
A conversation with our Head of Client Solution Design: how to design your dream GRC home


“One of the things I like to do is encourage my clients to be in each other’s design sessions… You’re much more likely to build a solution that works for everyone and isn’t six different solutions cobbled together.”

– Lionel Matsuya

Lionel Matsuya, our Head of Client Solution Design and former PwC consultant, leads CoreStream GRC’s expert GRC workshops for enterprises looking to optimize their governance, risk, and compliance programs. In this blog, our Head of Marketing, Lucy Montague, sits down with Lionel to explore the thinking behind CoreStream GRC’s configuration builds, from simple use cases to complex enterprise-wide solutions.

Prefer highlights over the full webinar? We’ve got you covered. Catch up with Blog 1 in the series

What is GRC solution design at CoreStream GRC?

GRC solution design is the process of planning and building a governance, risk, and compliance (GRC) system that aligns with business goals, integrates stakeholder needs, and ensures scalability. It focuses on creating a cohesive, secure, and user-friendly platform that supports collaboration, avoids silos, and adapts to future regulatory and operational changes.

“What’s important is to build an ecosystem that’s cohesive, that feels the same to use, and uses the data in a sensible way.”

Full transcript of the “designing your GRC home” webinar

Lucy Montague (0:03)
Hello Lionel, can you first just introduce yourself? Tell me about your experience in governance, risk and compliance, and your current role at CoreStream GRC.

Lionel Matsuya (0:15)
Sure. I’ve been in GRC for about 13 years now. I started at one of the Big Four as an accountant, working in external audit, before moving into risk advisory, which is where I spent most of my time.

In that role, I advised clients of all sizes and complexities on their strategies for implementing risk, controls, and compliance. I saw what worked, what didn’t, and really came to understand the challenges our clients face.

Just over a year ago, I joined CoreStream GRC as Head of Client Solution Design. It’s an ideal role for me because I get to talk to clients about how they do GRC, implement great technology through the CoreStream GRC platform, and align good strategy and processes with a powerful system.

My time is spent understanding how clients work and developing solutions that fit them — because we don’t just offer an off-the-shelf product. Everything we do is tailored to our clients’ needs.

Lucy Montague (1:43)
I love that you said the role is tailored for you because you tailor solutions for everyone else — that’s lovely.

These conversations came about after I overheard you using the metaphor of the “GRC house” when talking to a client, and I loved that idea. I wanted to record this discussion to explore how design and implementation fit into the wider GRC ecosystem.

You started with the concept of foundations — can you talk about where you begin with design projects and how that fits into your house metaphor?

Lionel Matsuya (2:29)
Yes. What I often see is clients wanting to jump straight to the finished product — their “dream house.” But you can’t go from nothing to a dream house without planning and laying the foundations first.

The same applies to a GRC solution. You need to think about the overall plan and the environment you’re building it into. That starts with two things:

  1. A clear long-term strategy — What are you trying to achieve with your GRC solution? What are the business objectives?
  2. Stakeholder engagement — Too often, a couple of people start implementing a solution on their own. It’s far more effective to engage stakeholders across the business and understand their needs.

If you’re building a holistic, enterprise-wide GRC system, you need to include everyone from the start. That ensures you build on a solid foundation rather than heading off in a direction that doesn’t work for others.

Lucy Montague (4:29)
That makes sense. But we often see different teams — risk, compliance, audit — all going off to buy their own tools. Is that where the danger lies, when each department gets its own solution instead of aiming for an integrated approach?

Lionel Matsuya (5:02)
Exactly. Stretching the house analogy a bit — if six people are living together, each might want something different: a swimming pool, a BBQ area, a games room. But you can’t have six separate blueprints.

If risk, audit, and compliance all design their own systems, you end up with disconnected parts that don’t fit together. One practical way to prevent that is to have shared design sessions — get audit attending risk sessions, and vice versa. It’s the best way to build a cohesive, connected solution rather than six different systems cobbled together.

Lucy Montague (6:49)
So the goal is a GRC “dream home” — one that serves every stakeholder, but still feels cohesive across the board.

Lionel Matsuya (7:03)
Exactly. Treehouses might be fun, but they’re not practical for running GRC across a business!

