The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
The Risk Wheelhouse
S6E2: Rethinking Integrated Risk, From ROI To Dividends
Integrated Risk Management (IRM) is repeatedly underfunded for a structural reason: leaders keep forcing IRM into an ROI construct that demands a single, auditable chain of causality, while IRM is designed to distribute value across multiple domains at once. In this episode, Ori Wellington and Sam Jones explain why ROI framing collapses into assumption-stacked narrative under CFO scrutiny, and why risk leaders need a finance-compatible alternative that remains decision-grade.
The episode’s answer is a disciplined shift: evaluate IRM with cost/benefit analysis, and label the benefit streams as dividends. Dividends are distributed outcomes that improve enterprise performance and resilience without requiring false precision in a single attributable cash-flow line.
Source: RTJ Bridge (Wheelhouse Advisors Premium Research)
What executives should take from this episode
- ROI is the wrong container for IRM. ROI demands strict attribution. IRM delivers system-level uplift where attribution is inherently weak.
- Use dividends to quantify value in decision-grade terms:
- Efficiency dividend (cycle time and throughput improvements), with explicit discipline on what becomes realized value.
- Loss mitigation dividend (reduction in expected loss), modeled through scenarios, frequency, severity, and control effectiveness assumptions.
- Trust dividend (friction removed), increasingly the gating factor for velocity in an AI-era operating model.
- Avoid the credibility traps embedded in legacy GRC value calculators. They pull the conversation toward compliance throughput, invite silo double counting, and emphasize backward-looking activity counts rather than continuous assurance.
If IRM is positioned as a strategic capability, its value model must be positioned the same way. Build a dividend-based business case that finance can challenge and still accept, then use it to protect and accelerate the enterprise’s highest-leverage investments.
Podcast Episode Chapters
0:00 The ROI Mismatch Problem
3:58 Defining Finance-Grade ROI Rigor
7:03 Why IRM Defies Singular Attribution
12:03 Introducing The Dividends Model
15:48 Efficiency Dividend And Its Limits
21:48 Capacity Redeployment Vs Trapped Time
25:58 Quantifying Loss Mitigation Credibly
31:48 Presenting Ranges And Confidence
36:03 The Trust Dividend As Friction Removed
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Integrated risk management. It's supposed to be the connective tissue for the modern enterprise, you know, linking security, compliance, privacy, and business strategy into one cohesive operational system.
Ori Wellington:It's the cornerstone of resilience, or at least it should be.
Sam Jones:Yet when you, as the risk or resilience leader, walk into the CFO's office or you stand before the board to ask for capital, there's often this immediate and I'd say sometimes deserved skepticism about its true financial impact. Oh, absolutely. And why is that? It's because you are constantly being asked to prove its return on investment. It's ROI.
Ori Wellington:And that right there is the absolute foundational problem we have to confront. We are routinely forcing integrated risk management IRM into an ROI framing that, well, it just doesn't fit its economic reality.
Sam Jones:What do you mean by that? It's economic reality.
Ori Wellington:It's a distributed value generator. The whole model is wrong. It's a fundamental measurement mismatch. It's sort of like trying to measure the systemic health of a massive integrated supply chain using the profitability metric of a single small inventory warehouse. The calculation itself is structurally biased against the outcome we're actually trying to achieve.
Sam Jones:Which is that systemic resilience and performance lift.
Ori Wellington:Exactly.
Sam Jones:So this deep dive is our response to that bias, and we're drawing on some really critical cutting-edge research to fundamentally reframe this whole value conversation. Our anchor is the RTJ Bridge research note. IRM does not produce ROI, it produces dividends authored by you.
Ori Wellington:That's right. And the core thesis that really drives this analysis is that the current ROI framework, at least as is traditionally applied to strategic investments like IRM, it systematically misprices its value.
Sam Jones:Misprices it how?
Ori Wellington:It misprices it because the framework rigidly demands a single, isolated, and strictly attributable cash flow stream tied directly back to the investment. But IRM is designed to do the exact opposite.
Sam Jones:It's designed to distribute value across the organization, not isolate it.
Ori Wellington:It integrates. It doesn't compartmentalize.
Sam Jones:Precisely. So we need a different model.
Ori Wellington:We have to fundamentally upgrade our measurement model. We need to adopt the lens of dividends, a concept that acknowledges and uh and measures these distributed outcomes. These dividends are the beneficial effects that fundamentally improve enterprise performance and resilience across numerous interconnected domains.
