
The RTJ Bridge is the new premium version of The RiskTech Journal, delivering fast-moving, strategically relevant insights for risk leaders navigating today’s digital business landscape.
Designed as the link between editorial commentary and in-depth research, The RTJ Bridge offers exclusive access to:
High-frequency insight notes on market shifts, regulatory signals, and emerging technologies
Executive briefings and editorial series including “The Risk Ignored”
Strategic previews of IRM Navigator™ research, including upcoming Risk Landscape Reports
Whether you're monitoring vendor moves, tracking governance shifts, or preparing for regulatory disruption, The RTJ Bridge equips you with actionable foresight.
The RTJ Bridge Subscription is a premier resource for executives and professionals focused on the intersection of risk management and technology. It provides subscribers with access to a curated collection of articles and expert insights designed to enhance risk management strategies through technological innovation. With its online format, The RTJ Bridge offers flexible access to critical information, helping leaders make informed decisions and stay competitive.

Can AI Be Governed?
The Governance Paradox
The question of whether artificial intelligence can be governed may seem philosophical. But in 2025, it has become operational, and urgent. See our recent article on Builder.ai for a case study in the escalating risks driven by AI. As generative AI, autonomous agents, and foundation models accelerate their integration into critical systems, the pace of innovation is rapidly outstripping the scaffolding of rules, oversight, and control.
“Governance” in this context is often mistaken for static oversight: policy frameworks, codes of conduct, or aspirational principles. But as defined in the discipline of integrated risk management (IRM), governance is the rule-setting subset of management—the top of the pyramid. True risk control comes from marrying that governance with relentless operational execution: identification, assessment, mitigation, and continuous monitoring.
So: Can AI be governed? The answer is yes—but only if organizations recognize that compliance checklists and PR-friendly charters are no substitute for enterprise-wide, integrated, and adaptive risk management.

When the AI Black Box Blows Up
Builder.ai’s Collapse and the Unspoken Risk of Third-Party AI Dependencies
In May 2025, Builder.ai—a self-styled “AI software factory” based in London—collapsed into insolvency. Its promise had captivated global investors: a revolutionary platform that used artificial intelligence to build bespoke software with the ease of ordering a pizza. The startup raised over $500 million from Microsoft, the Qatar Investment Authority, SoftBank, and Insight Partners. In 2023, it was valued at over $1.3 billion.
But beneath its glossy demos and bold claims, Builder.ai was held together by human coders, creative accounting, and possibly fabricated revenue. As reported by the Financial Times, Microsoft and other top-tier investors are now grappling with the realization that they may have backed a business that not only overstated its AI capabilities—but systematically inflated its financials.
Builder.ai is not merely a failed startup. It is a warning shot to any organization that depends on third-party AI providers without meaningful oversight or technical verification. The question that now must be asked across boardrooms and IT departments alike:
If Microsoft—with all its engineering prowess—could be misled, what chance does a mid-sized business have?

The Risk Ignored – Part I, Chapter 4. The Irony of Risk Intelligence: When GRC’s Founders Became IRM’s Followers
When Risk Culture Meets Rocket Fuel
In early 2007, SunTrust’s board appointed a new CEO. The new CEO had been waiting in the wings since SunTrust acquired his bank, which was heavily weighted toward mortgage banking. Unlike his predecessor, he saw risk not as a discipline but as a throttle: something to push forward, not manage. His first strategic move was aggressive: set a Big Hairy Audacious Goal (BHAG), a term ironically made famous by Jim Collins’ book “Built to Last”. The SunTrust BHAG, as defined by the new CEO, was to more than double the mortgage portfolio within twelve months to compete head-on with Wall Street’s securitization giants.
To hit that target, underwriting controls were systematically dismantled. Incentives for mortgage originators surged dramatically, creating an environment ripe for aggressive lending and shortcuts. When I saw these changes, I foresaw the inevitable crash. As the senior executive overseeing Internal Audit, Compliance, and Risk Management, I confronted both the CEO and his protégé—the head of mortgage banking—in a tense meeting. The mortgage head literally writhed in his seat with anger; I had never seen anything like it.

The Risk Ignored – Part I, Chapter 3. The Acronym That Built a Market – And the One That Rescued It
As many industry shifts do, it began in a quiet room with a big idea. In this case, two conversations set it in motion. One was with a Big Four consulting firm eager to formalize its newest offering. The other was with a risk software vendor in search of identity and traction. Sitting across the table from both in 2002 was Michael Rasmussen, then an analyst at Giga Information Group.
What he encountered in those two briefings wasn't just a common theme but a shared phrase. The software vendor and PwC had already begun using "Governance, Risk, and Compliance" to describe their offerings. Rasmussen helped bring it to life—not as a framework, not as an architecture, but as a market category. And almost overnight, that name became an industry.

