The Risk Wheelhouse

S6E6: Board Priorities 2026 - The Integration Trap

Wheelhouse Advisors LLC Season 6 Episode 6


Growth used to win every boardroom vote. Now the data says something different: directors are prioritizing technology adoption and integration as the top 2026 investment, even as they admit their weakest expertise sits in AI, cybersecurity, and geopolitics. We unpack that paradox and show how uninformed speed turns “integration” into a superhighway for risk, unless you pair it with decision rights, embedded controls, and verifiable assurance.

We trace the three forces of compression squeezing leaders today: AI racing into core workflows, platform sprawl from a decade of M&A, and disruption traveling through third-party pathways. From there, we break down the shift from reporting efficiency to manageability, where value is measured in time to detect, time to decide, and time to act. You’ll hear why coordinated programs stall at visibility, and how embedded maturity connects radar to rudder so preauthorized responses trigger without delay. We also tackle the workforce and supply chain blind spot that makes integrated systems brittle when stress hits.

Throughout the conversation, we spotlight the winners moving from legacy GRC systems of record to IRM systems of action. IRM systems unify signals across goals, processes, assets, and policies, then convert breaches into automated workflows with audit-ready evidence. Expect sharp guidance on AI governance hardening, continuous third-party monitoring, and vendor proofs that show integration-to-action, not just architecture diagrams. We close with near-term forecasts: consolidation of risk and assurance data layers, and a likely rise in “visibility without control” incidents where dashboards outpace authority.

If you’re ready to replace high definition views of the crash with real control, tune in, grab the playbook, and pressure-test your decision rights. Subscribe, share with your team, and leave a review to help more leaders escape the integration trap.



Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.

Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.


Ori Wellington:

Hello, and a very warm welcome to another edition of the Risk Wheelhouse. I'm your host, Ori Wellington, and we are coming to you live and lively from the headquarters of Wheelhouse Advisors right here in the heart of Atlanta.

Sam Jones:

It's great to be here. I'm Samantha Jones, but please, everyone, just call me Sam. And you're right about the focus today. We've got a topic that uh I think is really gonna make a lot of people sit up and pay attention.

Ori Wellington:

Oh, absolutely. Now, for anyone who's new or maybe you've just stumbled upon this deep dive, let me just sort of set the stage a little.

Sam Jones:

Please do.

Ori Wellington:

We're both analysts here at Wheelhouse. We spend our waking hours, and let's be honest, probably a few of our sleeping ones too, just thinking about the integrated risk management market, IRM.

Sam Jones:

It's a bit of an obsession, it's true. Our job really is to wade through this ocean of reports and white papers and you know, vendor pitches, all of it so that you don't have to. We try to filter that signal from the noise.

Ori Wellington:

And we are really, really excited about today's session because we are digging into a brand new piece of research that comes directly from the top. We're talking about an article by none other than John A. Wheeler, the founder and CEO of Wheelhouse Advisors.

Sam Jones:

And we really have to pause there for a second because context is just everything in this industry. When we say John A. Wheeler, we aren't just, you know, name-dropping our boss.

Ori Wellington:

Not at all.

Sam Jones:

For anyone who might be new to this space, it is so crucial to remember that John is the person who actually coined the term integrated risk management way back in 2016.

Ori Wellington:

That is such a vital piece of history. I mean, before 2016, the world was just drowning in GRC: governance, risk, and compliance. And GRC, you know, it had its place, right?

Sam Jones:

Sure it did.

Ori Wellington:

It was about digitizing forms, checking boxes. Right. But John led the research that basically said, wait a minute, checking boxes doesn't stop the building from burning down. He's the one who moved the entire industry beyond those legacy technologies toward a truly integrated view.

Sam Jones:

Exactly. He saw that risk is horizontal, not vertical. It cuts across every single silo in an organization. So everything we talk about on this show, and certainly the deep dive we are doing today, it really stands on the shoulders of that foundational thinking.

