The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S5E3: 2025 ORM Vendor Compass - The Enterprise Resilience Engine
Resilience isn’t a binder anymore. It’s a live system that has to perform under pressure. We pull apart the 2025 IRM Navigator™ Vendor Compass for Operational Risk Management (ORM) to show how ORM moved from back-office compliance to the execution engine of enterprise resilience. The stakes are massive. They include billions in spend, tighter regulations across the US, UK, and EU, and a rising demand for continuous, auditable proof that controls actually work when services fail.
We break down where ORM sits inside integrated risk management and how it turns risk appetite into daily action across business continuity, incident and loss event operations, KRIs, EHS, and deep third-party and supply chain risk. Then we unpack the four structural drivers forcing change: buyers rewarding measurable outcomes over feature checklists, resilience defined as end-to-end service delivery, assurance-grade automation with transparent trust layers and data lineage, and the hard convergence of TPRM with continuity and incident response as vendor failures directly hit customer experience. If one in three major incidents involves an external partner, vendor monitoring can’t live on the sidelines.
To make this practical, we map the vendor landscape across two dimensions—solution coverage and level of integration—and explain three categories that align to your maturity curve. Integrators like Riskonnect and IBM OpenPages centralize claims, continuity, RCSAs, KRIs, and loss events under strong governance for complex enterprises. Accelerators such as ServiceNow, Hyperproof, and Safe Security embed controls and monitoring into existing workflows fast, moving teams from coordinated to embedded. Pace setters like Fusion Risk Management, ProcessUnity, and Origami Risk deliver targeted wins in resilience mapping, third-party risk, and incident-to-claims operations.
The takeaway is simple: aim for defensible operational assurance without drowning in manual work. As AI-native runbooks evolve by simulating impacts, selecting responses, and triggering mitigation with audit-ready evidence, the question becomes whether your current telemetry and control data will meet disclosure-grade standards. Subscribe, share with your risk and operations teams, and leave a review with your biggest challenge. Where are you on the maturity curve, and what proof do you still need?
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Welcome back to the deep dive. We're here again digging into the complex research so you don't have to. Today, uh, we're tackling the 2025 IRM Navigator Vendor Compass. Specifically, we're zeroing in on operational risk management. You'll hear us call it ORM.
Sam Jones: Yeah, and it's a really timely discussion because ORM, well, it's changed a lot. It's definitely not just that uh back office compliance function anymore. The sources we're looking at are clear. ORM is now basically the execution engine for enterprise resilience.
Ori Wellington: Execution engine. Okay. So our mission today is really to understand what's driving this shift, the market forces, and then look at the vendors, the actual technology players enabling this.
Sam Jones: Exactly. And this isn't just, you know, a theoretical shift. It's strategic. And the money involved tells that story.
Ori Wellington: The financial stakes are just staggering, the spending projections alone. We're talking operational risk management hitting an estimated $13.8 billion this year, this year alone. And that's projected to climb past $31.5 billion by 2032.
Sam Jones: Yeah, it's huge. That's a what, 12.6% compound annual growth rate? It just shows this massive reprioritization in how companies are dealing with instability. And remember, that ORM piece is part of the bigger integrated risk management market, IRM. That whole market is expected to more than double. But the money's flowing into ORM specifically because, well, organizations learn the hard way that static controls, you know, checklists, annual reviews, they just don't cut it when a real crisis hits.
Ori Wellington: That really feels like the core idea here, doesn't it? The report hammers this point. Regulators, whether it's the US, UK, EU, they're moving beyond just ticking boxes. They're demanding uh demonstrable impact tolerances, continuous service assurance. You can't just have a plan anymore.
Sam Jones: No, you have to prove it works continuously, in real time. Prove you can execute under pressure.
Ori Wellington: It's a complete flip from policy documents to actual operational readiness.
Sam Jones: Totally. There was a great quote in the sources from the Wheelhouse Advisors CEO. They called operational risk the connective tissue that keeps performance and resilience aligned in real time.
Ori Wellington: Connective tissue. I really like that phrase. Okay, so if integrated risk management is the whole nervous system, what's ORM's specific job? Where does it fit?
Sam Jones: So ORM is basically the process backbone. Think of it like this: IRM sets the strategy, the risk appetite. ORM is what translates that into, well, actual functioning processes on the ground. In the IRM Navigator model they talk about, it sits right at the process integration point. It takes the high-level stuff and makes sure operations stay resilient.
Ori Wellington: Okay, makes sense. Can you walk us through the specific things covered by modern ORM? Because I think a lot of people still just think, you know, IT failures.
Sam Jones: Right. And it's much, much broader now. We're talking business continuity and crisis management, BCM, incident and loss event management, uh monitoring key risk indicators, KRIs, environmental health and safety, EHS, and this is critical, vendor and supply chain risk management. See how those are all about actions, people, physical processes, not just data logs.
Ori Wellington: Yeah, absolutely. That's where risk becomes real disruption. And you mentioned connectivity. The report talks about something called PRAC. What's that about? How does ORM tie into it?
