The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S7E3: Why ERM Keeps Getting Ignored
93% is not a rounding error, it’s a warning flare. When enterprise leaders ask for guidance on the biggest strategic risks ahead, many risk teams respond with a quarterly risk register and a heat map. That’s not “wrong,” it’s simply what a compliance-first system is designed to produce. The result is an asymmetric exchange: executives need a radar, and the organization hands them a snapshot from the past.
We walk through new practitioner research from COSO and Crowe alongside John A. Wheeler’s analysis in the RiskTech Journal to explain why the ERM strategy gap persists. Our core claim is straightforward: the failure of ERM is largely structural, not behavioral. When ERM gets fused with GRC under the same reporting line, tooling, and audit committee cadence, uncertainty gets treated like a defect. That destroys psychological safety, suppresses early warning signals, and leaves strategy teams flying blind.
To make the fix practical, we map Wheeler’s IRM Navigator Compass (West GRC, South technology risk, East operational risk, North ERM) and the IRM Navigator Curve (foundational through autonomous maturity). We also pressure-test the model against what top practitioners are actually facing right now: AI governance, data governance, third-party dependency, and geopolitical volatility. If agentic AI can make decisions at machine speed, quarterly checklists and static matrices cannot be your governance plan.
If you want ERM to shape strategic planning, start by rebuilding the architecture that produces decision-useful signals. Subscribe, share this with a risk leader or board member, and leave a review with the biggest “West Anchor” symptom you see in your organization.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
The Shocking 93% Disconnect
Sam Jones: Ninety-three percent. I mean, just think about that number for a second.
Ori Wellington: It's uh it's genuinely staggering when you actually unpack it.
Sam Jones: Right. Welcome to this deep dive on the Risk Wheelhouse podcast, where we're looking at a completely mind-blowing disconnect today. Because in nine out of ten Fortune 500 companies right now, the department literally named Enterprise Risk Management is, well, they're entirely shut out of the company's strategic planning.
Ori Wellington: Yeah. They have absolutely no voice in how the enterprise strategically moves forward. They're just, they're completely blind to the future.
Sam Jones: And we are diving deep into exactly why that is, addressing you, the listener who knows this space and is probably feeling this exact pain point. We're pulling from this incredibly dense stack of research today.
Ori Wellington: Primarily focusing on two interconnected articles published just this week by John A. Wheeler.
Sam Jones: Right. In the RiskTech Journal, which is of course a free weekly publication by Wheelhouse Advisors. And Wheeler is bringing, what, like three decades of executive risk advisory to this?
Ori Wellington: Yeah, 30 years. And he's looking at a problem that is, quite frankly, paralyzing boardrooms globally.
Sam Jones: So our mission today is to uncover exactly why that 93% failure rate exists. And we want to decode a completely new way of mapping out organizational risk using a framework Wheeler calls the IRM Navigator Compass.
Ori Wellington: Because the premise we're exploring here is vital. You know, the failure of ERM isn't, uh, it isn't a human capital issue.
Sam Jones: Right. It's not like the employees are just bad at their jobs.
Ori Wellington: Exactly. It isn't because of bad corporate culture or lazy employees. The reason risk management is failing to impact corporate strategy is due to an architectural flaw in how businesses are fundamentally built.
Sam Jones: It's a structural failure, not a behavioral one. And to really understand that architectural flaw, I think we need to look at how this failure manifests in the real world, right? Let's go straight into the boardroom.
Ori Wellington: Oh, the classic boardroom scenario. It plays out exactly the same way everywhere.
The Boardroom Heat Map Problem
Sam Jones: Totally. Imagine the typical quarterly review at any major global enterprise. The CEO is managing, like, market volatility, supply chain disruptions, capital allocation, and they turn to their chief risk officer.
Ori Wellington: And they ask for guidance, right? They want the top three strategic risks threatening their current goals.
Sam Jones: Yes. The CEO is essentially asking for navigation. Like, where are the icebergs on our current route? And how does the CRO actually respond to that?
Ori Wellington: Well, they hand over a quarterly risk register refresh and a heat map.
Sam Jones: A heat map, right. And if I'm a CEO trying to allocate capital dynamically across a really volatile global market, a static matrix of green, yellow, and red boxes doesn't help me at all.