Sam Jones:Okay. So our mission today is to unpack exactly why this legacy habit of forcing IRM into the let's call it the GRC calculator mindset distorts capital allocation and decision making at the executive level. Right. And crucially, we need to show why this distortion is becoming exponentially more dangerous, more constraining, as artificial intelligence shifts the entire economic value calculus for the modern enterprise.
Ori Wellington:Yeah, this is not a tactical discussion anymore.
Sam Jones:No. We are moving this conversation from a tactical GRC procurement discussion to a mandatory executive capital allocation imperative.
Ori Wellington:Okay. So let's start with first principles. And that means being really rigorous about the language we use.
Sam Jones:Especially when you're communicating with finance leaders, CFOs, and the board.
Ori Wellington:Absolutely. We have to be precise about what ROI actually means in a strict financial context. It's not, you know, it's not a flexible term in accounting.
Sam Jones:And what does that strip finance construct demand of any investment?
Ori Wellington:It demands the measurement of incremental cash flows that are strictly, directly, and verifiably attributable to the investment, measured against the initial cost over a defined time horizon.
Sam Jones:So you have to prove that direct causal link.
Ori Wellington:You have to construct a defensible chain of causality. Investment X directly and singularly caused cash flow Y. That linkage, it has to be auditable, verifiable, and it has to withstand skeptical review. That's just the necessary rigor of capital expenditure accounting and finance. Trevor Burrus, Jr.
Sam Jones:And this is exactly where integrated risk management just hits a conceptual and quantitative wall.
Ori Wellington:It really does.
Sam Jones:I mean, IRM, by its very definition and purpose, is designed to weave disparate processes, controls, technologies, and teams together. It's designed to be ubiquitous, the infrastructure for trust.
Ori Wellington:That's the conceptual contradiction right there. IRM integrates security controls with compliance regimes, it feeds audit evidence back into policy frameworks, and it connects operational risk data to business continuity planning.
Sam Jones:So it's designed to create a systemic effect.
Ori Wellington:Yes, a systemic reduction in drag and an increase in assurance. But because it is so systemic, attribution is inherently and frankly hopelessly weak across these integrated domains.
Sam Jones:Can you give us a concrete example of that attribution weakness?
Ori Wellington:Sure. Imagine an organization implements a modern, robust, integrated policy management and third-party risk management workflow, all powered by their IRM suite.
Sam Jones:Okay.
Ori Wellington:Now the single workflow, it simultaneously accomplishes three things. It reduces a critical supply chain security exposure, it improves a major regulatory compliance reporting mechanism, and it speeds up the due diligence process for the procurement team who's just trying to onboard a new vendor.
Sam Jones:So you've got a security benefit, a compliance benefit, and a procurement velocity benefit, all from one investment.
Ori Wellington:Exactly. Now, try to attribute the subsequent cash flow game. Did the security reduction cause a lower expected loss? Did the compliance improvement save an operational expense? Did the procurement acceleration increase revenue?
Sam Jones:All three. Some combination.
Ori Wellington:Right. And if you try to collapse those three distributed benefits into a single isolated ROI number for that IRM investment, the linkage becomes highly tenuous. It's based on numerous shaky assumptions.
Sam Jones:It becomes fuzzy fast. And I imagine finance leaders who are just trained to look for those deterministic linkages, they immediately challenge that.
Ori Wellington:They do. And this is the critical takeaway for everyone listening. In the finance world, when attribution is weak and assumptions are layered on top of each other, the calculated ROI quickly ceases to be an auditable, verifiable financial fact.
Sam Jones:It just becomes a story.
Ori Wellington:It degrades into mere narrative. It becomes a story we tell ourselves and the board to justify the spend, rather than a rigorous, quantifiable, decision grade input for capital allocation. CFOs are masters at identifying these assumptions, and they immediately discount the asserted value of the investment, often by 50% or more.
Sam Jones:So the system itself, the integrated distributed nature of IRM, it works against the legacy measurement model.
Ori Wellington:It fundamentally does.
Sam Jones:And that makes sense. But the problem isn't just the definition of ROI, is it? It's also reinforced by the tools that risk leaders are using every day.
Ori Wellington:Oh, for sure.
Sam Jones:The legacy GRC calculators out there in the market, they almost seem designed to reinforce this mispricing.
Ori Wellington:Absolutely. I mean, many of the value calculators and justification models that risk leaders are forced to rely on, they are not truly IRM native. They are fundamentally legacy GRC instruments.
Sam Jones:What do you mean by that? GRC instruments?
Ori Wellington:They were conceived and optimized for a different era, a compliance era, where the primary value conversation revolved around the cost of compliance or maybe the avoidance of fines, framed entirely within a single silo, like ITGRC or internal audit management or just regulatory mapping.
