The Risk Wheelhouse Podcast
The Risk Wheelhouse is the podcast dedicated to exploring how RiskTech is reshaping the future of risk management. Hosted by our experts, Ori Wellington and Sam Jones, each episode delves deep into Integrated Risk Management (IRM), offering insights into the latest trends, technologies, and strategies. Join us to stay ahead in the ever-evolving risk landscape and empower your organization with actionable knowledge.
S6E7: AI Upends GRC - From Clipboards To Control Planes
What happens when the firm that helped define integrated risk management turns a critical lens on the category's foundations?
In this episode, analysts Ori Wellington and Sam Jones preview two major Wheelhouse Advisors research publications: The Integration Trap for GRC and the IRM50 AI Disruption Risk Index. The data reveals a surprising finding: when 50 IRM vendors are scored on structural exposure to AI disruption, market leadership and market durability turn out to be very different things.
At the heart of the analysis is what Wheelhouse calls the Integration Trap. Many established platforms excel at compliance documentation and assurance reporting but were never architected for real-time operational control. That distinction matters now more than ever. Agentic AI does not need dashboards or user interfaces. It needs APIs and control planes. Vendors with deep operational DNA are naturally positioned for this shift, while those built primarily around human workflows face difficult architectural decisions.
S6E6: Board Priorities 2026 - The Integration Trap
Growth used to win every boardroom vote. Now the data says something different: directors are prioritizing technology adoption and integration as the top 2026 investment, even as they admit their weakest expertise sits in AI, cybersecurity, and geopolitics. We unpack that paradox and show how uninformed speed turns “integration” into a superhighway for risk, unless you pair it with decision rights, embedded controls, and verifiable assurance.
S6E5: 2026 Convergence - Risk Management Must Be Integrated
The ground rules of risk have changed, and waiting for the next headline won’t save the balance sheet. We take you inside “The 2026 Convergence: Integrated Risk Management in a New Era” and map how cyber, AI, third parties, geopolitics, and reputation have fused into one risk surface. Instead of chasing alerts, we focus on disruption economics: what a breach costs per minute, which processes bleed first, and how quickly you can recover without compounding fines. Cyber stops being an IT story and becomes a CFO story.
S6E4: Avoiding The RiskTech Buyer Trap
Shiny demos are everywhere, but what if that “next-gen SaaS” risk platform is still a construction zone under the hood? We unpack the Risk Tech Buyer Trap and show how modern UIs and AI buzz can disguise where vendors really are on the path to true integration maturity. Our conversation breaks down a clear four-stage transformation sequence—SaaS foundation, experience reset, object model stabilization, and finally productized integration—so you can pinpoint a platform’s real readiness and avoid inheriting the vendor’s rebuild risk.
AI raises the stakes. As non-human identities proliferate and SaaS-to-SaaS connections multiply, trust becomes the new currency. We explore how data boundaries, continuous assurance, and identity governance reshape due diligence, and why vague claims about “secure cloud” and “powerful AI” no longer cut it. Using Archer’s Evolv journey as a transparent case study, we illustrate the signals of staged modernization and the common gap between marketing momentum and operational maturity.
S6E3: The IRM Navigator™ - Turning Risk Into A Strategic Operating Model
Risk work that lives in reports but not in decisions is a hidden tax on performance. We tackle that problem head-on by unpacking the IRM Navigator™, an operating model that connects standards and roles to the real systems and moments where choices are made. Instead of treating risk as a sidecar, we show how to embed it into approvals, planning, and daily operations so decision velocity and decision quality rise together.
S6E2: Rethinking Integrated Risk, From ROI To Dividends
Integrated Risk Management (IRM) is repeatedly underfunded for a structural reason: leaders keep forcing IRM into an ROI construct that demands a single, auditable chain of causality, while IRM is designed to distribute value across multiple domains at once. In this episode, Ori Wellington and Sam Jones explain why ROI framing collapses into assumption-stacked narrative under CFO scrutiny, and why risk leaders need a finance-compatible alternative that remains decision-grade.
The episode’s answer is a disciplined shift: evaluate IRM with cost/benefit analysis, and label the benefit streams as dividends. Dividends are distributed outcomes that improve enterprise performance and resilience without requiring false precision in a single attributable cash-flow line.
