
GRC and the Plumbing Problem: Why “What’s Out of Sight Shouldn’t Be Out of Mind”

Author: Richard Rivett - GRC Solutions Consultant

Topics: Risk, Compliance, Governance, Technology, Culture


Regions and Regulators: Global, Europe, UK


How to Make Risk and Compliance Visible to Those Who Need to Care
 
When the Romans built their aqueducts over 2,000 years ago, they weren’t just showing off engineering genius; they were investing in invisible infrastructure. Those arches and channels carried water quietly and reliably, powering cities, public baths, and agriculture. Few citizens thought much about the plumbing, until a drought or a broken channel reminded them how fragile their civilisation could be.


Governance, Risk and Compliance works the same way today. Most organisations treat it like plumbing: essential, but out of sight. As long as it hums quietly in the background, it’s taken for granted. But when something bursts - a regulatory breach, a hefty fine, or a reputational crisis - the damage is immediate, expensive, and potentially devastating.

Boards do discuss risk and compliance - it’s a standing agenda item. But too often, the conversation lacks the insight needed to drive meaningful decisions. Like plumbing behind the walls, GRC is essential but rarely examined in depth. Unless there’s a breach or audit disaster, it risks being treated as routine rather than strategic.

Why GRC Slips Off the Radar

The problem isn’t that GRC lacks value; it’s that its value is hidden. When something is invisible, it’s easy to underfund or postpone maintenance. Pipes corrode behind walls, and processes fragment across legal, audit, risk, and compliance teams. Because GRC often lacks the narrative clarity or strategic framing of cyber or ESG initiatives, it may not receive the same level of boardroom focus - even though it’s just as critical.

History offers a cautionary tale: In Victorian London, sewers were ignored until the “Great Stink” of 1858 forced Parliament to act. Businesses do the same when they wait for a compliance disaster before investing. The reactive approach is always costlier and riskier than proactive care.

Reframing GRC as a risk intelligence system, not a box-ticking exercise, helps leadership see it as a tool for smarter, faster decision-making - one that can even create competitive advantage.

Making GRC Visible: Three Levers to Pull

To elevate GRC within board discussions, it needs to be connected to what leadership already values - and presented in a way that enables strategic decision-making. Here are three powerful levers:

  • Resilience: GRC helps your organisation withstand disruption, whether regulatory, reputational, or operational. Just as the aqueducts allowed Rome to thrive through droughts, strong GRC keeps your business steady during turbulence.
  • Defensibility: Modern regulators expect evidence on demand. A robust GRC framework demonstrates that your controls are effective and your business is audit-ready - like showing a building inspector perfectly maintained pipes.
  • Opportunity: GRC isn’t just about plugging leaks. Use examples where risk insights helped your business pivot faster than competitors. Smart compliance can unlock opportunities and position your organisation as a leader, not a laggard.

Metrics That Speak the Board’s Language

Raw data doesn’t persuade - it overwhelms. Boards want meaningful insight, and these three metrics translate GRC into strategic value:

  • Time to Escalate: How quickly can an issue move from detection to executive awareness? The faster you respond, the smaller the mess.
  • Control Effectiveness Rate: What percentage of your controls are functioning as intended? This says a lot about organisational reliability.
  • Audit Preparation Time: How much staff time and disruption does evidence-gathering cause? Fewer hours spent here signal efficiency and maturity.

Seven Tips to Win GRC Investment

  1. Speak Their Language: Align GRC language with board-level priorities like resilience, agility, and reputation. Boards already value GRC - what’s needed is framing that connects it to strategic outcomes, not just operational compliance.
  2. Use Relatable Analogies: Reinforce GRC’s role as strategic infrastructure. For example: “Just as a hotel’s plumbing underpins guest experience, GRC underpins trust, resilience, and operational continuity.”
  3. Leverage External Events: Use recent breaches or regulatory shifts to ask, “Could this happen to us?” and “Would we be ready?”
  4. Tell Stories: Data informs, but stories persuade. Share times when proactive GRC prevented costly damage or revealed a valuable insight.
  5. Quantify the Value: Use clear ROI: costs avoided, risks mitigated, and hours saved. Make GRC’s impact measurable.
  6. Highlight Scalability: Stress how modern platforms grow with the business without adding headcount. Automation and centralisation prevent overwhelm.
  7. Address Concerns Upfront: Tackle objections about complexity or adoption. Modern GRC platforms are intuitive, configurable, and designed for cross-functional teams.

Invisible Infrastructure, Visible Results

Think of a high-rise hotel. Guests admire the architecture, the views, and the restaurant. However, no one praises the plumbing. Yet, without it, the whole operation would grind to a halt. GRC plays the same role in your business: unseen, but critical to everything above it.

The Romans knew that aqueducts weren’t glamorous, but they built them anyway because they understood their civilisation depended on reliable water flow. Forward-thinking businesses should take the same long view.

Final Thought: Don’t Wait for a Flood

GRC is the infrastructure that keeps your organisation watertight. By treating it as an afterthought, you risk costly and avoidable damage. By reframing GRC as a proactive, insight-driven capability - supported by relatable metaphors, strategic metrics, and historical lessons - you elevate its visibility and secure the investment needed for a resilient, compliant, and agile organisation.

Boards understand the importance of infrastructure. The challenge is ensuring GRC systems are modernised before a breach exposes gaps. The right insights, presented clearly, make that investment easier to justify. Strengthen your foundations now, and when disruption inevitably comes, you’ll be ready - not mopping up the mess.


About the Author

Richard Rivett is a Senior GRC and RegTech professional with over 15 years’ experience in the sector, guiding organisations through the complexities of risk, compliance and assurance management. Throughout his career, Richard has specialised in leveraging innovative technology solutions to streamline compliance processes, enhance risk visibility, and support digital transformation initiatives.
Richard is passionate about sharing his knowledge and practical insights through thought leadership, aiming to empower organisations to build robust risk and compliance frameworks and make informed, strategic decisions in today’s dynamic landscape.