Sam Jones:So they are built around measuring inputs and throughput within a checklist framework rather than measuring integrated enterprise-wide outcomes.
Ori Wellington:Exactly. The measurement model centers on GRC program inputs and throughput. How many policies did you review? How many control tests did you run? How much time did you save the internal audit team?
Sam Jones:And those are valid things to count.
Ori Wellington:They are valid, countable metrics, but they stop short of quantifying the integrated cross-domain enterprise outcomes that truly define IRM value. These tools structurally struggle to quantify the value of cross-domain evidence reuse, true enterprise loss mitigation, and especially the requirements for modern AI Trust, which is highly distributed.
Sam Jones:So this structural bias in the tooling, which is optimized for counting compliance activities and internal labor hours, makes it nearly impossible for a risk leader to capture the holistic systemic value that IRM is actually designed to deliver.
Ori Wellington:It does.
Sam Jones:It's forcing a strategic asset back into a tactical cost reduction justification.
Ori Wellington:That is the crux of it. This compliance-centric, siloed approach, it limits the perceived value entirely to the cost of compliance. And that's a necessary but ultimately insufficient narrative. Senior executives find that narrative insufficient to justify the strategic level of investment IRM truly demands to function as a real enterprise resilience platform.
Sam Jones:So we need a new framework.
Ori Wellington:We need a completely different conceptual framework to accurately convey value, one that embraces distribution.
Sam Jones:Okay, so let's unpack this new lens. If ROI is the rigid finance construct that demands singular attribution, then what is the definition of a dividend in this context? Why is it better suited for the distributed nature of IRM?
Ori Wellington:We use the term dividends because it is a management construct, it's not a financial one.
Sam Jones:A management construct.
Ori Wellington:Right. Unlike ROI, which is financial, dividends represent distributed outcomes that improve enterprise performance and resilience across the entire system. And crucially, they do not need to collapse cleanly into a single attributable cash stream.
Sam Jones:So they're more like beneficial effects.
Ori Wellington:There are beneficial effects spread across the organization. A systemic lift in performance, a quantifiable reduction in systemic drag, and acceleration velocity all flowing from that central IRM investment. The measurement discipline is showing the collective uplift, not trying to prove singular causality.
Sam Jones:That immediately aligns so much better with how risk and resilience actually function in a complex enterprise.
Ori Wellington:It has to.
Sam Jones:Now the research note identifies three core IRM dividends. Let's start with the one that's probably the easiest to measure, the efficiency dividend.
Ori Wellington:Right. Dividend one is the efficiency dividend. This is the most defensible dividend, and that's because it ties directly to observable throughput and cycle time reduction. It's measurable because the input time, labor, rework, administrative drag, it's all visible, countable, and verifiable.
Sam Jones:What are some specific, repeatable examples of this that risk leaders should be quantifying right now?
Ori Wellington:The examples are clear across multiple domains. I mean, think about audit cycle time reduction cutting, the week saved between fieldwork completion and the final report sign-off.
Sam Jones:That's a huge one.
Ori Wellington:It is. And consider the massive efficiency gain from automation and reuse of evidence collection. Instead of three different teams pulling the same control evidence manually for PCI and GDPR and ISO 2700001, the system provides a centralized repository and maps controls automatically. That is pure administrative drag removed from the system.
Sam Jones:And that velocity is felt on the back end as well. So reduced rework and faster cycle time for issue remediation. When an issue is identified, the speed at which it gets fixed is a direct measure of operational efficiency.
Ori Wellington:Absolutely. Yeah. And third-party assessment turntime reduction is perhaps the most visible example for the business side. Procurement cycles often stall for weeks, sometimes months, just waiting for the security and compliance assessments to clear. If you can cut that due diligence turn time by 50%, that's pure velocity added back into the enterprise revenue engine.
Sam Jones:Okay, but this is where we need to introduce the crucial analytical discipline you highlight in the research. Efficiency alone doesn't automatically translate into a hard financial saving.
Ori Wellington:It does not.
Sam Jones:And this is where risk leaders often lose credibility with finance.
Ori Wellington:That's the most vital concept for our audience to grasp, particularly when you're addressing capital allocation. Time saved only converts to money saved, or a realized financial benefit if the organization can prove one of two things. First is cash release, meaning you eliminate a full-time employee position, or you reduce an external operating expenditure, which, let's be honest, is rare in GRC investments.
Sam Jones:Right. That's the harder one to prove. So what's the second?