S6E1: NVIDIA CES 2026 - The Blueprint for Autonomous IRM
Season 6 opens with a clear message for Technology Risk Management leaders: autonomy is no longer constrained by model capability; it is constrained by infrastructure discipline and auditable management controls.
In S6E1, Ori Wellington and Sam Jones translate NVIDIA’s CES 2026 signals into a practical blueprint for Autonomous IRM, defined as continuous, AI-enabled verification and response loops that operate within explicit policy boundaries and generate audit-grade evidence by design. As inference costs fall, “always-on” control validation becomes economically viable at enterprise scale. That shift forces a new operating model: humans stop chasing evidence and start adjudicating pre-enriched exceptions with decision provenance, context, and rollback paths already assembled.
S5E9: ServiceNow Buys Armis, Telemetry Meets Workflow for IRM
ServiceNow’s planned $7.75B all-cash acquisition of Armis (targeted to close in H2 2026) is easy to misfile as “just another cybersecurity deal.” In this episode, Wheelhouse Advisors’ Ori Wellington and Sam Jones explain why it is actually a defining IRM market signal, one that raises the standard for what “risk management at scale” should mean going into 2026 procurement cycles.
S5E8: 2025 ERM Vendor Compass, The New Enterprise Decision Layer
ERM has a perception problem, and in 2025 it becomes a performance problem. Many programs still optimize for completeness, annual reporting cycles, and beautifully formatted board packs. Boards increasingly optimize for something else: faster, defensible decisions under volatility. The market’s new standard is measurable and uncompromising: time to decision and time to evidence. If your ERM platform depends on manual synthesis to tell the story, the story arrives late, and leadership is forced to decide on partial facts.
In this episode, we unpack the 2025 IRM Navigator™ Vendor Compass for Enterprise Risk Management (ERM) and explain why ERM must operate as the enterprise decision layer. That means converting risk appetite into quantified thresholds and escalation logic, sustaining a living scenario portfolio that can be refreshed and reused, and reusing verified evidence from ORM, TRM, and GRC to produce board-grade outputs with traceability.
S5E7: Stop Buying Better Silos: How the IRM Navigator™ Curve Exposes RiskTech Hype
In this episode of The Risk Wheelhouse, Ori Wellington and Sam Jones tackle one of the most expensive mistakes in risk management today: buying impressive tools that quietly deepen silos instead of advancing your program. If you have ever sat through a RiskTech demo and wondered whether you are truly moving forward or just spending more, this conversation is your roadmap.
Ori and Sam unpack the IRM Navigator™ Curve, a visual model that traces the journey from fragmented Risk Dysfunction to unified Risk Agency, where human and machine agency work together inside validated guardrails. They explain the five maturity levels and four investment domains, then show why you cannot simply “skip ahead” by buying an advanced TRM or AI platform before your GRC, ERM, and ORM foundations are in place.
S5E6: Build An Emerging Risk Reflex Before The Next Shock Hits
The conversation centers on a stubborn truth: most boards are well briefed on emerging risks, yet few translate insight into movement. The research shows 76 percent receive comprehensive risk reports, 42 percent engage meaningfully, and just 22 percent act. That collapse at the decision point is the “funnel of inaction.” The hosts argue that leaders chase the wrong fix by investing in problem precision using hyper-detailed probabilities and impact ranges. This approach only provides a marginal, statistically insignificant uplift in action. Precision invites skepticism, shifts attention to model assumptions, and implies costly, multi-year programs that boards rationally defer. The better path is to reframe conversations around solution options that emphasize low regret actions, the cost of delay, adjustments to existing programs, and clear pacing across quarters.
S5E5: Why GRC Stabilized And IRM Took The Lead
The latest episode of The Risk Wheelhouse tackles one of the strangest sights in this year’s risk technology landscape. The “2025 Gartner Magic Quadrant for Governance, Risk, and Compliance” arrives with an empty Visionaries quadrant. No challengers, no upstarts, just silence where innovation used to live. Rather than treating this as a warning sign, Ori Wellington and Sam Jones explain why the quiet is a signal that GRC has finally stabilized into what it was always best suited to be: the institutional assurance backbone that proves what happened, preserves the evidence, and keeps auditors, regulators, and boards on solid ground.
