Cultural Guide to GRC


01 Nov

CoreStream GRC offers a set of considerations when implementing or refining a practice, be it integrated governance, risk & compliance (GRC) or a single risk or compliance area, with the primary aim of fostering the right culture. There isn’t a one-size-fits-all approach to effective GRC, but there are common threads that will have a significant impact on the likelihood of success.

This article was first published in the November edition of the Operational Risk and Regulation Magazine.

The term governance, risk and compliance (GRC) means different things to different people. To some, GRC is a vendor-driven term to categorize products and services. Others suggest the scope of GRC is flawed and should encapsulate ‘performance’ or that the reference to ‘governance’ should be removed. Is GRC a culture, a practice or a program?

In truth, it is probably a combination of all three, depending on the level of organizational maturity. Change programs help implement or revise GRC practice. This practice, if implemented effectively, will help the firm develop a desirable GRC culture. What matters is that the scope of a firm’s GRC activity is based on what is optimal for the organization and the environment in which it operates. Endlessly debating nomenclature will do little for you. Instead, firms would be well advised to focus on a number of practical considerations as they work towards a GRC-aware culture.

Educate employees on GRC

Making an organization risk-conscious is imperative. Without this, GRC can become a mandatory bolt-on, viewed as a cumbersome burden on ‘real’ jobs. Employees who are risk-aware and understand the importance and value of effective GRC are more likely to embrace the content, rather than simply comply by following due process. Education is necessary to create this awareness. Employees need to understand the importance of GRC, the benefits of an effective approach and the potentially damning consequences of an ineffective one. They also need to be aware of how they contribute to its success. This awareness helps dispel the myth that GRC is some abstract, hard-to-conceptualise theory. People make risk-based decisions several times each day, for example, when crossing the road or deciding on what time to leave for an important meeting. An effective GRC practice formalizes this way of thinking and improves the availability and quality of information that informs future decisions.

Lead and reward GRC initiatives

The desired GRC culture is frequently one that is inclusive and collaborative. Mandating policies and rigorously policing them will seldom encourage the desired culture and will likely create an ‘us’ (the business) and ‘them’ (audit or risk management teams) relationship that is actually counterproductive. Adoption is encouraged by leadership setting the correct tone from the top and furthered by incentivising. Embedding GRC within balanced scorecard objectives, for example, helps ensure the spotlight is focused on performance. Remuneration packages directly attributable to these metrics go a stage further towards encouraging individuals to make GRC considerations on a routine basis. To reinforce the message, senior management should consider explicitly linking company successes to GRC performance whenever appropriate (commenting on annual results, for example) so a clear benefit is demonstrated to those who operate the processes on a daily basis. In order to be sustainable, GRC should rely on repeatable processes and knowledge sharing, not on a limited number of specialist risk or compliance professionals operating in isolation. To this end, the business should be encouraged to take ownership and be involved at the control design stage. Processes dictated by remote compliance departments will seldom be as effective as those designed collaboratively, with due consideration for business-as-usual activity. The role of an effective risk or compliance team is to facilitate, advise and review, not independently own the content or approach.

Help, don’t hinder

Organizations should know what it is they are trying to guard against and prioritize controls accordingly. Unnecessary roadblocks that create a compliance burden but do not deliver on specific objectives should be avoided. Disproportionate controls can result in compliance fatigue and be detrimental to developing the desired culture.

GRC culture should encourage proactive prevention. It is less helpful to review what caused the fire once the building has burned down, and so GRC should minimise the likelihood of issues occurring and the impact of them if they do. Processes to detect, report and address issues are important – you don’t want the house to burn down repeatedly – but prevention is more beneficial than simply dealing with the clean-up exercise effectively.

Beyond minimizing the likelihood or impact of negative events, GRC objectives should comprise positive benefits. Consider the negotiation of a complex contract; an organization with a deep understanding of risk is able to flex the risk-reward balance more proactively, building a position of strength relative to competitors. More simply, building a reputation as an ethical, compliant, risk-conscious organization can in itself provide competitive advantage. Communicating these benefits internally helps employees recognize that GRC is not simply a line of defence – it can potentially improve an organization’s performance. GRC is not just about staying out of the headlines.

Standardize GRC

In organizations where compliance has typically been a reactive undertaking, it is common for a series of silos to have formed. Something goes wrong, regulators or shareholders insist on action and a process change, technology or a particular department is put in place to address the problem. Aside from not benefiting fully from economies of scope, there are other issues attributable to this reactive behaviour.

Multiple review functions digging up the same stretch of road repeatedly, but for different reasons, is not only inefficient but can also cause audit fatigue within an organization. The more burdensome GRC becomes, the more difficult it is to develop the desired culture. One option is to centralize. A compelling business case can be put forward as technology and resource cost savings are measurable, as are the efficiency gains through reducing duplication. However, the significant cultural, political and operational challenges in centralizing disparate units may outweigh the benefits. Whether an organization chooses to centralize or not, standardization will almost always drive significant benefits.