Ori Wellington:

Today we're dissecting a really fascinating shift in the market. The episode is titled Board Priorities 2026: The Integration Trap. And we're basing all of this on John's analysis of some, frankly, startling new data about what's happening inside the boardroom.

Sam Jones:

Before we jump into the numbers, and the numbers are wild, I just want to remind our listeners where they can find all this stuff. You can always visit wheelhouseadvisors.com for more information on our broader research.

Ori Wellington:

And for the specific article we are uh tearing apart today, you can head over to risktechjournal.com. That's our free standard publication. It's really the best place to keep your finger on the pulse of the IRM market without spending a dime.

Sam Jones:

However, if you're a practitioner, you know, if you're a CISO, a chief risk officer, an audit leader, or just someone who needs to be the smartest person in the room on this topic, you really need to be looking at the RTJ Bridge.

Ori Wellington:

Oh, absolutely.

Sam Jones:

That's at rtj-bridge.com.

Ori Wellington:

That's our premium tier. It's weekly in-depth research notes. And honestly, it provides the kind of deep analyst-grade insight that you usually have to pay, what, tens of thousands of dollars for with the big legacy firms.

Sam Jones:

Oh, easily.

Ori Wellington:

And we offer it at a fraction of that cost. It's it's really a no-brainer if you're serious about this industry.

Sam Jones:

Okay, plugs aside, let's get into the meat of this. Set the scene for us. We're looking at the year 2026. What is going on?

Ori Wellington:

Okay, so let's unpack this. I want to play a little game. If I were to put you in a time machine and send you back to, I don't know, let's say 2018 or 2021, even last year, 2024.

Sam Jones:

Yeah.

Ori Wellington:

And you walk into a Fortune 500 board meeting, you ask the directors, what is the number one priority for your capital investment budget next year? What do they say?

Sam Jones:

Oh, that's easy. Without hesitation, they say growth. They say mergers and acquisitions, market expansion, new product development. The board's primary mandate is to drive shareholder value, and the traditional playbook for that is just get bigger. Yeah, you buy a competitor, you open an office in a new region, you launch a new widget. M&A is almost always the king of the Capitol Hill.

Ori Wellington:

Exactly. Growth with a capital G. That's the standard operating procedure. But we have data now from the Diligent Institute and Corporate Board Member, specifically their report, What Directors Think 2026. And, well, the king has been dethroned.

Sam Jones:

Wow. Okay, so that's a massive upset.

Ori Wellington:

The number one capital investment focus for boards in 2026 is technology adoption and integration.

Sam Jones:

Just let that phrase hang in the air for a moment. Technology adoption and integration. It doesn't sound sexy, does it? Not at all. It sounds like plumbing. It sounds like something the IT manager worries about in the server room, not something the board of directors prioritizes above acquiring whole new companies.

Ori Wellington:

That is precisely why this is such a huge market signal. This is not just routine maintenance. This is not, you know, we need to upgrade to the next version of Windows. This is a board level acknowledgement that fragmentation, this whole mess of disconnected systems, has become a constraint on execution.

Sam Jones:

Constraint on execution. Okay, that is the key phrase right there. It means the machine is so gummed up that it literally cannot grow anymore. Right. So imagine you're a board director. You want to approve a new acquisition, but the CEO has to turn around and look at you and say, we can't. We literally can't. We still haven't integrated the data from the last three companies we bought. If we add another one, the whole system might just collapse.

Ori Wellington:

That's the reality they're facing. They realize that the complexity is killing them. They can't move fast because they're tripping over their own digital shoelaces. So now they're prioritizing integration just to clear that blockage.

Sam Jones:

So on the surface, this sounds like fantastic news for the IRM market, right? The board finally gets it, they're writing big checks to connect all the dots.

Ori Wellington:

It does sound great. But and this is where it gets really interesting. When I say interesting, I mean uh potentially disastrous. There is a massive paradox hiding in this data.

Sam Jones:

The Great Mismatch.

