
Is Your GRC Work Decision-Useful?

By Hemma Ramrattan-Lomax, CEO, COMPAAS 360

How far do you think a race car could go without brakes? In theory, to infinity and beyond? In real life, not far. I wouldn’t bet on that vehicle at the Nürburgring or Le Mans, because we all know it wouldn’t make it past the first turn.

The purpose of brakes isn’t to stop the car — it’s to allow it to go faster safely. A skilled driver with a high-performance braking system can take corners with precision, navigate unexpected hazards, and win the race. That’s exactly what Governance, Risk, and Compliance (GRC) functions are meant to do for the business: enable it to accelerate with control, not bring everything to a grinding halt.

Yet too often, GRC is viewed as the “Department of No,” a compliance burden designed to prevent disaster rather than support success. The better question is: Is your GRC work truly decision-useful — or is it just documentation?

Let’s rethink what GRC should be doing. At its best, it’s not the brake pedal — it’s the braking system. It’s not a roadblock — it’s the navigation. It’s not a watchdog — it’s a co-pilot. It should be built not only for enforcement and audit readiness but also with user experience and business momentum in mind.

Clearing the Runway for Responsible Growth

Think of GRC like an air traffic controller. When we do our work well, we help clear the runway so the business can take off, fly smoothly, and land safely. But if we clog the runway with red tape or outdated controls, we’re not protecting the business — we’re grounding it.

To be effective, GRC work must be objective-centered, not fear-driven. The other side of risk is opportunity. As risk expert Tim Leech reminds us, “we should be instrumental in guiding management and boards in the decision-making process, particularly when it comes to managing risks and uncertainties linked to mission-critical objectives (MCOs).” That means compliance and risk management should focus on helping the business go where it wants to go — safely and swiftly.

Unfortunately, too many systems are designed in response to the threat of enforcement rather than business realities. When compliance is rooted solely in fear of regulatory blowback, we end up building brittle, bloated systems that are high-friction and low-impact. These systems may technically “tick the box,” but they frustrate users, slow things down, and ultimately fail to reduce risk in any meaningful way.

Instead, we need to design GRC with people in mind—systems that make it easy for users to understand risks, comply with expectations, and make informed decisions. Good GRC doesn’t fight the business—it flows with it, providing peace of mind that growth is happening on a strong foundation.

From Roadblocks to Navigation Systems

Let’s evolve the metaphor further: the future of GRC should look like the GPS navigation application Waze, not a roadblock or a rearview mirror.

Waze doesn’t tell drivers to stop — it helps them get to their destination faster and safer, using real-time, crowd-sourced intelligence. It adapts based on traffic, hazards, and the driver’s intent. That’s what GRC should aim to do: enable dynamic, decision-useful navigation for business leaders on their unique journeys.

Like Waze, modern GRC should:
– Tailor information to where the business is trying to go.
– Alert stakeholders to hazards and roadblocks in real time.
– Provide guidance that’s timely, relevant, and easy to act on.
– Effortlessly leverage the collective intelligence of the organization.

When compliance functions act as co-pilots — not controllers — they become valued strategic partners. Instead of issuing static checklists or surveys, they provide adaptive insights. Instead of blocking paths, they help identify better routes in real time.

Designing for Decision-Usefulness and Ease

Decision-useful GRC starts with this question: “Does the information we’re gathering and distributing help someone make a better, safer, or faster decision?”

If the answer is no, then you’re just creating noise — not insight.

Let’s return to the Waze analogy: if the app warns a driver that there’s a dangerous intersection ahead, they can slow down, become more alert, or choose another path. That’s actionable. That’s helpful. That’s smart GRC in action.

Now imagine if that data came from hundreds of other drivers who had experienced close calls. That’s risk intelligence. Not only can the individual act, but the local authority — in this case, the risk owner — can use that insight to fix the intersection, remove the hazard, and make the whole system safer over time.

But none of this is possible if the process of gathering and using risk data is painful, confusing, or disconnected from real workflows. If employees don’t engage with your tools, you don’t get the data. And if you don’t have the data, you can’t produce useful insights.

This is why we must design GRC systems for user experience — not just for audit defensibility.

When we center design around regulators instead of humans, we build clunky tools that people avoid, ignore, or work around. When we design for usability, we get accurate, timely, and complete data, which means better, faster decisions.

GRC as a Human-Centered, Intelligence-Led Enabler

In today’s complex, high-velocity business environment, risk is everywhere — and so is opportunity. We can’t afford to operate with outdated or reactive approaches. We need GRC that is:
– Real-time
– Crowd-informed
– Business-friendly
– Insight-driven

By combining human-centered design with intelligence-led systems and positioning compliance as a service, we can create risk and compliance programs that people trust and use. In the words of Zach Posner, founder of the Legal Tech Fund, “We need to prioritize a gorgeous user experience.” When we do, everyone benefits — the business, the employees, the regulators, and the customers.

We move beyond fear-based compliance to something far more valuable: a culture of informed accountability, where people want to contribute because they see the benefit.

The Call to Action: Rethink GRC for Impact

So, is your GRC work helping the business take off — or keeping the wheels stuck on the tarmac?

It’s time to shift from static controls and reporting to dynamic insight and intelligence. From reactive rules to proactive guidance. From compliance-as-obstacle to compliance-as-co-pilot.

Let’s build GRC systems that are as smart, intuitive, and fast as the businesses they serve — not because we fear risk, but because we’re aiming for a smoother, safer, more successful journey.
