many organizations today: siloed compliance, governance, and risk functions acting without integration.
IRM provides the playbook and the leadership. It integrates GRC with Enterprise Risk Management (ERM), Operational Risk Management (ORM), and Technology Risk Management (TRM) to form a unified team—managed strategically, guided by data, and aligned around shared enterprise objectives.
From Code to Conduct: UK Cyber Mandate and Tech Disruption Signal a Governance Reckoning
Two significant announcements this week—one from the UK government and the other from Deloitte—highlight a rapidly converging future in which cybersecurity, advanced technology, and corporate governance are no longer siloed concerns but integrated imperatives for the boardroom. While distinct in origin and focus, both developments send a clear signal: the pressure on executive leaders to govern technology risks with discipline, foresight, and accountability is mounting.
When Encryption Isn't Enough—A Sidewalk Interview and a Global Wake-Up Call
I was in Washington, D.C., when the story broke. Reports surfaced that U.S. officials had used Signal—a consumer-grade encrypted messaging app—to coordinate sensitive military operations in Yemen. I was finishing a dinner meeting after a full day of engagements when my phone rang. It was the BBC reaching out for immediate commentary on a fast-developing national security story.
Why Generative AI Is Breaking Cyber Insurance—and What Risk Leaders Must Do Next
The promise of generative artificial intelligence (AI) is captivating: it automates content creation, accelerates decision-making, and unlocks new efficiencies across industries. But beneath this glittering facade lurks an existential threat that few executives acknowledge: these systems are introducing catastrophic risks that cyber insurance markets are neither prepared for—nor willing to underwrite fully. As insurers frantically scramble to recalibrate policies in light of AI-driven threats, risk executives face a stark choice: transform how they manage emerging digital risks or face potentially devastating uninsured losses.
The Limits of Legacy GRC — Seven Reasons It Fails Modern Risk Management
In the corridors of risk management conferences and behind closed doors at technology vendor meetings, there's a reluctant acknowledgment that few are willing to voice publicly — traditional Governance, Risk, and Compliance (GRC) platforms are struggling to meet the demands of today's dynamic risk landscape. As someone who has spent decades consulting with both GRC vendors and their customers, I've heard the whispered confessions from technology providers who recognize these limitations but fear alienating their long-standing clients by admitting them openly.
The Great Risk Revolution—Why GRC Alone Can't Save Your Organization
In boardrooms across the globe, a quiet revolution is underway. Organizations that once viewed risk management primarily through the lens of Governance, Risk, and Compliance (GRC) are discovering—often the hard way—that yesterday's frameworks are increasingly inadequate for today's complex threat landscape.
Consider this. When the World Economic Forum recently surveyed global executives, the most pressing concerns they identified—from AI disruption to supply chain vulnerabilities—weren’t neatly contained within traditional GRC boundaries. These risks cascade across organizational silos, render conventional approaches obsolete, and demand a fundamentally different way of thinking about organizational resilience.
Risk Rewired — Why CROs Must Lead the Charge in the New Era of Digital-First Risk Management
For the first time in over a decade, not a single financial risk made it into the top 10 concerns for chief risk officers (CROs). Instead, cybersecurity (75%), operational resilience (38%), and geopolitical volatility (36%) dominate the agenda. These are not just new threats—they are structurally different, externally driven, and deeply interconnected. Managing them demands a new kind of leadership—one capable of navigating a risk matrix that is faster, flatter, and far more fragile than ever before.
Chief Risk Officers now stand at the intersection of technology, strategy, and trust. The question is no longer whether they have a seat at the table. It’s whether they’re prepared to lead the table—or risk becoming sidelined as the world moves ahead without them.
Audit at the Edge: Governing AI Before It Governs You
Artificial intelligence is no longer a side project buried in IT. It’s now embedded in decision-making processes across finance, operations, marketing, and customer service. From algorithmic underwriting to autonomous workforce tools, AI is transforming how businesses operate—and how they fail. Yet for many organizations, Internal Audit remains stuck in the past: buried in compliance checklists, siloed in function, and reliant on legacy Governance, Risk, and Compliance (GRC) systems incapable of keeping pace.
