The RTJ Bridge - The Research Platform Created by the Publishers of The RiskTech Journal
The RTJ Bridge is an independent research platform delivering institutional-grade IRM market intelligence, vendor competitive assessments, and strategic risk technology analysis. Built by the analyst who created the Integrated Risk Management category at Gartner, The RTJ Bridge gives risk leaders, technology executives, and solution providers the same caliber of competitive intelligence that major analyst firms charge $25,000 to $50,000+ per year to access.
Subscribers to The RTJ Bridge receive full access to:
IRM50 OnWatch Vendor Assessments — Competitive analysis of leading IRM vendors as market events unfold, covering platform strategy shifts, M&A impact, earnings signals, and positioning changes.
Autonomous IRM and AI Governance Research — Original research on how agentic AI is reshaping risk management operating models, from production deployment patterns to the structural implications for vendor platforms and enterprise programs.
Analyst Firm and Market Critiques — Independent assessments of research from Gartner, Forrester, and other major analyst firms, viewed through the IRM Navigator Model to identify gaps, validate signals, and challenge conventional positioning.
Board Governance and Audit Committee Intelligence — Research on oversight effectiveness, emerging risk response gaps, audit committee workload challenges, and the disconnect between risk reporting and executive action.
M&A and Strategic Alliance Analysis — Same-week analysis of acquisitions, partnerships, and PE investment moves reshaping the IRM competitive landscape, with implications for buyers, vendors, and investors.
Regulatory, ESG, and Sustainability Risk — Research on how evolving regulatory frameworks (SEC cyber disclosure, EU CSRD/CSDDD, AI regulation) affect enterprise risk programs and technology requirements.
IRM Navigator™ Market Intelligence — Strategic previews and deep dives from the IRM Navigator Model, the only independent model built specifically to evaluate integrated risk management maturity and vendor alignment.
Cyber Risk, Insurance, and Third-Party Risk — Analysis of cyber risk quantification, insurance market dynamics, and the convergence of third-party risk management into enterprise IRM programs.
The RTJ Bridge is an independent IRM research platform published by Wheelhouse Advisors. Subscribers receive ongoing access to vendor competitive assessments, AI disruption analysis, M&A and partnership impact research, and IRM Navigator™ market intelligence. This is the only research platform built and led by the analyst who created the Integrated Risk Management category, a market now valued at over $61 billion and projected to reach $133 billion by 2031.
The Integration Trap for GRC: Why "Integrated GRC" Platforms Create Visibility Without Control
Every major GRC vendor claims integration as a core capability. The claims hold up. They also stop short. The gap between what these platforms integrate and what organizations actually need creates a structural vulnerability Wheelhouse Advisors calls The Integration Trap for GRC. Seven vendors examined. Five trap patterns identified. Twelve evaluation questions to expose integration gaps before deployment. Available now to RTJ Bridge subscribers.
IRM50 OnWatch: Diligent Says Boards Put “Integration” at the Top of 2026 Capital Priorities
Diligent Institute and Corporate Board Member data indicates directors are prioritizing “technology adoption and integration” as the leading 2026 capital investment focus. This is not a routine modernization signal; it is a board-level acknowledgment that fragmentation has become a constraint on execution. The same dataset also indicates meaningful board expertise gaps in AI, cybersecurity, and geopolitical risk, creating a mismatch between integration ambition and the enterprise’s ability to interpret, manage, and act on fast-moving risk signals.
IRM50 OnWatch - Wolters Kluwer Acquires StandardFusion and Signals Audit Plus GRC Convergence Trend
Wolters Kluwer Corporate Performance & ESG (CP and ESG) signed and completed the acquisition of StandardFusion on January 9, 2026 for approximately €32 million in cash. StandardFusion is a Vancouver-based provider of cloud GRC software, and Wolters Kluwer states it will be integrated into TeamMate to create a more unified audit plus GRC offering.
IRM50 OnWatch - Diligent Acquires 3rdRisk, Signaling a Faster IRM Convergence of GRC and AI-Native Third-Party Risk
On January 14, 2026, Diligent announced its acquisition of 3rdRisk, a Netherlands-based, AI-native third-party risk management (TPRM) platform. Diligent positioned the deal as an expansion of its Diligent One Platform toward “AI-native third-party risk management at scale,” emphasizing automated vendor profiling, assessment workflows, and AI-driven document analysis to compress audit readiness timelines.
