Spotlight on Women in GRC: Chief Compliance Officer on accountability, crisis management & leadership


Ava Kernan

In the latest episode of CoreStream GRC’s Spotlight on Women in GRC podcast, Lucy Montague speaks with Grace Suleyman, Chief Compliance Officer at an asset management company servicing insurance clients. 

Grace’s role spans legal, company secretarial, enterprise risk and compliance, giving her a broad view of what modern compliance leadership now requires. The discussion explores why senior GRC roles demand more than technical expertise, how firms should approach SMCR and non-financial misconduct, why AI governance will test human judgment, and how women can build confidence, visibility and progression in governance, risk and compliance. 

The message is clear: the next era of compliance leadership will be defined by accountability, judgment, empathy and the ability to operate in ambiguity. 

What does the modern Chief Compliance Officer role look like? 

Grace Suleyman describes her current role simply, but the scope is broad. 

“I oversee legal, company secretarial, enterprise risk and compliance. So, I wear multiple hats.” 

Grace Suleyman, Chief Compliance Officer 

That breadth reflects how governance, risk and compliance roles are changing. The modern Chief Compliance Officer is not only responsible for policies, advice and regulatory interpretation. They are expected to help the business understand risk, make better decisions, manage accountability and respond when something goes wrong. 

For Grace, the move into GRC came after a legal career that included time in private practice and then in-house roles across financial services. She moved in-house because she wanted more variety and better work-life balance. What she found was a wider view of the business and a role that touches almost every part of the organization. 

That is an important point for anyone considering a career in GRC.  

“There’s a misunderstanding that you’re sort of sitting in the back office and you’re very much in a silo. That is absolutely not the case.” 

Grace Suleyman, Chief Compliance Officer

In GRC-aware organizations, risk and compliance teams are involved early. They help shape projects, challenge assumptions, build relationships and protect the business while enabling it to achieve its objectives.

That is where GRC becomes more than oversight. It becomes a way of helping the business move forward safely. 

Why does GRC leadership require more than technical knowledge? 

“At this sort of level, my technical experience and knowledge was there and it’s assumed to be there. And it’s the softer skills where leadership training can come in really valuable.” 

Grace Suleyman, Chief Compliance Officer 

That is one of the clearest messages from the conversation. Technical expertise may get someone into senior GRC leadership, but it is not enough to make them effective once they are there. 

As Grace explains: 

“How do you influence when you don’t necessarily have the authority? How do you lead with empathy? How do you manage the relationships, particularly in risk and compliance?” 

Grace Suleyman, Chief Compliance Officer 

Those skills are rarely taught through a rulebook. They are built through experience, coaching, mentoring and practical leadership development. 

This matters for succession planning. If organizations want stronger GRC leaders, they cannot wait until someone reaches a senior role before helping them build leadership capability. They need to develop those skills earlier, especially for professionals moving from technical specialist roles into accountable leadership positions. 

How do more women become Chief Compliance Officers? 

There is a persistent leadership gap across governance, risk and compliance. Women make up roughly 50% of entry-level roles in GRC, yet only 17% of Chief Risk Officers and 14% of Chief Compliance Officers are women. 

Grace describes those figures as shocking. 

“It just shows how much more work needs to be done across the various industries and sectors, specifically in financial services.” 

Grace Suleyman, Chief Compliance Officer 

For Grace, part of the answer for bridging this gap is sponsorship. Mentorship is useful, but sponsorship goes further. A sponsor actively advocates for someone when they are not in the room. They make their contribution visible. They help build credibility with senior decision-makers. 

“If you can find a sponsor in your organization to mentor you, to speak about you and the work that you do, the delivery that you’ve brought, that can be really helpful.” 

Grace Suleyman, Chief Compliance Officer 

Grace’s own progression into a CCO role was shaped by that kind of support. Her predecessor became a sponsor, advocated for her and helped the business recognize her capability. When the opportunity came to step up, that credibility mattered. 

