
A conversation with our GRC Strategy Director: how to achieve value-based GRC


Value-based GRC webinar | CoreStream GRC

“With value-based GRC, your organization can achieve more and gain a greater competitive advantage.”
— Paul Cadwallader, GRC Strategy Director, CoreStream GRC

Our GRC Strategy Director, and former Deloitte partner, Paul Cadwallader, who leads bespoke workshops for enterprises seeking to enhance and optimize their Governance, Risk, and Compliance (GRC) programs, sat down with our Head of Marketing, Lucy Montague, to share insights on value-based GRC and the key themes explored in enterprise workshops.

Prefer reading the highlights over watching the full session?
No problem, we adapt to your preferences. Check out our handy guide with additional insights from Risk leaders!

Defining Value-Based GRC

OCEG defines GRC as the capability to:

  • Reliably achieve objectives (governance)
  • Address uncertainty (risk management)
  • Act with integrity (compliance)

This framework supports what OCEG calls Principled Performance. Adding the value dimension brings GRC back to its core purpose: enabling performance.

Value-based GRC goes beyond avoiding penalties or saving time through more efficient box-ticking. It aligns governance, risk, and compliance with what matters most: your organization’s strategic goals and objectives.

“GRC is not only about avoiding the downside. It should actively drive value. Value-based GRC enables you to unlock the upside and achieve what your organization truly wants.” — Paul Cadwallader

Full transcription of the value-based GRC webinar conversation

Lucy Montague (00:17):
Welcome, Paul, to this discussion on value-based GRC. We’re here to explore a new concept—connecting value to governance, risk, and compliance—and how we can reframe how GRC is perceived across the broader business.
Paul, could you start by sharing a bit about your background and why you see value-based GRC as so important?

Paul Cadwallader (00:44):
Absolutely. My background spans over 20 years in professional services, including time at 2 of the Big Four firms. I’ve spent my career in the GRC space, helping multinational organizations redesign their risk, compliance, and assurance functions. I also led a significant business that combined framework design with technology implementation to enable those frameworks.

Lucy Montague (01:27):
Thank you. Let’s begin with the definition—what does value-based GRC mean to you?

Paul Cadwallader (01:37):
To understand value-based GRC, we first need to look at the definition of GRC itself. OCEG offers a great one: GRC is the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

Governance sets the direction and strategy. Risk management identifies, assesses, and monitors uncertainty—aligned with ISO 31000’s definition of risk as uncertainty on objectives. Compliance ensures the organization fulfils regulatory and self-imposed obligations, and follows through on risk treatment plans to confirm controls are in place.

Lucy Montague (02:52):
And how do you layer value on top of that?

Paul Cadwallader (02:56):
If we look at the dictionary definition of “value,” it refers to something useful, important, or beneficial. In a value-based system, the focus is on achieving the best outcomes at the lowest cost.
In healthcare, for example, it’s about improving patient outcomes while optimizing resources. In GRC, I see 3 pillars of value-based approaches:

  1. Business outcomes: Prioritizing what matters most to stakeholders—customer satisfaction, quality of life, etc.
  2. Cost effectiveness: Achieving outcomes efficiently, minimizing waste.
  3. Transparency & accountability: Ensuring decisions are transparent and resources are used effectively.

Value is subjective—it’s in the eye of the beholder.

Lucy Montague (04:58):
So we’re moving beyond just monetary ROI and considering what value means to each stakeholder?

Paul Cadwallader (05:08):
Exactly. Organizations often focus on efficiency when articulating the value of GRC—like saving 40% through automation. But that’s often the least impactful of the 3 dimensions.

True value comes from aligning GRC with business outcomes. Risk management, for example, should be tied to objectives, not just treated as a standalone function. Every part of the organization has objectives, and risks are the barriers to achieving them.
If you don’t link risk to objectives, how can you anticipate challenges or ensure success? That’s the upside of value-based GRC: it helps you achieve strategic goals, not just avoid negatives.

Lucy Montague (10:53):
So with effective value-based GRC, a business can achieve more and gain a competitive edge?

Paul Cadwallader (11:09):
Absolutely. It builds trust with stakeholders, shareholders, and regulators. If you consistently achieve your objectives and manage risks well, you gain credibility. That can lead to improved share prices, investor confidence, and regulatory trust.
Organizations that do GRC right often flourish, but many only get there after a painful event. It shouldn’t take a crisis to realize the value of GRC.

Lucy Montague (13:11):
Let’s go back a bit. Can we talk about traditional GRC, how it’s often seen as a negative, a tick-box exercise, and why we’re now shifting toward value-based GRC?

Paul Cadwallader (13:31):
Great question. In my 25 years in GRC, I’ve seen this evolution unfold, often without people realizing it.
Historically, GRC emerged in response to external pressures, regulations, incidents, and crises. Organizations responded reactively, applying “sticking plasters” to each new issue. Over time, this created siloed systems, different functions doing different things, often disconnected.
Technology wasn’t mature enough a decade ago to support seamless integration. But now, we have the opportunity to shift from reactive to proactive, and to drive real business value.