Sam Jones: Ah, PRAC. Okay, so that defines the four main goals of IRM: performance, resilience, assurance, and compliance. ORM is absolutely fundamental to hitting all four. It drives resilience, obviously, through continuity and recovery plans that actually work, and it drives assurance by constantly gathering verifiable proof that controls are effective.
Ori Wellington: So it connects daily process success or failure directly to those big enterprise outcomes.
Sam Jones: Exactly. It's where the theory of risk management meets the reality of operations.
Ori Wellington: Okay. So ORM is critical. It's where the rubber meets the road. Before we get into the vendors, though, the source material mentions this IRM Navigator maturity curve. Foundational, coordinated, embedded, extended, autonomous. Where are most organizations now?
Sam Jones: Well, the report suggests most are kind of clustered between coordinated and embedded.
Ori Wellington: Coordinated and embedded. Okay, what does that mean practically?
Sam Jones: It means they might have pulled their risk data together. Maybe they've even got a single platform. But that next step, embedding risk management identification, monitoring, fixing things right into the core business services, into the supply chains, that's still the big hurdle for many. The systems talk to each other, maybe, but it's not seamless, not yet automated risk management woven into the fabric of the business.
Ori Wellington: Right. That gap between just coordinating data and truly embedding the process. That leads us perfectly into the next part of the report. This is where it gets really interesting. Because this whole shift, it isn't random. It's being pushed by four big structural drivers in the market. Let's unpack why ORM matters so much right now.
Sam Jones: Okay, driver number one. And this one probably stings a bit for traditional IT and risk teams.
Ori Wellington: Yeah.
Sam Jones: The market has shifted decisively. It's moved from rewarding vendors for software features to rewarding them for delivering measurable business outcomes. Buyers are just tired of fragmented systems that take tons of manual work just to spit out a compliance report.
Ori Wellington: And there's data on that frustration, isn't there? I saw that risk.net finding. Fewer than half of banks rate their current GRC vendor as good. That's pretty damning.
Sam Jones: It really is. It shows that fragmentation, you know, having one system for compliance, another for third-party risk, another for BCM, it's just too expensive. Yeah. Not just in licenses, but in actual operational failures. So now buyers are saying, prove it. Prove you can cut my recovery time by X percent. Show me how you reduce incident loss severity because you connect claims and incident data.
Ori Wellington: So the conversation shifts from "do you have this button" to "can you guarantee my SLA?"
Sam Jones: Precisely. And that leads right into the second driver. Resilience is operational now. It's not just an IT thing anymore. For years, resilience meant keeping the servers humming. But now, regulators, the market, they define resilience as delivering the critical business service end-to-end.
Ori Wellington: Which means the perimeter just exploded, right? It's not just the data center wall.
Sam Jones: Exactly. Think about, say, a big retailer. If a key supplier's truck breaks down 500 miles out, or a logistics partner has a strike, that's an operational risk event. It hits business continuity just as hard as a server outage. Modern ORM has to map those critical services, stress test the entire playbook, measure RTO/RPO across everything, including suppliers way down the chain.
Ori Wellington: So BCM moves from being a dusty binder to a live, dynamic dependency map.
Sam Jones: Okay.
Ori Wellington: Driver three feels crucial for that assurance goal you mentioned earlier. Assurance-grade automation is the new baseline. Yeah. Not optional.
Sam Jones: Yes. We're past basic automation. Things like continuous control monitoring, CCM, that's just table stakes now. But the keyword is assurance-grade.
Ori Wellington: What does assurance-grade really mean, though? Sounds technical, but I guess it's about auditability.
Sam Jones: That's exactly it. It means if automation makes a decision, maybe AI flags something weird or analytics triggers a workflow, you need proof, governed proof. It has to operate under transparent trust layers. You can't just tell the auditor the AI did it. You need verifiable evidence, a clear data lineage. Think frameworks like ISO 42001. That's what provides the transparent, provable trail. The automation output has to stand up in court, basically, or you know, in front of the board.
Ori Wellington: Got it. So it's not just about being fast, it's about trusting the evidence the automation produces. That seems huge, especially as AI gets more complex.
Sam Jones: It's the foundation for future risk management, which actually brings us neatly to driver number four: third-party risk convergence. Supply chain fragility, everyone felt that during the pandemic, right? It forced third-party risk management, TPRM, out of the procurement back office and into the live operational spotlight. It's not just about contracts anymore.
Ori Wellington: And the numbers back that up starkly. That Verizon report for 2025 said third-party involvement in data breaches doubled to 30%.
Sam Jones: Doubled. To 30%. One in three major security incidents involves an external vendor.
Ori Wellington: Wow.
Sam Jones: So you just cannot treat vendor monitoring as separate from your internal BCM or your incident response and claims. The risk is immediate, it's operational. If your vendor hiccups, your service hiccups. ORM is increasingly becoming that central point, that orchestration layer that pulls TPRM, incident response, BCM all together, making sure those external dependencies are watched continuously.
Ori Wellington: Okay, so we've got the why. Market dynamics, forcing convergence, demanding real outcomes. That context is perfect for looking at the vendor landscape itself. The IRM Navigator Vendor Compass uses two main dimensions to plot these players.