The majority of GRC efficiencies are actually gained from having a common framework, common terminology and common reporting. A standardized approach breeds familiarity from shop floor to board level. The former are more likely to embrace something that is less convoluted and the latter can more easily review performance and make decisions using management information (MI) with common categorization, structure and format.

Get the best from GRC technology

Irrespective of the level of investment or sophistication, technology is not a self-contained GRC solution. It should be regarded as an enabler that improves the efficiency of people and processes; not as a substitute for them. Technology improves the management of information, highlights potential issues and automates what is repetitive and inefficient. A previously cumbersome process for reporting enterprise-wide operational risk, for example, is far more efficient when data is input to a single register and MI is produced automatically and in a consistent format. The automation of decision-making should be handled with care. Decisions that lend themselves to automation will typically have few variables and are generally based on a static response to a threshold; when x happens, the consistent response is y. Even when this is the case, the automation is usually only the short-term reaction, and the longer-term response will still need to be determined by management. Absolving people from the responsibility of making decisions is not only impractical, it also serves to distance them from GRC if they believe ‘the technology takes care of that’.

The use of GRC technology is also susceptible to the law of diminishing returns. At a basic level, it is notable how many organizations would benefit from simply providing access to a central repository for policies, processes and risks. The next step might be to use technology for assigning ownership of controls, or raising and tracking audit issues and associated remedial actions. As the use of technology begins to address more sophisticated areas, management should consider the net benefit of implementing and maintaining a technology-based solution. If 80% of the benefits can be realized with 20% of the effort, it might be wise to stop there. If the technology itself is becoming a burden, then the GRC culture will suffer.

Deployed effectively, technology can contribute towards establishing a GRC culture. Technology encourages user adoption and collaboration through being accessible, intuitive and uncomplicated. Experience tells us that the more pleasurable something is to use, the more likely we are to use it. Implemented properly, technology can contribute towards making GRC a habit.


“Our life is frittered away by detail. Simplify, simplify.” (Henry David Thoreau)

Keep GRC simple

Keeping things simple is overarching and something to be conscious of at all times. Education can only be effective, collaboration only encouraged and technology only successfully adopted if the content, approach and associated benefits are understandable. You can’t expect to foster a culture outside of GRC professionals if the practice is too complicated to be understood by a wider audience. While regulation and risks can be inherently complicated, there is no need to add to this complexity by adopting a convoluted response. The most complicated regulation can still often be boiled down to a set of logical controls that are embedded in well-thought-out processes. The most effective GRC practices will address the complexity at the design stage and avoid reflecting it in the controls themselves. Keep the implementation simple and it unlocks the potential to foster the desired culture.

About CoreStream GRC

The intuitive, flexible GRC platform that delivers efficiency and value – your way.

Driven by the belief that technology should be an enabler—not a barrier—we created the CoreStream GRC platform: a flexible, no-code solution that empowers organizations to design their perfect GRC system with our expert team. You tell us what you need, and we deliver it—quickly and without unnecessary complexity. Using pre-built, customizable features, it’s as intuitive and versatile as building with Lego bricks – the solutions are limitless.

With seamless scalability, an intuitive interface, and rapid implementation, CoreStream GRC turns GRC from an administrative burden into a powerful enabler for your business. Trusted by leading organizations like the BBC, Deloitte, NHS, PwC Middle East and Shell Energy, CoreStream GRC consistently delivers real, measurable value for all your risk and compliance management needs.

FAQ

Is GRC a culture, a practice, or a program?
It can be all three. GRC can represent a set of practices, a change program for improvement, or an organizational culture that prioritizes risk awareness and compliance. The maturity and needs of an organization determine how GRC is defined and implemented.

How can GRC practices benefit my organization?
Effective GRC practices do more than ensure compliance; they help build a risk-aware culture, reduce negative incidents, and improve decision-making. By streamlining processes, GRC can enhance efficiency, foster collaboration, and even provide competitive advantages like better contract negotiations and a stronger ethical reputation.

How can employees be encouraged to embrace GRC?
Education is key. Employees must understand the importance of GRC, its benefits, and how their roles contribute to its success. Clear communication, leadership support, and linking GRC performance to rewards, like balanced scorecards or bonuses, also help foster engagement.

What role does technology play in GRC?
Technology is an enabler, not a standalone solution. It can simplify processes, improve data management, and enhance decision-making. Tools like CoreStream GRC provide centralized platforms for managing risks, policies, and compliance. However, successful implementation requires user-friendly design and a focus on addressing the organization’s unique needs.

How can organizations prevent compliance fatigue?
Avoid overburdening teams with unnecessary or redundant controls. Focus on what truly mitigates risks and aligns with business goals. By prioritizing effective, streamlined processes, organizations can foster a positive GRC culture and reduce resistance.

How does CoreStream GRC simplify GRC implementation?
CoreStream GRC offers a no-code platform that adapts to your needs with pre-built, customizable features. Its intuitive interface and rapid deployment help organizations design effective, scalable solutions quickly, making GRC simple, efficient, and impactful.