A conversation with our GRC Strategy Director: how to achieve value-based GRC

Value-based GRC webinar | CoreStream GRC

“With value-based GRC, your organization can achieve more and gain a greater competitive advantage.”
— Paul Cadwallader, GRC Strategy Director, CoreStream GRC

Our GRC Strategy Director, and former Deloitte partner, Paul Cadwallader, who leads bespoke workshops for enterprises seeking to enhance and optimize their Governance, Risk, and Compliance (GRC) programs, sat down with our Head of Marketing, Lucy Montague, to share insights on value-based GRC and the key themes explored in enterprise workshops.

Prefer reading the highlights over watching the full session?
No problem, we adapt to your preferences. Check out our handy guide with additional insights from Risk leaders!

Defining Value-Based GRC

OCEG defines GRC as the capability to:

  • Reliably achieve objectives (governance)
  • Address uncertainty (risk management)
  • Act with integrity (compliance)

This framework supports what OCEG calls Principled Performance. Adding the value dimension brings GRC back to its core purpose: enabling performance.

Value-based GRC goes beyond avoiding penalties or saving time through more efficient box-ticking. It aligns governance, risk, and compliance with what matters most: your organization’s strategic goals and objectives.

“GRC is not only about avoiding the downside. It should actively drive value. Value-based GRC enables you to unlock the upside and achieve what your organization truly wants.” — Paul Cadwallader

Full transcription of the value-based GRC webinar conversation

Lucy Montague (00:17):
Welcome, Paul, to this discussion on value-based GRC. We’re here to explore a new concept—connecting value to governance, risk, and compliance—and how we can reframe how GRC is perceived across the broader business.
Paul, could you start by sharing a bit about your background and why you see value-based GRC as so important?

Paul Cadwallader (00:44):
Absolutely. My background spans over 20 years in professional services, including time at 2 of the Big Four firms. I’ve spent my career in the GRC space, helping multinational organizations redesign their risk, compliance, and assurance functions. I also led a significant business that combined framework design with technology implementation to enable those frameworks.

Lucy Montague (01:27):
Thank you. Let’s begin with the definition—what does value-based GRC mean to you?

Paul Cadwallader (01:37):
To understand value-based GRC, we first need to look at the definition of GRC itself. OCEG offers a great one: GRC is the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

Governance sets the direction and strategy. Risk management identifies, assesses, and monitors uncertainty—aligned with ISO 31000’s definition of risk as uncertainty on objectives. Compliance ensures the organization fulfils regulatory and self-imposed obligations, and follows through on risk treatment plans to confirm controls are in place.

Lucy Montague (02:52):
And how do you layer value on top of that?

Paul Cadwallader (02:56):
If we look at the dictionary definition of “value,” it refers to something useful, important, or beneficial. In a value-based system, the focus is on achieving the best outcomes at the lowest cost.
In healthcare, for example, it’s about improving patient outcomes while optimizing resources. In GRC, I see 3 pillars of value-based approaches:

  1. Business outcomes: Prioritizing what matters most to stakeholders—customer satisfaction, quality of life, etc.
  2. Cost effectiveness: Achieving outcomes efficiently, minimizing waste.
  3. Transparency & accountability: Ensuring decisions are transparent and resources are used effectively.

Value is subjective—it’s in the eye of the beholder.

Lucy Montague (04:58):
So we’re moving beyond just monetary ROI and considering what value means to each stakeholder?

Paul Cadwallader (05:08):
Exactly. Organizations often focus on efficiency when articulating the value of GRC—like saving 40% through automation. But that’s often the least impactful of the 3 dimensions.

True value comes from aligning GRC with business outcomes. Risk management, for example, should be tied to objectives, not just treated as a standalone function. Every part of the organization has objectives, and risks are the barriers to achieving them.
If you don’t link risk to objectives, how can you anticipate challenges or ensure success? That’s the upside of value-based GRC: it helps you achieve strategic goals, not just avoid negatives.

Lucy Montague (10:53):
So with effective value-based GRC, a business can achieve more and gain a competitive edge?

Paul Cadwallader (11:09):
Absolutely. It builds trust with stakeholders, shareholders, and regulators. If you consistently achieve your objectives and manage risks well, you gain credibility. That can lead to improved share prices, investor confidence, and regulatory trust.
Organizations that do GRC right often flourish, but many only get there after a painful event. It shouldn’t take a crisis to realize the value of GRC.

Lucy Montague (13:11):
Let’s go back a bit. Can we talk about traditional GRC, how it’s often seen as a negative, a tick-box exercise, and why we’re now shifting toward value-based GRC?

Paul Cadwallader (13:31):
Great question. In my 25 years in GRC, I’ve seen this evolution unfold, often without people realizing it.
Historically, GRC emerged in response to external pressures, regulations, incidents, and crises. Organizations responded reactively, applying “sticking plasters” to each new issue. Over time, this created siloed systems, different functions doing different things, often disconnected.
Technology wasn’t mature enough a decade ago to support seamless integration. But now, we have the opportunity to shift from reactive to proactive, and to drive real business value.