Ori Wellington: No, it's practically useless for what they're asking.
Sam Jones: I'm asking for forward-looking strategic velocity. And the CRO is handing me an inventory of known issues. It's like, well, it's like handing a ship's captain an inventory of life jackets when they are asking if there are icebergs on the current route.
Ori Wellington: That is a perfect analogy. It's a completely asymmetric exchange. The CEO nods politely, thanks the CRO for the compliance update, and absolutely nothing about the company's strategic direction changes.
Sam Jones: Nothing changes. Which perfectly aligns with the stark numbers we see in the new practitioner guide released by COSO and Crowe.
Ori Wellington: Right. The guide titled, uh, From Guidance to Action. That's exactly where that 93% figure comes from.
Sam Jones: 93% of ERM programs are just not part of the strategy conversation. But the perception gap in that COSO data is what really highlights the internal friction for me.
Ori Wellington: Yeah, the gap between what risk leaders want to do and what they actually do.
Sam Jones: Exactly. 98% of risk leaders believe ERM should play a strategic role, but only 7% report that it actually does.
Ori Wellington: So you have this entire profession that knows its mandate is supposed to be strategic, yet they are structurally locked out of doing it.
Sam Jones: And when you look at how the rest of the business views them, the lockout becomes even more apparent, doesn't it?
Ori Wellington: Oh, absolutely. 54% of these programs are viewed strictly as a compliance or assurance function.
Sam Jones: Oh.
Ori Wellington: Yeah. And only 28% are seen as a strategic partner.
Sam Jones: So the business units are looking at the ERM team and basically saying, you are the assurance mechanism. You produce evidence for the audit committee. You don't help us capture market share.
Ori Wellington: Exactly. Which completely explains why the CEO ignores the heat map. I mean, a heat map is inherently retrospective.
Sam Jones: Right. It categorizes a risk based on historical data and just freezes it in time.
Ori Wellington: It cannot show the velocity of a risk, and it certainly cannot map interconnected triggers across different business units.
Sam Jones: The executive team is asking for a radar system, and ERM is handing them a photograph of where the ship used to be. But the industry obviously recognizes this disconnect, right? Like, the failure is universally acknowledged.
Ori Wellington: Oh yeah. Everyone knows it's broken. But the real debate, and where John Wheeler's analysis sharply diverges from the COSO guide, is in the diagnosis of the underlying disease.
Sam Jones: Let's unpack that divergence. Yeah. Because the authors of the COSO and Crowe guide look at that 93% failure rate and they diagnose it as an implementation issue. Right.
Ori Wellington: They see it as a behavioral problem. Their interpretation is that the people in these roles just aren't, you know, executing the mandate correctly.
Sam Jones: So they prescribe behavioral fixes. They outline 10 operating disciplines for risk teams to adopt.
Ori Wellington: And they suggest establishing a minimum viable rhythm of about five hours a week, strictly dedicated to strategic risk conversations.
Sam Jones: And they also strongly advocate for a cultural shift toward candor, right? Yeah. Pushing business leaders to speak more openly about emerging threats.
COSO's Behavioral Fixes Debate
Ori Wellington: Exactly. Just be more honest and hold more meetings.
Sam Jones: But wait, if I'm looking at a 93% systemic failure rate across the entire global corporate landscape, it seems incredibly naive to say, well, everyone just needs to schedule five more hours of meetings and be more honest.
Ori Wellington: Yeah, it really does.
Sam Jones: That implies that 93% of global risk professionals are just lacking discipline, which defies statistical logic.
Ori Wellington: And that is precisely Wheeler's counterargument. He doesn't dismiss the value of operating discipline or candor. Good behavior is obviously always a net positive. Sure. But after 30 years of advising on these exact boardroom dynamics, he asserts that behavioral fixes will fundamentally fail to close this gap. You cannot fix a structural flaw with a behavioral patch.
Sam Jones: Okay, so if the root cause isn't human behavior, what is the exact structural flaw? What is this massive architectural error that companies have built into their own org charts?
Ori Wellington: It's conflation. Organizations have fatally conflated ERM, enterprise risk management, with GRC, governance, risk, and compliance.
Sam Jones: They've just mashed them together.