Ori Wellington:

Correct. The data shows that while boards are prioritizing integration and pouring millions and millions of dollars into it, they are simultaneously reporting the largest expertise gaps in three absolutely critical areas.

Sam Jones:

Okay, let me guess. Artificial intelligence has to be one.

Ori Wellington:

Number one gap. They flat out admit they don't understand it.

Sam Jones:

Cybersecurity.

Ori Wellington:

Huge gap. They know it's important, but they don't have the expertise at the board level.

Sam Jones:

And what? Maybe geopolitical risk?

Ori Wellington:

Massive. The third huge gap.

Sam Jones:

All right. This is this is terrifying. Think about what that combination actually means. You have a board saying, we need to integrate everything. We need to use AI. We need to be faster. But in the very same breath, they're saying, we don't understand AI, we don't understand cyber, we have no real grasp of geopolitics.

Ori Wellington:

It creates this scenario of what we're calling integration ambition versus the ability to interpret. They have the ambition to build a Formula One car. They're buying the best engine, they're connecting all the aerodynamics, but they openly admit they don't know how to drive, they don't know the track, and they don't know the rules of the race.

Sam Jones:

It's the danger of uninformed speed. That's what it is. If you integrate your systems without a deep understanding of the risks, you aren't just speeding up your business processes. You're speeding up the propagation of risk. You're building a superhighway for disaster to travel from one end of your company to the other in seconds.

Ori Wellington:

So why is this happening now? I mean, why 2026? What shifted in the atmosphere to make integration the top priority, even with this glaring lack of expertise?

Sam Jones:

Well, the research identifies three specific forces, and we're calling them the three forces of compression. These are the pressures that are squeezing the board, forcing them to prioritize integration, even if they aren't, you know, fully ready for the consequences.

Ori Wellington:

Let's walk through them because they really explain the why behind this whole thing. Force number one is the big one: AI adoption.

Sam Jones:

And we really cannot overstate this. AI is accelerating inside management workflows and inside board workflows. It's everywhere.

Ori Wellington:

Right. And we're not just talking about using a chatbot to write a marketing email. We are talking about deep, deep integration. AI is being used to optimize supply chains. It's being used to screen job candidates. It's being used to make automated credit decisions.

Sam Jones:

Which brings us right back to that expertise gap. The moment you inject AI into a critical workflow, you introduce whole new categories of risk. Model risk. Is the math actually doing what we think it's doing?

Ori Wellington:

Or is the AI hallucinating facts? Is it biased against certain demographics?

Sam Jones:

And then there's the data risk. I mean, where did the training data even come from? Did we accidentally feed our proprietary trade secrets into a public model that now the whole world can access? Right. Exactly. And the regulatory angle here is just huge. Regulators are waking up to this fast. You can't just say "the computer said no" anymore. You have to be able to explain how and why the AI made that specific decision. So if your board is funding integration to roll out AI faster, but they admit they don't understand how AI works, I mean, how are they possibly overseeing that regulatory risk?

Ori Wellington:

They aren't. They're flying completely blind. They are writing the check for the technology, but they're failing to write the check for the governance that has to go with it.

Sam Jones:

That is a perfect way to put it.

Ori Wellington:

Okay, so that's force one. Force number two: platform sprawl via M&A. This is basically the hangover from the last decade of business, isn't it?

Sam Jones:

It absolutely is. We just said that M&A used to be the top priority. Well, companies spent the last 10 years buying other companies to fuel their growth. And every time you buy a company, you don't just get their revenue and their customer list, you get their entire IT department.

Ori Wellington:

You get their baggage, all of it.

Sam Jones:

You get their legacy servers from a decade ago, you get their weird custom-built ERP system from 1999 that one guy in a basement still maintains. You get their HR software that absolutely does not talk to your HR software.

Ori Wellington:

And now you have what we call platform sprawl, identity sprawl, and control sprawl.

Sam Jones:

Identity sprawl is a real killer. You have employees with six different logins for six different systems. Nobody really knows who has access to what anymore. It's just a complete mess from a security standpoint.