Many clients we meet have this problem — one system for risk, spreadsheets for controls, another tool for process mapping, and so on. The ambition is often to wipe the slate clean, but even then, people risk creating disconnected modules.

What’s needed instead is a cohesive ecosystem that uses a shared data structure and unified logic. That way, reports are consistent, users share a common language, and you avoid duplication.

We recently helped a client design a structure that connects risks and controls coherently, avoiding duplication and creating a “top-down” view of the business. It did require compromise, but that compromise led to a much stronger, more usable system overall.

Lucy Montague (12:18)
That’s really interesting — especially your point about future planning. It’s like planning your dream house: you might not build the swimming pool on day one, but you design with the extension in mind.

Lionel Matsuya (13:13)
Exactly. For many organisations, going straight to a full-scale GRC implementation is too much to take on at once. It’s better to phase it — build the essentials first, but design the data structures and processes with the long-term goal in mind. That way, when you add modules later, everything fits together.

Lucy Montague (14:39)
And that’s how you make sure there are no “missing rooms or corridors,” right?

Lionel Matsuya (14:44)
Yes — and that starts with clear objectives. I often ask clients to describe their ideal solution in two minutes. It forces them to focus on what really matters, instead of diving straight into technical details.

That clarity helps ensure nothing critical gets left out and keeps everyone focused on the outcomes the system needs to deliver.

Lucy Montague (17:25)
So the key is to let objectives lead the design, rather than small technical details that only matter to one team.

Lionel Matsuya (17:36)
Exactly. That’s also why I like to have cross-functional workshops — when risk, audit, and compliance teams hear each other’s needs, they often realise they’re solving similar problems. Collaboration at that stage can lead to real innovation.

Lucy Montague (18:19)
That ties into connectivity. When you’re in these design workshops, how do you get people to care about what’s happening outside their own team?

Lionel Matsuya (19:04)
The first step is simply getting the right people in the room. Once audit hears from risk, and risk hears from controls, they start to see how their work overlaps.

I’ve seen this play out in practice — particularly with regulations like the UK Corporate Governance Code. Many organisations built detailed process-level controls, only to realise later they also needed to identify their top, material risks.

The challenge is connecting those layers — creating a single, coherent structure instead of multiple silos. When you do that, you can truly see how everything fits together, from top to bottom.

Lucy Montague (22:42)
Right — because otherwise, everyone’s just trying to solve their own piece in isolation.

Lionel Matsuya (23:02)
Exactly. Everyone’s under pressure, with limited time and budget, so it’s natural to focus on their own area. But when you collaborate and share data, you actually save time, reduce duplication, and get more valuable insights.

Lucy Montague (23:39)
I imagine you sometimes have to rein people in a bit — when they suddenly have a budget and want to do everything at once.

Lionel Matsuya (24:11)
Yes, absolutely! Everyone dreams big — just like with a house, you might want a BBQ wing and a fitness suite, but you have to stay realistic.

Dreaming is important; it drives ambition. But part of my role is to challenge those ideas and “right-size” them — to ensure the solution is practical, usable, and delivers value now, while leaving room to grow later.

Lucy Montague (27:33)
So it’s about focusing on the everyday essentials first — the “kitchen,” not the “swimming pool.”

Lionel Matsuya (28:04)
Exactly. It’s fine to dream, but we need to make sure we’re prioritising what’s going to deliver value and actually be used. My job is to help clients find that balance — something realistic, effective, and future-ready.

Lucy Montague (28:41)
Let’s move on to security, since that’s critical given the sensitive data in GRC systems. How does security fit into design — even from the evaluation stage, when clients are thinking about where data is hosted?

Lionel Matsuya (29:14)
Security is a top priority and something we take incredibly seriously. It applies at every level — from who can access the platform, to where data is stored, to who can view individual records.

We have the flexibility to host on cloud, on-premises, or in specific jurisdictions, depending on client needs and data residency requirements.

Lucy Montague (31:17)
And when it comes to permissions and accessibility — how does that work in practice?

Lionel Matsuya (31:30)
Security is built in by design. By default, no one has access to anything until permissions are applied, which is a great fail-safe.

We have very granular control — down to who can view specific data or even which options appear in dropdown menus. That ensures sensitive information stays protected.