Ori Wellington:The second and more realistic one is measurable capacity redeployment.
Sam Jones:Okay, let's focus on capacity redeployment because that feels like the real opportunity. What is the difference between trapped capacity and realized capacity?
Ori Wellington:So if a compliance team saves, say, 200 hours of manual repetitive work like reconciling two different control frameworks, but they'd simply use those 200 hours to write longer, more complex, and ultimately unnecessary reports, the capacity is trapped.
Sam Jones:Nothing has really been gained for the business.
Ori Wellington:No measurable value has been created for the enterprise. No cash was released, and no strategic work was accomplished. Benefit just remains potential, not realized.
Sam Jones:Versus realized capacity.
Ori Wellington:Realized capacity is when those 200 hours are demonstrably and strategically redirected. For instance, those same 200 hours are now spent proactively identifying emerging AI model risks or quantifying the financial exposure of a new geopolitical risks scenario, or performing crucial forward-looking threat modeling that the team previously just lacked the resources to do.
Sam Jones:That's real strategic value creation.
Ori Wellington:It is, even if the cash wasn't released. The efficiency dividend is foundational, but at higher IRM maturity stages, it's insufficient on its own to justify the entire strategic investment. It justifies consolidation, but you need the next dividends to drive the executive conversation.
Sam Jones:Which brings us to dividend two, the loss mitigation dividend. This is where we move into the economic core of risk management itself.
Ori Wellington:That's right. The loss mitigation dividend is defined as the reduction in expected loss. Risk management reduces this expected loss by shifting the probability distribution of adverse outcomes, specifically pushing the tails of the distribution inward.
Sam Jones:So you're reducing both the likelihood and the severity of a bad event.
Ori Wellington:We are actively reducing both the likelihood or frequency of a high impact event and the severity if one does occur.
Sam Jones:But here is the challenge that finance leaders always raise. The avoided loss is, by definition, unobservable. You cannot put a deterministic dollar sign on something that didn't happen. And if you claim it, a CFO will rightly ask, how do we know we didn't overinvest if the loss was never going to happen anyway? That sounds like high-level theory. How do we make the case for probabilistic models when the board often demands certainty?
Ori Wellington:And that skepticism is entirely warranted if the risk leader is just presenting vague narratives or qualitative heat maps. To overcome the challenge of unobservable loss, decision grade measurement requires rigorous modeling discipline.
Sam Jones:So no more high or medium risk.
Ori Wellington:No. You cannot rely on qualitative descriptions. You need to adopt quantitative methods.
Sam Jones:So what does that rigor look like in practice?
Ori Wellington:To achieve credibility with finance, a decision grade loss mitigation approach requires several components. First, it's mandatory to use scenario-based exposure quantification using frequency and severity data. We need to model the impact of, for example, a material data breach or a significant supply chain disruption based on a spectrum of potential financial outcomes, say $10 million at the low end, $50 million at the high end, not just a single worst-case fear number.
Sam Jones:So it requires explicit assumptions about how effective your controls are. You have to quantify, using data or expert judgment, what percentage of the financial risk is actually being reduced by the control environment you are building with IRM.
Ori Wellington:Exactly. If you invest in integrated controls, you must be able to state this investment is expected to increase the effectiveness of control group A from 70% to 90%. And here is the resultant reduction in financial exposure.
Sam Jones:And the presentation of that matters.
Ori Wellington:Critically, the results must be presented as ranges with confidence levels, not deterministic point estimates. A statement like, we saved the company $5 million this year is challenged immediately.
Sam Jones:Or what's the alternative?
Ori Wellington:But a statement like, based on our modeling, we have reduced our 96th percentile expected annual loss from cyber risk from $80 million to $55 million due to integrated control adoption is far more credible.
Sam Jones:That shift in language from claiming an isolated saving to quantifying a trade-off in potential risk, that's powerful. You're giving them a clear data-driven decision point.
Ori Wellington:It is decision grade input. And my critique of legacy GRC approaches is that they tend to sidestep this rigor entirely. They either rely on anecdote or they try to translate complex probabilistic risk reduction into deterministic savings. A single fixed dollar amount, which almost always fails finance scrutiny because it lacks the necessary mathematical foundation.
Sam Jones:It remains a narrative.
Ori Wellington:Divorced from verifiable financial facts. Yes.
Sam Jones:That is a fundamental distinction. Which brings us to the third dividend, and this is the one gaining the most strategic heat right now, the trust dividend. And you define it as friction removed, not revenue directly added.
