Risk, Resilience, and Real Talk: GRC Insights from #RISK London 2024

11 Oct

The #RISK London 2024 event brought GRC (Governance, Risk, and Compliance) experts from a range of industries to London's ExCeL for networking, shared lessons and a free cup of coffee. The subject-matter experts provided actionable insights and highlighted the future of GRC in an evolving landscape. As Head of Marketing at CoreStream GRC, I had the opportunity to attend several sessions over the two-day conference. Three key themes emerged that GRC professionals should take note of: humanizing GRC, building a risk-based approach with a compliance culture, and the magic of technology.

1. Thinking Outside the Tick Box: Making GRC Human 

To those outside the risk and compliance teams, GRC is often seen as a bureaucratic exercise filled with endless checklists. However, the underlying message at #RISK London 2024 was clear: we need to humanize GRC by making it meaningful and engaging for employees. GRC needs a rebrand! Eoin Fahy, Security and Compliance Specialist at Microsoft UK, spoke to this: “Non-GRC professionals see risk as negative and filled with red tape—you need to change this mindset.”

GRC pundit Michael Rasmussen provided several great quotes and metaphors to illustrate the benefits of risk and how it creates opportunities; after all, you can't do business without risk. “Risk is like fire: If controlled, it will help you; if uncontrolled, it will rise up and destroy you,” he quoted, attributing the saying to Theodore Roosevelt. He also described how the CRO of a large enterprise secured his role by defining risk management as, in essence, ensuring that the CEO has no surprises in achieving their objectives. Consider how risk is communicated internally at your organization: can it be reframed?

Another way to humanize GRC was illustrated during a session on Data Protection Training led by Lorraine Pintér, Group Privacy Manager at Vodafone, and Henry Davies, Data Protection Lead at Likewize. Henry emphasized that effective training shouldn’t be a one-size-fits-all, annual tick-box exercise. “You need to know your audience. A warehouse worker requires different training than the legal team,” he explained, stressing the importance of segmentation and personalization. 

CISO Glen Hymers from the Cabinet Office reinforced this with a memorable point: “Never let a good crisis go to waste.” This means learning from past mistakes, leveraging real-world case studies, and turning these experiences into valuable lessons for all employees. Dynamic and targeted training can prevent burnout while fostering a culture of accountability, ensuring employees understand their role in safeguarding sensitive information. Additionally, by analyzing your own incidents and data breaches, you can refresh your training content with real examples, focus it on your business's weaknesses, and target the improvements you actually need.

The takeaway for GRC professionals? Training needs to evolve from generic compliance modules into engaging, relevant experiences that speak the language of your business and workforce. 

2. Building a Risk-Based Approach: Prioritizing What Matters 

The complexity of modern organizations, especially those as vast as the NHS or Jaguar Land Rover, makes a risk-based GRC approach essential. During the High-Impact Risks session, Anthony Attwood, Senior Risk Manager at Jaguar Land Rover, and Oliver Stopnitzky, Fraud Prevention Lead at the NHS Counter Fraud Authority, highlighted the importance of focusing on high-impact risks by building the right infrastructure. “Without a solid infrastructure,” Oliver noted, “it’s impossible to act quickly, especially in crises like COVID.” He explained that in an organization as large and complex as the NHS, risk assessments need to be strategic, linking resource allocation to the severity of the risk. 

Attwood shared how Jaguar Land Rover manages risks by creating a “top 10 risk matrix” that goes directly to the board, ensuring that stakeholders are aware of the most pressing issues. Both experts agreed on the importance of stakeholder engagement, with Attwood emphasizing that “trust and integrity are key—don’t be the boy who cried wolf.” Getting risks on the agenda and demonstrating successful mitigations with tangible metrics builds trust and drives strategic decisions. 

Samantha Smith, Head of Data Compliance at Merlin Entertainments, also spoke to the importance of speaking the board’s language. “The board cares about one thing—risk. They want to know where the holes are and how we plan to fix them.” GRC professionals must prioritize risks that pose the greatest threat to business objectives. This not only ensures resilience but also helps in resource allocation, ensuring that organizations are prepared for both traditional and emerging risks. 

3. From Chaos to Clarity: Tech-Empowered GRC 

Another central theme at #RISK London 2024 was the importance of technology in enhancing GRC programs. Andy Gilroy from RAF Air Command, who led the Tackling Silos in Enterprise Risk Management session, underscored the impact of digital solutions on GRC. “The adoption of a digital platform has allowed us to link strategic objectives directly with risks, providing a fully auditable, transparent system,” Andy explained. He emphasized that digital tools not only reduce duplication but also enable real-time data aggregation, enhancing overall productivity. By automating GRC workflows and integrating risk dashboards, organizations can ensure they are not only compliant but also agile, ready to respond swiftly to emerging risks. As Gilroy put it, “Everyone needs to buy in, so they feel involved rather than avoiding risk teams.” This collaborative approach, powered by technology, ensures that GRC is embedded across all business areas, creating a culture of proactive risk management.

Victoria Brasier, Director of Information Management at Sky, agreed, pointing out that visibility is crucial. “If you understand your risks, you're much more likely to achieve your planned objectives,” she said, underscoring the role of technology in improving transparency and decision-making. This perspective aligns closely with Michael Rasmussen's keynote on Building GRC for Tomorrow, where he urged organizations to break away from siloed practices. “GRC is a capability that allows organizations to reliably achieve objectives, address uncertainty, and act with integrity,” he explained, stressing the need for a cohesive, integrated approach to avoid creating a “GRC mystery house”—a fragmented and inconsistent system with no clear blueprint. He also emphasized the value of working with low-code GRC technology platform providers who listen to your requirements and act on them. Together, these insights reinforce the idea that technology is not just a tool for risk and compliance but a strategic enabler of business resilience and success.

Conclusion: From Compliance to Competitive Advantage 

The overarching message from #RISK London 2024 was that GRC, when done right, can be a powerful tool for achieving business objectives and driving growth. By humanizing GRC, building a risk-based approach, and streamlining with the help of technology, organizations can move beyond mere compliance and turn GRC into a competitive advantage. Women in GRC panelist Sophie Walsh, Head of Trust and Safety at Depop, illustrated this point at the end of the session, stating, “GRC professionals can make real change. You can help the business and make a real impact on the world.” For GRC professionals, the key takeaway is clear: GRC is no longer just about ticking boxes; it's about enabling your organization to thrive in uncertainty while acting with integrity.

Didn’t get to meet the team at #RISK London? Don’t worry! Contact us here, and let’s discuss your GRC program today!