But alongside security, we also prioritise accessibility — making sure the right people can see the right information when they need it. For example, risk teams might benefit from visibility into internal audit data, even if they can’t edit it.

We often create “viewer areas” that allow this kind of transparency — ensuring collaboration and insight without compromising confidentiality.

Lionel Matsuya (34:42)
What you find in those scenarios is that when people have greater access to information, they start to really see the data — and that leads to learning, insight, and empathy for colleagues in different functions. It helps build that “one team” mindset rather than six separate teams.

It also means they can make better, more informed decisions. So we don’t want to lock everything down too tightly. “Zero access unless…” isn’t always the right solution. The goal is to balance security with accessibility — ensuring information is protected, but not hidden away from those who need it.

Lucy Montague (35:24)
Thinking back to the house metaphor — which I love — it’s almost like having a living room where everyone can come together and collaborate, even though they still have their own bedrooms or suites.

And on accessibility, it’s also about ease of use — like single sign-on for users who might not use CoreStream every day. They can just log in quickly, do what they need to do, and log out. That’s just as important as permissions.

Lionel Matsuya (36:05)
Absolutely. Accessibility needs to be built in by design — like doors and locks in a real house.

I once worked in a company that had a really clever key system. The building was a bit of a maze, but each key opened a different combination of doors. The keys all looked identical, but the notches and grooves were slightly different.

It meant, for example, that we could give a visitor a key that opened the front door and the bathrooms, but not the archive room or certain offices.

In many ways, user permissions and access groups in CoreStream work the same way. We can give people access where they need it, and hide access where they don’t. I always admired how those locksmiths designed that system — and while I never worked out how they did it mechanically, I can now do something similar in GRC design.

Lucy Montague (37:34)
You’ve found your niche!

Lionel Matsuya (37:38)
I have!

Lucy Montague (37:42)
Okay, I’m going to bring up the big scary word that everyone’s hearing every day — AI.

So, in our house metaphor — when you’re fitting out your home, are you installing smart heating? A smart fridge that tells you when you’re out of milk? Smart lighting you control from your phone?

It’s the same with AI in GRC — there are so many potential use cases. How much has that dominated conversations recently, and how has it shifted where people are focusing their design efforts?

Lionel Matsuya (38:26)
You really can’t have a conversation these days without talking about AI!

Just like with smart homes, AI has been creeping into our lives for years. I remember moving into my house about ten years ago and wanting one of those smart thermostats that learned your habits. They were exciting, and they genuinely made life easier.

Now, AI’s going even further — I’ve heard of systems that can summarise your day: “At 3:50 PM, so-and-so entered the house, stayed ten minutes, and left.” It sounds a bit crazy, doesn’t it?

It’s similar in business. We’re surrounded by promises of how AI will make everything easier — but when you get into the practicalities, you realise there are challenges around data security, accuracy, and reliability.

Large language models can “hallucinate,” giving confident but incorrect answers. It’s easy to forget that when you’re chatting with something that feels human. So we need to stay grounded in reality.

At CoreStream, our approach is to stay AI-agnostic — not tying ourselves to one provider or platform. Instead, we focus on incremental gains that genuinely make users’ lives easier.

For example:

  • If you write a risk description, AI can suggest possible controls.
  • For a control, it can propose test steps.
  • For a deficiency, it can suggest remediation actions.

All of this is done through whichever AI model our client prefers — whether that’s their own enterprise solution or a secure hosted model. It’s about usefulness and flexibility, not hype.

Lucy Montague (41:57)
If you used a public GPT for that, it would be a house of mirrors!

Lionel Matsuya (42:02)
Exactly! And that’s why we focus on being helpful, not flashy. Too many people buy into technology dreams and end up locked into a single provider. I’ve done that myself — invested in one ecosystem, only to find a few years later the devices are no longer supported and the subscription has doubled.

That’s why CoreStream stays technology-agnostic — so clients aren’t backed into corners.

Lucy Montague (42:50)
And in those AI use cases, there’s still a human in the loop, right? It’s not fully automated — people still review and approve what AI suggests?

Lionel Matsuya (43:14)
Exactly. And Lucy, that’s what’s great about your perspective — you always bring it back to the human element.

