Embedding culture of governance, risk, compliance across organisation
In any organisation, success doesn’t just come from having smart people or great products. It also comes from doing things the right way. 

That means making good decisions, managing risks properly, and following rules and standards. These ideas are at the heart of Governance, Risk, and Compliance, or GRC for short.

But having policies and procedures isn’t enough. To truly make a difference, GRC needs to become part of the organisation’s culture, that is, something everyone lives and breathes every day. This article explains what GRC is, why it matters, and how to build a culture that supports it across the entire organisation.

What is GRC?

Governance is about how decisions are made in the organisation. It involves setting the right rules, roles, and responsibilities.

Good governance helps make sure that the company is being run in a way that is fair, responsible, and aligned with its goals.

Risk management means identifying things that could go wrong (risks), figuring out how likely they are, and finding ways to reduce or prepare for them. 

Risks can come from anywhere: cyber attacks, economic changes, staff errors, or even bad weather.

Compliance is making sure the company follows all the rules, laws, and industry standards that apply to it. 

This includes everything from financial reporting laws to health and safety regulations.

When you put governance, risk, and compliance together, you get a powerful approach to running a responsible and resilient business.

Why does culture matter?

Many organisations already have policies and procedures in place for governance, risk, and compliance. But policies alone aren’t enough. 

What really makes the difference is culture, which is the shared beliefs, values, knowledge, attitudes and behaviours of people across the organisation.

A strong GRC culture means:

• People understand why governance, risk, and compliance matter.

• They follow the rules not because they must, but because they want to.

• They speak up when they see problems or risks.

• They think about risks before making decisions.

• Everyone, from the CEO to junior staff, takes responsibility.

Without the right culture, even the best systems will fail.

Signs of a weak GRC culture

The question is, how do you know if your organisation has a weak GRC culture? Some of the red flags are as follows:

• People are afraid to report mistakes or bad behaviour.

• Rules are often bent to meet targets.

• Risk is only discussed by a few people, not the whole team.

• Compliance is seen as a burden, not a shared responsibility.

• Governance structures exist on paper but are ignored in practice.

When these things happen, the organisation becomes exposed to bigger risks, including fraud, reputational damage, legal issues, or even collapse.

How to embed a GRC culture

Building a GRC culture doesn’t happen overnight. It requires commitment, communication, and consistency. The following are some important steps you may consider:

1. Leadership must set the tone

Culture starts at the top. Leaders need to model ethical behaviour, follow the rules themselves, and show that GRC is important through their actions, not just their words. If senior leaders cut corners or ignore or bypass controls, others will do the same.

2. Communicate clearly and often

People need to know what GRC is, why it matters, and how it affects their daily work. Use simple language. Share engaging stories and examples. Keep the message alive through interesting newsletters, team meetings, and onboarding.

3. Make training practical

Training shouldn’t be a tick-box exercise. Make it relevant, interactive, and easy to apply. Use real-life scenarios, case studies, and role-playing to help employees understand risks and make better decisions.

4. Reward good behaviour

Recognise and reward people who follow good governance, manage risks well, or speak up about problems. It shows that the organisation values doing the right thing. Let employees know that it’s not just about hitting targets. That is Principled Performance, a topic we will discuss next week.

5. Encourage open communication

Create a safe environment where people can speak up without fear. This might mean having anonymous whistleblower channels or open-door policies. Listen to concerns and act on them quickly.

6. Integrate GRC into everyday processes

GRC should not be something separate from the work people do every day. It should be part of planning, budgeting, hiring, marketing, and all other activities. This helps people see that GRC is not extra work, but rather, the work itself.

7. Monitor and improve

Use surveys, audits, and assessments to check how the culture is doing. Ask questions such as “Do people feel safe reporting issues?” and “Do they understand their GRC responsibilities?”, and then use the feedback to improve.

Challenges you might face

Let’s be honest, embedding a GRC culture isn’t easy. You will face resistance, especially if people see it as just another layer of bureaucracy. People will have to change long-standing habits and attitudes, and that’s not easy at all.

Here are a few common challenges and some tips on how to handle them:

• Resistance to change: People may say, “We’ve always done it this way.” Explain why change is needed and how it benefits them and the company.

• Lack of resources: Building culture takes time and effort. You need to invest in training, tools, and people who can support the GRC agenda.

• Inconsistent messaging: If different leaders send mixed messages, people will be confused. Make sure leadership is aligned and unified in the message.

• Over-focus on compliance alone: Compliance is important, but culture is more than just following rules. Focus on values and behaviours too. Let people live it.

The long-term benefits

When you build a strong GRC culture, the whole organisation benefits. 

• Better decision-making: People think about risks before acting, which reduces costly mistakes.

• Stronger reputation: Stakeholders trust the organisation more.

• Lower risk exposure: Problems are identified and fixed early.

• Greater employee engagement: Staff feel proud to work for an ethical, responsible organisation.

• Regulatory confidence: Regulatory authorities and auditors see that the company is serious about doing the right thing.

In simple terms, GRC becomes part of the organisation’s DNA.

Final thoughts

Building a strong culture around governance, risk, and compliance isn’t something that happens overnight, and it doesn’t come from a checklist. It happens when people at all levels understand why GRC matters and how their actions make a difference.

When GRC becomes part of everyday thinking and decision-making, it strengthens the whole organisation. It helps people feel confident, trusted, and ready to face challenges. And in the long run, it leads to better results, not just on paper, but in the way people work, grow, and succeed together. Start small, stay consistent, and lead by example. That’s how real change takes root.

The writer is an independent Internal Audit Advisor, Enterprise Risk Management Consultant, and professional trainer. He is the founder and Chief Operating Officer of Redric Consulting, your trusted partner for comprehensive training and consulting services in the fields of Governance, Risk, and Compliance (GRC).

With a proven record of accomplishment in Internal Audit, Internal Control, Compliance, Fraud Risk Management, and Cybersecurity, Redric Consulting empowers your organisation and ensures its success.

You may reach out to Frederick on fpaikins@redricconsulting.com
