The Risk Wheelhouse

Wheelhouse Advisors LLC

The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.

  1. 6 DAYS AGO

    S5E4: Unified IRM - AI Governance, Acquisitions and Alliances

    The ground under GRC is shifting, and it’s not subtle. We break down how unified integrated risk management is replacing checklist compliance with an operating model that ties performance, resilience, assurance, and compliance together. From AI governance to ESG at the board level, we follow the money, the deals, and the data to show where risk management is actually going—and how to get there without drowning in spreadsheets. We dive into why AI governance is now table stakes for any serious IRM platform, what an effective AI registry and dynamic risk assessment look like, and how automated compliance mapping to the NIST AI RMF, ISO 42001, and the EU AI Act changes daily work. Along the way, we unpack recent moves like AuditBoard’s AI-focused acquisition and its expanded alliance with a major consultancy, illustrating why services plus software has become the adoption formula. On the ESG front, partnerships that link board reporting with carbon accounting signal a deeper integration of climate and sustainability data into operational risk and financial performance. For leaders in regulated industries, we highlight practical gains from automated evidence collection, pre-built control content, and faster audit cycles—and we hammer on outcome proof as the only real test of integration. You’ll leave with three actionable steps: treat AI governance as foundational, demand verified customer outcomes, and pair your platform with expert implementation to deliver value in 90 days. We close by exploring the next frontier: agentic AI for continuous control monitoring, and the new risks that come when machines start guarding the machines. Subscribe, share with a colleague who owns risk or audit, and leave a review telling us the one metric you need to trust a platform’s integration. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    16min
  2. OCT 15

    S5E3: 2025 ORM Vendor Compass - The Enterprise Resilience Engine

    Resilience isn’t a binder anymore. It’s a live system that has to perform under pressure. We pull apart the 2025 IRM Navigator™ Vendor Compass for Operational Risk Management (ORM) to show how ORM moved from back-office compliance to the execution engine of enterprise resilience. The stakes are massive. They include billions in spend, tighter regulations across the US, UK, and EU, and a rising demand for continuous, auditable proof that controls actually work when services fail. We break down where ORM sits inside integrated risk management and how it turns risk appetite into daily action across business continuity, incident and loss event operations, KRIs, EHS, and deep third-party and supply chain risk. Then we unpack the four structural drivers forcing change: buyers rewarding measurable outcomes over feature checklists, resilience defined as end-to-end service delivery, assurance-grade automation with transparent trust layers and data lineage, and the hard convergence of TPRM with continuity and incident response as vendor failures directly hit customer experience. If one in three major incidents involves an external partner, vendor monitoring can’t live on the sidelines. To make this practical, we map the vendor landscape across two dimensions—solution coverage and level of integration—and explain three categories that align to your maturity curve. Integrators like Riskonnect and IBM OpenPages centralize claims, continuity, RCSAs, KRIs, and loss events under strong governance for complex enterprises. Accelerators such as ServiceNow, Hyperproof, and Safe Security embed controls and monitoring into existing workflows fast, moving teams from coordinated to embedded. Pace setters like Fusion Risk Management, ProcessUnity, and Origami Risk deliver targeted wins in resilience mapping, third-party risk, and incident-to-claims operations. The takeaway is simple: aim for defensible operational assurance without drowning in manual work. As AI-native runbooks evolve by simulating impacts, selecting responses, and triggering mitigation with audit-ready evidence, the question becomes whether your current telemetry and control data will meet disclosure-grade standards. Subscribe, share with your risk and operations teams, and leave a review with your biggest challenge. Where are you on the maturity curve, and what proof do you still need? Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    17min
  3. OCT 6

    S5E2: Redrawing Data Lines - DOJ’s DSP and the New National Security Mandate

    Your “encrypted” data may still be regulated, and today the rules start to bite. We unpack how the Department of Justice’s Data Security Program moves from guidance to strict enforcement and why it reframes data governance as a national security mandate. From redefining “covered data” to treating anonymized and encrypted datasets as in-scope when they enable linkage or inference, we walk through what changes right now for risk leaders, counsel, and compliance teams. We detail the two buckets that matter: prohibited transfers that stop cold, and restricted transfers that demand verifiable, ongoing controls. You’ll hear how the rule targets six countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela), and why your contracts, audits, and vendor oversight must reach beyond first-line providers into sub-processors and hidden supply-chain links. We share a practical playbook: deep data mapping across systems and shadow IT, tiered vendor due diligence that verifies beneficial ownership and jurisdictional exposure, and contract clauses that add audit rights, localization, and explicit DSP obligations. Training becomes the connective tissue so sales, procurement, and operations can spot and halt restricted transactions before they happen. Zooming out, we connect compliance to resilience. Treat this as a defense capability: build architectures that segment sensitive data, constrain cross-border flows, and maintain auditable trails. Prepare for forced decoupling scenarios with diversified providers and kill-switches. The hard question we leave you with: how many tiers deep should your due diligence go to prove control under this new national security lens? Press play to learn the steps to take today, and the mindset shift that will keep you both compliant and resilient. If this was useful, follow the show, share it with your team, and leave a review so more leaders can find it. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    15min
  4. SEP 30

    S5E1: When AI manages risk, who manages the AI?