We absolutely keep a person in the loop. AI can be brilliant, but it’s like a very enthusiastic junior team member — one who’s fast, eager, and has access to endless information, but doesn’t always understand context.

You wouldn’t take everything that person says at face value; you’d review their work, edit it, and use it as a starting point. That’s how AI should work in GRC — as an assistant that prompts your thinking, not a replacement for it.

Lucy Montague (44:28)
So, you’ve got your smart heating, but you’re still using your remote to turn on the TV. It’s about balance.

Lionel Matsuya (44:42)
Exactly. I used to voice-control my TV — it was fun, but you don’t feel fully in control. And if something goes wrong, it’s a headache. That’s why human oversight is essential.

Lucy Montague (45:05)
Speaking of design — I love interior design, and it reminds me of something I saw on Interior Design Masters. One designer created a beautiful children’s room, but the judge said, “You didn’t design this for a child.” The mirror was at adult height — the child couldn’t even see themselves!

So when you’re designing user experiences, how do you make sure every “inhabitant of the house” — every type of user — feels comfortable in their space?

Lionel Matsuya (45:53)
That’s such a great analogy.

We all have parts of our homes that frustrate us — a towel rail behind a door, a light switch in the wrong place, a low doorway you keep bumping into. Over time, you change your behaviour to avoid those annoyances.

It’s the same with software. If something feels clunky, users stop using it — even if they can’t articulate why. The look and feel matter too: if it’s cluttered or mismatched, people subconsciously disengage.

Your interior design instincts are spot on, Lucy. You’d probably do a better job decorating my house than I have!

Lucy Montague (48:12)
I’m spotting that flag in the corner, and I have questions!

Lionel Matsuya (48:16)
Yeah — it clashes horribly, but it makes me happy, so it stays!

And that’s the point: it’s my room, designed for me. In GRC, it’s the same — the experience has to feel right for the person using it.

We all know the difference between software that’s a joy to use and software that feels like a chore. I’m not a UX designer myself, but I work with brilliant people who make sure the CoreStream platform feels intuitive — smooth, responsive, and logical.

When I design a process or form, I think about the user: Is this clear? Is it simple? Are we guiding them logically? Those design principles make a massive difference to adoption.

If something doesn’t feel right, we can tweak it — often within a day. Just like rearranging furniture, a small change can make the whole experience feel better.

Lucy Montague (51:58)
That’s great. And of course, with GRC, you can test the house before moving in — through UAT and proof of concept. How does that testing feed back into design?

Lionel Matsuya (52:23)
User Acceptance Testing is so important. It’s not just about ticking boxes — it’s another design phase in disguise.

During UAT, users often realise what feels clunky or confusing, and we can quickly adjust. Obviously, you don’t want to tear the whole house down and rebuild it, but thoughtful tweaks at this stage can elevate a system from “good” to “excellent.”

Lucy Montague (54:15)
Right — there are things you just can’t predict until you live in it.

Lionel Matsuya (54:29)
Exactly. That’s why I tell clients: let’s not pick every “light fitting” up front. We’ll build the structure, then test and adjust once you can click around and feel how it works.

Lucy Montague (56:59)
We recently had a client who shared feedback about design choices like notifications — things you can only really appreciate once you’re using the system. That’s why I love our CoreStream community.

We’re launching a private LinkedIn group so clients can share these insights and avoid repeating the same mistakes. It’s a bit of a passion project for me — helping our community learn from each other.

Lionel Matsuya (58:03)
That’s brilliant, Lucy — and that’s why you’re so good at what you do. You bring people together and help them learn from each other. GRC really is a community, and the more we share experiences, the stronger everyone’s “house” becomes.

Lucy Montague (58:45)
Thank you! My final question is about growth and scalability.

Let’s say someone thought they were done building their house — and then life changes. Maybe a new regulation comes in, or a new “family member” arrives unexpectedly. How do you help GRC professionals adapt without ending up with a Frankenstein house?

Lionel Matsuya (59:22)
That’s a perfect example.

The key is to design generically — not for one very specific use case or regulation. The more bespoke you make something, the harder it is to adapt later.