S5E4: Unified IRM - AI Governance, Acquisitions and Alliances
We dive into why AI governance is now table stakes for any serious IRM platform, what an effective AI registry and dynamic risk assessment look like, and how automated compliance mapping to the NIST AI RMF, ISO 42001, and the EU AI Act changes daily work. Along the way, we unpack recent moves like AuditBoard’s AI-focused acquisition and its expanded alliance with a major consultancy, illustrating why services plus software has become the adoption formula. On the ESG front, partnerships that link board reporting with carbon accounting signal a deeper integration of climate and sustainability data into operational risk and financial performance.
S5E3: 2025 ORM Vendor Compass - The Enterprise Resilience Engine
Resilience isn’t a binder anymore. It’s a live system that has to perform under pressure. We pull apart the 2025 IRM Navigator™ Vendor Compass for Operational Risk Management (ORM) to show how ORM moved from back-office compliance to the execution engine of enterprise resilience. The stakes are massive. They include billions in spend, tighter regulations across the US, UK, and EU, and a rising demand for continuous, auditable proof that controls actually work when services fail.
S5E2: Redrawing Data Lines - DOJ’s DSP and the New National Security Mandate
Your “encrypted” data may still be regulated and today the rules start to bite. We unpack how the Department of Justice’s Data Security Program moves from guidance to strict enforcement and why it reframes data governance as a national security mandate. From redefining “covered data” to treating anonymized and encrypted datasets as in-scope when they enable linkage or inference, we walk through what changes right now for risk leaders, counsel, and compliance teams.
S5E1: When AI manages risk, who manages the AI?
Autonomous IRM is moving from the lab into the core of enterprise risk, compliance, and security, and the stakes couldn’t be higher. When a self-learning agent flags threats, scores claims, or polices policy violations, who is accountable, how do we intervene, and what proof can we show regulators and customers? We unpack the three frameworks shaping credible answers: ISO/IEC 42001 as a certifiable management system that embeds AI governance into everyday processes, the EU AI Act as hard law with high‑risk tiers and eye‑watering fines, and the NIST AI Risk Management Framework as a practical playbook for building trustworthy systems.
S4E11: Behind Boardroom Doors - The New Era of UK Corporate Transparency
Corporate governance is undergoing a revolution in the UK, and Provision 29 of the 2024 Corporate Governance Code stands at the epicenter of this transformation. Far beyond traditional financial oversight, this groundbreaking rule mandates unprecedented transparency from company boards about their internal controls across all domains – financial, operational, compliance, and critically, technology.
S4E10: From Boardroom to Code Base - How the EU AI Act Reshapes Business Strategy
Artificial intelligence stands at a crossroads of breathtaking innovation and urgent need for responsible guardrails. Every breakthrough brings questions about safety, fairness, and accountability that can no longer be afterthoughts. The European Union has responded with the AI Act – the world's first comprehensive legal framework for artificial intelligence – and its General Purpose AI Code of Practice has already secured commitments from tech giants like OpenAI, Google, Microsoft, and Anthropic.
S4E9: The SaaS Domino Effect - How Compromised OAuth Tokens Created a Cybersecurity Nightmare
Behind every digital business lies an invisible web of trust: the OAuth tokens silently connecting your applications. What happens when these trusted connections become your greatest vulnerability? A sophisticated attack campaign recently exploited these connections, bypassing traditional security measures to breach major cybersecurity companies including Cloudflare, Palo Alto Networks, and Proofpoint. Rather than directly attacking primary platforms, threat actors targeted Drift's OAuth integration tokens, effectively stealing the keys that allowed them to impersonate this trusted web chat tool when connecting to enterprise Salesforce instances.
S4E8: Beyond Binders - GRC's Radical Shift to Integrated Risk Management and Enterprise Trust
Governance, Risk, and Compliance (GRC) has undergone a remarkable transformation. What was once the "department of no" – characterized by manual checklists, endless audits, and rooms full of binders – has evolved into a strategic verification backbone powering trust across organizations.
This radical shift positions GRC at the center of Integrated Risk Management (IRM), where policies, controls, and compliance data flow dynamically through organizations to provide real-time assurance. The market reflects this evolution, with GRC projected to grow from $12.1 billion in 2025 to $25.1 billion by 2032 – not as an unavoidable cost, but as a strategic investment that builds market-enhancing trust and enables bolder innovation.