Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal
〰️
Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal 〰️
The RiskTech Journal
The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.
McKinsey Confirms the Limits of GRC and Points Toward Integration
In its May 2025 article “Governance, Risk, and Compliance: A New Lens on Best Practices,” McKinsey & Company delivers a candid assessment of the widespread shortcomings in today’s governance, risk, and compliance (GRC) functions. Based on survey data from nearly 200 corporate leaders, the article highlights persistent underperformance across all three pillars of GRC and outlines five imperatives for reform. But what McKinsey never quite says—though it clearly suggests—is that the GRC model itself may be past its expiration date.
The findings echo what many in the risk management profession have long understood: legacy GRC frameworks are no longer adequate in a world defined by interconnected risks, real-time decisions, and strategic uncertainty. Below, we examine the key insights from the report and explain how they point—whether intentionally or not—toward Integrated Risk Management (IRM) as the future-facing alternative.
AI Insurance Emerges as Chatbot Failures Highlight New Liabilities
In a notable development reflecting AI’s increasing integration into business operations, insurers at Lloyd’s of London have launched specialized coverage for losses caused by artificial intelligence tool failures. This initiative, spearheaded by Armilla, a startup backed by Y Combinator, underscores growing corporate concerns about the unpredictable and costly errors AI-powered tools can generate, particularly chatbots and customer service platforms.
Introducing The RTJ Bridge—A Premium Subscription Delivering Strategic Insights for Risk Leaders
Wheelhouse Advisors announces the formal launch of The RTJ Bridge, the new premium subscription service from The RiskTech Journal. Positioned strategically between our daily industry commentary and comprehensive quarterly IRM Navigator™ research reports, The RTJ Bridge delivers weekly insights, executive briefings, and exclusive deep-dive editorial series.
Alongside this premium offering, the standard edition of The RiskTech Journal is now fully open-access, including unrestricted browsing of our past content library.
This tiered content strategy ensures risk leaders and senior executives receive timely and actionable insights at a fraction of the cost associated with traditional analyst firms such as Gartner and Forrester.
Cisco and ServiceNow Deepen AI Security Partnership—What Does It Mean for Integrated Risk Management?
The Cisco-ServiceNow partnership directly addresses these concerns by providing a tightly integrated solution that combines Cisco's established security expertise with ServiceNow's robust operational workflow capabilities. Customers will be able to map Cisco AI Defense controls to relevant standards in ServiceNow’s Integrated Risk Management (IRM) platform so teams can measure and demonstrate AI organizational compliance.
Operational Intelligence — How IRM Solves Connected Risk Failures
in today’s digital risk environment, agility and resilience are everything. Risk events once considered unlikely—global cyber disruptions, third-party failures, data breaches, operational breakdowns—now occur with alarming frequency. As these risks grow more interconnected, traditional Governance, Risk and Compliance (GRC) frameworks, often built around static risk registers and slow reporting cycles, are no longer sufficient.
Risk management is evolving from a reactive back-office control utility into a strategic engine of operational intelligence. Enabled by advancements in risk technology, analytics, and real-time data integration, modern Integrated Risk Management (IRM) platforms are helping organizations detect emerging operational risks earlier, connect siloed insights, and embed resilience into the core of enterprise decision-making.
This article previews that transformation—and offers a forward look at what’s coming in the IRM Navigator™ ORM Report – Q2 2025, which evaluates key trends, capabilities, and vendors shaping the future of operational risk management (ORM).
Live from RSA: Autonomous IRM Moves from Vision to Reality
The RSA Conference is renowned for highlighting significant shifts in cybersecurity and risk management. This year, alongside familiar conversations about persistent cybersecurity threats and regulatory pressures, a deeper transformation is occurring: the rise of Autonomous Integrated Risk Management (Autonomous IRM). Vendors at RSA 2025 are showcasing solutions that go beyond merely automating routine tasks, moving toward independently identifying, assessing, and mitigating risks across enterprise ecosystems without constant human intervention.
When Robots Walk, Risk Converges - Humanoids and the Future of Integrated Risk Management
For IRM professionals, the emergence of humanoids provides a rare moment of clarity: no single risk domain can manage this disruption in isolation. Humanoid robotics is where GRC, ERM, ORM, and TRM collide—and where their integration becomes essential.