This transaction is not simply module expansion. It is a strategic signal that TPRM has moved from being a compliance-adjacent workflow into a board-visible risk domain that must operate continuously, particularly as regulatory expectations for supply chain and digital dependency oversight intensify.
IRM50 OnWatch - What the ServiceNow Armis Deal Signals for IRM
ServiceNow’s announced agreement to acquire Armis for $7.75 billion in an all-cash transaction (expected to close in the second half of 2026) is not just a cybersecurity expansion move. It is a market signal that “risk management at scale” is shifting toward a unified operating model where (1) real-time technology and asset intelligence, (2) prioritization logic, and (3) remediation and verification workflows increasingly sit on the same platform spine.
For IRM leaders, this matters because it tightens the linkage between technology risk signals and enterprise risk action, and it changes what “continuous monitoring” should mean in buyer evaluations.
Does GRC Need Finishing School? The IRM Navigator™ View on Forrester’s GRC ‘Grad School’ Story
Forrester's recent blog “GRC Platforms Enter Their Grad School Era” contains a notable admission. The analysts describe GRC as "old enough to be in grad school," yet still struggling to prove it can act as the workhorse technology for modern risk professionals. After roughly 20 years of formal coverage, the firm suggests that GRC is not yet fully ready for the “real world” of risk and now needs a kind of graduate-level evolution, built on continuous controls monitoring, quantification, and AI. This observation raises an obvious question. Does GRC really need finishing school after decades of market evolution, or have we been asking the category to do the wrong job?
The 22 Percent Problem: Why Boards Hear the Risks but Still Do Nothing
If your board is hearing more emerging risks than ever and still doing almost nothing, you are not alone. Gartner data shows seventy-six percent of boards receive emerging risk reports, but only twenty-two percent are likely to act on what they hear. This IRM Navigator™ research note explains why that gap exists and how GRC-centric investment quietly builds oversight while starving your organization of reflex. If you are tired of “noted” being the only outcome, this is the playbook for turning emerging risk insight into action.
ServiceNow Q3 2025 Through an IRM Market Lens
ServiceNow’s Q3 2025 performance is a clear demand signal for platform-centric Integrated Risk Management. The company reported subscription revenue of 3.299 billion dollars, up 21.5 percent year over year, with strong large-deal activity and a raised full-year subscription outlook. These results, combined with the AI Control Tower launch and continued Now Assist upgrades, indicate that buyers are consolidating GRC, technology risk, and assurance workflows on a single operating platform that can also govern AI models, agents, and evidence. This is an accelerant for IRM programs that seek unified taxonomies, end-to-end traceability, and continuous control monitoring across ERM, ORM, TRM, and compliance functions.
Reinventing Risk Management Through Integrated Risk, A PwC and OneTrust Perspective
PwC and OneTrust have published a concise eBook that advocates for a unified, digital operating model for risk, and positions their alliance to deliver it. The document highlights pressure on risk and compliance teams, presents recent PwC survey signals on funding and prioritization gaps, and outlines an “IRM ecosystem mindset” anchored in OneTrust’s modular platform and PwC’s implementation services.
Bridging the Divide: How ServiceNow’s AI Experience Could Unify TRM and IRM
ServiceNow’s latest innovation, AI Experience, introduces a unified conversational interface that could redefine how organizations manage risk. Far from being another “AI assistant,” this platform-level integration embeds natural language and multimodal intelligence across workflows, connecting Technology Risk Management (TRM) with Integrated Risk Management (IRM) in ways that make risk management feel less like a process and more like a conversation. This commentary explores how AI Experience extends ServiceNow’s TRM and IRM capabilities, why it represents a major shift toward unified risk intelligence, and how it aligns with the Performance, Resilience, Assurance, and Compliance (PRAC) objectives of the IRM Navigator™ Model.