Lucy Montague (16:48):
It’s an exciting time.

Paul Cadwallader (16:51):
Absolutely.

Lucy Montague (16:56):
You’ve worked in GRC for 25 years. Can you share examples of companies that have outgrown traditional GRC and are embracing this new approach, across people, process, or technology?

Paul Cadwallader (17:19):
You need all three: people, process, and technology, to make it work.
I’ve worked with global conglomerates that faced existential threats. That forced them to rethink and align GRC with how they run the business. I’ve seen organizations evolve from decentralized to centralized models and back again, with GRC capabilities evolving alongside.
One analogy I love: imagine a fleet of ships. The group defines the strategic direction and the major risks, the icebergs. But each ship (business unit) is responsible for its own operations. That’s how governance, risk, and compliance should work, central oversight with local accountability.
Younger, fast-growing companies are also leading the way. They’re building interconnected GRC systems from the start, creating a “digital twin” of their organization. This allows them to trace risks, policies, controls, and objectives in real time, and even simulate scenarios to anticipate future challenges.

Lucy Montague (23:28):
So it’s about moving from reactive “sticking plasters” to proactive scenario planning, giving leaders the confidence to say, “If we do X, we’ll likely get Y”?

Paul Cadwallader (23:50):
Exactly. That’s how you get buy-in and alignment.

Lucy Montague (23:55):
Let’s talk about technology. You mentioned flexibility and interconnectedness. What have you seen in the market in terms of how vendors are supporting this shift?

Paul Cadwallader (24:22):
That’s a big challenge. Most vendors offer predefined modules with limited flexibility. But every organization is different, even within the same industry and country.
Their operating models, histories, and leadership expectations vary. So a one-size-fits-all approach doesn’t work.
That’s why we’re seeing more RFPs; organizations are looking for vendors that can adapt to their specific needs. They want a platform that supports interconnected GRC, aligns with their strategy, and evolves with them.

Lucy Montague (27:01):
Do you think buyers are becoming more aware of this, wanting future-proof solutions rather than just meeting today’s needs?

Paul Cadwallader (27:26):
Yes, but it’s still a relatively new trend. More organizations are thinking long-term, but few are overhauling everything at once.
Most are starting a journey, making decisions today that will support future growth. They’re looking for platforms that can scale and adapt over time.

Lucy Montague (28:21):
So when it comes to planning, is it better for a company to start with one use case or to map out the full GRC ecosystem from the beginning?

Paul Cadwallader (28:39):
To maximize success, you need your entire leadership team on board. That starts with mapping out a vision, helping them understand the value of GRC.
You won’t deliver everything in one go, but you’re setting the roadmap. Typically, I recommend starting with two or three use cases. That way, you demonstrate value early and build momentum.
If you only start with one, it may take longer to show impact, and you risk staying in a siloed mindset.

Lucy Montague (29:58):
Can you share an example of a company that started with a few use cases and unlocked broader value?

Paul Cadwallader (30:09):
Yes, a FTSE 100 company we worked with began with risk, internal control, and internal audit, driven by the UK Corporate Governance Code, especially Provision 29.
They linked their GRC platform directly to their strategic pillars. Executives could log in and see risks tied to their objectives.
From there, they expanded into policy management, integrating with their HR system so employees only saw policies relevant to their roles.
Then they added third-party risk and data privacy. The dots started connecting, and they built a truly integrated GRC ecosystem.

Lucy Montague (31:54):
For global enterprises, would you recommend starting with one region or going global from day one?

Paul Cadwallader (32:15):
It depends on the organization’s maturity and existing processes. Some prefer piloting in one region; others go for a global rollout.
It comes down to change management and capacity. Technology is just the enabler; you need people and processes aligned.
Digitization unlocks the ability to improve processes, but without proper communication and change management, you won’t realize the full value.

Lucy Montague (34:09):
And that ties back to your earlier point, value is in the eye of the beholder. Every jurisdiction needs to understand how the project benefits them.

Paul Cadwallader (34:22):
Exactly.

Lucy Montague (34:24):
Let’s talk strategy. How do you tie GRC to business objectives?

Paul Cadwallader (34:41):
Start by sitting down with those who own the objectives. Ask: What are we trying to achieve? What could go wrong?
Unpack risks and mitigation strategies. It’s not always about controls; you might transfer or insure the risk.
This applies at every level, from group strategy to individual processes.
Even basic processes like purchase-to-pay have clear objectives and risks. Apply the same thinking to strategic goals.

Lucy Montague (37:22):
And decision-making?

Paul Cadwallader (37:23):
Every decision involves risk. Whether it’s crossing the road or launching a product, we assess risk based on experience and appetite.
Organizations often focus on upside but neglect the downside.
We need frameworks that help decision-makers, especially those lower down, consider risks properly.
Many failures trace back to poor decisions made without risk consideration.

Lucy Montague (40:28):
So it’s about going back to basics, aligning risk appetite with strategic focus.