    Autonomous IRM is moving from the lab into the core of enterprise risk, compliance, and security, and the stakes couldn’t be higher. When a self-learning agent flags threats, scores claims, or polices policy violations, who is accountable, how do we intervene, and what proof can we show regulators and customers? We unpack the three frameworks shaping credible answers: ISO/IEC 42001 as a certifiable management system that embeds AI governance into everyday processes, the EU AI Act as hard law with high‑risk tiers and eye‑watering fines, and the NIST AI Risk Management Framework as a practical playbook for building trustworthy systems. We start with the boardroom view: why ISO 42001 pays off in demonstrable maturity, how the EU AI Act elevates AI to enterprise risk with penalties up to seven percent of global turnover, and where NIST establishes a common language (fairness, transparency, security, and accountability) that unites legal, risk, and engineering. Then we translate strategy into execution. You’ll hear how to build an AI Management System on PDCA, run gap assessments for high‑risk use cases, design human-in/on‑the‑loop oversight, and stand up continuous monitoring, logging, and post‑market incident reporting. We also break down NIST’s Govern‑Map‑Measure‑Manage flow so teams can pilot on a few use cases, validate bias and robustness, and scale with confidence. Finally, we tackle the accountability puzzle of autonomous agents. ISO demands end‑to‑end auditability and explainability across the lifecycle. The EU AI Act limits unchecked autonomy, mandates human oversight, and bans dangerous applications like social scoring and manipulative systems. NIST frames the agent as a socio‑technical system that needs named owners, security guardrails, bias evaluation, and contingency plans. Through scenarios (cyber threat detection in banking, fraud triage in insurance, and an autonomous IRM assistant) we show how to layer the frameworks: law sets the what, ISO and NIST deliver the how. If you’re a leader or operator wrestling with when to certify, where to place the human, and how to future‑proof global deployments, this conversation gives you a clear path forward. Subscribe, share with your risk and engineering teams, and leave a review with the one governance action you’re committing to this quarter. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    22min
  5. SEP 24

    S4E11: Behind Boardroom Doors - The New Era of UK Corporate Transparency

    Corporate governance is undergoing a revolution in the UK, and Provision 29 of the 2024 Corporate Governance Code stands at the epicenter of this transformation. Far beyond traditional financial oversight, this groundbreaking rule mandates unprecedented transparency from company boards about their internal controls across all domains – financial, operational, compliance, and critically, technology. Taking effect in 2026, Provision 29 requires boards to actively monitor and review their risk management frameworks, describe their methodology in annual reports, and make clear declarations about control effectiveness. The scope extends well beyond balance sheets to embrace cybersecurity, data protection, and even AI governance – reflecting a world where digital vulnerabilities can pose greater material risks than accounting errors. Our deep dive reveals that while 82% of FTSE 350 companies are planning for implementation, only 30% clearly address non-financial reporting controls, and the number confidently declaring effective systems has dropped from 50% to just 32% as companies apply more rigorous self-assessment. The financial commitment is substantial – £300,000 to £1.5 million for initial implementation depending on company size and complexity, with ongoing annual costs between £125,000 and £250,000. Yet market trends show approximately half of companies will voluntarily seek external assurance despite no mandate, recognizing this as strategic reputation insurance. Forward-thinking organizations are leveraging Integrated Risk Management platforms to create unified control frameworks, typically reducing redundant controls by 15-30% while enabling automated evidence collection and continuous monitoring. By 2027, experts predict two-thirds of FTSE 350 companies will manage financial and non-financial controls within single integrated systems. This shift toward comprehensive transparency isn't just another compliance exercise – it represents a fundamental rethinking of corporate accountability. As boards become more forthcoming about what's working and what isn't, we're left with a provocative question: Will this unprecedented visibility foster greater trust in business, or simply invite more intense scrutiny? For investors, business leaders, and governance professionals alike, understanding these changes is essential for navigating the new landscape of corporate transparency and trust. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    22min
  6. SEP 19

    S4E10: From Boardroom to Code Base - How the EU AI Act Reshapes Business Strategy

