At CoreStream GRC, we recently wrapped up a successful GRC implementation with Wickes, and it highlighted something we see time and again.
The difference between a smooth GRC rollout and a painful one is rarely about features alone. It usually comes down to a handful of early decisions. Small choices that either remove friction or quietly create it.
Below are 5 common mistakes we see Heads of Controls make when selecting a GRC platform, and what Wickes did differently.
But first:
Who are Wickes?
For readers outside the UK, Wickes is not a small operation.
- 230+ stores nationwide
- Employees: approximately 7,400
- Average annual revenue: over £1 billion
- Market: DIY customers, trade professionals, and design and installation services across the UK home improvement market
In short, this is a large, complex business with real governance demands.
Mistake 1: Choosing a GRC tool for specialists, not the business
Many GRC platforms look impressive in demos. They work well for risk and compliance specialists who live in the system every day. Then reality hits.
If the wider business cannot use the platform confidently, people fall back to what they know. Usually Excel and email. We see this constantly with new clients who tell us their previous tool was technically capable but practically unusable.
There is also a risk concentration problem. If only one or two people truly understand the system, what happens when they leave or take a holiday? You are left with a very expensive tool that nobody else can run.
The result is predictable. Controls still get chased manually. Assurance is still stitched together by hand. Yet subscription fees keep getting paid.
This can be seen across enterprises right now. Over 30% of organizations are planning to replace or are actively considering replacing their GRC platform, according to KPMG’s 2025 Risk Management Survey. That level of churn is not about features. It is a clear signal of poor user adoption, driven by clunky usability, weak integration, and tools that do not fit how teams actually work.
Your GRC tool must work for occasional users, not just risk or compliance teams.
Wickes recognized early on that control owners would not live in the system daily. Ease of use was non-negotiable and front of mind from the very beginning.
“If you’re facilitating a company-wide process, an over-arching system is a no-brainer versus Excel and email.”
Ryan Lee, Head of Controls at Wickes

Mistake 2: Lifting something off the shelf for a quick, easy implementation
Flexibility is not a nice-to-have. It is survival.
Every organization evolves. Controls mature and reporting expectations change, and a tool that cannot adapt without vendor tickets slows governance instead of enabling it.
At Wickes, they explicitly avoided tools that forced them into a fixed operating model.
“CoreStream GRC is not really out-of-the-box. It’s more like Lego bricks: what would you like to build, and how? That flexibility was attractive because we didn’t want to be fixed to a particular way of working.”
Ryan Lee, Head of Controls at Wickes
A fast implementation is useful. A rigid one is not.
Mistake 3: Underestimating the operational cost of manual chasing
Admin hides in plain sight. Manual reminders, follow-ups, evidence requests, and report compilation quietly drain days every month. These costs rarely show up in business cases, but teams feel them immediately.
At Wickes, automation replaced manual chasing and reporting almost straight away.
There is a reason for that. Studies show automation can cut compliance costs by about 30% and reduce time spent on compliance tasks by 50 to 70% compared with manual processes.
That is time no longer wasted chasing evidence, compiling reports, or nudging people who should not need nudging in the first place.
“Automation is the win. It’s simple to view a live dashboard or run a report that saves time.”
Ryan Lee, Head of Controls at Wickes
This is where GRC platforms either earn their keep or quietly drain resources.
Mistake 4: Picking a system solely for the point solution you need at the time
Short-term thinking is one of the most expensive mistakes in GRC.
Wickes looked beyond their immediate controls use case. They considered future processes, integrations, and how their GRC maturity might evolve. The system was designed with that in mind from day one.
“The difference between a GRC solution that truly works for you and one that doesn’t is often decided at the very beginning, before a single workflow is mapped or a dashboard is built.”
Lionel Matsuya, Head of Client Solution Design, CoreStream GRC
Mistake 5: Choosing on software alone instead of a partner
Cultural fit matters more than most vendors admit.
GRC is not just a system rollout. It is a change in how governance works day to day. When the implementation relationship is rigid or transactional, even strong technology will struggle to land.
“We wanted to work with a team that was responsive, collaborative, and easy to deal with.”
Ryan Lee, Head of Controls at Wickes
That is why values matter. At CoreStream GRC, we care, we challenge, we flex, we simplify, and we deliver. In practice, that means listening first, adapting to how teams actually work, and staying accountable long after go-live.
For Wickes, the decision was as much about people as platform. Beyond implementation, Ryan also benefited from access to the CoreStream GRC leaders community, where GRC practitioners share real experiences, compare approaches, and learn from peers dealing with the same pressures. That ongoing connection helped turn the rollout into a lasting capability, not a one-off project.
If you’re rethinking your GRC approach or feeling the strain of tools that look good on paper but fall down in practice, now is the right time to step back. A short, focused workshop can help you identify where value is leaking, what to fix first, and how to design GRC that actually works for your business.
FAQ on common mistakes to avoid as a Head of Controls
A Head of Controls looks for a GRC platform that is easy for the wider business to use, not just risk or compliance specialists. Key priorities include usability for control owners, clear ownership, automation of evidence collection and reminders, flexibility to adapt as controls mature, and reporting that shows real-time assurance rather than static snapshots.
Usability is critical. Control owners and business teams typically interact with GRC systems infrequently. If the platform is not intuitive, tasks are delayed, evidence is incomplete, and risk teams end up chasing manually. A usable GRC platform reduces friction and improves compliance without constant follow-ups.
Organizations evolve. Controls change, reporting requirements shift, and governance maturity increases over time. A flexible GRC platform allows teams to adapt workflows, controls, and reporting without costly reimplementation or vendor intervention. Rigid, off-the-shelf tools often slow governance as complexity grows.
No. Choosing a GRC platform solely for an immediate use case is a common and costly mistake. Effective GRC design considers future requirements, integrations, and governance maturity from the outset. Short-term solutions often require replacement as needs expand.
A good GRC platform makes governance part of everyday operations. It provides clarity on ownership, real-time visibility of control performance, and consistent reporting across departments and third parties. This allows leadership to demonstrate control even during periods of disruption or investigation.