Moving Beyond the GRC Mindset - Why Boards Must Rethink Risk for the AI Era
I’m often questioned—sometimes challenged and occasionally attacked—by professionals who are deeply invested in traditional Governance, Risk, and Compliance (GRC) approaches. For many, GRC isn’t just a framework or a set of tools—it’s an identity, a career foundation, and in many cases, a commercial interest. So when I suggest that risk management must evolve beyond legacy GRC models, I’m not just raising a strategic argument—I’m challenging a belief system.
But this is not about abandoning GRC. It’s about recognizing that GRC, in its traditional, siloed, compliance-first form, is no longer sufficient for today’s risk environment.
What Happens When Risk Protocols Fail - Lessons from the Signal App Incident
When BBC News investigated a recent national security communications breach, they reached out to Wheelhouse Advisors for expert analysis. The incident highlighted a growing risk not just for governments—but for every organization managing sensitive information in a digital world.
AI's Risk Reckoning: How Integrated Risk Management Can Prevent Catastrophe
Organizations must adopt a structured, enterprise-wide approach to AI risk governance to balance AI's opportunities and risks. Integrated Risk Management (IRM) provides the governance framework to manage AI risks holistically, aligning AI implementation with corporate strategy, regulatory compliance, cybersecurity, and operational resilience.
HIPAA 2.0 — How Risk Management Evolves Under HIPAA’s Cybersecurity Overhaul
In the face of escalating cyber threats, the U.S. healthcare sector is on the brink of its most dramatic regulatory transformation in more than a decade. The Department of Health and Human Services’ recent Notice of Proposed Rulemaking (NPRM) for the HIPAA Security Rule doesn’t just update a long-standing framework—it signals a revolutionary shift in how organizations must guard patient data. The stakes are higher than ever, with compliance costs set to soar and the consequences of non-compliance more severe than ever imagined.
The Future of Risk Management - How AI Agents Are Transforming IRM
Artificial Intelligence (AI) agents are revolutionizing Integrated Risk Management (IRM) by enabling organizations to detect, analyze, and mitigate risks autonomously. Unlike traditional risk management frameworks that rely heavily on manual assessments and static controls, AI-driven solutions enhance speed, accuracy, and adaptability, reducing financial losses, security breaches, and compliance failures.
The Challenges of AI Agents and Why Risk Management Matters
Artificial intelligence (AI) agents are being promoted as game-changers for businesses, helping automate tasks, reduce costs, and improve efficiency. However, recent research from CB Insights shows that many companies using AI agents face three significant problems: unreliable performance, complex integration with existing systems, and lack of uniqueness among different AI solutions. These issues highlight why businesses need Integrated Risk Management (IRM)—a structured way to handle risks related to AI, including security, compliance, and performance challenges. Without proper oversight, AI agents can cause more harm than good.
Bridging the Resilience Gap: Why Integrated Risk Management Outperforms Legacy GRC Solutions
A recent KPMG Risk & Resilience Survey (March 2025) has revealed a concerning reality: most U.S. organizations remain unprepared to handle increasing risk events and broad disruptions. The report highlights that two-thirds to nearly three-quarters of organizations face moderate to strong barriers to managing risk effectively. The survey findings confirm a critical gap in how organizations manage risk and, more importantly, where traditional Governance, Risk, and Compliance (GRC) technologies fall short.
Distilled Intelligence or Compressed Catastrophe? The High-Stakes Risks of Shrinking AI
Their is a great deal of hype about distilled AI, an emerging technique that trims down massive machine learning models into leaner, cheaper versions. While these distilled “student” models may look—and sometimes perform—much like their full-fledged AI counterparts, a closer inspection reveals a labyrinth of potential flaws: from amplified bias and reduced accuracy to hidden legal liabilities.