Michael Rasmussen podcast with Richard Eddolls: why CoreStream GRC focuses on value-based GRC technology 


Speakers: Michael Rasmussen, GRC 20/20, and Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC

In this episode of The Hitchhiker’s Guide in the GRC Technology Galaxy, Michael Rasmussen returned to CoreStream GRC’s London office to speak with Richard Eddolls, Co-Founder and Chief Product Officer at CoreStream GRC. 

The conversation explored the origins of CoreStream GRC, why flexibility and usability still matter in enterprise GRC technology, how AI should be approached through value rather than hype, and why the strongest GRC platforms are not always the loudest names in the market. 

If you missed the episode, you can listen to the full podcast here. 

What is the Hitchhiker’s Guide in the GRC Technology Galaxy podcast? 

The Hitchhiker’s Guide in the GRC Technology Galaxy is Michael Rasmussen’s podcast on governance, risk, compliance, and the technology shaping modern GRC programmes. In each episode, Michael speaks with industry leaders, practitioners, and technology experts about how organizations can improve risk visibility, strengthen compliance, connect assurance activity, and make better decisions in a fast-changing environment. For listeners searching for the Michael Rasmussen podcast, it offers a practical view of the GRC market, with conversations that go beyond product claims to explore strategy, architecture, AI, resilience, and real-world business value. 

GRC technology is under pressure to do more than digitize existing processes. It needs to help organizations manage complexity, connect risk and assurance activity, and show evidence that programs are working for their businesses. 

That matters now because compliance functions are being pulled deeper into business change.  

PwC’s Global Compliance Survey 2025 found that 71% of respondents expect digital transformation initiatives over the next 3 years to require compliance skills, including support around cyber and data regulations.  

PwC also found that only 7% of companies currently see themselves as leaders in compliance maturity, while 84% aim to be leading or mature within 3 years.  

In The Hitchhiker’s Guide in the GRC Technology Galaxy podcast, Richard Eddolls explains why CoreStream GRC was built around a simple principle: technology should enable better governance, risk, and compliance outcomes, not force organizations into rigid ways of working.

“We want technology to be an enabler, not a barrier. We want to make sure that it can flex to your ways of working, your methodology.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC  

That is the real theme of the episode: value-based GRC is not about adding more features. It is about building technology that fits the business, supports better decisions, and helps teams spend time more effectively.  

Why was CoreStream GRC founded? 

Michael begins the podcast by asking co-founder Rich to take us back to the start. CoreStream GRC’s origin story starts with a familiar enterprise problem: the technology available for compliance and risk teams was not matching the way organizations actually worked.

Richard explains that before founding CoreStream GRC, he was working as a program manager at the BBC via Deloitte, where he was responsible for setting up a compliance function and looking for technology to digitize the process. What he found was frustrating. 

“When we were going to market, it was that typical kind of shiny salesperson who would nod along to every request, not really challenge us in anything that we were thinking of doing, and not really understand the space either.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC   

The problem was not just sales behavior. It was the gap between what the tools promised and what users actually needed. 

“They were selling effectively a widget without really understanding why they were selling it and perhaps who they were selling it to.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC    

That gap still exists across the GRC market today. Many organizations are not short of tools, dashboards, taxonomies, or workflows. They are short of systems that reflect their real operating model, connect activity across functions, and make evidence easier to manage. 

This is why CoreStream GRC’s foundation matters. It was not built from a generic software idea looking for a market. It came from a real enterprise compliance challenge. 

“Most of the things we were finding were, if you want a solution that does compliance or some certain type of workflow, here’s how it works, here’s how it does it, you have to bend your organization to the tech.”

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC    

The CoreStream GRC response was different: build a platform that can support how the organization works, GRC technology without compromise. 

What makes GRC technology valuable? 

In this episode, Rich puts it clearly: 

“We don’t see technology itself as a feature. We look at the business benefit that’s realized through having a particular feature.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC    

That line is important for GRC leaders evaluating GRC platforms, especially in a market where vendors often compete on feature lists, acronyms, and AI claims. 

The better question is not: “What does the tool do?” 

It is: “What problem does it solve, and what value does it create?” 

In the podcast, Richard identifies 3 core foundational pillars that have carried Rich and the team through the last 13 years of CoreStream GRC:

  • Flexibility: The platform should flex to the organization’s methodology and ways of working. 
  • Intuitiveness: The interface should be clean, uncluttered, and straightforward enough for users to engage with quickly. 
  • Quality: The technology matters, but so does the advice, delivery process, and support wrapped around it. 

“Technology is only part of it. It’s all of the advice. It’s the delivery process. It’s the support that you provide once you’ve handed it over into BAU.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC    

That matters because GRC technology is no longer a back-office efficiency project. It is increasingly connected to board reporting, risk visibility, third-party oversight, regulatory evidence, AI governance, and operational resilience. 