Audit Committees Signal a Mandate for Unified IRM, Not Just GRC
Audit committees in 2025 are under growing pressure to oversee risks that are more complex, interconnected, and fast-moving than ever before. KPMG’s survey of 85 U.S. audit committee members (February–May 2025) highlights systemic oversight gaps in cybersecurity, privacy, AI, and third-party resilience. While only one-quarter of respondents describe their risk management as holistic and forward looking, the survey reveals that committees are struggling less with awareness and more with execution. The IRM Navigator™ Maturity Curve confirms that most organizations remain in the early to mid stages of maturity. However, the five functional layers of Autonomous IRM offer a more practical blueprint for closing these oversight gaps and absorbing workload without restructuring committees.
This research note interprets the KPMG findings through the lens of both frameworks: the Maturity Curve, which shows where audit committees are today, and the five functional layers, which define how they can progress toward unified, assurance-driven oversight.
Workiva’s Q2 Surge Underscores IRM Integration Strategy
Workiva’s second quarter 2025 results reaffirmed the company’s strategic pivot toward an integrated risk and compliance platform, highlighting a promising yet incomplete transformation. The company delivered robust 21% year-over-year revenue growth, driven by strong subscription growth (up 23%), sparking a noteworthy 32% post-earnings stock surge. This positive investor reaction underscores early confidence in Workiva’s evolution from a compliance-centric financial reporting tool toward broader capabilities encompassing ESG, audit, financial disclosure, and integrated risk management (IRM).
How IRM Can Protect Cyberinsurers from Cyberattacks
Cyberinsurance providers face a unique irony in today's risk landscape. Despite their role in safeguarding others against cyber threats, they have become prime targets for cybercriminals. Recent high-profile breaches, including attacks on Allianz Life, CNA Financial, and Philadelphia Indemnity, vividly illustrate this growing vulnerability. These incidents underscore not only the attractiveness of insurers as targets—given the extensive sensitive client data they hold—but also reveal substantial weaknesses in their ability to manage third-party risks, respond to incidents, and comply with tightening regulations.
If cyberinsurance companies fail to adopt a holistic, integrated approach to risk management, the resulting breaches may significantly damage their reputations, compromise their operational integrity, and erode market trust. It is therefore imperative to rethink their approach to cybersecurity risk management.
NAVEX’s Big Deal: Goldman Sachs and Blackstone Bet on IRM
The July 2025 agreement for a Goldman Sachs-led consortium to acquire a majority stake in NAVEX marks a milestone for the Integrated Risk Management (IRM) technology market. Long viewed as a niche segment, IRM tech is now receiving institutional validation on a grand scale. With Goldman Sachs Alternatives and Blackstone joining forces—alongside BC Partners retaining a minority stake and Vista Equity Partners fully exiting—the deal signals that IRM software has firmly come of age.
From a high-level thesis perspective, the NAVEX acquisition conveys institutional confidence in the long-term growth of IRM. It suggests that large-cap investors believe the market will continue consolidating and expanding, with platforms like NAVEX One poised to capture increasing enterprise spend. The participation of firms like Goldman and Blackstone is more than just capital—it is an endorsement of the market’s strategic relevance, particularly as organizations face rising regulatory obligations, complex supply chains, and evolving digital risks.
When Everyone’s a Leader, No One Is: Why IDC’s Latest GRC Report Misses the Mark
Analyst reports, such as IDC’s MarketScape, have long promised clarity in crowded software markets. But clarity requires more than graphics. It requires relevance. It requires structure. And most importantly, it requires alignment with how risk is managed in today’s enterprise. The newly released IDC MarketScape: Worldwide Governance, Risk, and Compliance Software Vendor Assessment 2025 falls short on all three fronts. It presents a visually familiar layout, but surrounds it with inconsistent definitions, outdated assumptions, and scoring criteria that obscure more than they illuminate.
When One Link Breaks the Chain
UNFI, Whole Foods, and the Broader Crisis of Single-Point Fragility in the Age of Integrated Risk
A silent node in the North American supply chain collapsed on June 7, 2025. Its name: United Natural Foods Inc. (UNFI), the primary distributor for Whole Foods and a dominant force in food logistics. A cyberattack forced UNFI to take its systems offline. Overnight, deliveries halted. Shelves emptied. Shares fell. And just like that, a backend dependency became a front-page disruption.
