Designing your dream GRC home part 5: how thoughtful experience turns good design into real adoption


By Head of Client Solution Design, Lionel Matsuya

So far in this series, I’ve talked about foundations, connectivity, security, and wiring. These are the things that tend to dominate conversations about GRC platforms: scope, features, controls, automation, and capability.

But there’s another layer that quietly determines whether any of that effort delivers value: that layer is experience.

Just as you don’t want a house that people don’t want to use, you don’t want your GRC platform to be one that people avoid. Your GRC platform could tick the boxes on features, security and everything else, but be hard to use – which is a surprisingly common occurrence, as platforms cram everything in but still try to offer a one-size-fits-all product.

A house that’s great on a blueprint, but not a fun place to live in

Most of us have been in a house like this.

It sounds great. Rooms, storage, maybe a garden and a wide, covered porch.
But in reality, it’s not actually nice to live there.

  • The garden looks beautiful from the window, but the layout makes it awkward to actually use. The seating area is tucked away at the back with no clear path to reach it, so after it rains people rarely bother going outside—they don’t want to slog through wet grass or get their shoes muddy.
  • The porch is cosy, but the steep roof makes it dark, and without any wiring there’s not much you can do there. It should be an inviting space, but it isn’t—especially since the kids avoid it because the Wi‑Fi barely reaches.
  • The storage sounds great on paper, but the cupboards are narrow and overly deep, so things get pushed to the back and forgotten. Instead of helping with organisation, they just turn into clutter traps.

None of these are serious flaws, but together, they shape behaviour: over time, people don’t fix the design. They adapt around it.

If these things happened in a house, you might realise one day that it wasn’t as well thought out as you had believed. You didn’t notice when it was in the real estate window, or when you were looking around, and it might even feel like a waste of money.

Workarounds aren’t a people problem – they’re a GRC platform problem

In GRC platforms, the equivalents are familiar:

  • “We have the Risks on a system, but over time, people start exporting them and managing them on spreadsheets just to make things easier”
  • “It’s fiddly to assign and track actions, so we track them separately. Oh, but we also copy the action onto the system.”
  • “There’s no commenting functionality, so I just send emails, with the controls attached and ask for people’s comments.”

These aren’t signs of poor discipline; they’re signs that the space isn’t comfortable to use.

And here’s the critical point: workarounds don’t appear because functionality is missing; they appear because the platform introduces friction.

The most successful houses don’t draw attention to themselves. No one says:

  • “This corridor is exceptionally well designed”
  • “I really appreciate how intuitive this storage solution is”

They just use them.

And that’s the difference between a GRC platform that exists and one that becomes part of how governance actually happens.

The temptation to select a GRC platform against a feature list

When choosing a house, it’s easy to focus on the feature list:

  • Floorplan
  • Number of rooms
  • Storage capacity
  • Size of the garden

The same thing happens when selecting GRC technology: feature comparison matrices grow, requirements lists expand, and sometimes the exercise turns into a shopping list of gimmicks. The result can be a solution that looks exceptional on paper, but feels heavy in practice.

The user experience takeaway

If you’re looking for a new GRC platform, here are my top tips to ensure that you’re getting something that’s actually going to work for you:

  • Ask the GRC platform vendor whether they offer sandbox environments
  • Pay attention to the feedback that you get from your team members around the look and feel
  • Consider whether the GRC platform you’re getting is tailorable – so that you can ensure that it matches your processes, rather than your people having to change to match the GRC product.

This can be the difference between a GRC platform that is ignored and becomes a burden, and a GRC platform that truly works for you. Next time, I’ll talk about growth and adaptability: how to design a GRC home that can evolve as occupants, expectations, and regulations change, without needing to be torn down and rebuilt.

Check out Lionel’s previous blogs here

Designing your dream GRC home, part 1: the foundations of good GRC design

Designing your dream GRC home, part 2: connectivity and why corridors need to be planned

Designing your dream GRC home part 3: security and access

Designing your dream GRC home part 4: wiring the house – making automation helpful, not burdensome 

About Lionel Matsuya

Lionel is the Head of Client Solution Design at CoreStream GRC, where he’s disrupting the traditional approach to Governance, Risk, and Compliance. With 12 years of experience from a Big Four consulting firm, Lionel is all about designing bold, customized solutions that make clients rethink what’s possible with the CoreStream GRC platform. Lionel’s experience spans organizations of all sizes and across various levels of GRC maturity, both locally and globally. A chartered accountant with the ICAEW and a Certified Information Systems Auditor, Lionel is passionate about using technology to make people’s lives easier. 


Frequently asked questions about GRC user experiences

Why does user experience matter so much in a GRC platform?

Because even the most feature‑rich GRC platform can fail if it’s uncomfortable or unintuitive to use. Just like a beautifully designed house that’s awkward to live in, a GRC system with poor usability leads to workarounds, frustration, and disengagement. An intuitive user experience removes friction, making it easier for teams to adopt the platform naturally and consistently.

What are signs that our GRC platform is causing friction rather than supporting users?

Common signs include teams exporting risks into spreadsheets, managing actions outside the system, or relying on email threads because commenting or collaboration features are clunky. These behaviors aren’t user errors; they’re indicators that the platform’s design doesn’t fit real workflows, forcing people to build workarounds.

How can we evaluate the user experience of a GRC platform before purchasing it?

Ask vendors for a sandbox environment so your team can test real workflows. Encourage users to explore how intuitive the design feels, how easy it is to navigate, and whether tasks can be completed without hunting for features. Good UX shouldn’t draw attention to itself; it should simply work.

What makes a GRC platform “tailorable,” and why does that matter?

A tailorable GRC platform can be shaped around your processes, rather than forcing your team to change how they work. This includes flexible workflows, adjustable interfaces, configurable fields, and the ability to evolve as your organization grows. Tailorability ensures long‑term fit, reducing both friction and the need for workarounds.