If compliance, risk, controls, and audit activity cannot be connected and reported clearly, leadership may see activity, but not meaningful assurance. 

Why does flexibility matter in enterprise GRC software? 

Enterprise GRC is unique for every business. 

Different teams have different methodologies. Different jurisdictions have different obligations. Different risk owners engage with the process in different ways. And different industries bring different expectations around assurance, auditability, resilience, and evidence. 

That is why rigid GRC technology can become a problem. It may look organized in a demo, but it can struggle when the business needs to adapt, evolve and scale. 

In this episode, Richard explains that flexibility has been at the heart of CoreStream GRC from the beginning: 

“We want to make sure that it can flex to your ways of working, your methodology.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC  

Michael Rasmussen reinforces this in the podcast when he celebrates CoreStream GRC’s approach as a “Lego building blocks type approach” to GRC technology. Michael has previously recognized CoreStream GRC with the 2025 GRC Innovation Award in the Enterprise Integrated GRC Architecture & Platforms category. 

Richard then explains why configurability is different from customization. 

“You will never end up in a situation where you’re entirely blocked and can’t upgrade because we’ve customized… 

We don’t branch code. We don’t write specific code for specific clients because that then leads to those horror stories.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC  

This is a crucial distinction for buyers. Customization can create technical debt. Configurability, done properly, gives organizations flexibility without trapping them on a broken or outdated version of the platform. 

For GRC leaders, that distinction should be part of the buying conversation. The risk is not just whether the platform can meet today’s requirements. It is whether it can keep working as the business changes.

How should GRC leaders think about AI? 

AI is one of the biggest topics in governance, risk, and compliance right now, but Richard Eddolls’s message in the podcast is refreshingly grounded. 

CoreStream GRC is not taking an “AI-first” approach for the sake of the label. Instead, Richard explains that the company is focused on outcomes and value. 

“Our AI strategy has been to remain effectively AI agnostic.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC

That means giving clients choice: whether to use AI, which AI capability to use, and how it should connect into their wider governance and technology environment. 

“We want to provide clients with the choice so they can choose whether to use AI or not.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC

This matters because AI adoption is moving faster than many governance programs can control.  

In GRC, that means AI cannot simply be switched on because it sounds impressive. It has to be governed, evidenced, and connected to real use cases. 

Richard makes this point through the lens of data privacy and client control: 

“One of the main challenges of the use of AI is data privacy and making sure that you’re not potentially leaking data that you shouldn’t be.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC 

That is why an AI-agnostic model is strategically useful. It lets organizations adopt AI in a way that fits their risk appetite, governance model, data controls, and internal policies. 

How does the CoreStream GRC and SANNOS partnership support evidence-led compliance?

The podcast also covers CoreStream GRC’s partnership with SANNOS, an introduction Michael Rasmussen facilitated, and a clear example of value-based AI in practice. 

Richard explains that the integration brings together the CoreStream GRC platform and SANNOS’ capability to assess evidence against frameworks. 

“Users in CoreStream GRC can be uploading the evidence that they want to assess against any number of frameworks, including completely custom frameworks that SANNOS is trained on.” 

“Within half an hour, [users can] have a full report back of your level of compliance against that particular standard or framework.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC 

The real value is not just speed. It is the connection between what happens before, during, and after the assessment. 

CoreStream GRC can support risk profiling, evidence management, assessment, action tracking, and risk management across the full process. 

That is the important shift. AI should not sit outside the GRC operating model as a standalone chatbot. It should help teams evaluate real documentation, identify gaps, and move the work into accountable remediation and risk management workflows. 

This is particularly relevant as compliance teams deal with multiple overlapping frameworks.  

In that environment, evidence-led AI can help reduce manual review effort, but only if it is connected to a wider GRC process. 

Why should GRC technology providers also act as advisors? 

One of the most interesting moments in the podcast comes when Michael shares a story about a large European manufacturer choosing CoreStream GRC after an enterprise risk RFP process. 

Michael explains that both final vendors could meet the requirements. Both had strong teams. But CoreStream GRC stood out because it challenged the organization to think differently. 

“You came in and said, we can meet the requirements, but have you thought of doing it this way? We think your program can be improved.” 

Michael Rasmussen, Pundit and Founder of GRC 20/20  

Richard’s response goes to the heart of CoreStream GRC’s value. 

“You’re only able to provide that challenge if you understand the requirements, not just at the surface level, but how they’re actually going to be operationalized.” 

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC  

This matters because enterprise GRC buying decisions often begin with long requirements lists. But a requirement list does not always tell the full story. 

A stronger GRC partner should be able to ask: 

  • Are these the right requirements?  
  • How will this work in practice?  
  • Who needs to own the process?  
  • What evidence needs to be produced?  
  • Where will reporting break down?  
  • What can we learn from other industries?  
  • What will still work in 3 years?  