Ori Wellington:

And the consequence of this sprawl isn't just that it's, you know, annoying for the IT help desk. It creates what we call inconsistent evidence.

Sam Jones:

This is the absolute nightmare scenario for any risk manager. Let's just paint a quick picture. Imagine you need to know if a specific vendor, let's just call them vendor X, is safe to do business with. So you look in your legacy SAP system and it says vendor X is green, verified.

Ori Wellington:

Okay, looks good, all clear.

Sam Jones:

But if you were to look in the new cloud procurement system that you acquired last year, it might say, warning, vendor X has a critical security vulnerability.

Ori Wellington:

So you have two systems owned by the same company giving you two completely contradictory facts about the same entity.

Sam Jones:

One says go, the other says stop. And because those systems aren't integrated, you have no idea which one is the truth. You're paralyzed.

Ori Wellington:

That is the inconsistent evidence problem in a nutshell. And that is why the board is screaming for integration. They're just sick and tired of getting different answers depending on which screen they happen to look at. They want a single source of truth.

Sam Jones:

Which is a noble goal, a worthy goal. But again, if you just mash all that data together without cleaning it or understanding the underlying controls, you don't get a single source of truth. You just get a single source of bad information.

Ori Wellington:

Right. Garbage in, integrated garbage out.

Sam Jones:

Precisely.

Ori Wellington:

Okay, let's move to the third one. Force number three: disruption pathways and third parties.

Sam Jones:

This is the big realization that the castle walls are gone. In the old days, you know, you secured your perimeter, you had a big firewall, and you basically felt safe. Disruption usually came from inside the building, a server failure, a fire, a labor strike.

Ori Wellington:

But now.

Sam Jones:

Now disruption runs through your digital supply chains, it runs through your third parties, it runs through your vendor's vendor.

Ori Wellington:

We've seen this time and time again with the major incidents in recent years. I mean, think about the SolarWinds hack or the CrowdStrike outage. It wasn't necessarily that your company did anything wrong.

Sam Jones:

No.

Ori Wellington:

It was a tool you used or a platform your vendor used that created the vulnerability.

Sam Jones:

Exactly. The threat is two or three hops away from you in the supply chain, and this requires unified signals. You cannot rely on a siloed view anymore. If your procurement team knows a vendor is financially shaky, but your IT security team thinks they're technically sound, you have a massive gap.

Ori Wellington:

You need the system to be smart enough to connect those dots for you. You need the financial signal to automatically trigger a security review.

Sam Jones:

Right. You need to see the ripple effect. If this supplier in Southeast Asia goes down because of a typhoon, how does that impact our factory in Mexico? And how does that then impact our revenue projection in New York? You can't answer that with spreadsheets anymore. You need real integration.

Ori Wellington:

So, okay, let's synthesize this section. Boards are reacting to these three forces: the incredible speed of AI, the inherited mess of M&A sprawl, and the constant threat of supply chain disruption. And their reaction is to fund integration.

Sam Jones:

But, and this is the big synthesis, many of them are doing so before they have defined what integrated risk management actually looks like in practice for their organization. They're buying the technology of integration before they have the philosophy of integration.

Ori Wellington:

It's like buying a gym membership and a bunch of expensive running shoes, but having no workout plan and no diet. You're spending money on the idea of health, not on the actual practice of it.

Sam Jones:

That's a great analogy. It's perfect. They're buying all the fancy equipment, but they haven't decided what muscles they're actually trying to build.

Ori Wellington:

So let's talk about the muscles. Let's get into what IRM leaders actually need to do to avoid falling into this trap. The research outlines five major implications. This is basically the playbook for our listeners.

Sam Jones:

Okay, let's start with implication number one: the shift from reporting to manageability.

Ori Wellington:

Okay, contrast those for us. What is reporting efficiency? What does that mean?

Sam Jones:

Reporting efficiency is the old way. It's what we've all been doing for the last 10 years. It basically means it used to take me two weeks to copy and paste data from 10 different Excel sheets into a PowerPoint deck for the board. Now, with this fancy new GRC software, it only takes me two days.