Ori Wellington:That is the crucial economic distinction. Trust is now an essential economic factor for high velocity enterprises, but it is best defined and measured as friction removed. Trying to claim that a better compliance program directly drives a new revenue stream is often tenuous and, frankly, fragile.
Sam Jones:But measuring how much faster and smoother the existing revenue machine can move, that's the trust dividend.
Ori Wellington:You're applying lubricant to a high-speed machine to prevent it from seizing up. That's a good way to put it.
Sam Jones:So quantify that friction removed for us in a modern enterprise context.
Ori Wellington:Okay. Think about the internal friction points. Faster approvals through legal privacy, security, and compliance. When the product team finishes developing a new feature, does it sit in a queue for weeks while disparate teams manually check boxes and request documentation that already exists elsewhere?
Sam Jones:Or does the IRM system provide that immediate integrated assurance needed for sign-off?
Ori Wellington:Right, dramatically reducing time to market friction.
Sam Jones:And what about those costly late stage reversals?
Ori Wellington:Yes. Fewer late stage deployment reversals due to documentation or control gaps. The cost of unwinding a deployment because someone realized at the 11th hour that a key security control was missed or a privacy requirement was violated is enormous. It's lost development time, it's wasted marketing spend, and potential reputational damage. The trust dividend prevents those costs by embedding assurance and control evidence early in the process.
Sam Jones:And externally, how does that friction manifest?
Ori Wellington:Externally, it translates into faster customer assurance responses for AI-enabled products, which reduces sales cycle friction. Customers, particularly large BDB buyers, they demand proof of security and compliance before contracting. Sure. If you can provide that proof instantly, credibly, and holistically via your IRM system, you win deals faster. And crucially, it results in a reduced probability of regulatory escalation stemming from transparency or accountability failures, reducing external drag on the business.
Sam Jones:So the ability to quickly and credibly attest to your operating environment suddenly becomes a key competitive differentiator and an economic enabler that directly impacts velocity and capital protection.
Ori Wellington:It absolutely does.
Sam Jones:Okay, here's where this reframing moves from just, you know, important to absolutely mandatory. AI.
Ori Wellington:Right. AI fundamentally changes the magnitude and the cadence of the trust requirement. The need for trust shifts dramatically from primarily a regulatory compliance concern, you know, something you deal with periodically to satisfy an audit to a gating mechanism. Trevor Burrus, Jr.
Sam Jones:Or, as you say in the note, a scale constraint.
Ori Wellington:Trevor Burrus, Jr.: An even more accurate term, yes.
Sam Jones:Yeah.
Ori Wellington:A scale constraint for all high-leverage AI initiatives.
Sam Jones:Gating mechanism. I mean, if the assurance mechanisms fail, the business process stalls completely. That is a serious strategic constraint.
Ori Wellington:Precisely. If we look at AI at scale, the deployment of hundreds or even thousands of models across the enterprise, the primary constraint is no longer computational power or even model capability. It's whether the enterprise can prove the system is acceptable, transparent, and controlled.
Sam Jones:So can you trace the training data provenance? Can you explain the model's outcomes in a business context?
Ori Wellington:Can you prove it adheres to internal policy and external regulatory guards? Rails. All of those questions.
Sam Jones:So AI introduces these mandatory, evidence-based questions across its entire life cycle that, frankly, traditional compliance and GRC were never built to answer with speed and rigor.
Ori Wellington:Absolutely. The enterprise must demonstrate trustworthiness, characteristics, and risk controls across the entire AI lifecycle, from data ingestion and model training all the way through continuous deployment and monitoring. Can the enterprise operationalize an AI management system that actually holds up to internal audits and third-party scrutiny?
Sam Jones:And we're talking about adhering to frameworks that are now globally recognized as necessary.
Ori Wellington:Yes, referencing contexts like the NIST AI Risk Management Framework, the RMF, and ISOIE SOVI 2001.
Sam Jones:So for the listener who might not be steeped in these standards, what does something like ISOIES 40 2001 represent strategically for an executive?
Ori Wellington:It represents proving due diligence. Strategically, these standards are the requirement for evidence-based accountability. They demand a system for managing AI risk that is structured, repeatable, and auditable.
Sam Jones:So it's not enough to just say you thought about it.
Ori Wellington:No. It means you must be able to prove continuously that you didn't just think about bias mitigation. You implemented controls, you tested them, and here is the evidence trail proving the system is within acceptable risk tolerances. Without that systemic proof, deployment risks catastrophic reversal.
Sam Jones:And this means the speed at which you can generate and present that evidence is now an operational necessity. If your transparency and information obligations take too long to meet, your business cycles stall.