Ori Wellington: Exactly. They have taken two distinctly different disciplines, merged them under a single umbrella, and expected them to perform simultaneously.
Sam Jones: Let's really analyze what that conflation looks like mechanically inside a company. Because this isn't just, like, a naming convention issue, is it?
Ori Wellington: Not at all. This conflation dictates reporting lines, technology procurement, capital allocation, everything.
Sam Jones: Because in most enterprises, ERM and GRC report to the exact same leader.
Ori Wellington: They report to the same leader. They're forced to run on the exact same software platforms, they produce the exact same artifacts.
Sam Jones: And they present those artifacts to the exact same primary audience, right? The corporate audit committee.
Ori Wellington: Exactly. The corporate audit committee is the audience for both.
Sam Jones: But wait, if they share the same software architecture, the same leadership, and the same oversight committee, how can anyone realistically expect them to do two completely different jobs?
Ori Wellington: They can't. It's structurally impossible.
Sam Jones: Because the software itself is going to enforce a specific workflow. If the platform is built to track compliance sign-offs, you can't just magically use it to model dynamic geopolitical scenarios.
Ori Wellington: You really can't. The structure dictates the output. And to understand why this conflation is so incredibly toxic to corporate strategy, we have to isolate the fundamental DNA of what GRC and ERM are actually built to achieve.
Sam Jones: Let's do that. Let's look at their core objectives. What is the true mandate of governance, risk, and compliance? Like, what is GRC's actual job?
Ori Wellington: GRC's mandate is to bridge compliance and assurance. It exists to produce concrete evidence.
Sam Jones: Evidence for who?
Ori Wellington: For auditors and regulators. Evidence that internal controls are operating, that regulatory policies are being strictly adhered to, and that employees are checking the necessary boxes.
Sam Jones: Which means GRC is fundamentally wired for certainty. It operates in a binary pass or fail environment.
Ori Wellington: Completely binary. A control is either effective or it is deficient. A policy is either signed or it is ignored. Certainty is the ultimate currency of GRC.
The Real Issue: ERM And GRC
Sam Jones: And contrast that with the true mandate of ERM. ERM is not designed to bridge compliance and assurance.
Ori Wellington: No, ERM is designed to bridge assurance and performance.
Sam Jones: Performance, that's the key word there.
Ori Wellington: Exactly. ERM's job is not to produce historical evidence of compliance. Its job is to produce decision-useful uncertainty signals.
Sam Jones: Right. It exists to tell executives and capital allocators whether their strategic assumptions are holding up against external reality. And to identify the triggers that indicate a strategy actually needs to pivot.
Ori Wellington: So if GRC is wired for certainty, ERM requires the exact opposite. It requires exploring widening ranges of probability. It requires looking at weakening market assumptions.
Sam Jones: You are trying to quantify the unknown, which, you know, it's kind of like GRC is like grading a math test. There is a definitive right and wrong answer.
Ori Wellington: That's a great way to put it.
Sam Jones: But true ERM is like forecasting the weather for a high-stakes outdoor event. It's about ranges of probability and preparedness.
Ori Wellington: Right. And that fundamental difference brings us to a really distorting statistic from the COSO survey that suddenly makes perfect sense in this context.
Sam Jones: Oh, the psychological safety one?
Ori Wellington: Yes. Only 20% of respondents report having high psychological safety in leadership risk discussions.
Sam Jones: That is wild. Only 20% feel safe talking about risk. But I guess that lack of psychological safety is a direct symptom of conflating certainty and uncertainty.
Ori Wellington: It absolutely is. Think about the psychological environment of GRC. GRC rewards a checked box and heavily punishes ambiguity.
Sam Jones: Because to an auditor, ambiguity is a control failure.
Ori Wellington: Exactly. So if I'm a business unit leader and my risk department is structurally built as a GRC function, raising uncertainty is basically career suicide.
Sam Jones: Because if I walk into a meeting and say, hey, the consumer data for our new product launch in Europe is getting volatile and our baseline assumptions might be 20% off, I am looking for a strategic discussion on capital reallocation.
Ori Wellington: But if you raise that in a conflated environment, which is what 93% of these companies are operating in, the system processes your strategic uncertainty as a compliance failure.