It’s like building a staircase that looks beautiful but is too narrow to carry boxes up, or doesn’t fit a stair gate later on. You only discover those limitations when life changes.

So we think long-term — about scalability, flexible data structures, and future needs. We design reference data so clients can update dropdowns or questionnaires themselves without breaking anything. That flexibility is crucial for growth.

Lucy Montague (1:02:35)
And integrations play a role too, right? Especially when clients want to connect CoreStream to tools they already use, like HR or finance systems.

Lionel Matsuya (1:03:21)
Absolutely. Integrations are key to creating a connected ecosystem.

What’s great is that the same design principles we apply for clients also apply to our own CoreStream platform. It’s been built from the ground up as a flexible, scalable box of “Lego bricks.”

And funnily enough, when I was hired, someone described CoreStream to me as “building a house out of Lego bricks.” So the house metaphor really has come full circle!

Lucy Montague (1:05:24)
Very good — and thank you, Lionel. This has been such an insightful conversation.

For anyone watching, we’ll be publishing follow-up blogs on these topics, and teams can also book a Lunch & Learn with Lionel for a one-to-one deep dive into their own GRC “house.”

Lionel Matsuya (1:06:27)
Thanks, Lucy. This has been wonderful — I’ll happily talk about risk anytime, but next time, let’s do interior design at the pub!

Lucy Montague (1:06:33)
Deal! Thanks, Lionel.

Lionel Matsuya (1:06:39)
Brilliant — thanks.

Frequently Asked Questions about GRC solution design

How does CoreStream GRC balance accessibility and security?

CoreStream GRC is built on the principle that security and accessibility can coexist. Rather than restricting all access by default, the platform uses permission groups and access controls — similar to giving keys to specific rooms in a house. This approach ensures that users can reach the data they need to work effectively, while keeping sensitive areas secure.

How does AI fit into CoreStream GRC?

AI is integrated into CoreStream GRC to enhance productivity and streamline decision-making. It can suggest risk controls, remediation plans, and test steps, saving time and improving consistency. However, there is always a human in the loop to review, edit, and approve outputs. CoreStream focuses on useful, practical AI, not automation for automation’s sake.

Is CoreStream GRC tied to a specific AI provider?

No. CoreStream GRC follows an AI-agnostic approach, meaning it can work with a range of large language models depending on client preference. Whether the client uses a private, enterprise-secure model or a public option (the latter is not advised), CoreStream GRC provides flexibility, data security (with a private model), and future-proofing.

How does CoreStream GRC ensure a great user experience?

User experience is at the heart of CoreStream GRC design. Every interaction is crafted to be intuitive, logical, and enjoyable. Much like a well-designed home, a great GRC solution should feel natural to navigate. The design team continuously refines layouts, guidance, and workflows based on feedback and testing to create a seamless experience for all users.

What is User Acceptance Testing (UAT) and why is it important?

User Acceptance Testing (UAT) in CoreStream GRC goes beyond simple functionality checks. It’s an opportunity for users to explore the system, provide feedback, and fine-tune design elements. This phase ensures that the final solution doesn’t just work — it works beautifully and feels right to use.

How does CoreStream GRC support scalability and future growth?

CoreStream GRC is designed to evolve with your organization. The platform’s modular structure allows new elements to be added easily as business needs change or new regulations emerge. Using flexible reference data and scalable architecture, clients can adapt their environment without having to rebuild from scratch.

How does CoreStream GRC integrate with other business systems?

CoreStream GRC supports open API integrations, allowing seamless connections with HR, IT, and other departmental tools. These integrations ensure that data flows smoothly across the organization, reducing duplication, improving accuracy, and strengthening collaboration between teams.

How can CoreStream GRC users learn from one another?

CoreStream GRC clients are part of a collaborative community. Through community events, lunch & learn sessions, and a private LinkedIn group, users share insights, best practices, and design tips. This network helps clients avoid repeating challenges and make the most of their GRC investment.

What makes CoreStream GRC different from other platforms?

CoreStream GRC stands out for its agility, human-centred AI, and strong focus on user experience. The platform can be reconfigured quickly, supports scalable growth, and encourages collaboration through its community. It’s designed to evolve with your organisation and empower people to make better, more informed decisions.
