The Risk Wheelhouse Podcast

The Risk Wheelhouse is the podcast dedicated to exploring how RiskTech is reshaping the future of risk management. Hosted by our experts, Ori Wellington and Sam Jones, each episode delves deep into Integrated Risk Management (IRM), offering insights into the latest trends, technologies, and strategies. Join us to stay ahead in the ever-evolving risk landscape and empower your organization with actionable knowledge.

S5E7: Stop Buying Better Silos: How the IRM Navigator™ Curve Exposes RiskTech Hype

In this episode of The Risk Wheelhouse, Ori Wellington and Sam Jones tackle one of the most expensive mistakes in risk management today: buying impressive tools that quietly deepen silos instead of advancing your program. If you have ever sat through a RiskTech demo and wondered whether you are truly moving forward or just spending more, this conversation is your roadmap.

Ori and Sam unpack the IRM Navigator™ Curve, a visual model that traces the journey from fragmented Risk Dysfunction to unified Risk Agency, where human and machine agency work together inside validated guardrails. They explain the five maturity levels and four investment domains, then show why you cannot simply “skip ahead” by buying an advanced TRM or AI platform before your GRC, ERM, and ORM foundations are in place.

S5E6: Build An Emerging Risk Reflex Before The Next Shock Hits

The conversation centers on a stubborn truth: most boards are well briefed on emerging risks, yet few translate insight into movement. The research shows 76 percent receive comprehensive risk reports, 42 percent engage meaningfully, and just 22 percent act. That collapse at the decision point is the “funnel of inaction.” The hosts argue that leaders chase the wrong fix by investing in problem precision using hyper-detailed probabilities and impact ranges. This approach only provides a marginal, statistically insignificant uplift in action. Precision invites skepticism, shifts attention to model assumptions, and implies costly, multi-year programs that boards rationally defer. The better path is to reframe conversations around solution options that emphasize low regret actions, the cost of delay, adjustments to existing programs, and clear pacing across quarters.

S5E5: Why GRC Stabilized And IRM Took The Lead
Tags: Gartner, Magic Quadrant, GRC. Author: John A. Wheeler

The latest episode of The Risk Wheelhouse tackles one of the strangest sights in this year’s risk technology landscape. The “2025 Gartner Magic Quadrant for Governance, Risk, and Compliance” arrives with an empty Visionaries quadrant. No challengers, no upstarts, just silence where innovation used to live. Rather than treating this as a warning sign, Ori Wellington and Sam Jones explain why the quiet is a signal that GRC has finally stabilized into what it was always best suited to be: the institutional assurance backbone that proves what happened, preserves the evidence, and keeps auditors, regulators, and boards on solid ground.

S5E4: Unified IRM - AI Governance, Acquisitions and Alliances
Tags: AI Governance, AuditBoard, Diligent, Riskonnect. Author: Wheelhouse Advisors

We dive into why AI governance is now table stakes for any serious IRM platform, what an effective AI registry and dynamic risk assessment look like, and how automated compliance mapping to the NIST AI RMF, ISO 42001, and the EU AI Act changes daily work. Along the way, we unpack recent moves like AuditBoard’s AI-focused acquisition and its expanded alliance with a major consultancy, illustrating why services plus software has become the adoption formula. On the ESG front, partnerships that link board reporting with carbon accounting signal a deeper integration of climate and sustainability data into operational risk and financial performance.

S5E3: 2025 ORM Vendor Compass - The Enterprise Resilience Engine

Resilience isn’t a binder anymore. It’s a live system that has to perform under pressure. We pull apart the 2025 IRM Navigator™ Vendor Compass for Operational Risk Management (ORM) to show how ORM moved from back-office compliance to the execution engine of enterprise resilience. The stakes are massive. They include billions in spend, tighter regulations across the US, UK, and EU, and a rising demand for continuous, auditable proof that controls actually work when services fail.

