The future of GRC: what principles-based regulation means for GRC teams

Key takeaways  Introduction: the GRC rulebook is getting smaller, as accountability grows  Ask any compliance officer what’s changed in their job over the last two years, and few will point to a single new regulation. They will point to something harder to pin down: a growing expectation that they explain and defend their own judgment, rather than simply follow a rule written by someone…

Lucy Montague Avatar

Key takeaways 

  • Regulators across the UK, the EU and the US are all moving the same direction: shorter rulebooks, less prescription, and a bigger burden on organizations to define, defend and evidence their own judgment. 
  • Traditional enterprise risk management approaches often create a false sense of security. A populated risk register is not the same as understanding what could stop the business achieving what matters most. 
  • Firms that treat this shift as a compliance problem will fall behind. Firms that treat it as a strategic opportunity will build genuine resilience and a real competitive edge. 
  • Value-based GRC gives organizations a practical way to make this real, connecting governance, risk and compliance to business outcomes rather than paperwork. 

Introduction: the GRC rulebook is getting smaller, as accountability grows 

Ask any compliance officer what’s changed in their job over the last two years, and few will point to a single new regulation. They will point to something harder to pin down: a growing expectation that they explain and defend their own judgment, rather than simply follow a rule written by someone else. 

It’s a change that’s visible everywhere you look.  

Just this week (10 July 2026), the UK’s Financial Conduct Authority (FCA) makes live the latest simplifications to SMCR (the Senior Managers and Compliance Regime) while stating plainly that the underlying accountability framework hasn’t changed

Similarly, the EU has just cut back years of prescriptive sustainability reporting rules in favor of a leaner, risk-based approach while the US Department of Justice has spent nearly a decade telling prosecutors to look past the policy binder and ask whether a compliance program actually works in practice. 

Three different regulators, three different jurisdictions, three different rulebooks. But all converging on the same idea: prescription is retreating and evidenced, defensible judgment is taking its place. 

For governance, risk and compliance teams, this changes the meaning of “being compliant”. A checklist, however thoroughly completed, no longer proves very much. What matters is whether an organization can show it identified its own risks, made a sound call, and can produce the evidence behind that call when someone asks.  

This article looks at where that shift is showing up across different sectors and geographies, why traditional risk management often leaves organizations more exposed than they realize, and what a genuinely value-based approach to governance, risk and compliance looks like when the rulebook stops giving you the answer. 

Three governance jurisdictions, one direction of travel 

Start in Brussels. In February 2026, the EU formally adopted its Omnibus I directive, a sweeping simplification of the Corporate Sustainability Reporting Directive and the Corporate Sustainability Due Diligence Directive. The changes cut the number of mandatory reporting data points by roughly 70%, narrowed which companies are in scope, and replaced a tier-based approach to supply chain due diligence with a risk-based one, letting companies focus on the impacts most likely to occur and be most severe, rather than mapping every tier of every supply chain with equal intensity. As law firm White & Case summed it up: “simplified, not abandoned.” Fewer boxes to tick, but the same underlying duty to know your risks and be able to show your working. 

Across the Atlantic, the same principle sits at the heart of the US Department of Justice’s guidance on evaluating corporate compliance programs, the benchmark prosecutors use across every industry. The guidance asks three simple questions:  

  1. is the program well designed,  
  1. is it applied in good faith,  
  1. does it actually work in practice.  

Prosecutors are instructed to “probe specifically whether a compliance program is a ‘paper program’ or one implemented, resourced, reviewed, and revised, as appropriate, in an effective manner.” A beautifully drafted policy sitting untouched in a shared drive counts for very little. 

Back in Britain, there’s an interesting example that’s been running for half a century. The Health and Safety at Work Act 1974 has always been what regulators call “goal-setting” legislation. It specifies the outcome – a  safe workplace – rather than prescribing exactly how to get there, and it puts the burden of proof squarely on the employer, who must show their risk assessment was “suitable and sufficient”.  

Recently however, through 2025 and 2026, the Health and Safety Executive has signaled it will treat psychosocial risks, workplace stress, excessive workload, burnout, with the same seriousness as a faulty guard rail or an unmarked fire exit. It will therefore expect employers to assess and evidence those risks under the same fifty-year-old legal duty. No new law was needed. The regulator simply pointed an existing, outcomes-based duty at a newly serious risk, and left it to employers to prove they had taken it seriously too. 

