This guide was written by Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

About Rich Eddolls

Richard Eddolls is Chief Product Officer and Co-Founder of CoreStream GRC, and the driving force behind the platform’s product vision. With 20 years’ experience in business-led GRC system design and a background at Deloitte, he focuses on solving real governance and risk problems, not selling theory.

His core belief is simple: technology should enable teams, not get in their way. That principle shapes every product decision, with flexibility and intuition built in from the start. Richard is focused on redefining how enterprises approach governance, risk, and compliance, on their own terms.

That view aligns with a broader shift in how the field is being framed. OCEG defines it as:

“GRC is the integrated collection of capabilities that enable an organization to achieve Principled Performance – the ability to reliably achieve objectives, address uncertainty, and act with integrity.”

OCEG

Here is a preview of the guide:

Introduction: shaping a GRC culture that lasts

“Is GRC a culture, a practice or a program?”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

Governance, Risk, and Compliance (GRC) can be many things depending on your organization’s maturity. Some see it as a software category. Others argue over terminology. But the most successful organizations treat GRC as a cultural foundation for how decisions are made and risks are managed.

That is increasingly how risk leaders describe it too. As Marlene Debel, Chief Risk Officer and Head of MetLife Insurance Investment, put it:

“The goal is to build a way of working in terms of capabilities and business partnership that drives responsible growth and will benefit the company for years to come.”

Change programs help implement or revise GRC practice. When done effectively, they move GRC from a tick-box exercise to a habit, deeply embedded in how teams work. There’s no one-size-fits-all approach, but practical steps toward a GRC-aware culture can make all the difference.

Or, as CoreStream GRC’s value-based GRC guide puts it, GRC should not be seen only as a defensive function, but as “a positive force to help organizations drive growth, achieve their goals and sustain their business into the future.”

Educate: build awareness, build ownership

“Making an organization risk-conscious is imperative.”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

Despite the best intentions, recent research shows that only about 53% of organizations report their risk and compliance programs are mature, showing there is still a long way to go before GRC becomes a business-wide habit rather than a siloed function.

Lead and reward: make GRC everyone’s business

“The desired GRC culture is frequently one that is inclusive and collaborative.”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

Compliance that’s enforced top-down without involvement risks alienating the very people it needs. GRC works best when leaders set the tone and everyone shares ownership.

Incentivizing GRC through performance metrics, recognition, and leadership alignment embeds it into daily behavior. When GRC goals are linked to company success, they become more than policy; they become part of how success is defined.

Help, don’t hinder: GRC that supports, not slows

“GRC culture should encourage proactive prevention.”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

Controls that feel like roadblocks erode engagement and slow the business. GRC should be proportionate, relevant, and focused on minimizing both the likelihood and impact of risk before issues arise.

For context, the average cost of a data breach in 2024 reached about $4.88 million globally, a 10% increase from the year before. That kind of financial hit, on top of operational disruption and reputational damage, shows why proactive risk management matters.

Done right, GRC doesn’t just protect; it empowers. It improves contract outcomes, strengthens ethical reputations, and enhances decision-making. It’s not just about avoiding failure; it’s about building advantage.

That wider upside is important. In PwC’s Global Compliance Survey 2025, respondents said the benefits of stronger compliance capabilities included better visibility of risks and risk management activities, faster identification and response to compliance issues, higher-quality reporting, and faster, more confident decision-making.

“GRC is not only about avoiding the downside. It should actively drive value.”

Paul Cadwallader, GRC Strategy Director, CoreStream GRC

Standardize: simplify GRC across the organization

“Standardization will almost always drive significant benefits.”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

When GRC processes evolve in silos, you end up with duplicated effort, inconsistent terminology, and audit fatigue. Standardization improves efficiency, clarity, and confidence at all levels.

Whether or not centralization is the goal, a consistent GRC framework with common language and reporting enables better decision-making. It also makes GRC more accessible from the shop floor to the boardroom.

Get the best from technology: use tools to enable, not replace

“Technology should be regarded as an enabler that improves the efficiency of people and processes; not as a substitute for them.”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

GRC platforms should enhance your team’s work, not automate them out of it. Used well, technology consolidates information, streamlines repetitive tasks, and makes GRC more intuitive.

But sophistication can create diminishing returns. Often, 80% of the benefit comes from 20% of the effort. Focus on usability, clarity, and efficiency, and avoid creating complexity in the name of automation.

That point matters because poor-fit technology carries its own costs. As per our research, 50% of businesses are unsatisfied with their current GRC tools, while one cited risk of the wrong setup is added cost from overlap and unnecessary complexity.

Keep it simple: simplicity drives adoption

“Keeping things simple is overarching and something to be conscious of at all times.”

Rich Eddolls, Chief Product Officer and Co-Founder at CoreStream GRC

Complicated GRC frameworks alienate users and stall adoption. Simplicity of language, process, and controls makes GRC scalable and sustainable. Even complex regulation can be translated into logical, accessible controls.

The most effective GRC cultures are built on clarity. By addressing complexity at the design stage, organizations make it easier for people to engage and own the process.

Want to continue reading?

Download the full guide to explore how you can build a GRC-aware culture that drives engagement, accountability, and long-term value.

  • CASE STUDY: COI GRC 2020 solution perspective

    The client stories behind Michael Rasmussen’s Conflict of Interest Management solution perspective for CoreStream GRC. Introduction: Michael Rasmussen, globally recognized GRC thought leader and former Forrester analyst who originally defined the Governance, Risk, and Compliance market, recently drafted his perspective on CoreStream GRC’s conflict of interest solution. For this analysis, Michael engaged with 3 organizations actively using the CoreStream GRC platform to manage conflicts of interest. While operating in…

  • CASE STUDY: Implementation success story

    Raising the bar on Conflict of Interest management: CoreStream GRC’s high quality implementation services success story. Everyone’s heard the horror stories of GRC implementations that drag on for months, sometimes years, with personnel moving in and out as people leave before the project is done. It’s no wonder risk and compliance teams cling to the devil they know. The fear of scope creep, decision paralysis, slipping timelines, and sheer…

  • GUIDE: buying a GRC platform

    How to choose the right GRC software for your business: A buyer’s guide. Buying GRC software is rarely just a software decision. By the time most organizations start reviewing platforms, they are usually already dealing with something more structural: fragmented reporting, unclear ownership, too much manual chasing, weak leadership visibility, and governance activity spread across…

FAQ

What does it mean to build a GRC culture?

Building a GRC culture means treating governance, risk, and compliance not as a checkbox activity but as a shared mindset embedded across the organization. CoreStream GRC emphasizes that a strong GRC culture helps teams make informed decisions, manage risks proactively, and align ethical behavior with business success. It turns compliance from a reactive function into a natural part of how work gets done.

Why is education important in developing a GRC culture?

Education is at the heart of lasting GRC adoption. CoreStream GRC advises that when employees understand how governance and risk management directly impact performance and decision-making, they’re more likely to take ownership of the process. Training and awareness transform GRC from a burden into a meaningful, empowering framework that supports better business outcomes.

What role does technology play in supporting a GRC culture?

Technology should enable people, not replace them. CoreStream GRC’s platform is designed to simplify governance processes, automate repetitive tasks, and make risk and compliance management more intuitive. By consolidating data and workflows in one place, CoreStream GRC allows organizations to focus on decision-making and value creation rather than administrative complexity.