Governance, risk, and compliance as a strategic advantage

IN BRIEF:

• Governance, risk, and compliance (GRC) is shifting from back-office control to a strategic function that anticipates risks, protects value, and guides executive decisions in a volatile world.

• Mature GRC programs feature strong leadership, fast and reliable information, clear ownership by the first line, and GRC leaders who challenge board and management decisions.

• While AI and new technologies improve risk detection, the real advantage comes from integrating risk insights across the organization to enable timely, practical governance for boards and management.

In November, board members, senior executives, chief audit executives, compliance officers, chief risk officers, and other professionals gathered at the SGV Knowledge Institute and SGV Consulting forum, “Navigating Enterprise Resilience through the Synergy of Governance, Risk, and Compliance.” It examined how governance, risk, and compliance (GRC) is being reshaped by business realities that are faster, more volatile and less forgiving than ever.

The first panel session, “GRC Integration: Aligning Governance, Risk, and Compliance with Business Strategy,” centered on how GRC can evolve from a defensive control function into a source of strategic clarity.

REDEFINING RISK
One theme dominated the discussion: the traditional definition of risk has become inadequate. Compliance risk, once the focal point of GRC programs, is now only one part of a broader risk universe that includes liquidity, market and operational exposures. Above these sit strategic and reputational risks, which panelists describe as one of the most consequential threats to long-term value.

Risk today, they argued, is best described as NAVI: nonlinear, accelerated, volatile and interconnected. A single disruption can rapidly propagate across functions, geographies and stakeholders. A cyber breach becomes an operational and a regulatory issue; an operational or regulatory issue becomes a reputational crisis; a reputational crisis erodes shareholder confidence.

“Mature GRCs ensure collaboration and are capable of addressing events that trigger multiple risks,” said Vicky Lee Salas, Senior Vice-President for Special Projects and Chief Risk and Compliance Officer of SM Investments Corp. The implication for executives is clear: managing risks in silos is not merely inefficient, it is also dangerous.

SPEED AS A STRATEGIC ASSET
In a NAVI risk environment, speed of information is important. The panel repeatedly returned to the idea that effective GRC programs are those that move relevant insights to decision-makers before choices are constrained.

Narlette Manacap, Compliance Risk Country Officer of Citibank Philippines, framed the shift as follows: “If you have a mature GRC, information flow is faster, reaching stakeholders on time to make smarter choices,” she said. “GRC has shifted from defensive to proactive: we identify pain points early and appropriately plan for situations. In some cases, controls are there to prevent, not mitigate, crises. A healthy GRC helps manage crises and control disruptions.”

Despite the abundance of frameworks, the panelists converged on a simple view of what constitutes GRC maturity, which rests on three identified pillars.

First, leadership must be strong, visible and unambiguous. GRC cannot operate effectively when its mandate is unclear or inconsistently supported at the top. Second, information must flow quickly and credibly to those empowered to act. Risk insights that arrive late, or are filtered to avoid discomfort, serve little purpose. Third, the organization must be proactive, that is, able to identify emerging risks early enough to prevent a crisis rather than merely respond to one. Without all three, even well-designed GRC structures struggle to deliver value.

LEADERSHIP AND ACCOUNTABILITY
Beyond structure, the panel emphasized mindset. Effective risk leaders must operate with a “positive intent mindset,” defined as an ability to appreciate differing perspectives, remain open during debate, and engage constructively with business leaders whose intentions may not always align with risk considerations.

Clear accountability is equally critical. A well-defined RACI grid — clarifying who is responsible, accountable, consulted and informed — becomes indispensable during moments of stress, when ambiguity can paralyze response. Indeed, human behavior remains the persistent roadblock. Differing interpretations of risk appetite, uneven risk awareness and organizational politics can undermine even the most sophisticated systems. In such moments, risk leaders must be willing to stand their ground. Knowing when to say “no,” and articulating why, is a defining leadership skill in modern GRC.

FROM DEFENSE TO VALUE CREATION
The panel described the evolution from three lines of defense to the three lines model, a subtle but significant shift in language. The new emphasis is not solely on prevention and control, but on value creation. For the three lines to function effectively, they must share objectives, operate within a common framework and be supported by effective enablers: leadership, culture and technology.

Manacap underscored the importance of empowering the first line. When business units own risks, the organization becomes more agile and less dependent on second-line intervention. Risk, in this model, is shared responsibility rather than a centralized policing function.

That shift also has implications for how risk leaders are positioned. Salas stated that credibility starts with recognition. Chief risk officers and senior risk leaders, she said, need to be “paid well, credible enough to mean business.” Too often, risk is viewed as a cost center. In reality, strong GRC functions act as “revenue protectors,” safeguarding value that might otherwise be lost to disruption, fines, or reputational damage.

THE EXPANDING ROLE AND LIMITS OF TECHNOLOGY
Artificial intelligence and emerging technologies featured prominently in the discussion. Sing Hwee Neo, EY Global Client Service Partner for Government and Public Sector, reflected on the transformation he has witnessed throughout his career. “GRC has gone a long way since I started,” he said. “When I look back at when I started internal audit, the tools were very rudimentary. Experienced practitioners can now use AI to detect control failures in real time.”

He pointed to autonomous risk management agents that monitor multiple data sources, dynamically adjust risk scoring and help organizations prioritize and respond to potential incidents more effectively.

However, the panel was careful to temper enthusiasm with caution. Integration is more important than any individual tool, as technology that reinforces silos merely accelerates confusion. Aligning risk categories, consolidating assurance activities, and enabling senior management to see a comprehensive, timely picture of enterprise risk remain the real differentiators.

INSIGHTS FOR BOARDS
Audience questions reflected common executive concerns, including the availability of combined assurance tools and how organizations can preserve the independence and strength of second and third-line functions. The responses returned to familiar themes: empowerment of the first line, clarity of roles and visible support from the top.

One clear message was directed at boards. The panelists urged that governance should be implemented consistently across the group, but in a proportional and practical manner. Over-engineering governance can be damaging as under-governance, particularly in complex organizations.

SYNERGY IN GRC
The session closed with a set of succinct reflections that captured the panel’s shared philosophy. Governance sets direction, risk provides foresight and compliance ensures alignment, said Neo. Manacap described GRC as “one in action, moving in sync.” Salas offered a phrase likely to resonate with executives: “risk in rhythm.”

What ultimately distinguishes effective GRC is not sophistication for its own sake, but synergy. It is about open dialogue, shared accountability and leadership willing to treat risk not as a constraint but as a strategic instrument.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Joseph Ian M. Canlas and Christiane Joymiel C. Say-Mendoza are risk consulting partners of SGV & Co.