S5E2: Redrawing Data Lines - DOJ’s DSP and the New National Security Mandate
Tags: US Department of Justice, Data Security, AI Governance. Author: Wheelhouse Advisors

Your “encrypted” data may still be regulated, and today the rules start to bite. We unpack how the Department of Justice’s Data Security Program moves from guidance to strict enforcement and why it reframes data governance as a national security mandate. From redefining “covered data” to treating anonymized and encrypted datasets as in-scope when they enable linkage or inference, we walk through what changes right now for risk leaders, counsel, and compliance teams.

S5E1: When AI manages risk, who manages the AI?
Tags: EU AI Act, ISO 42001, NIST AI RMF, AI Agents. Author: Wheelhouse Advisors

Autonomous IRM is moving from the lab into the core of enterprise risk, compliance, and security, and the stakes couldn’t be higher. When a self-learning agent flags threats, scores claims, or polices policy violations, who is accountable, how do we intervene, and what proof can we show regulators and customers? We unpack the three frameworks shaping credible answers: ISO/IEC 42001 as a certifiable management system that embeds AI governance into everyday processes, the EU AI Act as hard law with high‑risk tiers and eye‑watering fines, and the NIST AI Risk Management Framework as a practical playbook for building trustworthy systems.

S4E11: Behind Boardroom Doors - The New Era of UK Corporate Transparency

Corporate governance is undergoing a revolution in the UK, and Provision 29 of the 2024 Corporate Governance Code stands at the epicenter of this transformation. Far beyond traditional financial oversight, this groundbreaking rule mandates unprecedented transparency from company boards about their internal controls across all domains – financial, operational, compliance, and critically, technology.

S4E9: The SaaS Domino Effect - How Compromised OAuth Tokens Created a Cybersecurity Nightmare
Tags: Cybersecurity, SaaS, Integrated Risk Management. Author: Wheelhouse Advisors

Behind every digital business lies an invisible web of trust: the OAuth tokens silently connecting your applications. What happens when these trusted connections become your greatest vulnerability? A sophisticated attack campaign recently exploited these connections, bypassing traditional security measures to breach major cybersecurity companies including Cloudflare, Palo Alto Networks, and Proofpoint. Rather than directly attacking primary platforms, threat actors targeted Drift's OAuth integration tokens, effectively stealing the keys that allowed them to impersonate this trusted web chat tool when connecting to enterprise Salesforce instances.

S4E7: The Academic Reckoning of Risk Management
Tags: The Risk Ignored, Enterprise Risk Management, GRC, IRM. Author: Wheelhouse Advisors

Risk management evolution isn't just about new acronyms. It's about organizational survival in an increasingly complex world. When we examine the journey from checkbox compliance to genuine integration, we uncover profound lessons about how businesses navigate danger and why some approaches fundamentally fail when pressure hits.

This deep dive traces the fascinating progression from Governance, Risk and Compliance (GRC) through Enterprise Risk Management (ERM) to today's Integrated Risk Management (IRM) framework. Drawing from John Wheeler's powerful "Risk Ignored" series, we explore how GRC emerged after Sarbanes-Oxley as an elegant solution on paper that quickly collapsed under its own weight. As Norman Marks memorably quipped, GRC often stood for "Governance, Risk Management, and Confusion."

S4E6: When AI Agents Outnumber Humans
Tags: Palo Alto Networks, Autonomous IRM, AI Agents. Author: Wheelhouse Advisors

The rapid proliferation of AI agents throughout enterprise environments isn't just another tech trend—it's a fundamental transformation of how organizations operate. When Nikesh Arora, CEO of Palo Alto Networks, warns that "there's going to be more agents than humans running around trying to help manage your enterprise," he's highlighting a seismic shift that demands immediate attention.

S4E2: Autonomous IRM - Orchestrating Risk at Machine Speed
Tags: Autonomous IRM, CrowdStrike, AI Agents. Author: Wheelhouse Advisors

The digital age has accelerated risk to unprecedented speeds, creating a fundamental challenge for organizations: how can you manage threats that move faster than humans can react? This paradigm shift has given rise to Autonomous Integrated Risk Management (IRM), a revolutionary approach that transitions from human-speed reactions to machine-speed foresight and response.