The AI Wild West is Over — Why IRM Must Now Govern the Frontier
When John A. Wheeler and Avivah Litan collaborated as colleagues at Gartner, they shared a simple but powerful conviction: technology without governance invites risk, and risk without context invites disaster. That belief feels more urgent than ever in the age of generative AI.
This month, Avivah returned to the spotlight with a compelling Gartner webinar titled “A Partner Framework to Manage AI Governance, Trust, Risk and Security.” It laid out a comprehensive vision for AI Trust, Risk, and Security Management (AI TRiSM), exposing the vulnerabilities of current AI adoption strategies and presenting a future where organizations no longer treat AI oversight as optional.
But here’s the problem: most companies are still stuck in a fractured model of Governance, Risk, and Compliance (GRC). And the rise of autonomous, agentic AI systems is about to make that dysfunction terminal.
The Risk Ignored — Part 1: Revisiting the Origin Story of a Software Industry
Some of the biggest failures in modern risk management didn't happen because we lacked frameworks. They happened because we misunderstood risk and how it must be managed.
We've built controls. We've stood up compliance programs. We've adopted acronyms and bought technology platforms promising enterprise-wide oversight. Yet risk still slips through the cracks—not because it isn't documented, but because it isn't truly visible and understood.
I've spent 35 years helping organizations—from Fortune 100 giants to growing mid-market firms—face this reality. And the truth is this: risk management has always been more fragmented, political, and performative than most are willing to admit.
“The Risk Ignored” is a documentary-style series of articles I’ve created to give readers exclusive insights into what really happened in the last 25 years of risk management technology development.
To Visualize Risk, You Need Two Lenses—Essential Takeaways from the Mitratech Interact 2025 General Session
As today's business environment becomes more unpredictable, interconnected, and technologically driven, the traditional view of risk—focused primarily on controls, compliance, and containment—is no longer sufficient. Organizations must now see risk through a wider lens to avoid failure and inform success.
The central message was delivered during the general session "From Gatekeepers to Growth Partners: Embedding Risk at the Heart of the Organization" at the 2025 Mitratech Interact Conference in Dallas.
Moderated by Justin Silverman, Chief Product Officer at Mitratech, the session featured a dynamic dialogue between John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. They offered a forward-looking perspective on how organizations can evolve their risk practices to become more strategic, resilient, and business-aligned.
Flip the Risk Conversation Forward—Lessons from the Front Lines of Resilience
As operational complexity increases and business environments shift at a faster pace, organizations are under growing pressure to evolve their approach to risk. Risk management can no longer be reactive, control-focused, or functionally siloed. Instead, it must become proactive, performance-aligned, and strategically embedded. That was the focus of the breakout session "Holding the Line: Building Resilient Risk Programs in the Modern Era," presented at the 2025 Mitratech Interact Conference in Dallas.
The session was moderated by Ryan Fox, Director of GRC Solutions at Mitratech. It featured John A. Wheeler, CEO of Wheelhouse Advisors, and Andrea Elliott, Chief Compliance Officer at ACI Worldwide. The audience included legal, risk, and compliance leaders and practitioners seeking practical strategies to strengthen program maturity and build enterprise resilience.
No Manager, No Strategy—Why GRC Alone Can’t Win the Risk Game
If Governance, Risk, and Compliance (GRC) is like a team without a manager, IRM is the system that brings structure, alignment, and leadership to the field. Without a manager, even talented players operate in silos—doing what they think is best individually but without strategic coordination or shared purpose. That’s the reality in many organizations today: siloed compliance, governance, and risk functions acting without integration.
IRM provides the playbook and the leadership. It integrates GRC with Enterprise Risk Management (ERM), Operational Risk Management (ORM), and Technology Risk Management (TRM) to form a unified team—managed strategically, guided by data, and aligned around shared enterprise objectives.
From Code to Conduct: UK Cyber Mandate and Tech Disruption Signal a Governance Reckoning
Two significant announcements this week—one from the UK government and the other from Deloitte—highlight a rapidly converging future in which cybersecurity, advanced technology, and corporate governance are no longer siloed concerns but integrated imperatives for the boardroom. While distinct in origin and focus, both developments send a clear signal: the pressure on executive leaders to govern technology risks with discipline, foresight, and accountability is mounting.