Paul Cadwallader (40:45):
Exactly. Keep it simple and actionable.

Lucy Montague (40:46):
What are some quick wins people can take away from this conversation?

Paul Cadwallader (41:08):
Start by sketching out your GRC architecture. Socialize the concept, show how GRC adds value beyond compliance.
It doesn’t need to be complex. A whiteboard mindmap and the right questions can spark meaningful conversations.
Get your fellow GRC functions together. Paint a vision.
Talk to your CFO, get buy-in, and build momentum across the executive team.

Lucy Montague (43:13):
What kind of metrics or reporting does value-based GRC unlock?

Paul Cadwallader (43:31):
It’s about showing risk reduction and proactive management.
If it feels bureaucratic, the process is too complex.
You won’t see quantitative benefits immediately, many are qualitative and intangible.
But if board members feel confident in their peers’ ability to manage risks and achieve objectives, that’s powerful.
Confidence leads to better decisions and resource planning.

Lucy Montague (45:45):
One of our healthcare clients said they couldn’t justify hiring before. Now, with informed data-led insight from the CoreStream GRC platform, they can.

Paul Cadwallader (46:09):
Exactly.

Lucy Montague (46:11):
Final question, what should GRC professionals look for in value-based GRC technology?

Paul Cadwallader (46:31):
Look for the ability to connect all GRC components and build a digital twin of your organization.
It must fit your operating model: centralized, decentralized, or hybrid.
Don’t just list features. Define the processes you want to digitize and the model they operate within.
Challenge vendors to prove flexibility. Ask them to demonstrate how their platform supports your specific needs.
If they can do that, they’re the right fit.

Lucy Montague (49:02):
So process-led, not just functionality-led.

Paul Cadwallader (49:05):
100%.

Lucy Montague (49:06):
Thank you, Paul. We offer complimentary workshops with Paul for companies that bring at least 3 senior stakeholders to the sessions, and of course demos too.

As a final takeaway, what should the audience leave with?

Paul Cadwallader (49:37):
Think about your vision.
What does your GRC architecture look like, not just for your function, but across all GRC functions?
How do you work together to deliver value and support business viability?
And if you’re looking at technology, prioritize process and operating model over features.
Features are nice, but process is everything.

Lucy Montague (50:14):
Brilliant. Thank you very much, Paul.

Paul Cadwallader (50:17):
Pleasure.

Frequently Asked Questions: Value-Based GRC

What is value-based GRC?

Value-based GRC (Governance, Risk, and Compliance) is an approach that aligns GRC activities with an organization’s strategic objectives. It goes beyond compliance and risk mitigation to actively drive business value, improve outcomes, and support long-term performance.

How is value-based GRC different from traditional GRC?

Traditional GRC often focuses on regulatory compliance and risk avoidance, typically in siloed functions. Value-based GRC integrates governance, risk, and compliance into a unified framework that supports strategic decision-making, enhances transparency, and enables proactive risk management.

Why is value-based GRC important for enterprise organizations?

Value-based GRC helps enterprises:

  • Achieve strategic goals more effectively
  • Improve stakeholder trust and regulatory confidence
  • Reduce risk while unlocking growth opportunities
  • Make better, data-informed decisions
  • Build resilience and agility in a changing environment

What are the key components of a value-based GRC framework?

A value-based GRC framework typically includes:

  • Strategic alignment with business objectives
  • Integrated risk management
  • Transparent compliance processes
  • Real-time data and reporting
  • Scenario planning and decision support

How does value-based GRC support business performance?

By linking GRC activities to business outcomes, organizations can:

  • Identify and manage risks that impact growth
  • Optimize resource allocation
  • Improve operational efficiency
  • Enhance decision-making confidence at all levels

What is a digital twin in the context of GRC?

A digital twin in GRC is a virtual representation of an organization’s structure, processes, risks, controls, and objectives. It enables real-time monitoring, scenario analysis, and predictive insights to support proactive governance and risk management.

What role does technology play in value-based GRC?

Technology is a key enabler of value-based GRC. Modern GRC platforms provide:

  • Interconnected modules for risk, compliance, audit, and policy management
  • Flexibility to adapt to different operating models
  • Real-time dashboards and analytics
  • Integration with HR, finance, and third-party systems

How do you measure the ROI of a GRC program?

Return on investment (ROI) in GRC is measured not just by cost savings or avoided fines, but by:

  • Risk reduction
  • Strategic goal achievement
  • Improved stakeholder confidence
  • Faster, more informed decision-making

What are some quick wins to start a value-based GRC journey?

  • Map your current GRC architecture
  • Identify key business objectives and associated risks
  • Engage leadership in defining a shared vision
  • Start with 2–3 interconnected use cases
  • Choose flexible technology that supports your operating model

What should you look for in a value-based GRC platform?

Look for a platform that:

  • Supports end-to-end GRC integration
  • Adapts to your organizational structure and processes
  • Enables scenario planning and risk modeling
  • Offers real-time reporting and insights
  • Is process-led, not just feature-led