Ori Wellington:

Which, I mean, don't get me wrong, that's nice. Nobody likes administrative drudgery.

Sam Jones:

It's nice, but it's fundamentally low value. It doesn't actually reduce your risk. It just reduces the time it takes to tell people about the risk you have. You're just delivering the bad news faster.

Ori Wellington:

So what is manageability? What's the new way?

Sam Jones:

Manageability is the new way. It is integration as a management outcome. It's not about the report, it's about the action that follows the report.

Ori Wellington:

So what are the metrics we should be looking at then, if not speed of reporting?

Sam Jones:

We should be measuring things like reduced time to detect, reduced time to decide, and reduced time to act.

Ori Wellington:

So it's all about operational speed.

Sam Jones:

It's about verifiable assurance. It's about proving that your controls are working as designed across the entire enterprise in near real time. It's the difference between telling the board we have a fire alarm policy and telling them the fire alarm was tested automatically 10 minutes ago, it is fully functional, and we have verification that the sprinklers are connected to it.

Ori Wellington:

That is a massive, massive shift. It moves the risk manager from being a scorekeeper to being a goalkeeper. You're actually stopping the ball, not just writing down the final score after the game is over.

Sam Jones:

I love that. From scorekeeper to goalkeeper, that's exactly it.

Ori Wellington:

And this leads us directly to implication number two: the coordinated versus embedded trap. This is a framework we use a lot here at Wheelhouse to describe the maturity of a risk program.

Sam Jones:

We do. And the big warning here is that the market is still, by and large, stuck in the coordinated stage.

Ori Wellington:

Okay, define coordinated for the listeners. What does that actually look like?

Sam Jones:

Coordinated means you've improved your data aggregation, you have better dashboards, the risk team talks to the compliance team. You might even have a shared GRC tool where everything lives. It looks nice, it feels organized. You have a heat map with lots of pretty colors. It's always a but. But you haven't changed the underlying behavior of the organization. You haven't changed ownership of the risk. You haven't changed the escalation thresholds. You haven't changed the response authority. So the decision making is still completely siloed, even if the data is shared.

Ori Wellington:

So everyone can see the same data on the same screen.

Sam Jones:

Yeah.

Ori Wellington:

But nobody knows who's actually supposed to pull the trigger.

Sam Jones:

That's the trap. In a coordinated model, visibility increases much faster than the ability to act.

Ori Wellington:

Okay, give us the analogy, the so what moment.

Sam Jones:

The so what is the iceberg. In a coordinated system, you can see the iceberg coming in beautiful 4K resolution. It's stunning. You have a high-definition screen showing you the exact dimensions of the ice, the temperature of the water, and the speed of impact.

Ori Wellington:

But can you turn the ship?

Sam Jones:

And that's the problem. The steering wheel is disconnected. Or even worse, there are five different VPs standing around the steering wheel arguing about who has the authority to turn it. You have legal saying we can't turn left, and compliance saying we need a committee meeting first before we make a decision.

Ori Wellington:

And while they're all arguing, you hit the iceberg.

Sam Jones:

Exactly. You just have a high definition view of the crash. That is the coordinated trap. Embedded maturity, which is where we all want to go, is when the steering wheel is connected directly to the radar. When the radar sees the iceberg, the ship automatically begins to turn, or the captain is immediately alerted with a specific pre-authorized protocol to execute. No argument, just action.

Ori Wellington:

That's such a powerful image. And it brings us right to implication number three, which is the speed of integration versus the speed of interpretation. This goes right back to that expertise gap we started with.

Sam Jones:

Right. If you integrate faster than you can interpret, you get a failure mode that we call signals without decisions.

Ori Wellington:

Okay, expand on that. What does that mean?

Sam Jones:

It means you build this amazing, expensive, integrated system. It detects a geopolitical shift. Let's say a new sanction is announced against a raw material that you use. The system flags it instantly, a big red light flashes on the dashboard.