Sam Jones: Oh, wow. So the response isn't, let's model some new scenarios.
Ori Wellington: No, the response is, you are out of compliance with your initial projections. This is a deficiency. Why haven't you remediated this?
Sam Jones: That is terrifying. You are literally punished for raising a performance signal because the structure only knows how to process assurance data. No wonder no one feels safe talking about risk.
Ori Wellington: Right. And when business leaders push back, when they tell the risk team, you're just checking boxes, you're slowing us down, they're making a completely accurate diagnosis.
Sam Jones: Because the risk team has been forced to bridge to the wrong objective.
Ori Wellington: Exactly. Which brings us to the visual framework John Wheeler uses to dismantle this conflation. He maps this out using the IRM Navigator Compass.
Sam Jones: And to visualize this, you really have to picture the four cardinal directions, right? Each anchoring a specific domain of risk. Let's map the compass for the listener.
Ori Wellington: Okay, let's start at the West Anchor.
Sam Jones: What's sitting on the West Anchor?
Ori Wellington: The West Anchor is GRC. Governance, risk, and compliance. And this anchor is fundamentally tied to organizational policies. It is a defensive perimeter. Got it.
Sam Jones: Policies and defense. Then we move down to the South Anchor.
Ori Wellington: The South Anchor is TRM, Technology Risk Management. This is tied to your assets.
Mapping Risk With The Compass
Sam Jones: Meaning your digital infrastructure, your physical hardware, your data security, all of that.
Ori Wellington: Exactly. So West is policies, South is assets.
Sam Jones: Over on the East Anchor, we have what?
Ori Wellington: The East Anchor is ORM, Operational Risk Management. This domain is tied to processes.
Sam Jones: So the actual day-to-day friction of running the business.
Ori Wellington: Right. Supply chains, health and safety protocols, business continuity, third-party vendor management. That all lives in the East.
Sam Jones: Which leaves the North Anchor. What is pointing north?
Ori Wellington: The North Anchor is ERM, Enterprise Risk Management, and it is tied entirely to goals.
Sam Jones: Goals. So it points toward the strategic horizon, focusing on performance, market share, and capital allocation.
Ori Wellington: Precisely. And this compass model completely clarifies the architectural flaw we've been talking about.
Sam Jones: Because if we look at what happens when a company conflates ERM with GRC, when they put them under the same leader in the same audit committee reporting line, they are effectively taking the ERM function and dragging it off the North Anchor.
Ori Wellington: Yes. They drag it all the way over to the West. Wheeler calls this the severed bridge.
Sam Jones: The severed bridge.
Ori Wellington: When ERM is forced into the West Anchor, the North Anchor completely empties out. The bridge between assurance and performance is destroyed. The company is flying blind strategically.
Sam Jones: So to paint a picture for you listening, it's like you have an entire organization crowded on the west side of the ship, meticulously verifying that the compliance lifeboats are secured, while absolutely no one is standing at the bow looking north to see where the ship is actually sailing.
Ori Wellington: That's exactly it. And this is why Wheeler makes a very crucial distinction here. He says that the 54% of programs that the business views as mere compliance functions aren't actually failing.
Sam Jones: Right. They aren't failing.
Ori Wellington: They aren't failing at their assigned structure. They are successfully executing GRC because that is how they are structurally built and incentivized.
Sam Jones: Oh, I see. If you build a machine to optimize for certainty and compliance, you cannot fault the machine when it produces heat maps and audit reports instead of dynamic strategic forecasting.
Ori Wellington: Exactly. Separating ERM from GRC doesn't mean diminishing GRC. GRC on the West Anchor is absolutely vital for keeping the enterprise legally viable.
Sam Jones: But separating them is the only way to allow the North Anchor to actually function.
Ori Wellington: Right.
Sam Jones: So if an enterprise leadership team is listening to this right now and they realize their North Anchor is completely empty, what does structurally repositioning ERM actually entail? Like, what does a properly functioning North Anchor look like in practice?
Ori Wellington: Well, the first fundamental change is the data feeds. An ERM function on the West Anchor relies on internal audit reports and compliance attestations.
Sam Jones: Backward-looking data.
Ori Wellington: Exactly. But a north-anchored ERM relies on operational telemetry, financial systems data, and external market indicators. It ingests data to stress test strategic assumptions.
