No leadership, no communication, no governance – just chaos*
Governance, Risk, and Compliance (GRC) is often seen as a structured approach to managing regulatory requirements and mitigating risks. Yet, despite its growing importance, many organizations struggle to implement GRC effectively. The reason? It’s not the complexity of regulations or the pace of legislative change. The real challenge lies within – the fragmentation of the organization itself. Without strong governance to unify different departments and break down silos, GRC becomes a patchwork of isolated efforts, lacking cohesion and strategic direction.
At its core, GRC is not merely about compliance checklists or risk mitigation tactics. It’s about embedding a mindset of accountability and strategic alignment throughout the organization. And that starts at the top. Leadership is what holds a successful GRC framework together, giving it cohesion and direction. Without it, businesses fall into a cycle of reactive compliance and disjointed risk management, exposing themselves to unnecessary vulnerabilities.
A recent Harvard Business Review article underscores that organizational silos continue to be a major obstacle to effective collaboration, hampering decision-making and overall business performance. According to some reports, 83% of executives acknowledge the presence of silos in their organizations, with 97% stating that these divisions have a “negative impact” on business outcomes. As companies expand, these structural barriers create blind spots, making it harder to detect risks, ensure compliance, and maintain accountability. Without a centralized strategy, governance efforts clash or operate in isolation, leading to a lack of visibility over the organization’s overall risk landscape.
In the context of GRC, these silos create blind spots where risks go unnoticed, compliance gaps widen, and accountability is diluted. Each department – legal, finance, IT, HR – may have its own approach to governance, risk, and compliance, but without a centralized strategy, these efforts often clash or operate in isolation. The result is a fragmented organization where no one has a clear view of the overall risk landscape.
Take, for example, the 2016 Wells Fargo scandal, where unauthorized accounts were created to meet aggressive sales quotas. This wasn’t simply a compliance failure; it was a breakdown of governance. Different parts of the organization were operating under conflicting priorities, and without strong leadership to oversee and integrate compliance efforts, unethical practices went unchecked. The fallout was severe: fines, reputational damage, and a massive overhaul of leadership and policies. The lesson here is clear: GRC cannot function in silos.
Why leadership must break down silos
To break down these silos, organizations need more than policies and procedures; they need a cultural shift that starts with leadership. Strong governance ensures that compliance isn’t seen as an isolated function but as an intrinsic part of how the business operates. It fosters an environment where information flows freely between departments, risk awareness is heightened, and decision-making is based on a comprehensive understanding of the company’s exposure to threats.
McKinsey research from 2023 highlights that organizations with strong governance structures and integrated risk management practices are significantly better equipped to anticipate and respond effectively to emerging risks. As businesses face growing uncertainty, those with proactive governance and risk frameworks demonstrate greater resilience and adaptability in navigating disruptions. This doesn’t happen by chance – it’s a direct result of leadership fostering a collaborative approach to GRC. When executives take ownership of GRC initiatives and embed them into corporate strategy, they eliminate the fragmentation that undermines compliance and risk management efforts.
The overlooked aspect: communication
While many organizations focus on establishing strong policies and procedures, they often overlook the vital role of communication in ensuring GRC’s success. Without it, even the most well-structured governance frameworks can fail, leaving each department to work on its own and missing the broader picture of risk, compliance, and accountability.
Take, for example, a prominent global bank that faced significant regulatory penalties due to a lack of communication around new compliance measures. Despite having the right policies in place, employees were unclear on how to implement these changes, leading to widespread non-compliance. It wasn’t a matter of missing policies; it was a communication breakdown that left staff unaware of their responsibilities. To address this, the bank introduced regular cross-departmental meetings and clear channels for feedback, allowing it to ensure that the entire organization stayed aligned with regulatory requirements in real time.
Similarly, a healthcare system in Europe struggled to enforce consistent compliance with the General Data Protection Regulation (GDPR) due to fragmented communication across its departments. Different divisions, from IT to patient care, had their own interpretations of the rules. The organization responded by creating a centralized communication platform that facilitated better understanding and alignment, ensuring that every team was on the same page regarding patient data privacy. This integration helped the organization avoid costly fines and strengthened its overall compliance posture.
Communication in GRC must be an ongoing conversation, not a one-time message or static set of instructions. It requires leaders to continuously engage with employees, ensuring that they understand their roles in managing risk and adhering to policies. Furthermore, organizations should leverage technology to streamline communication efforts, such as compliance management platforms that make it easy to distribute updates, track compliance activities, generate reports, set up alerts, and collect feedback.
Communication in AI Governance
As organizations increasingly incorporate Artificial Intelligence (AI) into their operations, communication becomes even more critical. AI introduces complex risks that traditional GRC frameworks may not be fully equipped to address. For example, Amazon faced public backlash when its AI-based recruitment system was found to be biased against women. The issue stemmed not from the technology itself but from the lack of transparency around how the AI system was used, the data it was trained on, and how its results were interpreted. The system, which was trained on resumes submitted to the company over a decade, inadvertently favored male candidates, as the data reflected a historical gender imbalance. This highlights the need for greater openness and oversight when implementing AI systems, especially in sensitive areas like hiring.
To prevent similar issues, organizations must ensure that AI governance is clearly communicated at all levels. This means explaining not just the risks associated with AI but also the measures being taken to mitigate those risks. It’s essential for leadership to foster a culture where AI ethics and governance are openly discussed, ensuring that all employees understand their role in making responsible, transparent decisions when using AI technologies.
From my experience, the most successful GRC frameworks are those where communication isn’t an afterthought but a central pillar of governance. Organizations that prioritize communication can break down silos, foster transparency, and create an environment where compliance is a shared responsibility.
As Warren Buffett once said, “It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you’ll do things differently.” This is especially true in the domain of GRC, where strong communication and strong leadership can make the difference between a solid, unified approach and a fragmented, reactive strategy.
* This article was originally published in Corporate Compliance Insights.