Why Q1 2025 Was a Wake Up Call for Compliance-Centric IRM Vendors
Despite beating earnings estimates, a surprise sell-off in Workiva stock on May 2 sent a jolt through the Integrated Risk Management (IRM) technology market. The trigger wasn't financial underperformance but political indecision: Germany and France signaled their intent to water down or delay the European Union's Corporate Sustainability Reporting Directive (CSRD) application. In addition, the European Parliament formally agreed to postpone the enforcement of new sustainability and due diligence rules.
The reaction was swift and severe for Workiva, a leading compliance-first vendor built around ESG reporting and assurance workflows. However, this moment revealed a more systemic truth for the broader IRM market: IRM's trajectory is now shaped as much by the pace of regulatory implementation as by the innovation of its technology platforms.
The market's reaction reflects a correction in growth expectations for compliance-oriented vendors and an inflection point in how investors, boards, and buyers view risk management software. As regulation stalls, the IRM market is fragmenting into more clearly defined value segments—each responding differently to volatility. These are the market realities shaping Q1 2025.

Operational Intelligence — How IRM Solves Connected Risk Failures
Agility and resilience are everything when it comes to digital business today. Risk events once considered unlikely, such as global cyber disruptions, third-party failures, data breaches, and operational breakdowns, now occur with alarming frequency. As these risks grow more interconnected, traditional Governance, Risk and Compliance (GRC) frameworks, often built around static risk registers and slow reporting cycles, are no longer sufficient.
Risk management is evolving from a reactive back-office control utility into a strategic engine of operational intelligence. Enabled by advancements in risk technology, analytics, and real-time data integration, modern Integrated Risk Management (IRM) platforms are helping organizations detect emerging operational risks earlier, connect siloed insights, and embed resilience into the core of enterprise decision-making.
This article previews that transformation—and offers a forward look at what’s coming in the IRM Navigator™ ORM Report – Q2 2025, which evaluates key trends, capabilities, and vendors shaping the future of operational risk management (ORM).

The Risk Ignored – Part I, Chapter 2. The Risk That Created the Category
It didn't take long. The software market found its opportunity once the Sarbanes-Oxley Act was signed into law. Vendors who had once built their businesses on knowledge management—rooted in workflow automation, document control, and internal collaboration—suddenly had something they'd never had before: urgency.
SOX 404 didn't just create a mandate. It created a narrative.
By late 2003, PwC—a global audit and consulting firm—had appointed a Governance, Risk & Compliance (GRC) Practice Leader, becoming the first major firm to formalize GRC as a branded consulting offering. OpenPages, an enterprise software vendor specializing in compliance and risk management, issued a press release marketing its platform as a "GRC solution." Analysts took the bait. And seemingly overnight, what had been a faltering product category now had a fresh label, a growing audience, and a new group of buyers scrambling to meet audit requirements.
The acronym spread faster than the architecture.
And the risk, ironically, wasn't what these platforms were solving—it was what they were failing to acknowledge.

Diligent’s Cyber Risk Report Brings Real-Time Threat Intelligence to the Boardroom
As the RSA Conference 2025 concludes, one of the final—but potentially far-reaching—announcements came from Diligent, the board-focused GRC software provider. On April 29, the company revealed its new Cyber Risk Report, delivered via the Diligent One platform and developed in partnership with Cloudflare and Qualys.
The announcement addresses a longstanding IRM challenge: effectively communicating cybersecurity risk to non-technical decision-makers. Diligent’s approach combines real-time threat intelligence (Cloudflare), risk surface scoring (Qualys), and executive-facing reporting tools—all within a single, continuously updating report format.
Rather than expanding detection capabilities or technical automation, this product aims to improve the interpretation and presentation of cyber risk at the board level.

ServiceNow’s Risk Expansion: What the CIMCON Partnership Reveals About the Future of IRM
On the final day of the RSA Conference 2025, ServiceNow unveiled a strategic partnership with CIMCON Software. This announcement may appear modest at first glance, but it has profound implications for the future of integrated risk management.
Integrating CIMCON’s technology into ServiceNow’s IRM platform extends its reach into two complex and under-managed domains: End User Computing (EUC) and AI model risk. Both represent decentralized, often undocumented elements of the modern digital enterprise. Historically, these domains have eluded traditional GRC platforms—falling outside structured risk workflows and beyond the reach of legacy tooling.
With this move, ServiceNow is not simply expanding features. It is expanding the definition of what an IRM platform must be.

AuditBoard’s Connected Risk Strategy: Strategic Evolution or History Repeating Itself?
On Day Two of RSA Conference 2025, AuditBoard presented a series of announcements intended to reposition the company well beyond its audit origins. Among them, a brand refresh with a new design language, the debut of an AI governance module, and the launch of a regulatory compliance platform called RegComply. These moves suggest an ambition to reframe AuditBoard as a broader platform for managing risk—beyond audit and into what it describes as “connected risk.”
But as competitors at RSA unveil agent-powered and AI-native capabilities, AuditBoard’s expansion strategy raises an important question:
Is this a strategic evolution—or is history repeating itself?