Richard describes this as a shift in the market. 

“Tech providers, if you put us in that category, are going to also need to ensure that they are advisors, because there needs to be a reason to select your organization.”

Richard Eddolls, Co-Founder and Chief Product Officer, CoreStream GRC

That advisory layer matters because GRC technology is only useful when it is implemented around the right operating model. Software alone does not fix weak ownership, disconnected controls, poor evidence, or unclear reporting. 

What can GRC teams take from Michael Rasmussen’s podcast episode with CoreStream GRC?

The episode is not just about us at CoreStream GRC. It is also a useful buying checklist for governance, risk, and compliance leaders. 

If you are reviewing GRC technology, the conversation points to several practical questions: 

  • Does the platform fit your operating model, or force your organization to bend around it?  
  • Can it support multiple GRC use cases without creating disconnected silos?  
  • Is it configurable without creating technical debt?  
  • Does the provider challenge your thinking, or simply agree with your requirements?  
  • Can AI be adopted on your terms, with the right data privacy and governance controls?  
  • Does the platform connect evidence, assessment, action tracking, and reporting?  
  • Will the interface be easy enough for the business to actually use?

Michael closes the episode with a similar message. GRC technology cannot be reduced to a market grid, a framework, a taxonomy, or a single feature set. It has to be judged by how it works in the real world. 

“We need to really look at how we approach this and what’s the right technology and its flexibility and value and how it actually delivers to the organization.” 

Michael Rasmussen, Pundit and Founder of GRC 20/20   

That is the real takeaway. The strongest GRC technology is not always the loudest. It is the technology that helps teams ask better questions, design smarter systems, connect what matters, and prove value over time.

Meet the podcast speakers

Michael Rasmussen

GRC analyst and podcast host, GRC 20/20 

Michael Rasmussen is a globally recognized GRC analyst and commentator. In The Hitchhiker’s Guide in the GRC Technology Galaxy, he explores the expanding universe of governance, risk management, compliance, AI, digital twins, audit, third-party risk, and GRC technology. 

In this episode, Michael returns to the CoreStream GRC office in London for a follow-up conversation on the role of CoreStream GRC in the wider GRC technology market.  

Richard Eddolls

Co-Founder and Chief Product Officer, CoreStream GRC 

Richard Eddolls is Co-Founder and Chief Product Officer at CoreStream GRC. 

Before founding CoreStream GRC, Richard worked at Sun Microsystems, Deloitte Consulting, and later as a program manager at the BBC, where his experience setting up a compliance function helped shape the original CoreStream GRC opportunity.  

Today, Richard leads product strategy with a focus on flexibility, usability, quality, integration, and value-based GRC outcomes.

Condensed podcast transcript

Michael: Interstellar Travelers, welcome to the Hitchhiker’s Guide to the GRC Technology Galaxy—your improbable companion to the expanding universe of governance, risk, and compliance technology. In a cosmos where regulations multiply faster than cyber incidents and third parties arrive with Vogon-like timing, this podcast is your towel—your improbability drive through it all. 

Each episode, I, Michael Rasmussen—field researcher and GRC Hitchhiker—explore the constellations of GRC technology. From AI copilots to digital twins, compliance nebulae to audit wormholes, we decode the jargon and help you navigate a space where vendor promises often outshine reality. 

Today, the improbability drive brings me back to London, to the CoreStream GRC office—the place we recorded our very first episode. This time, I’m joined by one of the founders, Richard. Richard, tell us about yourself and how CoreStream began. 

Richard: Thanks, great to be here. I’m Rich Eddolls, co-founder and Chief Product Officer at CoreStream. I left my job in 2013 to start the company. It wasn’t a perfectly mapped-out plan—we’ve evolved a lot—but the core idea came from real frustration with GRC tools. 

Before that, I worked at Sun Microsystems in Silicon Valley, then Deloitte Consulting, and later in program management. It was during a role at the BBC, where I was building a compliance function, that I saw the gap. 

The tools we looked at were clunky, hard to use, and inflexible. Vendors didn’t truly understand the space—they just sold software. That led us to create something different: a system that adapts to organizations, not the other way around. 

Michael: That’s been consistent over the years. How would you define CoreStream’s DNA? 

Richard: Three things: flexibility, intuitiveness, and quality. 

Flexibility—technology should enable, not constrain.   

Intuitiveness—systems should be easy to use; even a non-expert should navigate them.   

Quality—not just the tech, but the service and outcomes around it. 

And underlying all of that is care. It’s part of our culture and something we work hard to maintain as we grow. 

Michael: You also emphasize value, especially when it comes to AI. 