Ori Wellington:That's the critical cadence problem. AI-enabled business processes move at machine speed, often generating decisions in milliseconds. If your risk and compliance assurance mechanisms operate a human or uh periodic speed checking a box once a quarter, they become a massive drag coefficient. Trevor Burrus, Jr.
Sam Jones:Slowing deployment and stifling innovation velocity.
Ori Wellington:Exactly. The trust dividend ensures the assurance moves at the speed of the business. It's the difference between a real-time risk check and a quarterly audit report.
Sam Jones:And this escalation in the measurement requirement explains why the trust dividend is increasingly dominating board-level discussions. They're no longer just asking, are we compliant with current law?
Ori Wellington:No, the question is much bigger.
Sam Jones:They're asking, can we scale this multimillion dollar new business capability without facing regulatory signs, a major reputational setback, or a catastrophic model failure that just destroys enterprise value?
Ori Wellington:Precisely. The regulatory environment, particularly with the recent global context like the EU AI Act, emphasizes transparency, accountability, and traceable evidence. In this environment, AI fundamentally penalizes compliance era measurement logic. Assertions, you know, we believe we are doing the right thing, are no longer adequate.
Sam Jones:Evidence is everything.
Ori Wellington:Audit grade, traceable evidence is mandatory, and the cost of failure is the inability to deploy transformative technology, which means the multimillion dollar investment in the AI initiative itself is gated by the quality of your risk management infrastructure. This makes trust the decisive economic factor.
Sam Jones:Okay, let's unpack this structural problem now in the context of the tools that many risk leaders are still using to justify their spend. We established that the market's current value tooling is structurally biased toward legacy GRC. Let's dig into those specific structural biases, starting with what you call compliance gravity.
Ori Wellington:Compliance gravity is the gravitational pull of historical necessity. I mean, these calculators were born in the era of regulatory checklists.
Sam Jones:So they're built for that purpose.
Ori Wellington:They are. Therefore, they focus heavily on GRC program factors, framing measurement primarily around compliance throughput rather than integrated business outcomes. And the result is a subtle but powerful constraint. It limits the perceived value conversation purely to the cost of compliance.
Sam Jones:In other words, the tool itself, by its very design, encourages the risk leader to justify the technology purchase based on saving audit hours or reducing the risk of a small fine. Yes. Not based on enabling faster time to market or reducing the probability of catastrophic systemic failure.
Ori Wellington:Exactly. If the tool asks you primarily, how many reports did you consolidate? Or how much time did you save in policy review? It automatically anchors the executive listener to the realm of cost reduction. And cost reduction is important, but it is a weak argument for strategic multimillion dollar capital expenditure. This bias fundamentally fails to capture the true strategic lift provided by an integrated risk view that connects technology risk to enterprise performance.
Sam Jones:Okay. The second major bias you identify is silo bias and double counting. This seems unavoidable because organizations often mature incrementally buying tools for specific domains.
Ori Wellington:It is, but it's a credibility killer when you're trying to justify an integrated IRM investment. It destroys credibility quickly when finance performs even a basic challenge. Many vendors, and this reflects their own product structures and the silo adoption patterns of their early customers, they provide value calculators as discrete assets by domain. A calculator for security, one for compliance, one for internal audit, one for privacy.
Sam Jones:So when an organization buys an IRM suite that's intended to integrate these functions, the risk leader can easily fall into the trap of double counting the benefits across these disparate calculators.
Ori Wellington:This is a classic issue. Let's use a strong, specific example. Imagine you invest in a single centralized control testing system via your IRM platform. This system automates evidence collection for a single foundational activity. Verifying access controls on critical databases.
Sam Jones:That one activity.
Ori Wellington:One activity. But that one activity supports four separate programs: PCI compliance, ISO 270001 requirements, GDPR technical controls, and internal IT audit. Now, if you use four separate silo calculators, each calculator will claim the labor hours saved on that one activity.
Sam Jones:And suddenly you are claiming four times the actual labor saving for the same foundational investment, and your asserted ROI is artificially inflated.
Ori Wellington:Which, when challenged, instantly destroys the credibility of the entire business case. IRM's core value is using one piece of evidence for many purposes. It's deduplication. The measurement system must reflect that deduplication, but legacy silo calculators are structurally incapable of doing so because they were designed to prove the value of a discrete siloed point solution.
Sam Jones:And the third structural bias is backward-looking measurement logic. How does that fundamentally clash with the demands of continuous operations in the AI era?
Ori Wellington:Well, legacy models typically start with periodic activity counts to estimate efficiency improvements. They look backward and say, we ran 500 control tests last year and now we run a thousand with the same resources. Therefore, we have doubled efficiency. This is historical compliance era thinking.