Sam Jones: And the cadence has to change as well, right? You can't run a North Anchor on a quarterly refresh cycle.
What A North Anchored ERM Does
Ori Wellington: No, the timing completely shifts. The reporting cadence of a north-anchored ERM aligns with the heartbeat of the business itself.
Sam Jones: So it aligns with, like, capital allocation gates, M&A evaluations, and major product delivery checkpoints.
Ori Wellington: Exactly. And the outputs graduate from static to dynamic. You basically throw the heat map in the trash.
Sam Jones: Good riddance to the heat map. So what replaces it?
Ori Wellington: You replace it with scenario ranges, leading indicators, and specific trigger thresholds that alert executives when a strategic assumption is deteriorating.
Sam Jones: And most importantly, the primary audience changes, doesn't it?
Ori Wellington: Oh, absolutely. You no longer report primarily to the audit committee; you report to the executive team and the strategy committee of the board.
Sam Jones: Now, this theoretical framework makes total logical sense, but Wheeler doesn't stop at theory. To prove how pervasive this conflation is, we have to look at the second article in our source material.
Ori Wellington: Right, which analyzes real-world evidence from a recent, highly prestigious gathering of risk practitioners.
Sam Jones: Yes. The 2026 ERM Roundtable Summit at NC State's Poole College. This summit gathered over 110 top-tier risk professionals.
Ori Wellington: And we should clarify: this is not a group of novices. These are the people defining the industry standard for Fortune 500 companies.
Sam Jones: Absolutely. And at this summit, two major case studies were presented that perfectly illustrate the trap of the West Anchor. We have presentations from Christy Absher of ExxonMobil and Chelsea Javorski Smith of Westinghouse.
Ori Wellington: On paper, their programs sound like the absolute pinnacle of corporate risk management. They are massive, highly mature, incredibly impressive achievements.
Sam Jones: Let's look at ExxonMobil first. Christy Absher detailed a program based on aligned assurance.
Ori Wellington: Right. This was a monumental structural effort to connect compliance, internal audit, legal, and operational risk into a unified taxonomy.
Sam Jones: Giving leadership shared visibility across all traditional lines of defense. To achieve that at the scale of ExxonMobil requires immense capital, political capital, and technological integration. It is a massive undertaking.
Ori Wellington: It really is. And then you have Westinghouse.
Sam Jones: Right. Chelsea Javorsky Smith described a program at Westinghouse that was deeply embedded into strategic planning, largely sustained through intense relationship-driven networks across business functions.
Ori Wellington: Allowing the risk team to navigate years of organizational upheaval. These programs are celebrated as the gold standard of ERM.
Sam Jones: But Wheeler delivers a brutally provocative diagnosis of these case studies. He looks at ExxonMobil and Westinghouse and says, these are phenomenal programs, but they are absolutely not ERM.
Ori Wellington: Yeah, he says they are perfect examples of successful GRC at the coordinated stage.
Summit Evidence From Top Practitioners
Sam Jones: But wait, if I'm the CEO of ExxonMobil and I'm spending tens of millions of dollars integrating my audit and legal teams, if my team stands up at an ERM summit and calls it ERM, isn't it a bit bold for an advisor to reclassify it as just GRC?
Ori Wellington: It sounds incredibly bold, maybe even arrogant, until you apply the structural definitions of the compass.
Sam Jones: Right. Try telling my shareholders that aligned assurance isn't a strategic risk function.
Ori Wellington: Well, to understand his diagnosis, we have to introduce the evolutionary component of Wheeler's framework, the IRM Navigator Curve.
Sam Jones: So if the compass maps the positions of risk, the curve maps the evolution of risk maturity over time.
Ori Wellington: Exactly. It maps out how an organization actually evolves its risk capability.
Sam Jones: Okay, let's dissect this curve for the listener. How does it work?
Ori Wellington: The curve tracks the journey from a state of complete risk dysfunction to a state of complete risk agency across five specific stages.
Sam Jones: What are those five stages?
Ori Wellington: They are foundational, coordinated, embedded, extended, and autonomous.
Sam Jones: Foundational, coordinated, embedded, extended, autonomous.
Ori Wellington: Okay. Where do ExxonMobil and Westinghouse sit on this evolutionary timeline?