    Artificial intelligence stands at a crossroads of breathtaking innovation and urgent need for responsible guardrails. Every breakthrough brings questions about safety, fairness, and accountability that can no longer be afterthoughts. The European Union has responded with the AI Act – the world's first comprehensive legal framework for artificial intelligence – and its General Purpose AI Code of Practice has already secured commitments from tech giants like OpenAI, Google, Microsoft, and Anthropic. We unpack what this means for anyone building, deploying, or investing in AI systems. The EU's risk-based approach categorizes AI into four tiers, from banned practices (social scoring, emotion detection in workplaces) to high-risk applications requiring strict oversight (recruitment, medical devices) to systems needing basic transparency. For general purpose AI models, key requirements include detailed documentation using specific templates, energy consumption reporting, comprehensive copyright compliance including respecting robots.txt opt-outs, and robust security measures. The stakes couldn't be higher – violations can trigger fines up to €35 million or 7% of global annual turnover. This isn't just another compliance exercise; it represents a fundamental shift in how organizations must approach AI governance. We outline a practical roadmap for implementation, from urgent model inventories to establishing cross-functional AI risk councils and integrating these requirements into existing risk management frameworks aligned with standards like NIST AI RMF and ISO 42001. Whether you're a CFO allocating budget for new compliance measures, a CRO assessing emerging risks, or a developer navigating technical requirements, this deep dive provides actionable insights to transform regulatory challenges into strategic advantages. The tension between rapid innovation and responsible deployment defines our AI future – understanding these new rules provides essential context for shaping that future wisely. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    26min
  7. SEP 10

    S4E9: The SaaS Domino Effect - How Compromised OAuth Tokens Created a Cybersecurity Nightmare

    Behind every digital business lies an invisible web of trust: the OAuth tokens silently connecting your applications. What happens when these trusted connections become your greatest vulnerability? A sophisticated attack campaign recently exploited these connections, bypassing traditional security measures to breach major cybersecurity companies including Cloudflare, Palo Alto Networks, and Proofpoint. Rather than directly attacking primary platforms, threat actors targeted Drift's OAuth integration tokens, effectively stealing the keys that allowed them to impersonate this trusted web chat tool when connecting to enterprise Salesforce instances. The consequences were startling. Once inside, attackers rapidly extracted thousands of support case records using Salesforce's bulk API capabilities, then deleted the logs to cover their tracks. Cloudflare later discovered 104 of their own API tokens sitting in plain text within their compromised support cases - creating potential pivot points to even more critical systems. This wasn't just a data breach; it was what experts now call the "SaaS Domino Effect" - where one compromised connection can cascade into multiple system compromises. Not all companies suffered equally. Okta successfully blocked the attackers through one crucial defense: enforcing inbound IP restrictions on their integrations. This contrast highlights how proper integration hygiene can make all the difference between a devastating breach and a thwarted attempt. We unpack how Integrated Risk Management (IRM) provides a comprehensive framework for addressing these structural vulnerabilities, spanning technical controls, operational processes, enterprise risk modeling, and governance policies. Our discussion includes a practical 90-day roadmap with specific actions organizations can take to protect themselves. Examine your own digital ecosystem today. What invisible connections might be putting your organization at risk? Understanding and securing these machine-to-machine relationships isn't just an IT concern - it's a critical business imperative in our interconnected world. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    17min
  8. SEP 5

    S4E8: Beyond Binders: GRC's Radical Shift to Integrated Risk Management and Enterprise Trust

    Governance, Risk, and Compliance (GRC) has undergone a remarkable transformation. What was once the "department of no" – characterized by manual checklists, endless audits, and rooms full of binders – has evolved into a strategic verification backbone powering trust across organizations. This radical shift positions GRC at the center of Integrated Risk Management (IRM), where policies, controls, and compliance data flow dynamically through organizations to provide real-time assurance. The market reflects this evolution, with GRC projected to grow from $12.1 billion in 2025 to $25.1 billion by 2032 – not as an unavoidable cost, but as a strategic investment that builds market-enhancing trust and enables bolder innovation. The IRM Navigator™ Vendor Compass for Governance, Risk and Compliance - 2025 Edition reveals how modern GRC anchors the policies integration point within a framework organized around Performance, Resilience, Assurance, and Compliance (PRAC). Acting as an organizational immune system, GRC provides auditable evidence linking Enterprise Risk Management (ERM), Operational Risk Management (ORM), and Technology Risk Management (TRM) into a cohesive ecosystem where information flows seamlessly across previously siloed functions. Selecting the right solution requires evaluating platforms on solution coverage and integration capabilities. Vendors fall into three categories – Integrators, Accelerators, and Pacesetters – aligned with an organization's position on the maturity curve from Foundational (manual processes) to Autonomous (AI-driven sensing with real-time assurance). Leadership perspectives have expanded beyond traditional risk leaders to include Legal, Finance, HR, and Data executives, all shaping requirements and demanding specific evidence types. The future of GRC hinges on continuous assurance, robust AI governance, and seamless integration. Ask yourself: Is your organization still ticking compliance boxes, or building an adaptive, intelligent assurance system capable of navigating tomorrow's complex risk landscape? Transform your GRC function into the foundation of enterprise trust that empowers your organization to thrive amid uncertainty. Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music. Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com. Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

    21min