This focus on forethought and accountability rather than tick-boxes is seen in the UK’s reform of its Senior Managers and Certification Regime, and through Provision 29 of the UK Corporate Governance Code which, since January 2026, has required the boards of all companies (not just financial services) with a Premium Listing to declare the effectiveness of their material controls each year

Grace Suleyman, Chief Compliance Officer at MS Amlin, put the underlying dynamic well on a recent Spotlight on Women in GRC podcast episode:  

“Whilst the FCA prescribes less, the onus is very much shifting to firms interpreting the rules and being able to demonstrate that their SMCR framework is actually more robust than it was historically.” 

Grace Suleyman, Chief Compliance Officer, MS Amlin

It’s a good, precise summary of the change that, while currently most visible in financial services, is coming to GRC teams in every country and every sector. 

Why the Enterprise Risk Management (ERM) risk register isn’t the safety net it seems 

If prescriptive rules are retreating, the obvious question is what replaces them. For many organizations, the honest answer is: not enough. 

Enterprise risk management (ERM), the discipline meant to give leaders a clear view of what could derail the business, has too often become exactly the kind of tick-box exercise regulators are now moving away from. Tim Leech, pioneer of Objective Centric Risk and Uncertainty Management and an outspoken critic of the ERM approach, made this point sharply on a recent episode of the Risk Is Our Business podcast.  

“The problem is the creation of ‘risk list management’ … Consultants were called in. They asked what do you see as the biggest risks. They put them into a risk register and analyzed them. Then they presented the risk register and heat map to the board and called it ERM.” 

Tim Leech, Managing Director, Risk Oversight Solutions Inc.

Leech’s argument is that most organizations never ask or answer the harder question: what is genuinely uncertain about the objectives that matter most to this business.  

A long list of generic risks, he suggests, creates a false sense of security. It reassures the board without telling anyone whether the business will actually hit the targets it depends on. His sharpest point is about disconnection: risk registers are too often built in isolation from strategic planning, with nobody asking what a department’s mission-critical objective really is, and what could get in its way. 

This is exactly what the DOJ flags as a warning sign of an ineffective compliance program: risk assessments built from generic templates, with limited input from the people who actually run the business, and no real link to what the compliance function then does. 

And the problem is compounded: 

Regulatory complexity is rising at the same time as the tools for managing it are being shown to fall short. 

How value-based GRC replaces the tick-box mentality 

The trend away from prescription towards a shrinking rule-book means, as Grace Suleyman says, the onus is shifting onto risk, compliance and audit teams to connect governance, risk and compliance directly to what the business is trying to achieve, and to be able to show their working. That’s the starting point for CoreStream GRC’s value-based GRC methodology. 

In the view of Paul Cadwallader, GRC Strategy Director at CoreStream GRC, traditional GRC focuses on the mechanics of compliance and reporting: avoiding fines, meeting regulatory obligations, satisfying auditors. Value-based GRC asks a different question.  

“GRC is not only about avoiding the downside,” he says. “It should actively drive value. Value-based GRC enables you to unlock the upside and achieve what your organization truly wants.” 

Paul Cadwallader, GRC Strategy Director, CoreStream GRC

That reframing is important in a world where the rulebook stops telling you exactly what to do. If governance, risk and compliance exist only to avoid a fine, an organization has no compass once the fine-avoiding checklist disappears. If they exist to help the business achieve its goals with confidence, the compass still works. 

There is a harder-nosed commercial case too, one that speaks directly to the accountability that boards and regulators are now demanding. Cadwallader explains:  

“Value-based GRC is about enabling your investors to back you and help you move faster. Various stakeholders, including regulators, trust you because they know you’ll do the right thing and act with integrity; they’ve seen it and believe in your capability. Rather than hindering progress, these engaged parties actively support you, making processes and approvals significantly quicker.”  

Paul Cadwallader, GRC Strategy Director, CoreStream GRC

In a principles-based regulatory environment, that trust is the thing that determines how a regulator, an investor or an auditor responds the first time something goes wrong. 

You can see this working in practice. UNT Health, a healthcare provider and CoreStream GRC client, built its conflict of interest program directly around one of its core values – what it calls “Courageous Integrity” – rather than treating disclosure as a compliance chore bolted on from the outside. The result was more than simply cleaner paperwork. In the first campaign run through the new system, 52 potential conflicts of interest were raised that would very likely have gone unnoticed under the old, informal process. Desiree Ramirez, Chief Integrity and Privacy Officer at UNT Health, explained the impact: 

“[The value-based GRC approach] gave me faith in my campus. People were being honest. It helped people live the values, not just hang them on a wall.”  

Desiree Ramirez, Chief Integrity and Privacy Officer, UNT Health

UNT Health Conflict of Interest case study download

That’s what it looks like when governance, risk and compliance tools are built around genuine organizational values rather than around the minimum the regulator requires: people surface problems earlier, because the system was designed to make that easy rather than merely mandatory. 