Ori Wellington:

The system did its job. It sent the signal.

Sam Jones:

The system did its job perfectly. But because you have an expertise gap in geopolitics or supply chain strategy, nobody in the room knows what that red light means for the business. Is that a "shut down the factory immediately" red light, or is it a "buy from a different vendor next week" red light?

Ori Wellington:

So the signal is there, but the decision is completely missing.

Sam Jones:

Or worse, you get alerts without accountable response owners. The alert goes off, the email blast goes out, marketing thinks IT is handling it, IT thinks legal is handling it, legal thinks the risk team is handling it, and the ball just drops right between all the outfielders.

Ori Wellington:

So what's the IRM fix here? If you're a risk leader listening to this right now, how do you prevent that ball from dropping?

Sam Jones:

You have to explicitly link your integrations to decision rights.

Ori Wellington:

Decision rights. That sounds a little bit academic. Make that practical for us.

Sam Jones:

It's extremely practical. It means you sit down before the crisis and you say, when system A sends signal X, person Y is responsible for taking action Z. You map it all out. If the cyber dashboard turns red, Jane Doe has the authority to shut down that server without asking for permission from three levels of management.

Ori Wellington:

You preauthorize the response.

Sam Jones:

Exactly. You cannot wait for the house to be on fire to figure out who's in charge of the fire hose. The speed of integration demands an equal speed of decision making.

Ori Wellington:

Let's move to section four because this touches on the human connection in all this. Yeah. Implication number four: the workforce and supply chain blind spot.

Sam Jones:

Yeah, this was another piece of data from the report that really just jumped off the page at me. While boards are pouring all this money into technology integration, the investment in workforce and supply chain is a comparatively low priority for them.

Ori Wellington:

That seems incredibly misaligned.

Sam Jones:

It is completely and totally misaligned. I mean, think about how disruption actually propagates. Does it travel through the cables? Sometimes. But more often than not, it propagates through people.

Ori Wellington:

It's always the human element.

Sam Jones:

It's the phishing email that a tired, overworked employee clicks on at 5 p.m. on a Friday. It's the vendor who forgets to patch a critical server. It's the insider threat.

Ori Wellington:

So if you invest millions and millions in the tech integration, building this, you know, supercomputer network, but you underinvest in the people who are supposed to be running it.

Sam Jones:

You create what we call a brittle system.

Ori Wellington:

Brittle, that's a dangerous word for a company.

Sam Jones:

Because it breaks easily under stress. A brittle system looks strong on the outside. It has the shiny dashboards and all the blinking lights. But the moment you put real stress on that human element, a pandemic, a market crash, a burst of employee turnover, it just shatters because the people are burnt out, or they're undertrained, or they're just not empowered to actually use the expensive tools you bought them.

Ori Wellington:

It's like having a Ferrari engine inside a cardboard chassis driven by someone who hasn't slept in three days.

Sam Jones:

Exactly. That's a perfect analogy, not a recipe for winning any race. And the supply chain aspect is just as important. You can have your internal house in perfect order, but if your critical suppliers are a mess and you aren't investing and continuously monitoring them, you are incredibly vulnerable.

Ori Wellington:

Okay. Implication number five.

Sam Jones:

The winner profile is definitely shifting. We are seeing a very clear move toward what we call systems of action.

Ori Wellington:

As opposed to the old systems of record.

Sam Jones:

Right. For the last 10 or 15 years, the goal was to have a system of record, basically a big digital filing cabinet, a place where you store your policies, your risk assessments, your audit findings. It's a place to keep things, to prove to an auditor that you did them, you know, a year ago.

Ori Wellington:

Very passive.

Sam Jones:

Very passive. The winners now are the vendors who can unify signals across goals, processes, assets, and policies, we call that GPAP, and then convert those signals into actual triggers.

Ori Wellington:

Triggers. That's the active word.

Sam Jones:

Yes. It's not about software that connects anymore. It's about software that acts. The board doesn't want to know that the software is connected. They want to know that when a risk limit was breached, the software did something about it automatically.

