#RISK Europe insights: moving beyond tick box exercises into true business strategy for GRC

Ava Kernan

#RISK Europe 2025 brought together senior voices from across governance, risk, compliance, data and regulation at the Excel, London. Attendees included CROs, Heads of Risk, AI governance leads and senior regulators from major organizations including Barclays, BT, Co-Op and the Chartered Insurance.

Across their sessions, the message was consistent. Real value comes when governance, risk, and compliance are simple, culturally embedded, and aligned with business growth. GRC is moving into the heart of business performance, not sitting beside it.

Here are a few of the key takeaways we discovered through sitting in the keynote sessions and chatting with visitors on the CoreStream GRC stand:

1. Real GRC value is created by culture and accountability

Culture came up in almost every session for a reason. Many organizations still rely on fear-driven admin, where compliance is something teams do because they are told to, not because they believe it truly supports business success. The leaders on stage argued that this is the moment to reframe GRC as part of how employees think, decide and work.

“Principles underpin good governance, transparency, ethical decision making and risk awareness. However, a performance culture treats compliance like a checklist. Value cultures ask whether it aligns with strategy.”

John Hetherington, Head of Risk, Controls and Insurance at Elementis

“We don’t just do it for the regulator. We do it to help people be sustainable and operate within our risk appetite.”

Jessie Williams, Director of Compliance and Risk at Excello Law

Williams stressed that while fear can push people toward compliance, it does not build commitment to doing the right thing.

What speakers across the event said real risk culture requires:

  • Leaders must define and model accountability. People need to understand not only what they are responsible for, but how that responsibility links into the organization’s objectives.
  • Delegation must be clear. Without clarity, teams default to caution or avoidance, which slows decisions and dilutes ownership.
  • Risk teams must be at the strategy table. If risk joins the conversation after decisions are made, it becomes a blocker. When risk is involved from the start, risk professionals become assurance enablers.
  • Culture is visible through behavior, not documents. Speakers advised analyzing risk by looking at behavior: for example, whistleblowing trends, psychological safety, the quality of conversations, and day-to-day choices. These signals say far more about maturity than policy libraries.

In summary, a strong risk culture is not built through controls alone. It is built by helping people understand the why, embedding risk into decision making and creating an environment where doing the right thing is the default. 

2. Why GRC industry leaders see risk as opportunity

Senior leaders across #RISK Europe stressed that risk is no longer something to minimize but something that can create advantage. Boards are asking not only how much risk they can tolerate, but how much uncertainty they are willing to embrace in order to grow.

“We must shift from how much risk we tolerate to how much opportunity we are willing to embrace”

John Hetherington, Head of Risk, Controls and Insurance, Elementis

To give this wider context: in the current corporate environment, horizon scanning becomes essential. It turns risk from hindsight into foresight and gives leaders the information to anticipate what is coming next.

“Volatility is the new baseline.”

Emma Price, UK Enterprise Risk Management Expert, Enterprise Risk Management Partner at Deloitte

This is exacerbated by the fact that boards respond to resilience through risk more than to risk recovery. Michael Rasmussen, GRC Analyst and Pundit, argued that traditional continuity planning no longer fits the moment:

“The world of business continuity is dead. Resilience is taking over.”

Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20 Research, LLC

This shift is needed because resilience better suits the current climate, in which leaders worry not just about new risks but about the interplay of multiple risks creating new complexities. To combat this, the concept of resilience links risk, performance and strategy and gives executives a way to understand how the organization will absorb shocks and keep moving.

Leaders also pointed to what comes next. Digital twins, orchestration layers, and AI-driven insight will shape GRC through 2030. Real-time intelligence will matter more than static reporting cycles. Framed through resilience, these capabilities become tools that help organizations move faster, not just stay safe.

Risk as opportunity and resilience as strategy is the combination driving the next chapter of GRC.

3. Board engagement and communication: making risk land

If there was one universal message about board engagement, it was this. Boards do not want technical reporting. They want insight that helps them steer the business and cuts through the noise.

Some key takeaways:

  • Keep reporting to one page. Boards respond to clear, concise summaries rather than long technical documents.
  • Focus on outcomes, not regulation. Boards do not want narrative for narrative’s sake. They want the signal, not the noise.

“If you are presenting, do not read the news. Give the highlights.”

Ross Osborne, Chief Risk Officer at Rippling

  • Speak in the language of impact. Boards engage when risk feels connected to strategy, resilience, and opportunity.
  • Use metrics that link directly to business value. Boards want performance context and expect clarity and insight that shows how risk feeds into performance.

“Risk reporting on a spreadsheet is no longer enough.”

Jennifer Geary, Author of How to be a Chief Operating Officer

“GRC professionals shouldn’t be seen as gatekeepers. They’re growth and profit partners.”

Paul Cadwallader, GRC Strategy Director 

  • Avoid fear-based messaging. Unnecessary alarm erodes trust faster than it gets attention.

“Do not shout fire when there is none. Boards stop trusting you.”

Dan Rhodes, Senior Director, Legal and DPO, Granicus

In summary, boards engage when they can see how risk shapes performance, strategy and resilience. Anything that feels inflated, overly technical or fear-based loses credibility fast.

Conclusion: what strategic GRC looks like going forward

The direction of travel is clear. The organizations gaining the most value from GRC are the ones that keep it simple, embed it culturally and connect it directly to strategy. They treat GRC as a lever for resilience and performance, supported by intuitive no-code technology, not as an administrative obligation.

“GRC shouldn’t be the handbrake and the department of no, GRC should be the sat nav that guides you.”

Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20 Research, LLC

This is the moment for GRC leaders to move beyond checklists and build systems, cultures, and conversations that support better decisions at every level. Those who do will turn GRC from a requirement into an advantage.

FAQ

1. What is value-based GRC and why does it matter?

Value-based GRC (Governance, Risk, and Compliance) moves beyond checklist compliance to become a strategic enabler for business growth. Instead of treating GRC as an administrative burden, leading organizations embed it into culture and decision-making, aligning risk management with performance and resilience.

2. How does GRC create real business value?

True GRC value comes from:

  • Culture and accountability: Employees understand why compliance matters and how it supports strategy.
  • Clear delegation: Defined roles prevent decision paralysis.
  • Risk at the strategy table: Involving risk teams early turns them into enablers, not blockers.
  • Behavior-driven insights: Monitoring whistleblowing trends, psychological safety, and decision quality reveals maturity better than policy documents.

3. Why are industry leaders reframing risk as opportunity?

Risk is no longer just something to minimize—it’s a lever for growth. Boards now ask:

  • How much uncertainty can we embrace to innovate?
  • How can resilience help us absorb shocks and stay competitive?

Modern GRC uses horizon scanning, real-time intelligence, and AI-driven insights to anticipate risks and convert them into strategic advantage.

4. What role does resilience play in GRC strategy?

Resilience replaces traditional continuity planning. It links risk, performance, and strategy, ensuring organizations can adapt to volatility and complexity. To enable faster, smarter decisions, future-ready GRC will leverage:

  • Digital twins
  • Orchestration layers
  • AI-powered analytics

5. How should risk be communicated to boards?

Boards want clarity, not technical jargon. Best practices include:

  • One-page summaries with actionable insights.
  • Metrics tied to business value, not just compliance.
  • Outcome-focused reporting that connects risk to strategy and performance.

Avoid fear-based messaging: alarmist reporting erodes trust.

6. What does strategic GRC look like going forward?

Strategic GRC is:

  • Simple and culturally embedded
  • Aligned with growth and resilience
  • Supported by intuitive, no-code technology

It transforms GRC from a “department of no” into a sat nav for business performance.