As Cadwallader says: 

“True value-based GRC connects integrity to impact. It’s how technology, people, and governance come together to make doing the right thing the easiest thing.” 

Paul Cadwallader, GRC Strategy Director, CoreStream GRC

That is the gap, and the opportunity, that opens up once prescriptive rules retreat. An organization that has made doing the right thing the easiest thing doesn’t need a detailed rulebook to fall back on. One that hasn’t will find every shortened checklist an invitation to cut corners. 

In practical terms, this comes down to 3 things CoreStream GRC’s own guidance sets out clearly:  

  • Connecting GRC activity like your principle risks to genuine business outcomes rather than treating it as a parallel process;  
  • Building transparency and trust, so that regulators, investors and partners can see evidence rather than assertion; and  
  • Achieving this without piling on cost and admin that a lean team can’t sustain.  

Value-based GRC doesn’t require an enterprise-scale program. It simply requires clear ownership, a connected view of risk and evidence, and the discipline to revisit it, not just once a year, but continuously, as circumstances change.

Conclusion: build the value-based GRC judgment now, not when a regulator requests it 

The direction of travel is clear and consistent across the UK, Europe and the USA. Regulators are prescribing less and expecting more. 

Organizations that respond by doing the bare minimum, hoping perhaps that a shorter rulebook means an easier ride, will find themselves exposed the first time something goes wrong and a regulator asks the simple question: how do you know, and can you prove it?  

Organizations that respond by building genuine ownership, live evidence and a connected view of risk will be the ones that can answer that question with confidence, and use that same clarity to move faster. 

That is the essence of value-based GRC. Not a compliance framework bolted on to satisfy a regulator, but a way of connecting governance, risk and compliance directly to the outcomes a business is trying to achieve, so that when prescription fades, judgment is ready to take its place. 

If you would like to explore what a value-based approach to governance, risk and compliance could look like in your organization, book a workshop with the CoreStream GRC team. It’s a practical, one-hour session with our GRC Strategy Director to talk through where the pressure points are in your business and what a more connected approach could achieve. 

Frequently asked questions about principles-based regulation and value-based GRC 

What is ERM (enterprise risk management)?  

Enterprise risk management is the discipline of identifying, assessing and managing risks that could prevent an organization achieving its objectives. Done well, it connects directly to strategic planning. Done poorly, it becomes a static risk register that creates a false sense of security without informing real decisions. 

What does “principles-based regulation” mean?  

Principles-based regulation sets out the outcome a regulator expects, rather than prescribing the exact steps to get there. It gives organizations flexibility, but requires them to interpret the principle, apply sound judgment, and evidence how they reached their decision. 

Does less regulatory prescription mean less compliance risk? 

No. Less prescription shifts responsibility onto the organization to define its own robust approach and prove it works. Regulators from the FCA to the European Commission to the US Department of Justice have all been explicit that reduced administrative burden does not mean reduced accountability. 

What is value-based GRC?  

Value-based GRC connects governance, risk and compliance directly to an organization’s strategic goals and values, rather than treating them as a separate exercise in avoiding fines. It replaces static checklists with genuine ownership, live evidence and continuous review, so an organization can demonstrate sound judgment even where regulators no longer spell out every step. 

How can CoreStream GRC help organizations manage this shift?  

CoreStream GRC’s value-based approach connects governance, risk and compliance tools so organizations can show clear ownership, live evidence and a connected view of risk, rather than static registers and disconnected spreadsheets, ready to withstand scrutiny from any regulator, auditor or board. 

  • The future of GRC: what principles-based regulation means for GRC teams

    The future of GRC: what principles-based regulation means for GRC teams

    Key takeaways  Introduction: the GRC rulebook is getting smaller, as accountability grows  Ask any compliance officer what’s changed in their job over the last two years, and few will point to a single new regulation. They will point to something harder to pin down: a growing expectation that they explain and defend their own judgment, rather than simply follow a rule written by someone…

  • Board governance

    Board governance

    What is board governance? Board governance is the way a board of directors directs, oversees, and holds an organization accountable. It covers how the board sets strategic direction, challenges management, monitors performance, oversees risk and internal controls, and makes decisions in the interests of the organization and its stakeholders.  In governance, risk, and compliance (GRC), board governance…

  • Board oversight

    Board oversight

    What is board oversight? Board oversight is the process through which a board of directors monitors, challenges, and holds an organization’s leadership accountable. It helps directors understand whether strategy is being delivered, risks are being managed, controls are operating effectively, and issues are being escalated and resolved.  In governance, risk, and compliance (GRC), board oversight matters because directors cannot…