But sponsorship alone is not enough. Women also need to advocate for themselves. Grace points to a familiar pattern: women often wait until they meet almost every requirement before applying for a role, while men may apply with far less certainty. 

“Stretching yourself in that way is really key. Advocate for yourself. Get your accomplishments front and center.” 

Grace Suleyman, Chief Compliance Officer 

The practical lesson is simple. Progression requires visibility. Good work matters, but leaders also need to be able to explain the impact of that work, where they want to go next and why they are ready for more responsibility. 

How can women back themselves into senior GRC roles? 

Grace’s move into senior leadership came with a significant increase in accountability. Her title changed, her regulatory responsibilities expanded and she became personally accountable to the FCA as a senior manager under the Senior Managers and Certification Regime (SMCR).

It was a major leap. 

“That was a massive leap and I didn’t get any training or development to make that jump.” 

Grace Suleyman, Chief Compliance Officer 

That experience forced Grace to back herself, even while dealing with imposter syndrome. She is honest that the confidence did not arrive all at once. It had to be built while doing the role. 

“Sometimes I think you have to do things before you’re ready for them. That’s how we grow. That’s how we develop.” 

Grace Suleyman, Chief Compliance Officer 

That point is especially relevant for women in GRC who may be waiting to feel fully ready before pursuing senior roles. In reality, leadership often involves stepping into uncertainty before every skill feels complete. 

The right support can make that transition smoother. Grace now wants to support other risk and compliance professionals with coaching and mentoring, particularly those looking to step into senior function head roles such as SMF 16 (Compliance Oversight) or SMF 4 (Chief Risk).

That is an important gap. GRC professionals are often technically strong, but may not have a clear pathway into senior leadership. More structured development could help talented professionals make that leap with more confidence and less isolation. 

How should firms prepare for non-financial misconduct rules? 

One of the most practical regulatory themes in the conversation is non-financial misconduct. 

Grace explains that conduct issues such as bullying, discrimination and harassment have traditionally sat mainly with HR. That is changing. 

“This is something that was typically very much something that sat with HR and it’s now coming into the regulatory framework.” 

Grace Suleyman, Chief Compliance Officer 

The FCA’s non-financial misconduct rules and guidance come into effect on 1 September 2026. Firms will need to review staff conduct policies, conduct rule breach reporting, fit and proper assessments and regulatory references.

That creates a practical governance challenge. Compliance teams need to work closely with HR, legal, senior managers and the business to decide how these issues are identified, assessed, escalated and evidenced. 

For Grace, the challenge is to make the framework meaningful. 

“We’re navigating how to build that into our governance framework so that it’s actually really impactful and effective in reality and not a box ticking exercise.” 

Grace Suleyman, Chief Compliance Officer 

That is the key point. Non-financial misconduct cannot be handled as a documentation exercise. Firms need clear ownership, reporting routes, decision criteria and evidence of how judgments are made. 

The FCA has also emphasized that guidance cannot cover every situation and that firms “will always need to exercise their judgement”. That makes evidence, consistency and governance even more important. 

This is where connected GRC matters. If conduct, HR, compliance, risk and senior manager accountability sit in different systems and conversations, it becomes harder to evidence a consistent approach. Strong governance depends on visibility, traceability and clear lines of responsibility. 

What does SMCR reform mean for accountability? 

Grace also highlights changes to the Senior Managers and Certification Regime. 

Her view is that while some reforms may appear to reduce prescription, they may increase the need for firms to exercise judgment and evidence their reasoning. 

“Whilst the FCA prescribes less, the onus is very much shifting to firms interpreting the rules and being able to demonstrate that their SMCR framework is actually more robust than it was historically.” 

Grace Suleyman, Chief Compliance Officer 

That is a useful warning. Less prescription does not mean less responsibility. A principles-based regime can create more flexibility, but it also requires stronger internal interpretation, clearer rationale and better evidence. 

For firms, that means asking practical questions: 

  • Who is accountable for each area of responsibility? 
  • How are senior manager and certification decisions made? 
  • What evidence supports those decisions? 
  • How often are responsibilities refreshed? 
  • Can the firm explain its framework clearly to the regulator? 