Sam Jones: They have successfully mastered the transition from the foundational stage to the coordinated stage.
Ori Wellington: Let's define what that means. What is the foundational stage?
Sam Jones: The foundational stage is just getting your house in order. It's basic ad hoc compliance, ensuring policies are written, checking the mandatory legal boxes.
Ori Wellington: It's the bare minimum required to not get shut down by regulators.
Sam Jones: Exactly. Moving from foundational to coordinated requires massive investment, but it is fundamentally a GRC investment. Because the coordinated stage is about standardizing reporting, right?
Ori Wellington: Yes. Creating a shared taxonomy and forcing audit, legal, and compliance to talk to each other so the board gets a unified picture of assurance.
Sam Jones: Which is exactly what ExxonMobil's aligned assurance is. It is the absolute peak of coordinating the West Anchor.
Ori Wellington: Right. But Wheeler's point is that if you define ERM simply as integrating your lines of defense, all you are doing is pouring concrete around your GRC function and labeling it strategy.
Sam Jones: You've built a beautiful coordinated compliance machine. But the North Anchor, the bridge to performance, the forecasting of strategic uncertainty, remains completely unbuilt.
Ori Wellington: Exactly. So mastering the coordinated stage is a trap if you think it's the finish line. It just makes you the best in the world at backward-looking assurance.
Sam Jones: Okay, so if coordinated isn't the end goal, how does an enterprise actually break out of the West Anchor? What defines the transition to the next stage, the embedded stage?
Ori Wellington: To reach the embedded stage, the conversation has to shift away from assurance entirely. Embedded risk means the risk function is no longer a separate oversight department asking business units for quarterly reports.
Sam Jones: It has to be baked in.
Ori Wellington: Yes. It means risk mechanics are woven directly into the daily operational processes of the business, sustained by real-time monitoring rather than periodic audits.
Sam Jones: Which brings us back to the compass. If West is GRC and North is ERM, embedded risk is the activation of the East Anchor, right?
Ori Wellington: Yes, the East Anchor. ORM, or operational risk management.
Sam Jones: Because ORM encompasses the massive, complex realities of daily execution. It covers ESG and sustainability, environmental health and safety, supplier and third-party risk, and business continuity.
Ori Wellington: It is exactly where strategy meets the friction of reality.
Sam Jones: And we actually have a prime example of an organization attempting this embedded stage execution from the summit sources.
Ori Wellington: We do, during the Westinghouse presentation.
Sam Jones: Right. They detailed their response to the COVID-19 pandemic. They executed an 18-month cross-functional assessment that engaged eight different work streams.
Ori Wellington: They were diving deep into supply chain resilience, workforce availability, and infrastructure stability.
Sam Jones: That is a textbook definition of operational risk management operating at an intense, embedded stage level.
Ori Wellington: It really is. You are mapping out how a localized shock to a tier two supplier in Asia impacts workforce deployment in Europe. It requires deep process integration.
Sam Jones: But there was a glaring vulnerability in how Westinghouse sustained this, which Wheeler highlights.
Ori Wellington: A huge vulnerability.
Sam Jones: Chelsea Javorsky Smith explicitly stated that her ability to execute this level of integration relied heavily on her strong personal relationships across the enterprise.
Ori Wellington: Yeah, she noted that without those relationships, she wouldn't have been invited to the strategic planning tables.
Sam Jones: And this is where we have to dissect a very dangerous corporate myth, because we are constantly told that business is all about relationships, right? That breaking down silos requires networking and personal capital.
Ori Wellington: We hear it all the time. But Wheeler points out that relying on personal relationships to execute enterprise risk is a fatal structural vulnerability.
Sam Jones: But why? Like, if relationships are the glue of a successful corporate culture, why is it a liability for the risk team to rely on them?
Ori Wellington: Because true embedded risk must survive the individual. Think about the mechanical fragility of a relationship-driven program.
Sam Jones: Okay, fragile how?
Ori Wellington: What happens if Chelsea Javorski Smith gets poached by a competitor? What happens if Westinghouse acquires a massive new subsidiary where she has zero established relationships?
Sam Jones: Oh, I see. Or what happens during an unprecedented zero-day crisis where there is literally no time to call in favors and schedule alignment meetings?