But this isn't a grocery story. It's a structural parable. When a single upstream dependency goes dark, every industry—from manufacturing to finance, healthcare to logistics—learns the same hard lesson: concentration breeds collapse.
The era of just-in-time is colliding with the era of just one point of failure. And unless risk leaders elevate Integrated Risk Management (IRM) from a compliance afterthought to a strategic command center, the next outage won't just break continuity—it will break companies.
Can AI Be Governed?
The Governance Paradox
The question of whether artificial intelligence can be governed may seem philosophical. But in 2025, it has become operational—and urgent. Just reference our recent article on Builder.ai to learn about the escalating risks driven by AI. As generative AI, autonomous agents, and foundation models accelerate their integration into critical systems, the pace of innovation is rapidly outstripping the scaffolding of rules, oversight, and control.
“Governance” in this context is often mistaken for static oversight: policy frameworks, codes of conduct, or aspirational principles. But as defined in the discipline of integrated risk management (IRM), governance is the rule-setting subset of management—the top of the pyramid. True risk control comes from marrying that governance with relentless operational execution: identification, assessment, mitigation, and continuous monitoring.
So: Can AI be governed? The answer is yes—but only if organizations recognize that compliance checklists and PR-friendly charters are no substitute for enterprise-wide, integrated, and adaptive risk management.
The Risk Ignored – Part I, Chapter 4. The Irony of Risk Intelligence: When GRC’s Founders Became IRM’s Followers
When Risk Culture Meets Rocket Fuel
In early 2007, SunTrust’s board appointed a new CEO. The new CEO had been waiting in the wings since SunTrust acquired his bank, which was heavily weighted toward mortgage banking. Unlike his predecessor, he saw risk not as a discipline but as a throttle—something to push forward, not manage. His first strategic move was aggressive: set a Big Hairy Audacious Goal (BHAG) – a term ironically made famous by Jim Collins’ book “Built to Last”. The SunTrust BHAG, as defined by the new CEO, was to more than double the mortgage portfolio within twelve months to compete head-on with Wall Street’s securitization giants.
To hit that target, underwriting controls were systematically dismantled. Incentives for mortgage originators surged dramatically, creating an environment ripe for aggressive lending and shortcuts. When I saw these changes, I foresaw the inevitable crash. As the senior executive overseeing Internal Audit, Compliance, and Risk Management, I confronted both the CEO and his protégé—the head of mortgage banking—in a tense meeting. The mortgage head literally writhed in his seat with anger; I had never seen anything like it.
The Risk Ignored – Part I, Chapter 3. The Acronym That Built a Market and the One That Rescued It
As many industry shifts do, it began in a quiet room with a big idea. One conversation was with a Big Four consulting firm eager to formalize its newest offering. Another was with a risk software vendor in search of identity and traction. Sitting across the table from both in 2002 was Michael Rasmussen, then an analyst at Giga Information Group.
What he encountered in those two briefings wasn't just a common theme but a shared phrase. The software vendor and PwC had already begun using "Governance, Risk, and Compliance" to describe their offerings. Rasmussen helped bring it to life—not as a framework, not as an architecture, but as a market category. And almost overnight, that name became an industry.
Why Q1 2025 Was a Wake Up Call for Compliance-Centric IRM Vendors
Despite beating earnings estimates, a surprise sell-off in Workiva stock on May 2 sent a jolt through the Integrated Risk Management (IRM) technology market. The trigger wasn't financial underperformance but political indecision: Germany and France signaled their intent to water down or delay the European Union's Corporate Sustainability Reporting Directive (CSRD) application. In addition, the European Parliament formally agreed to postpone the enforcement of new sustainability and due diligence rules.
The reaction was swift and severe for Workiva, a leading compliance-first vendor built around ESG reporting and assurance workflows. However, this moment revealed a more systemic truth for the broader IRM market: IRM's trajectory is now shaped as much by the pace of regulatory implementation as by the innovation of its technology platforms.
The market's reaction reflects a correction in growth expectations for compliance-oriented vendors and an inflection point in how investors, boards, and buyers view risk management software. As regulation stalls, the IRM market is fragmenting into more clearly defined value segments—each responding differently to volatility. These are the market realities shaping Q1 2025.