Grace makes the point that firms should not treat this as a one-time review. 

“You don’t just do it once. You have to refresh that on an ongoing basis.” 

Grace Suleyman, Chief Compliance Officer 

That is the direction of travel across GRC more broadly. Accountability frameworks need to be live, reviewed and evidenced. Static documents are not enough. 

Why will AI governance test human judgment? 

AI is one of the biggest themes shaping the future of GRC, but Grace’s view is refreshingly practical. She does not frame AI as a replacement for compliance judgment. She frames it as something that makes judgment even more important. 

The FCA’s approach to AI focuses on supporting safe and responsible AI adoption in UK financial markets while explaining how existing rules apply. In a January 2026 speech, the FCA said it remains outcomes-based and technology-neutral, and that it is “not unveiling new rules” or prescribing exactly how AI should be deployed. 

Grace sees that as part of a wider shift. 

“I don’t think the rule books will get more prescriptive. I think, if anything, there will be more and more on a principles basis.” 

Grace Suleyman, Chief Compliance Officer 

That creates a harder task for GRC leaders. They need to understand the regulatory principle, apply it to their business context and explain how decisions were made. 

“What’s really key is those GRC leaders being able to use sound judgment to apply these regulatory principles in that ambiguity.” 

Grace Suleyman, Chief Compliance Officer 

AI governance will test exactly that. Firms will need to know where AI is being used, who owns the output, how the risks are assessed, when human review is required and what evidence supports the decision-making process. 

Grace is clear that AI can help, but it does not remove accountability. 

“If something is to go wrong, what are you going to say to your regulator? ‘Oh, the AI came out with this’? The first question the regulator is going to say is, who’s overseeing the AI?” 

Grace Suleyman, Chief Compliance Officer 

That is the governance issue. AI can produce outputs, but organizations still need accountable owners. They still need human oversight. They still need review routes, documented decisions and risk understanding. 

For GRC leaders, the question is not simply “Can we use AI?” It is “Can we explain how we govern it?” 

How can compliance leaders prove value? 

One of the hardest challenges in compliance is proving the value of prevention. When compliance works well, the worst outcomes do not happen. But that can make value harder to measure. 

Grace frames it clearly. 

“One way you can frame it is what didn’t go wrong and had it gone wrong, what would have been the cost to the business?” 

Grace Suleyman, Chief Compliance Officer 

That cost is not only financial. It includes reputational damage, loss of client trust, regulatory scrutiny, legal fees, remediation costs, and management distraction. 

The challenge is that prevention can look invisible until a failure happens elsewhere. That is why external incidents can be useful lessons for boards and executives. They show what weak controls, poor culture, or unclear accountability can cost. 

“It’s awful for those firms, but it can serve as a good lessons learned for other firms.” 

Grace Suleyman, Chief Compliance Officer 

This is where value-based GRC becomes important. Compliance leaders need better ways to show how their work reduces exposure, strengthens trust, and supports better business decisions. 

That means moving beyond activity metrics alone. The number of policies reviewed, meetings held or issues logged does not tell the full story. Leaders need to show whether the organization has stronger visibility, clearer accountability, faster escalation, and better evidence when things change. 

Closing: The next era of GRC needs judgment in ambiguity 

Grace’s episode points to a clear conclusion. The future of GRC will not be defined by more rules alone. It will be defined by how well leaders apply principles, evidence decisions and guide organizations through ambiguity. 

AI will increase that need, not reduce it. SMCR and non-financial misconduct will require firms to show clear accountability. Crisis events will test whether governance works in practice. Boards and CEOs will continue to ask compliance leaders to prove value, even when the value lies in what did not go wrong. 

The strongest GRC leaders will be technically credible, commercially aware, and emotionally intelligent. They will know how to challenge without damaging trust. They will be able to influence without always relying on authority. They will build cultures where people can raise issues early, learn from mistakes, and make better decisions. 