Lucy Montague (16:48):
It’s an exciting time.

Paul Cadwallader (16:51):
Absolutely.

Lucy Montague (16:56):
You’ve worked in GRC for 25 years. Can you share examples of companies that have outgrown traditional GRC and are embracing this new approach, across people, process, or technology?

Paul Cadwallader (17:19):
You need all three, people, process, and technology, to make it work.
I’ve worked with global conglomerates that faced existential threats. That forced them to rethink and align GRC with how they run the business. I’ve seen organizations evolve from decentralized to centralized models and back again, with GRC capabilities evolving alongside.
One analogy I love: imagine a fleet of ships. The group defines the strategic direction and the major risks, the icebergs. But each ship (business unit) is responsible for its own operations. That’s how governance, risk, and compliance should work, central oversight with local accountability.
Younger, fast-growing companies are also leading the way. They’re building interconnected GRC systems from the start, creating a “digital twin” of their organization. This allows them to trace risks, policies, controls, and objectives in real time, and even simulate scenarios to anticipate future challenges.

Lucy Montague (23:28):
So it’s about moving from reactive “sticking plasters” to proactive scenario planning, giving leaders the confidence to say, “If we do X, we’ll likely get Y”?

Paul Cadwallader (23:50):
Exactly. That’s how you get buy-in and alignment.

Lucy Montague (23:55):
Let’s talk about technology. You mentioned flexibility and interconnectedness. What have you seen in the market in terms of how vendors are supporting this shift?

Paul Cadwallader (24:22):
That’s a big challenge. Most vendors offer predefined modules with limited flexibility. But every organization is different, even within the same industry and country.
Their operating models, histories, and leadership expectations vary. So a one-size-fits-all approach doesn’t work.
That’s why we’re seeing more RFPs: organizations are looking for vendors that can adapt to their specific needs. They want a platform that supports interconnected GRC, aligns with their strategy, and evolves with them.

Lucy Montague (27:01):
Do you think buyers are becoming more aware of this, wanting future-proof solutions rather than just meeting today’s needs?

Paul Cadwallader (27:26):
Yes, but it’s still a relatively new trend. More organizations are thinking long-term, but few are overhauling everything at once.
Most are starting a journey, making decisions today that will support future growth. They’re looking for platforms that can scale and adapt over time.

Lucy Montague (28:21):
So when it comes to planning, is it better for a company to start with one use case or to map out the full GRC ecosystem from the beginning?

Paul Cadwallader (28:39):
To maximize success, you need your entire leadership team on board. That starts with mapping out a vision, helping them understand the value of GRC.
You won’t deliver everything in one go, but you’re setting the roadmap. Typically, I recommend starting with two or three use cases. That way, you demonstrate value early and build momentum.
If you only start with one, it may take longer to show impact, and you risk staying in a siloed mindset.

Lucy Montague (29:58):
Can you share an example of a company that started with a few use cases and unlocked broader value?

Paul Cadwallader (30:09):
Yes, a FTSE 100 company we worked with began with risk, internal control, and internal audit, driven by the UK Corporate Governance Code, especially Provision 29.
They linked their GRC platform directly to their strategic pillars. Executives could log in and see risks tied to their objectives.
From there, they expanded into policy management, integrating with their HR system so employees only saw policies relevant to their roles.
Then they added third-party risk and data privacy. The dots started connecting, and they built a truly integrated GRC ecosystem.

Lucy Montague (31:54):
For global enterprises, would you recommend starting with one region or going global from day one?

Paul Cadwallader (32:15):
It depends on the organization’s maturity and existing processes. Some prefer piloting in one region; others go for a global rollout.
It comes down to change management and capacity. Technology is just the enabler; you need people and processes aligned.
Digitization unlocks the ability to improve processes, but without proper communication and change management, you won’t realize the full value.

Lucy Montague (34:09):
And that ties back to your earlier point, value is in the eye of the beholder. Every jurisdiction needs to understand how the project benefits them.

Paul Cadwallader (34:22):
Exactly.

Lucy Montague (34:24):
Let’s talk strategy. How do you tie GRC to business objectives?

Paul Cadwallader (34:41):
Start by sitting down with those who own the objectives. Ask: What are we trying to achieve? What could go wrong?
Unpack risks and mitigation strategies. It’s not always about controls; you might transfer or insure the risk.
This applies at every level, from group strategy to individual processes.
Even basic processes like purchase-to-pay have clear objectives and risks. Apply the same thinking to strategic goals.

Lucy Montague (37:22):
And decision-making?

Paul Cadwallader (37:23):
Every decision involves risk. Whether it’s crossing the road or launching a product, we assess risk based on experience and appetite.
Organizations often focus on upside but neglect the downside.
We need frameworks that help decision-makers, especially those lower down, consider risks properly.
Many failures trace back to poor decisions made without risk consideration.

Lucy Montague (40:28):
So it’s about going back to basics, aligning risk appetite with strategic focus.

Paul Cadwallader (40:45):
Exactly. Keep it simple and actionable.