Richard: Exactly. We don’t treat technology as the feature—value is the feature. Our AI approach is AI-agnostic. Clients choose whether to use it, which tools, and how. 

That’s important, particularly around data privacy. It gives clients control and confidence. 

Michael: A great example is your work with Sannos. 

Richard: Yes—together we combine CoreStream’s platform with AI-driven compliance  

We also connect the full process—risk profiling before, and action tracking after—so it’s not just analysis, it’s an end-to-end solution. 

Michael: Let me share a quick story. A global manufacturer asked me to help choose between vendors. CoreStream made the final cut and ultimately won. 

The deciding factor? You challenged them. You didn’t just meet requirements—you improved them. 

Richard: That’s key for us. We believe technology providers also need to act as advisors. You can’t add value unless you truly understand the context and challenge assumptions. 

Michael: Let’s talk about your platform approach; particularly configurability. 

Richard: That’s fundamental. We don’t customize code—we configure. Think of it like Lego blocks. 

Everything runs on the same core platform, but clients shape it through configuration. That means no upgrade issues, no broken systems—just flexibility at scale. 

And importantly, everything connects—risk, audit, controls—it’s one integrated ecosystem, not siloed modules. 

Michael: You’re also part of Axiom GRC now. 

Richard: Yes, and they’ve been hugely supportive, giving us room to grow while helping us invest and mature as a business. 

Michael: Looking ahead—say 2030—what does CoreStream look like? 

Richard: The core principles stay. But how we deliver evolves. 

AI will make systems more conversational—you’ll be able to configure platforms just by describing what you need. And digital twin capabilities will allow organizations to simulate risks and scenarios in real time. 

Michael: Final thoughts for the audience? 

Richard: Don’t just default to big names. Explore options. There are strong solutions out there and CoreStream is one worth considering. 

Michael: And you’re truly global. 

Richard: Yes—UK, US, Middle East—and expanding further. 

Michael: Richard, thanks for joining us. 

Richard: Thank you. 

Michael: Across the GRC galaxy, the search for the ultimate answer continues. Some look to analyst quadrants. Others to frameworks or taxonomies. But the truth is—it’s not one thing. 

It’s a combination of smart architecture, context, discipline, and the ability not to panic. 

Because the GRC universe isn’t conquered by those promising simplicity—it’s navigated by those asking better questions, designing smarter systems, and connecting what matters. 

So keep exploring. The answer may still be 42—but the real challenge is understanding the question. 

Do not panic. Keep your towel close. And remember—it’s rarely the visible asteroid that causes the problem, but the unseen assumption moving quietly at speed. 

So long and thanks for all the risk. 

Frequently asked questions

What is value-based GRC technology? 

Value-based GRC technology focuses on business outcomes rather than feature lists alone. It helps organizations improve governance, risk, and compliance processes by making them more connected, usable, and effective in practice. 

Why is flexibility important in GRC software?

Flexibility matters because every organization has different risk frameworks, compliance obligations, and operating models. A flexible GRC platform can adapt to those needs without forcing teams into rigid workflows or expensive custom development. 

How is configurable GRC software different from customized GRC software? 

Configurable GRC software allows organizations to shape workflows, forms, and reporting without changing core code. Customized software usually involves bespoke development, which can create upgrade issues, technical debt, and longer-term maintenance problems. 

What should buyers look for in a GRC platform? 

Buyers should look for a platform that supports their operating model, connects risk and compliance activities, enables clear reporting, and is easy for teams to use. They should also consider whether the provider offers practical advice rather than only selling features. 

How should organizations approach AI in GRC? 

Organizations should approach AI in GRC through the lens of value, governance, and data privacy. Rather than adopting AI for hype, teams should focus on where it improves evidence review, assessment, reporting, or decision-making in a controlled and accountable way. 

How can AI support evidence-led compliance? 

AI can help compliance teams review documentation, assess evidence against frameworks, identify gaps, and reduce manual effort. Its greatest value comes when it is connected to wider GRC workflows such as remediation, action tracking, and risk management. 

Why do advisory capabilities matter in a GRC technology provider? 

Advisory capabilities matter because software alone does not solve governance and compliance challenges. A strong provider should understand how requirements will work in practice and help organizations improve their approach, not just digitize existing problems. 

What is the main takeaway from Michael Rasmussen’s conversation with Richard Eddolls? 

The main takeaway is that strong GRC technology should deliver practical value. It should be flexible, intuitive, and aligned to real business needs, while helping organizations manage change, connect evidence, and make better decisions.

Who is Michael Rasmussen? 

Michael Rasmussen is a widely recognized GRC analyst, commentator, and founder of GRC 20/20. He is known for his work on governance, risk, compliance, and related technology markets, and for helping organizations understand how GRC programs should work in practice. 

What is Michael Rasmussen’s podcast about? 