Ori Wellington: Exactly. The entire risk apparatus collapses.
Sam Jones: So if your risk program only functions because the business leaders happen to like and trust the risk officer enough to invite them to the meeting, you do not actually have an embedded risk program.
Ori Wellington: No, you just have a highly charismatic individual doing heroic ad hoc work.
Sam Jones: Risk is in the process, not in the relationship. That concept is so powerful.
Relationship-Driven Risk Breaks Under Stress
Ori Wellington: It's essential. True embedded maturity means the risk triggers, the data telemetry, and the reporting mandates are hard-coded into the operational workflows.
Sam Jones: The system has to detect the failing supply chain, regardless of who is sitting in the CRO's chair.
Ori Wellington: Precisely. And this transition from relationship-driven risk to process-driven, hard-coded risk is no longer just an academic debate about best practices.
Sam Jones: No, it has become an immediate existential necessity due to the terrifying velocity of emerging threats, which transitions us into the most urgent application of this entire framework.
Ori Wellington: Yes. Why this structural shift has to happen today, not next quarter.
Sam Jones: Because at the end of the pool summit, the organizers ran a round-robin discussion to uncover the raw, unfiltered pressures keeping these top practitioners awake at night.
Ori Wellington: And the consensus was immediate. The top shared pressures across the board were AI and data governance, coupled with massive geopolitical uncertainty.
Sam Jones: Let's plot those threats on the IRM Navigator Curve. We've discussed foundational, coordinated, and embedded. Where do AI and geopolitics sit?
Ori Wellington: They sit squarely in the extended and autonomous stages of the curve. These are highly interconnected, hyperspeed operational risks that exist far beyond the traditional four walls of the enterprise.
Sam Jones: Let's zero in on AI governance, because this perfectly illustrates the failure of the conflated West Anchor. We aren't just talking about employees using a chatbot to write marketing copy here.
Ori Wellington: Oh no. We are talking about the deployment of agentic AI.
Sam Jones: Agentic AI, meaning artificial intelligence systems granted agency to execute tasks autonomously across enterprise workflows to achieve predefined goals.
Ori Wellington: Right. You are looking at AI systems dynamically rerouting global shipping logistics based on real-time weather satellite data.
Sam Jones: Or autonomous pricing algorithms adjusting costs across millions of SKUs in milliseconds based on competitive micro-movements.
Ori Wellington: They are making operational decisions at literal machine speed, 24 hours a day.
Sam Jones: Now imagine a traditional West Anchored GRC program trying to govern an agentic AI system. The CRO walks in with their quarterly risk register refresh and a heat map.
Ori Wellington: It is completely absurd. It is structurally impossible to govern a system executing 10,000 decisions a minute using a quarterly compliance cadence.
Sam Jones: It's a total mismatch of velocity. Trying to manage agentic AI with a quarterly heat map is like trying to photograph a speeding bullet with a Polaroid camera. By the time the picture develops, the damage is already done.
Ori Wellington: Exactly. If an organization treats AI governance like a traditional GRC exercise, meaning they just verify that an AI ethics policy was signed by the engineering team and check a box, they are governing the ghost of yesterday's risk.
Sam Jones: Meanwhile, tomorrow's risk is actively executing code, reallocating capital, and altering supply chains in their live environment.
Ori Wellington: The traditional tools of certainty and compliance shatter under the pressure of machine speed uncertainty.
Sam Jones: You cannot check a box to govern an autonomous algorithm. You have to embed real-time telemetry directly into the AI's operational domain. You need cross-domain analytics to monitor the triggers.
Ori Wellington: Which is why Wheeler noted something very telling about the summit itself. The fact that AI governance surfaced organically during a round-robin discussion rather than being the structured keynote of the conference is a massive signal.
Sam Jones: What does that signal tell us?
Ori Wellington: It indicates that enterprises are treating AI as a peripheral challenge, something they hope they can manage at the coordinated stage by just drafting a new policy.
Sam Jones: But the moment they realize their static, relationship-driven infrastructure cannot keep pace with algorithmic velocity, the structural cracks turn into fault lines.