Grace’s advice captures that shift well: 

“Being able to develop that judgment in ambiguity and that influence without authority, I think, are really key.” 

Grace Suleyman, Chief Compliance Officer 

That is the future of compliance leadership. Not just knowing the rules, but knowing how to apply them when the answer is not black and white. 

About Grace Suleyman 

Grace Suleyman is Chief Compliance Officer at an asset management company, MS Amlin, servicing insurance clients. Her role spans legal, company secretarial, enterprise risk and compliance. 

Grace has a legal background and began her career in private practice, including time at Linklaters and a US law firm, before moving in-house in financial services. Her career has included investment banking, asset management, senior compliance leadership and accountable regulatory roles. 

Her leadership perspective is shaped by technical expertise, crisis experience, sponsorship, resilience and a strong belief in helping more women progress into senior GRC roles. 

About the Spotlight on Women in GRC podcast 

CoreStream GRC’s Spotlight on Women in GRC podcast series has been created in the lead-up to the Women in GRC Awards on 2 July 2026. 

Across the series, CoreStream GRC Head of Marketing Lucy Montague speaks with women working across governance, risk and compliance to explore their career paths, leadership lessons and views on the future of the profession. 

Condensed transcript of the episode 

Lucy Montague: 
Welcome to Spotlight on Women in GRC, a podcast series counting down to the Women in GRC Awards 2026 on July 2nd, supported by CoreStream GRC. I’m your host, Lucy Montague, and today I’m joined by Grace Suleyman. Grace, thank you for being here. 

Grace Suleyman: 
Thank you for having me. 

Career Journey & Role 

Lucy Montague: 
Tell us about your role. 

Grace: 
I’m Chief Compliance Officer at an asset management firm serving insurance clients. I oversee legal, company secretarial, enterprise risk, and compliance—so I wear multiple hats. 

Lucy: 
And how did you get there? 

Grace: 
I started in private practice after law school, including time at Linklaters and a US firm. I moved in-house for more variety and better work-life balance, joining an investment bank in 2011 and later transitioning into asset management. I joined my current firm in 2019 after maternity leave in what initially began as a new role. 

Work-Life Balance 

Lucy: 
Has moving in-house improved balance? 

Grace: 
Definitely. It can still be busy, but I have far more control over my time and clearer boundaries—unless there’s a crisis. 

Women in GRC Leadership 

Lucy: 
Women make up about 50% of entry-level GRC roles, but only 14% of CCOs. Why the gap? 

Grace: 
The statistics are stark. Part of it comes down to self-advocacy—women may hesitate to apply unless they meet most criteria, whereas men often apply with far less. Sponsorship is also critical. Having someone advocate for you when you’re not in the room can make a huge difference. 

Stepping into Leadership 

Lucy: 
How did you step into your CCO role? 

Grace: 
It was initially an interim role covering a colleague on paternity leave, but it became permanent. That colleague had been a strong sponsor for me, which was pivotal. 

Lucy: 
How did you feel taking that leap? 

Grace: 
It was daunting. I underestimated the shift from technical expertise to leadership capability. I had to learn on the job—particularly influencing without authority, managing relationships, and leading with empathy. These aren’t taught easily but are essential in GRC leadership. 

Imposter Syndrome & Growth 

Grace: 
Imposter syndrome doesn’t disappear—you learn to manage it. Sometimes you have to step into roles before you feel ready. That’s how growth happens. 

Barriers & Bias 

Lucy: 
Have you faced bias? 

Grace: 
Yes—comments about appearance, assumptions about my background as a Muslim woman, and even being told taking more than three months’ maternity leave would harm my career. These experiences can be discouraging, but resilience and confidence are key. You have to trust your value and capabilities. 

Advice for Others 

Grace: 
Be bold. Advocate for yourself. Surround yourself with role models who show what’s possible. 

Why Choose GRC? 

Grace: 
GRC offers incredible variety and exposure across the business. It’s not a back-office silo—it’s deeply collaborative, commercial, and full of transferable skills. 