Sam Jones:It's optimized for those periodic reporting cycles.
Ori Wellington:Exactly. But AI era trust requires something far more predictive, immediate, and continuous.
Sam Jones:It requires forward-looking assurance.
Ori Wellington:Absolutely. Forward-looking assurance, traceability, and continuous transparency evidence. AI-enabled systems are operating, adapting, and changing continuously, often at a cadence of hours or even minutes. The assurance cannot be periodic. It needs to be real-time, audit grade, and always on, providing continuous evidence of trustworthiness.
Sam Jones:And the old tools just can't do that.
Ori Wellington:Older backward-looking compliance era activity counters simply are not built to capture this continuous forward-looking validation necessary for scaling AI and autonomous operations. They measure what happened, not what is currently assured.
Sam Jones:So the implication here is really clear. These legacy GRC tools, they can be helpful for the initial business case, you know, justifying the move from a foundational stage to a coordinated stage.
Ori Wellington:Right. For that first step.
Sam Jones:But they quickly become a maturity ceiling because they reinforce silo thinking and they significantly underprice the trust dividend, which is now the most critical driver of modern strategic value.
Ori Wellington:The structural mismatch is now existential. We have to elevate both the measurement tools and the executive conversation.
Sam Jones:So let's tie this value discussion directly to the trajectory of organizational maturity. We're moving from basic centralization all the way to autonomous operation. And you track that along the IRM navigator curve.
Ori Wellington:Yes, the IRM navigator curve defines maturity through five stages: foundational, coordinated, embedded, extended, and autonomous. And how you measure value and which dividends you emphasize must evolve dramatically as you move across these stages.
Sam Jones:And if you use the wrong measurement model for your maturity level, you will stall.
Ori Wellington:So that's simple.
Sam Jones:Okay, so let's start with the early movement. Foundational to coordinated.
Ori Wellington:At these early stages, the legacy GRC calculators actually serve a valid tactical purpose. They support the business case justification for consolidation and standardization efforts. The ROI narrative, focused on achievable efficiency dividends through centralizing control inventories and simplifying reporting, is sufficient to justify that initial investment and the move away from spreadsheet-based chaos.
Sam Jones:But as the organization moves toward true integration, the measurement needs to mature dramatically. So that next step, from coordinated to embedded.
Ori Wellington:This transition is where the organization starts to truly integrate processes, you know, shared risk assessment methodologies, unified policy management, shared control testing. This transition requires sophisticated value instrumentation that spans domains and reflects truly integrated workflows.
Sam Jones:And this is the stage where the limitations of relying solely on the efficiency dividend become really apparent.
Ori Wellington:Oh, absolutely. Efficiency alone proves insufficient here. You have to start quantifying that cross-domain value reuse.
Sam Jones:You have to measure the deduplicated effort.
Ori Wellington:Precisely. You must start measuring the deduplicated effort, the reduction in risk transfer cost due to shared control efficacy, and the systemic uplift from having holistic visibility into the risk posture. This requires a rigor and measurement that spans security, compliance, and operational risk simultaneously, showing how integrated controls reduce the likelihood and severity of operational losses, which brings the loss mitigation dividend right into focus.
Sam Jones:And then the apex of the curve, the advanced stages, extended to autonomous. This requires deep ecosystem interoperability, continuous validation, and automated response loops.
Ori Wellington:This is the mandatory future state, and it's largely driven by the operational requirements of AI. And here, we must provide the mandatory definition from the research. Autonomous IRM is defined as continuous AI-enabled loops with bounded execution and audit grade evidence.
Sam Jones:That definition ties us right back to the trust dividend and the central argument of this entire discussion. The transition to higher maturity from extended to autonomous is explicitly tied to these AI era trust demands.
Ori Wellington:Absolutely. The AI penalty is the realization that if your current measurement systems are compliance-centric and periodic, they will prevent you from reaching these higher maturity stages.
Sam Jones:Why is that?
Ori Wellington:Because continuous autonomous operations demand continuous audit grade evidence, not periodic assertions. If your assurance mechanisms are slow, the enterprise cannot operate at the speed required for an autonomous environment. The measurement rigor moves from being, you know, an academic or a technical accounting exercise to a mandatory precondition for operational scale.
Sam Jones:So the investment in IRM is not just about buying software to save some time. It's buying the future capability to operate at machine velocity with evidence-based accountability.
Ori Wellington:It is an investment in systemic velocity and systemic control enablement, which directly protects the investments made in every other part of the business, particularly transformative technologies like AI.