Lucy Montague (40:46):
What are some quick wins people can take away from this conversation?

Paul Cadwallader (41:08):
Start by sketching out your GRC architecture. Socialize the concept, show how GRC adds value beyond compliance.
It doesn’t need to be complex. A whiteboard mindmap and the right questions can spark meaningful conversations.
Get your fellow GRC functions together. Paint a vision.
Talk to your CFO, get buy-in, and build momentum across the executive team.

Lucy Montague (43:13):
What kind of metrics or reporting does value-based GRC unlock?

Paul Cadwallader (43:31):
It’s about showing risk reduction and proactive management.
If it feels bureaucratic, the process is too complex.
You won’t see quantitative benefits immediately; many are qualitative and intangible.
But if board members feel confident in their peers’ ability to manage risks and achieve objectives, that’s powerful.
Confidence leads to better decisions and resource planning.

Lucy Montague (45:45):
One of our healthcare clients said they couldn’t justify hiring before. Now, with informed data-led insight from the CoreStream GRC platform, they can.

Paul Cadwallader (46:09):
Exactly.

Lucy Montague (46:11):
Final question, what should GRC professionals look for in value-based GRC technology?

Paul Cadwallader (46:31):
Look for the ability to connect all GRC components and build a digital twin of your organization.
It must fit your operating model: centralized, decentralized, or hybrid.
Don’t just list features. Define the processes you want to digitize and the model they operate within.
Challenge vendors to prove flexibility. Ask them to demonstrate how their platform supports your specific needs.
If they can do that, they’re the right fit.

Lucy Montague (49:02):
So process-led, not just functionality-led.

Paul Cadwallader (49:05):
100%.

Lucy Montague (49:06):
Thank you, Paul. We offer complimentary workshops with Paul, for companies who bring at least 3 senior stakeholders to the sessions, and of course demos too.

As a final takeaway, what should the audience leave with?

Paul Cadwallader (49:37):
Think about your vision.
What does your GRC architecture look like, not just for your function, but across all GRC functions?
How do you work together to deliver value and support business viability?
And if you’re looking at technology, prioritize process and operating model over features.
Features are nice, but process is everything.

Lucy Montague (50:14):
Brilliant. Thank you very much, Paul.

Paul Cadwallader (50:17):
Pleasure.

Frequently Asked Questions: Value-Based GRC

What is value-based GRC according to CoreStream GRC?

Value-based GRC, as defined by CoreStream GRC, is an approach that aligns governance, risk, and compliance to strategic business outcomes—driving performance, trust, and resilience instead of just ticking compliance boxes.

How is value-based GRC different from traditional GRC at CoreStream GRC?

Traditional GRC centers on risk avoidance and audits; value-based GRC at CoreStream GRC connects risks, controls, and policies to objectives and decisions, unlocking upside (growth, agility) as well as managing downside.

Why should enterprises adopt value-based GRC with CoreStream GRC?

Enterprises use CoreStream GRC to achieve goals with confidence, improve stakeholder trust, reduce duplicated effort, and make faster, better-informed decisions across functions.

What are the core components of a value-based GRC framework in CoreStream GRC?

CoreStream GRC frames value-based GRC around: strategic alignment, integrated risk, transparent compliance, real-time insight, and scenario/decision support.

How does CoreStream GRC turn GRC into measurable business value?

CoreStream GRC links risks, controls, and processes directly to strategic pillars, enabling objective-based risk management, outcome tracking, and board-ready reporting that proves impact.

What is a “digital twin” of GRC in CoreStream GRC?

A digital twin in CoreStream GRC is a live model of structures, risks, controls, policies, and objectives—powering real-time monitoring, scenario testing, and predictive insight for proactive governance.

What quick wins does CoreStream GRC recommend to start value-based GRC?

CoreStream GRC suggests: map your current GRC architecture, align to key objectives, pick 2–3 pilot use cases (e.g., TPRM, policies, incidents), and define a blended metric set (qualitative and quantitative).

How should GRC leaders measure ROI with CoreStream GRC?

CoreStream GRC uses a blended scorecard: risk reduction, time-to-insight, faster regulatory/board reporting, stakeholder confidence, and contribution to strategic goal attainment.

What role does technology play in value-based GRC at CoreStream GRC?

CoreStream GRC’s no-code, integrated platform connects risk, compliance, audit, and policy; integrates with HR/finance/third-party tools; and delivers real-time dashboards and automation.

How does CoreStream GRC support global, complex operating models?

CoreStream GRC adapts to centralized, decentralized, or hybrid models, supporting regional hosting, flexible workflows, and configurable data structures that evolve as the business changes.

What should buyers look for in a value-based GRC platform like CoreStream GRC?

CoreStream GRC advises choosing platforms that connect end-to-end GRC, fit your operating model, enable scenario planning, provide real-time reporting, and are process-led (not feature-led).

How can teams move from talk to action with CoreStream GRC?

CoreStream GRC offers a complimentary workshop with Strategy Director Paul Cadwallader to design pilots, metrics, and a roadmap for outcome-driven GRC. Book a workshop or request a demo.