Safe Security’s Autonomous TPRM Heralds the Start of the Autonomous IRM Era
At the RSA Conference 2025, Safe Security unveiled its new Autonomous TPRM platform, positioning it as the industry’s first fully autonomous third-party risk management solution powered by specialized AI agents.
The solution automates third-party risk assessments, continuous monitoring, and vendor lifecycle management with minimal human intervention. It promises greater scalability, speed, and consistency in managing third-party ecosystems, which have historically been plagued by fragmentation, high administrative overhead, and compliance exposure.
While Safe Security’s announcement is significant, it also signals something larger:
The risk management industry is beginning to operationalize the first phase of Autonomous Integrated Risk Management (Autonomous IRM).

When Culture Becomes a Control — How Supervisors Are Shaping the Future of Operational Risk
In regulatory circles, culture is no longer an abstract concept. It’s a measurable, reportable, and enforceable risk factor—viewed not as a soft HR issue, but as a core element of operational control. Across Australia, Europe, the UK, and the United States, financial and non-financial regulators are making it clear: the management of culture and conduct is now fundamental to operational risk oversight.
This shift is transforming the way Operational Risk Management (ORM) functions are being evaluated. Regulators are demanding not only documentation of controls but evidence that organizations understand how risk culture shapes operational performance, compliance behavior, and escalation pathways. In response, forward-looking ORM programs are moving beyond control testing and loss event tracking. They are building integrated risk intelligence systems that can monitor, measure, and adapt to the human dynamics of risk.

The Risk Ignored – Part I, Chapter 1. The Software That Lost Its Market
It’s a metaphor older than the software industry and time itself: the emperor with no clothes. But before the emperor stood exposed, his clothes began to fray—tattered garments passed off as innovation, stitched together by marketing promises and untested assumptions. That’s the story we’re telling here, not just of the naked moment but of the unraveling that came before it.
In the early 2000s, that unraveling began with knowledge management. Later, it would continue under a new name: GRC.

The Risk of Unheard Warnings — How Suppressed Signals Trigger Operational Failures
Today, the loudest failures often follow the quietest warnings. Not because no one saw them coming—but because someone did, and the system failed to listen.
Operational risk is no longer defined solely by failures in processes, systems, or external disruptions. Increasingly, it stems from something far harder to quantify: the failure to recognize, interpret, and elevate early signals of internal misconduct, breakdowns in oversight, or cultural deterioration. These signals are often present long before a public scandal, a regulatory penalty, or a financial collapse. But too often, they go unheard.
This article examines the phenomenon of risk signal suppression—why organizations ignore the earliest warnings of operational failure, how this risk materializes inside complex institutions, and what forward-looking ORM programs must do to identify and act on weak signals before they become systemic threats.

Culture as Capital Risk — Lessons from the ANZ Breakdown
Now that intangible risks are becoming materially consequential, few cases better illustrate the price of cultural failure than the one unfolding at ANZ. In March 2025, the Australian Prudential Regulation Authority (APRA) imposed a $1 billion capital charge on the bank, citing persistent governance failures and an organizational culture that allowed misconduct to fester unchecked.
This was not a case of financial fraud or a high-profile cyber breach. It was the slow erosion of internal accountability—fueled by poor leadership, ineffective escalation channels, and a widespread underestimation of non-financial risks. As APRA Chair John Lonsdale put it, ANZ’s problems were “persistent and prevalent,” with echoes of similar issues already observed at its peer institutions.
The implications extend far beyond Australia’s banking sector. The ANZ case is a clear signal to global risk leaders: organizational culture is now a capital issue.

Culture, Conduct, and Consequences: The Operational Risk Lens on Today’s Most Dangerous Failures
Organizations are waking up to a hard truth: operational risk isn’t just about systems and controls—it’s about people, behavior, and culture. From misconduct in trading rooms to mismanaged whistleblowing programs, the failures dominating headlines today stem less from compliance gaps and more from breakdowns in cultural awareness, risk signal interpretation, and operational accountability.
As regulatory scrutiny intensifies and stakeholder expectations evolve, organizations must move beyond the traditional confines of Governance, Risk, and Compliance (GRC). They must build Operational Risk Management (ORM) programs that are equipped to detect, interpret, and act on cultural and conduct risks as core components of enterprise risk. This editorial series, Culture, Conduct, and Consequences, explores how non-financial risks—when left unmanaged—become operational failures. It sets the stage for the 2025 IRM Navigator™ ORM Report, to be published this June, and offers risk leaders a new lens for navigating the next era of operational resilience.