Leadership Perspective 

Grace: 
Women often bring strong emotional intelligence and empathy, which are critical in stakeholder management. In GRC, influencing outcomes while maintaining relationships is essential. 

Supporting Women in Leadership 

Grace: 
Organizations need to be genuinely open-minded—embracing diverse backgrounds and flexible working. Flexibility in particular is critical for retaining talent and supporting progression. 

Taking Big Leaps 

Grace: 
When I formally stepped into leadership, I became personally accountable under SMCR without formal training. It was challenging, but over time I built confidence and capability. Support structures would make that transition smoother for others. 

Crisis Leadership 

Lucy: 
Tell us about a crisis moment. 

Grace: 
We identified a regulatory breach—highly stressful. But we acted quickly, remediated effectively, and maintained transparency with the regulator. I leaned heavily on resilience and my team. It reinforced the importance of openness—acknowledging stress and supporting each other. 

Evolving GRC Landscape 

Grace: 
We’re seeing a move toward principles-based regulation. Firms must interpret and apply rules with sound judgment, particularly with emerging areas like AI. Human oversight and accountability remain critical. 

The Value of GRC 

Grace: 
It’s challenging to quantify value when nothing goes wrong. But preventing financial and reputational damage is significant. Organizations are becoming more aware of this, though there’s still work to do in articulating it. 

Personal Impact 

Grace: 
My role has strengthened my integrity, empathy, and communication skills—qualities that carry into my personal relationships as well. 

Recommendations 

Grace: 

  • Lean In by Sheryl Sandberg 
  • How Women Rise by Sally Helgesen & Marshall Goldsmith 
  • The Mel Robbins Podcast 

Lucy: 
Thank you, Grace—this has been incredibly insightful. 

Grace: 
Thank you for having me. 

Lucy: 
And thank you for listening. We hope to see you at the Women in GRC Awards on July 2nd. 

Frequently asked questions about CoreStream GRC, GRC & female leadership 

What does a Chief Compliance Officer do? 

A Chief Compliance Officer is responsible for helping an organization meet its legal, regulatory and ethical obligations. In practice, the role often includes regulatory interpretation, governance, compliance monitoring, advisory work, senior stakeholder engagement, reporting, culture, conduct and accountability. 

Why is human judgment important in compliance? 

Human judgment is essential because regulatory requirements are rarely completely black and white. Compliance leaders need to interpret principles, understand business context, assess risk, challenge decisions and explain why a chosen approach is appropriate. 

How does SMCR affect compliance leaders? 

The Senior Managers and Certification Regime creates clear accountability for senior individuals in regulated firms. Compliance leaders need to understand who owns key responsibilities, how those responsibilities are documented and how the firm evidences that its accountability framework is robust. 

What is non-financial misconduct? 

Non-financial misconduct refers to serious workplace behavior such as bullying, harassment, discrimination or violence. In financial services, these issues can now have regulatory significance because they may raise questions about culture, conduct, fitness and propriety. 

How should firms approach AI governance in financial services? 

Firms should govern AI through clear ownership, risk assessment, human oversight, documented decisions and evidence of review. AI should not remove accountability. If an AI output affects customers, markets, controls or decisions, firms need to know who is responsible and how the output is checked. 

Why is sponsorship important for women in GRC? 

Sponsorship helps women gain visibility and credibility at senior levels. A sponsor advocates for someone’s work, highlights their impact and supports progression when opportunities arise. This can be especially important in organizations where leadership pathways are not always transparent. 

How can organizations support more women into senior GRC roles? 

Organizations can support women in GRC by offering flexible working, leadership development, sponsorship, mentoring, fair progression routes and open-minded hiring practices. They should also challenge assumptions around career breaks, caregiving responsibilities, background and leadership style. 

Is GRC a good career for graduates? 

Yes. GRC can be a strong career path for graduates because it offers exposure across the business. Professionals can work on regulation, risk, controls, projects, technology, culture, reporting and strategy while developing transferable skills in communication, judgment and stakeholder management. 