When Encryption Isn't Enough—A Sidewalk Interview and a Global Wake-Up Call
I was in Washington, D.C., when the story broke. Reports surfaced that U.S. officials had used Signal—a consumer-grade encrypted messaging app—to coordinate sensitive military operations in Yemen. I was finishing a dinner meeting after a full day of engagements when my phone rang. It was the BBC reaching out for immediate commentary on a fast-developing national security story.
Why Generative AI Is Breaking Cyber Insurance—and What Risk Leaders Must Do Next
The promise of generative artificial intelligence (AI) is captivating: it automates content creation, accelerates decision-making, and unlocks new efficiencies across industries. But beneath this glittering facade lurks an existential threat that few executives acknowledge: these systems are introducing catastrophic risks that cyber insurance markets are neither prepared for—nor willing to underwrite fully. As insurers frantically scramble to recalibrate policies in light of AI-driven threats, risk executives face a stark choice: transform how they manage emerging digital risks or face potentially devastating uninsured losses.
The Limits of Legacy GRC — Seven Reasons It Fails Modern Risk Management
In the corridors of risk management conferences and behind closed doors at technology vendor meetings, there's a reluctant acknowledgment that few are willing to voice publicly — traditional Governance, Risk, and Compliance (GRC) platforms are struggling to meet the demands of today's dynamic risk landscape. As someone who has spent decades consulting with both GRC vendors and their customers, I've heard the whispered confessions from technology providers who recognize these limitations but fear alienating their long-standing clients by admitting them openly.
The Great Risk Revolution—Why GRC Alone Can't Save Your Organization
In boardrooms across the globe, a quiet revolution is underway. Organizations that once viewed risk management primarily through the lens of Governance, Risk, and Compliance (GRC) are discovering—often the hard way—that yesterday's frameworks are increasingly inadequate for today's complex threat landscape.
Consider this. When the World Economic Forum recently surveyed global executives, the most pressing concerns they identified—from AI disruption to supply chain vulnerabilities—weren’t neatly contained within traditional GRC boundaries. These risks cascade across organizational silos, render conventional approaches obsolete, and demand a fundamentally different way of thinking about organizational resilience.
Risk Rewired — Why CROs Must Lead the Charge in the New Era of Digital-First Risk Management
For the first time in over a decade, not a single financial risk made it into the top 10 concerns for chief risk officers (CROs). Instead, cybersecurity (75%), operational resilience (38%), and geopolitical volatility (36%) dominate the agenda. These are not just new threats—they are structurally different, externally driven, and deeply interconnected. Managing them demands a new kind of leadership—one capable of navigating a risk matrix that is faster, flatter, and far more fragile than ever before.
Chief Risk Officers now stand at the intersection of technology, strategy, and trust. The question is no longer whether they have a seat at the table. It’s whether they’re prepared to lead the table—or risk becoming sidelined as the world moves ahead without them.
Audit at the Edge: Governing AI Before It Governs You
Artificial intelligence is no longer a side project buried in IT. It’s now embedded in decision-making processes across finance, operations, marketing, and customer service. From algorithmic underwriting to autonomous workforce tools, AI is transforming how businesses operate—and how they fail. Yet for many organizations, Internal Audit remains stuck in the past: buried in compliance checklists, siloed in function, and reliant on legacy Governance, Risk, and Compliance (GRC) systems incapable of keeping pace.
Moving Beyond the GRC Mindset - Why Boards Must Rethink Risk for the AI Era
I’m often questioned—sometimes challenged and occasionally attacked—by professionals who are deeply invested in traditional Governance, Risk, and Compliance (GRC) approaches. For many, GRC isn’t just a framework or a set of tools—it’s an identity, a career foundation, and in many cases, a commercial interest. So when I suggest that risk management must evolve beyond legacy GRC models, I’m not just raising a strategic argument—I’m challenging a belief system.
But this is not about abandoning GRC. It’s about recognizing that GRC, in its traditional, siloed, compliance-first form, is no longer sufficient for today’s risk environment.