Ori Wellington:

Can you give us a concrete example of an action?

Sam Jones:

Sure. A risk limit was breached on a financial transaction. The software automatically locked the account, it alerted the fraud team via their preferred channel, and it halted the transfer. That is an action.

Ori Wellington:

So it's actionable evidence that will actually stand up to scrutiny.

Sam Jones:

Exactly. If the regulator comes knocking on your door, you don't show them a report that says, we found a problem last month. You show them the workflow log that says, we found a problem at 2:15 PM, the system stopped it at 2:16, a human reviewed it by 2:30, and here is the documented resolution. That is what wins in this new environment.

Ori Wellington:

So we've covered the trap, the forces, and the implications for leaders. Let's look forward now. Section 5, what to watch next.

Sam Jones:

If I'm a listener, what should I be looking for in my next board meeting or budget cycle to see if my company is getting this right? Okay, first thing, watch for the board agenda evolution. The conversation itself is going to shift from just integration as a concept to integration for decision advantage.

Ori Wellington:

Decision advantage. I like that. It sounds competitive.

Sam Jones:

It is intensely competitive. It's not just about the plumbing anymore, it's about speed and agility. You should look for requirements from the board tying investment to measurable reductions in decision latency.

Ori Wellington:

So the CFO is going to start asking: if we spend this million dollars on this project, how much faster will we be able to make a critical crisis decision?

Sam Jones:

Exactly. And if the answer is uh we don't know, you might not get the funding. Boards want to know that they can outmaneuver the competition because their risk data is faster and more reliable.

Ori Wellington:

Okay, what about AI? We talked a lot about the lack of expertise. What happens there?

Sam Jones:

We're calling this AI management hardening. The honeymoon phase with AI is officially ending. We are now entering the governance phase.

Ori Wellington:

Well, maybe the hangover phase.

Sam Jones:

Maybe, yeah. You can expect boards to start demanding really practical controls. Things like acceptable use policies, data handling rules, and most importantly, model accountability.

Ori Wellington:

And evidence trails for decisions.

Sam Jones:

Absolutely critical. If an AI influences a decision like denying a loan or hiring a candidate or firing someone, you need a clear, auditable evidence trail that explains why. Boards are going to demand that to protect the company and themselves from lawsuits and regulatory fines.

Ori Wellington:

And what about third-party instrumentation?

Sam Jones:

We are finally, hopefully, moving from static assessments to continuous monitoring.

Ori Wellington:

So the death of the annual security questionnaire. Please tell me it's true.

Sam Jones:

Oh, please let it be true. The annual questionnaire is just a snapshot in time. It's basically useless the day after you send it. Boards want continuous monitoring that's tied to their most critical processes. They want to know the health of their most important vendor today, right now, not what it was last November.

Ori Wellington:

And finally, vendor messaging. Yeah. How will that change?

Sam Jones:

The smart vendors are going to change their tune. They will stop talking about integration claims, you know, "look, we have an API for everything," and they'll start talking about quantified outcomes.

Ori Wellington:

Things like cycle time reduction. Yeah. Lower loss exposure.

Sam Jones:

We save you money and we keep you out of jail. That's the message that is going to resonate with boards in 2026 and beyond. Simple, direct, value-driven.

Ori Wellington:

Okay, we have arrived at the finale. Section six, the wheelhouse horizon view. This is where we put our reputation on the line with some specific forecasts. We have two big ones for this episode. Let's start with the market view looking out about 12 to 18 months.

Sam Jones:

So we're putting this at a 70% probability. We predict that this board-driven funding will massively accelerate the consolidation of risk and assurance data layers.

Ori Wellington:

Consolidation, so breaking down the silos.

Sam Jones:

The walls between cyber risk and operational risk and audit and compliance are finally coming down. The data is merging into a unified layer. And this in turn increases the demand for platforms that can translate those unified signals into automated decision workflows.

Ori Wellington:

So if you're a leader listening to this, what's the action item?

