Designing your dream GRC home part 5: how thoughtful experience turns good design into real adoption

By Head of Client Solution Design, Lionel Matsuya

So far in this series, I’ve talked about foundations, connectivity, security, and wiring. These are the things that tend to dominate conversations about GRC platforms: scope, features, controls, automation, and capability.

But there’s another layer that quietly determines whether any of that effort delivers value: that layer is experience.

Just as you don’t want a house that people don’t want to use, you don’t want your GRC platform to be one that people avoid. Your GRC platform could tick the boxes on features, security and everything else, but be hard to use – which is a surprisingly common occurrence, as platforms cram everything in but still try to offer a one-size-fits-all product.

A house that’s great on a blueprint, but not a fun place to live in

Most of us have been in a house like this.

It sounds great. Rooms, storage, maybe a garden and a wide, covered porch.
But in reality, it’s not actually nice to live there.

  • The garden looks beautiful from the window, but the layout makes it awkward to actually use. The seating area is tucked away at the back with no clear path to reach it, so after it rains people rarely bother going outside—they don’t want to slog through wet grass or get their shoes muddy.
  • The porch is cosy, but the steep roof makes it dark, and without any wiring there’s not much you can do there. It should be an inviting space, but it isn’t—especially since the kids avoid it because the Wi‑Fi barely reaches.
  • The storage sounds great on paper, but the cupboards are narrow and overly deep, so things get pushed to the back and forgotten. Instead of helping with organisation, they just turn into clutter traps.

None of these are serious flaws, but together, they shape behaviour: over time, people don’t fix the design. They adapt around it.

If these things happened in a house, you might realise one day that it wasn’t as well thought out as you had believed. You didn’t notice it in the real estate window or when looking around, and it might even feel like a waste of money.

Workarounds aren’t a people problem – they’re a GRC platform problem

In GRC platforms, the equivalents are familiar:

  • “We have the Risks on a system, but over time, people start exporting them and managing them on spreadsheets just to make things easier”
  • “It’s fiddly to assign and track actions, so we track them separately. Oh, but we also copy the action onto the system.”
  • “There’s no commenting functionality, so I just send emails, with the controls attached and ask for people’s comments.”

These aren’t signs of poor discipline; they’re signs that the space isn’t comfortable to use.

And here’s the critical point: workarounds don’t appear because functionality is missing; they appear because the platform introduces friction.

The most successful houses don’t draw attention to themselves. No one says:

  • “This corridor is exceptionally well designed”
  • “I really appreciate how intuitive this storage solution is”

They just use them.

And that’s the difference between a GRC platform that exists and one that becomes part of how governance actually happens.

The temptation to select a GRC platform against a feature list

When choosing a house, it’s easy to focus on the feature list:

  • Floorplan
  • Number of rooms
  • Storage capacity
  • Size of the garden

And the same thing happens when selecting GRC technology: feature comparison matrices grow, requirements lists expand, and sometimes the exercise turns into a shopping list of gimmicks. The result can be a solution that looks exceptional on paper, but feels heavy in practice.

The user experience takeaway

If you’re looking for a new GRC platform, here are my top tips to ensure that you’re getting something that’s actually going to work for you:

  • Ask the GRC platform vendor whether they offer sandbox environments
  • Pay attention to the feedback that you get from your team members around the look and feel
  • Consider whether the GRC platform you’re getting is tailorable – so that you can ensure that it matches your processes, rather than your people having to change to match the GRC product.

This can be the difference between a GRC platform that is ignored and becomes a burden, and a GRC platform that truly works for you. Next time, I’ll talk about growth and adaptability: how to design a GRC home that can evolve as occupants, expectations, and regulations change, without needing to be torn down and rebuilt.

Check out Lionel’s previous blogs here

Designing your dream GRC home, part 1: the foundations of good GRC design

Designing your dream GRC home, part 2: connectivity and why corridors need to be planned

Designing your dream GRC home part 3: security and access

Designing your dream GRC home part 4: wiring the house – making automation helpful, not burdensome 

About Lionel Matsuya

Lionel is the Head of Client Solution Design at CoreStream GRC, where he’s disrupting the traditional approach to Governance, Risk, and Compliance. With 12 years of experience from a Big Four consulting firm, Lionel is all about designing bold, customized solutions that make clients rethink what’s possible with the CoreStream GRC platform. Lionel’s experience spans organizations of all sizes and across various levels of GRC maturity, both locally and globally. A chartered accountant with the ICAEW and a Certified Information Systems Auditor, Lionel is passionate about using technology to make people’s lives easier. 

Connect with Lionel on LinkedIn here.

Frequently asked questions about GRC user experiences

Why does user experience matter so much in a GRC platform?

Because even the most feature‑rich GRC platform can fail if it’s uncomfortable or unintuitive to use. Just like a beautifully designed house that’s awkward to live in, a GRC system with poor usability leads to workarounds, frustration, and disengagement. An intuitive user experience removes friction, making it easier for teams to adopt the platform naturally and consistently.

What are signs that our GRC platform is causing friction rather than supporting users?

Common signs include teams exporting risks into spreadsheets, managing actions outside the system, or relying on email threads because commenting or collaboration features are clunky. These behaviors aren’t user errors; they’re indicators that the platform’s design doesn’t fit real workflows, forcing people to build workarounds.

How can we evaluate the user experience of a GRC platform before purchasing it?

Ask vendors for a sandbox environment so your team can test real workflows. Encourage users to explore how intuitive the design feels, how easy it is to navigate, and whether tasks can be completed without hunting for features. Good UX shouldn’t draw attention to itself; it should simply work.

What makes a GRC platform “tailorable,” and why does that matter?

A tailorable GRC platform can be shaped around your processes, rather than forcing your team to change how they work. This includes flexible workflows, adjustable interfaces, configurable fields, and the ability to evolve as your organization grows. Tailorability ensures long‑term fit, reducing both friction and the need for workarounds.