Ori Wellington: Exactly. So how does an enterprise actually fix this? As we pull these threads together, we have to synthesize the behavioral prescriptions of the COSO guide with the structural imperatives of Wheeler's compass.
Sam Jones: Because Wheeler isn't telling companies to throw the COSO guide away, is he?
Ori Wellington: Not at all. The COSO guide's 10 disciplines, the focus on cadence, the culture of candor, those are the correct behaviors.
Sam Jones: But behaviors are fundamentally like software. If you install brilliant software on the wrong hardware architecture, it will crash.
Ori Wellington: Precisely. You must apply those behaviors inside the correct positional frame.
AI Governance Moves At Machine Speed
Sam Jones: So the ultimate path forward is a sequential structural realignment. Step one, stop the conflation. Separate ERM from GRC.
Ori Wellington: Yes. Leave GRC firmly on the West Anchor. Resource it properly to do its vital job of bridging compliance and assurance. Let it produce certainty for the regulators.
Sam Jones: Then consciously build a distinct ERM function on the North Anchor, entirely focused on bridging assurance and performance.
Ori Wellington: And step two is guiding the evolutionary investment along the IRM curve. Once you have built your foundational and coordinated GRC, you have to stop buying more GRC and calling it strategy.
Sam Jones: You must shift your investment horizontally into the East Anchor.
Ori Wellington: You move to the embedded stage by investing in operational risk management. You hard-code risk telemetry into your processes so it survives the departure of key personnel.
Sam Jones: And from there, you build toward the extended and autonomous stages to handle third-party networks and AI velocity. It is a deliberate, stage-by-stage journey.
Ori Wellington: And when an organization actually completes this structural realignment, when they empower a true North Anchored ERM, they finally unlock what the CEO in our boardroom example was begging for in the first place.
Sam Jones: Right. Dynamic, forward-looking, decision-useful signals about the strategic performance of the enterprise.
Ori Wellington: You finally give leadership a radar system instead of an inventory of life jackets.
Sam Jones: For those of you listening who recognize your own organization in these 93% failure statistics and want to explore the mechanics of this transition further, these frameworks are incredibly accessible.
Ori Wellington: Yes, the IRM Navigator Compass, the IRM Navigator Curve, and this level of deep positional analysis are central to John A. Wheeler's ongoing work at Wheelhouse Advisors.
Sam Jones: You can follow this evolving methodology in their free publication, the RiskTech Journal, which provided our source material today.
Ori Wellington: And for enterprises actively looking to execute this structural shift, Wheelhouse provides a premium research platform called the RTJ Bridge.
Sam Jones: Right. It connects this topical coverage directly to actionable, exhaustive research notes within their IRM Navigator Report series. You can find all of this, including episodes of the Risk Wheelhouse podcast, at WheelhouseAdvisors.com.
Ori Wellington: It is the literal blueprint for moving an enterprise from risk dysfunction to risk agency. It provides the architectural schematics to rebuild that severed bridge.
Sam Jones: We have covered immense ground today. We started in a frustrating, stagnant boardroom. We diagnosed the fatal conflation of ERM and GRC.
Ori Wellington: Contrasting the past failed psychology of certainty against the dynamic necessity of uncertainty.
Sam Jones: We mapped out the four anchors of the IRM compass, redefined the coordinated achievements of ExxonMobil and Westinghouse, and stared down the machine speed velocity of agentic AI.
Ori Wellington: And the connective tissue through all of it is that structure dictates output. If you want strategic foresight, you have to build an architecture capable of producing it.
Sam Jones: You absolutely do. But as we wrap up this deep dive, I want to leave you with one final thought to mull over. We spent this time breaking down how the conflation of risk and compliance destroys strategic visibility.
Ori Wellington: But think about the opportunity cost of that blindness over time.
Sam Jones: The compounding effect, right. If our global corporate structures have spent the last three decades systematically confusing backward-looking certainty with forward-looking performance.
Rebuilding The Bridge To Strategy
Ori Wellington: It really makes you wonder.
Sam Jones: It does. How much incredible, world-changing innovation has your organization missed out on, not because the ideas were bad, but simply because the people in charge of analyzing risk were structurally forbidden from looking at the future? Thank you for joining us on this deep dive. Go take a hard look at your organization's compass, find out where your anchors are dropped, and we will see you next time.