Sam Jones:

My advice, and your advice in the article, is to require your vendors and your internal teams to prove integration to action. Do not buy architecture narratives.

Ori Wellington:

Don't just buy a pretty diagram of the cloud.

Sam Jones:

Don't buy a drawing of a cloud. Buy operational outcomes. Ask the vendor point blank: "Show me exactly what happens when this risk indicator turns red. Who gets notified? What workflow triggers? Show me the action." Make them prove it.

Ori Wellington:

Love that. Okay, the second one. The risk view looking out six to twelve months. This is a bit closer, a bit more immediate.

Sam Jones:

Yeah, and this one is a bit darker, unfortunately. We're giving it a 60% probability. We predict a significant rise in visibility-without-control incidents. It really is the theme of this whole discussion. The scenario is this: reporting improves, you get the better dashboards, you can see the problems more clearly than ever before. But your response authority, your ability to act, lags behind.

Ori Wellington:

And the result?

Sam Jones:

Preventable disruptions and what we call post-event assurance failures.

Ori Wellington:

The "we knew about it, but nobody stopped it" headline.

Sam Jones:

That is the epitaph of the failed risk manager in the 2020s: "We saw it coming." Can you imagine having to explain that to the press or to the regulators? "Yes, we saw the data leak happening on our dashboard in real time, but we didn't have a protocol to shut the server down without VP approval, and the VP was on a plane to Dubai."

Ori Wellington:

That is a career-ending nightmare.

Sam Jones:

That's a classic visibility-without-control incident. It's deeply embarrassing, and it's incredibly expensive.

Ori Wellington:

So, what is the leadership action to prevent that?

Sam Jones:

Establish explicit decision thresholds and accountable owners now. Do it as part of every single integration initiative. If you are connecting a new system, you must simultaneously define who owns the decisions that will come out of that system. Do not wait for the crash to decide who is driving the car.

Ori Wellington:

That is powerful stuff. Do not wait for the crash to decide who is driving.

Sam Jones:

It's absolutely essential. We are heading into a very fast, very complex 2026. The boards are putting the money up for integration, which is a good thing, but money without method is just expensive chaos.

Ori Wellington:

Expensive chaos. I think that sums up the risk perfectly. Okay, let's wrap this deep dive up. We've covered a lot of ground today. Let's just quickly recap the main theme.

Sam Jones:

The theme is pretty simple. 2026 is the year of integration.

Ori Wellington:

The boards want it, they are paying for it, but integration without decision rights is a trap. It is the integration trap.

Sam Jones:

Exactly. So the goal for all our listeners is to move from being coordinated, where you're just sharing data, to being truly embedded, where you have automated, preauthorized responses.

Ori Wellington:

And to move from a focus on reporting efficiency to one on manageability. Don't just show me the risk. Help me manage it in real time.

Sam Jones:

And before we sign off, just a quick reminder, we threw a lot of concepts at you today. You can find more about all of our research at wheelhouseadvisors.com. The specific article we discussed today is at risktechjournal.com.

Ori Wellington:

And if you want the deep dive notes, the weekly insights that really get into the weeds of this stuff, the cheat codes, as we sometimes call them, you should subscribe to the RTJ Bridge at rtjbridge.com. It really is the best value in the market for this level of insight.

Sam Jones:

It is.

Ori Wellington:

Now, as we always do, we want to leave you with a final thought. Something for you to chew on as you head into your next strategy meeting. Bring us home.

Sam Jones:

We talked a lot today about visibility without control. We talked about those fancy dashboards. So here's my question for you to take back to your team. If your dashboard turns red tomorrow, a big flashing critical red light, does everyone in your organization know exactly who holds the steering wheel? Or will you just have a high definition view of the crash?

Ori Wellington:

Oof, a high definition view of the crash. Don't let that be you.

Sam Jones:

Please don't.

Ori Wellington:

Thanks for listening to the Risk Wheelhouse.

Sam Jones:

I'll see you next time.