Sam Jones:This reframing from ROI to dividends requires a conscious tactical shift in how risk leaders communicate with financial executives and the board. So let's make us tactical now. How should risk leaders speak to finance leaders about these dividends?
Ori Wellington:The first and most critical step is the vocabulary shift. Stop using the word ROI when you're discussing the total strategic value of the IRM program.
Sam Jones:Just drop it from the lexicon.
Ori Wellington:Drop it. Because that word demands specific singular attribution, a demand IRM cannot credibly meet. Instead, pivot to dividends. Focus the conversation on how IRM enables enterprise resilience and provides a performance lift across distributed areas. You're aligning your communication with the management construct, which finance leaders understand in terms of systemic improvement and capital protection.
Sam Jones:So instead of claiming we achieved a 25% ROI, you should lead with something like: we have realized a significant efficiency dividend through audit cycle time reduction, coupled with a quantifiable reduction in our 95th percentile expected loss across our high frequency cyber scenarios.
Ori Wellington:Exactly. That is a robust statement of value. Now, secondly, and this is crucial for maintaining long-term credibility, risk leaders must be rigorously disciplined about the efficiency dividend. You must avoid overclaiming savings.
Sam Jones:That's a huge trap.
Ori Wellington:It is. Never promise deterministic cash savings unless they are demonstrable through a verifiable plan for headcount reduction or the clear elimination of a current vendor contract.
Sam Jones:So instead of cash savings, the focus should be on capacity redeployment.
Ori Wellington:Yes. Focus relentlessly on the capacity redeployment aspect. Quantify the ability to execute more high-value, work-like strategic AI risk modeling or geopolitical threat monitoring within the existing resource structure. You are unlocking capacity that can then be strategically redirected toward innovation, growth, or proactively addressing emerging systemic risks.
Sam Jones:And that's a real measurable asset.
Ori Wellington:Capacity redeployment is a real, measurable, and highly valuable asset, whereas unsubstantiated cash savings are easily dismissed as wishful accounting.
Sam Jones:And finally, defending trust investments. The trust dividend is paramount in the AI era. But how do we defend that without falling back on those shaky revenue attribution claims we advised against?
Ori Wellington:You defend trust investments by focusing on the friction removed and most importantly the fact that trust is the gating economic factor for scaling high-leverage assets like AI. Don't claim this new privacy platform will increase revenue by 2%. That's fragile.
Sam Jones:So what's the better claim?
Ori Wellington:Instead, quantify the reduction in time to market due to faster legal and privacy sign-offs, meaning the product is in the customer's hands 30 days sooner. Quantify the reduced probability of a late-stage project reversal that's a verifiable material cost avoidance that protects massive development investments.
Sam Jones:So the executive argument becomes this investment in our IRM assurance infrastructure is mandatory because without the embedded assurance it provides, our most transformative initiatives, AI, digital transformation, expansion to new markets, they cannot scale.
Ori Wellington:And therefore, their multimillion dollar investments are at risk of stalling or reversal. You move the conversation from being a defensive cost avoidance mechanism to an offensive value enablement and systemic capital protection mechanism.
Sam Jones:You're enabling future growth while simultaneously de-risking the present operating environment.
Ori Wellington:That's the conversation to have.
Sam Jones:So what does this all mean? The core message from our deep dive today is that integrated risk management is a powerful distributed value generator. However, its value has been systematically underpriced by risk leaders who are still relying on legacy compliance era ROI measurement models.
Ori Wellington:And risk leaders must urgently upgrade their measurement from that compliance era ROI narrative to a rigorous dividend framework. It has to encompass efficiency, loss mitigation, and crucially trust to capture the true strategic value. This shift is no longer optional. It is mandatory for executive steering enterprises through the accelerated complexity and velocity demands of the AI era.
Sam Jones:And that complexity raises a final provocative thought for all of you grappling with these investment decisions. The rise of AI ensures that measurement rigor is no longer merely a technical accounting exercise. It is now a mandatory precondition for operational scale. So the question to ask is this Can your current measurement system handle the speed and the continuous evidence demands of an autonomous operating environment? If not, your scale is constrained, regardless of the quality of your AI models.
Ori Wellington:And if you want to dive deeper into the economics, the measurement models, and the specific insights from the research that drove today's conversation, we encourage you to subscribe to Wheelhouse Advisors Premium Research, the RTJ Bridge.
Sam Jones:You can find that premium research by navigating to the url rtj dash bridge dot com. We appreciate you taking this deep dive with us today.