Five GRC Priorities for Organizations

4 min read


Given the complexity of the business environment and the interconnectedness of risks, organizations are actively looking at ways to strengthen their GRC strategy. Speaking at the GRC Summit 2022 in London, Michael Rasmussen suggested that GRC strategies involve a combination of left- and right-brain thinking in the coming years.

Traditionally, GRC has been viewed as a left-brain activity that involves collecting and analyzing data, identifying patterns and trends, and making decisions based on data analysis, logical reasoning, and problem-solving. However, Rasmussen believes that while logical and structured thinking, with its risk models and inside-the-box thought processes, can work to a certain extent, they are not fully representative of the real world.

Instead, the real world has far too many variables and inputs to be limited to a model. Therefore, the creative and intuitive thought processes associated with right-brain thinking will be invaluable. Michael Rasmussen also identified the top five strategic priorities for 2023 that require a combination of left- and right-brain thought processes. These are:

  • Agility
  • Resilience
  • Integrity
  • Accountability
  • Engagement

Watch the Video: Building the Best GRC Strategy


During the pandemic and its continuing aftermath, organizations prioritized resilience. However, in 2023, agility is poised to take center stage. Agility is the ability to anticipate what lies ahead and navigate real-time challenges quickly and effectively with minimal downtime. Agility emphasizes the need to prepare organizations to mitigate and avoid exposure and use risk readiness for advantage, opportunity, and gain.

In a business landscape that is constantly changing, agility helps organizations respond in a timely and effective manner by adapting to new laws and regulations, changing market conditions, or evolving customer needs and expectations. Agile GRC strategies allow the organization to be proactive rather than reactive when dealing with issues and remain flexible by adapting to changing circumstances.


Given the global impact of COVID-19, the Ukraine crisis, and the associated inflation and geopolitical risks, resilience has been a critical focus area in the past few years. While the proactive approach encouraged by agility is ideal, unanticipated events are inevitable.

According to Rasmussen, the true strength of an organization is its resilience—its ability to get back up and start running again after falling. Building resilience into the organizational framework involves implementing contingency plans to handle unexpected events, such as natural disasters or data breaches, and quickly adapting to changing circumstances, such as new laws and regulations.


In the GRC context, integrity is the sum of the organization's code of conduct, values, and policies. It encompasses various ESG components, including how organizations deal with energy, resources, and waste; their response to climate change and carbon emissions; their social interactions and reputation among stakeholders; and issues like labor relations, diversity, and inclusion. It also includes elements of governance, such as the company's internal system of policies, processes, and controls for making good decisions, adhering to the law, satisfying stakeholders, and handling bribery, corruption, hospitality, and more.


Across the world, we see a growing emphasis on accountability. Recently, Uber's chief information security officer was held legally liable for information security issues at Uber. In addition, the US Department of Justice emphasizes accountability among executives concerning compliance, while the states of New York State and California require greater accountability among risk compliance control executives.

When individuals or teams are held accountable for their actions and decisions, they are more likely to take these responsibilities seriously and take the necessary steps to ensure compliance. Frontline employees, who are often the most informed individuals about processes and procedures in an organization, play a critical role in effective risk management. Accountability from the frontline can help risk leaders gain better visibility into risks and define appropriate controls. Accountability impacts all aspects of GRC, ensuring that the organization is adhering to relevant laws, regulations, and standards and is taking appropriate action to manage risks.


GRC should transition from a back-office risk and compliance function to a front-office engagement, where risk is discovered, managed, and owned. After all, the bank teller is the first point of contact to make decisions about fraud, cash, privacy, and money laundering; the doctor and nurse are the ones making judgments about patient safety and confidentiality; and the coal miner is making choices regarding environmental health and safety. Organizations can effectively meet the GRC challenges of the future only with this level of engagement and employee buy-in.

As organizations move towards strengthening their GRC strategies, being aware of the latest trends can help foster an intuitive and engaging framework.

Interested in learning more? Watch the summit video here.

You can also request a demo to gain greater insight into how your organization can leverage risk-informed decisions to accelerate business performance.

Over the past 10 years, MetricStream’s GRC Summit has brought together thousands of GRC professionals from various industries, providing opportunities to learn, connect, and succeed.

Registrations are open for the 2023 GRC Summit to be held on June 14 and 15 at the Hyatt Regency in Miami, US. Register now!


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.