Sam Jones: That's right. It's all about utility and integration. First dimension, solution coverage. Basically, how broad and deep are their ORM capabilities? Do they cover resilience, EHS, vendor risk well? Second dimension, level of integration. How well do these platforms actually connect ORM into the rest of the enterprise risk world, ERM, TRM, GRC? Are they playing nice or are they another silo?
Ori Wellington: And based on those two axes, the report puts vendors into three categories, which kind of map to where an organization might be in its maturity journey.
Sam Jones: Let's start at the top. The integrators. Who are they for?
Ori Wellington: Integrators are the uh the heavyweights, comprehensive coverage, deep integration across different risk domains. They're really aimed at large enterprises, the ones shooting for or already at that extended maturity level, think complex global companies needing serious orchestration.
Sam Jones: Gotcha. Can you give an example or two? What makes them an integrator?
Ori Wellington: Sure. Riskonnect is a prime example mentioned. Their big strength is unifying things like claims data, continuity planning, and risk assessment. Really good for industries where an operational slip immediately becomes a liability issue. They close that loop fast. Then there's IBM OpenPages. They're known for centralizing things like risk and control self-assessments, RCSAs, loss events, KRIs, pulling it all into one unified assurance model across the enterprise risk structure. Consistency and central governance are key there. Okay. Integrators for the big, complex players. Now, what about the accelerators? These sound like they're strong in specific areas or driving innovation. Maybe for companies moving up that maturity curve.
Sam Jones: Exactly. Perfect for organizations moving from coordinated towards embedded. This category includes uh ServiceNow. Now, ServiceNow is a huge platform, right? But the report puts them here likely because they accelerate specific ORM processes, RCSA, control assurance, incident capture, by plugging them directly into the existing workflow engine of the Now Platform. It's about speed and leveraging existing workflows.
Ori Wellington: Hmm. That's interesting. So even though ServiceNow is massive, it's an accelerator here, not an integrator. Does that suggest maybe narrower ORM-specific coverage compared to Riskonnect or IBM? Or is it more about their go-to-market focus on workflow acceleration?
Sam Jones: That's a really good question. It likely reflects how the report is weighing things. While they have broad capabilities, their superpower is embedding risk tasks into existing IT and operational workflows very quickly. That speed of embedding is often the biggest bottleneck for those mid to large firms trying to mature. So accelerator fits that impact. We also see others here like Hyperproof, extending compliance work with really strong continuous control monitoring, and Safe Security, which is important for bringing risk quantification using models like FAIR into operational decisions.
Ori Wellington: That makes sense. Finally, the pace setters, niche capabilities, targeted solutions. Who needs these?
Sam Jones: These often hit the spot for mid-market companies or maybe programs just starting out. They need a quick win on a specific critical pain point. Think best in breed for a specific function. Fusion Risk Management, for example, is very resilience-focused, top-notch BCM dependency mapping. ProcessUnity nails third-party risk management. Origami Risk comes from an RMIS background, so they're excellent with claims and incident operations.
Ori Wellington: Okay, so let's tie this back to you, the listener. You're looking at this compass. What's the practical advice? How do you choose?
Sam Jones: Well, the guidance is pretty pragmatic. Match the tool to where you are now. If you're a large enterprise drowning in complexity, especially with claims or lots of incidents, you probably need an integrator. You need that unified orchestration across different risk areas.
Ori Wellington: And for the SMEs, the small to mid-sized folks, or those just starting their journey?
Sam Jones: For SMEs, look hard at the pace setters if you have one burning issue like getting TPRM under control fast. They offer quick, targeted value. Then as you mature past that foundational stage, maybe look to the accelerators to scale up, perhaps embed continuous monitoring more broadly. But the goal for everyone really is defensible operational assurance without creating a mountain of manual work. Right.
Ori Wellington: That brings us towards the end of this deep dive on the ORM Vendor Compass. The big takeaway seems crystal clear. ORM isn't just a compliance task anymore. It's moved right to the center. It's about resilience.
Sam Jones: Absolutely. It's acting as both the organization's sensor, picking up problems, and its stabilizer, helping orchestrate the response. It turns what's happening on the ground into genuine enterprise readiness.
Ori Wellington: And looking ahead, the report hints at the next stage. Autonomous IRM. Sounds futuristic, but it's where things are heading.
Sam Jones: Yeah. Think AI-native runbooks. Systems that don't just detect issues, but instantly simulate the impact, figure out the best response, and kick off mitigation, all with minimal human touch. That's the North Star.
Ori Wellington: Okay, so here's the final thought to leave you with, building on everything we've discussed.
Sam Jones: If ORM truly is becoming the core process architecture for achieving assurance, and if leaders are going to be judged on their ability to prove outcomes, you really have to ask yourself this. The evidence your current systems are capturing right now, from vendor checks to incident logs, will that evidence meet the coming demand for disclosure-grade proof? The kind boards and regulators will require. Because the standard is shifting fast. It's moving away from checklists towards continuous, auditable, trustworthy evidence. That's the challenge ahead.