Designing your dream GRC home part 2: connectivity and why corridors need to be planned


By Head of Client Solution Design, Lionel Matsuya  

Almost every organization ends up here eventually: they’ve built good GRC point solutions in silos – and now they want to connect them. 

One of the most common use cases I hear when designing an enterprise client’s GRC solution is this: 

“We have a number of different functions: Enterprise Risk, Internal Audit and Controls management. I want to bring them together in a single system.”

This is a brilliant aim and exactly the kind of thing GRC platforms like CoreStream GRC are built for. 

But there’s a big gap between doing this successfully and doing it in a way that simply adds more complexity. 

In the first blog of this series, I used the analogy of building a house to talk about the foundations of a good GRC solution: understanding the organization’s needs and engaging stakeholders. Without that, your structure is shaky from day one. 

Now, let’s talk about the next design element: connectedness.

How your GRC system flows and integrates

In a house, you have rooms and corridors. In an organization, you have functions and collaboration. 

Most people spend the majority of their time working in a particular function (their ‘room’), whether that’s risk, controls, audit, compliance, or something else. But a house with only rooms and no corridors doesn’t work. It’s clunky, frustrating, and non-collaborative.  

Corridors matter because they make the house usable. They allow movement, flow, and shared understanding. But not all corridors are good corridors. You can’t just connect rooms anywhere and expect it to work. A badly placed or narrow corridor is just as frustrating as no corridor at all. 

A real-world use case

A good example of this emerged in the UK between 2019 and 2024 with the UK Corporate Governance Code. 

Early on, many companies assumed the requirements would mirror US Sarbanes–Oxley. They began mapping processes, risks and controls in detail: a classic bottom-up exercise. 

Later, the UK government and Financial Reporting Council (FRC) changed direction to a more top-down, risk-led approach (through Provision 29 of the UK Corporate Governance Code), focusing on mission-critical risks and controls. 

The result? In many cases, a typical silo effect. 

  • Two projects 
  • Two functions 
  • Two methodologies 
  • Two definitions of what ‘risk’ and ‘control’ mean 

And plenty of duplication. 

Diagram 1: ERM and Controls Management developed separately 

The diagram shows a (very rough) illustration of typical ERM and controls in silos: two separate functions, two separate sets of reporting, and a lot of opportunity for duplication. 

And when silos appear, someone (rightly) challenges this:

“Why don’t we just integrate them?” 

Why corridors alone don’t work – a sticking plaster over a gaping GRC wound

But here’s the trap: connecting two rooms with a corridor doesn’t make a home. It just makes a more complicated floor plan. 

And in GRC, connecting two siloed solutions without rethinking the underlying structure does the same thing. You end up with: 

  • Two different taxonomies for risk and control 
  • Duplicate data no one fully trusts 
  • Reports that don’t align 
  • Users forced to navigate two systems rather than one coherent ecosystem 

Diagram 2: Connecting silos helps, but doesn’t integrate 

The diagram illustrates this. Making connections between existing silos doesn’t remove the silos. It adds connectivity, but you often end up in much the same situation as before: marginally better at best, and sometimes worse. 

Integration isn’t about corridors. It’s about designing a floor plan that makes movement between rooms natural. 

A shared space for both team work and privacy

True integration often means rethinking how your risk and control information is structured so there’s a common language and shared data set underpinning it all. 

Each function can still view this information through its own lens: 

  • ERM might look at risks through a top-down, strategic perspective. 
  • Controls teams might view them through bottom-up process detail. 
  • Internal audit might use the same information to plan assurance coverage. 

But they’re all looking at the same risk object – not three inconsistent versions of it. That’s what strong integration looks like. 

Diagram 3: A truly integrated system does not create silos 

It’s not a bolt-on corridor added at the end. It’s part of the built-in architecture from the start. 

How do you design a cohesive GRC home? 

Creating an integrated approach to managing the separate parts of your GRC ecosystem looks easy when you draw it on a diagram, but in reality it can be hard. It requires each of the component functions to be willing to play nicely with the others, and it may require some compromise. 

What’s important is to ensure that you’re not thinking about ‘adding’ one thing to another. You’re not ‘adding’ controls to ERM, or compliance to controls. You’re thinking about the whole ecosystem in the round. 

  • Can we map process risks to enterprise risks? 
  • How do policies link to controls? 
  • Where and how do we record our regulatory obligations? Are they under one specific risk? 
  • What about our compliance procedures? Are they controls? Or something else? 

These aren’t necessarily easy decisions to make. And sometimes you’re going to need to duplicate – maybe because compliance controls are just at a different level to process controls. But even if you come to that conclusion, you’ll find that talking about it makes a big difference. 

Bringing your teams and processes together 

Good houses are designed around how people move between rooms. 

Good GRC solutions are designed around how information flows between functions. 

Weak integration creates confusion, duplication and frustration. 

Strong integration creates alignment, shared understanding and insight. 

In the next article, I’ll talk about security, and yes, the analogy will heavily revolve around locks! 

About Lionel Matsuya

Lionel is the Head of Client Solution Design at CoreStream GRC, where he’s disrupting the traditional approach to Governance, Risk, and Compliance. With 12 years of experience from a Big Four consulting firm, Lionel is all about designing bold, customized solutions that make clients rethink what’s possible with the CoreStream GRC platform. Lionel’s experience spans organizations of all sizes and across various levels of GRC maturity, both locally and globally. A chartered accountant with the ICAEW and a Certified Information Systems Auditor, Lionel is passionate about using technology to make people’s lives easier. 


Frequently asked questions

Why is integration important in GRC systems?

Integration in GRC (Governance, Risk, and Compliance) systems ensures that different functions, like ERM, internal audit, and controls, work from a shared data set and common language. This reduces duplication, improves reporting accuracy, and enhances collaboration across teams.

Why do GRC silos form, and how can they be broken down?

GRC silos often form when different teams use separate tools and definitions. Breaking them down requires stakeholder collaboration, compromise, and a shift toward shared goals and language across the organization.

What are the risks of connecting siloed GRC systems without integration?

Simply linking siloed GRC systems can lead to inconsistent taxonomies, duplicate data, and misaligned reports. Without rethinking the structure, you may create more complexity instead of solving the problem.

What does strong GRC integration look like?

Strong GRC integration means different teams view the same risk and control data through their own lenses. It’s not about merging everything, but about creating a shared foundation that supports diverse needs.
