Sign In
In this section

The GRC Triad as an Operating System

2-3 hours · Module 1 · Free
What you already know
You know what governance, risk management, and compliance are as individual concepts. You've seen them operate in your organization, possibly as separate activities run by different people. This section shows you what happens when the three disciplines connect as a single system, and gives you the diagnostic to assess whether your organization has that integration.

The system: how the three disciplines feed each other

The failure of most GRC programs starts with a structural mistake: treating governance, risk management, and compliance as three separate filing cabinets. Governance produces policies. Risk management produces a register. Compliance produces audit evidence. Three teams, three outputs, zero integration. The policies don't reference the risks. The risk register doesn't reference the controls. The audit evidence doesn't trace to either.

Scenario

Your SOC handled a business email compromise attempt last month. The detection rule fired, the analyst contained it, the incident was closed. Your risk register still shows "email-based threats: Medium likelihood, Medium impact" because nobody connected the incident data to the risk assessment. Your compliance evidence for ISO 27001 A.5.24 (incident management) shows the incident report but doesn't connect it to the risk treatment that funded the detection rule. Three teams produced three outputs. None of them referenced each other.

An integrated GRC system works differently. Risk management is the engine. It identifies what can go wrong, assesses the likelihood and impact, and determines what to do about it. Governance is the steering mechanism. It makes the decisions: which risks to treat, which to accept, what policies to enforce, how to allocate resources. Compliance is the evidence layer. It proves the decisions were implemented and the controls are working.

The system becomes powerful when three feedback loops close the cycle.

THE GRC OPERATING SYSTEM RISK MANAGEMENT Identify → Assess → Treat → Monitor The engine — everything starts here GOVERNANCE Policies → Decisions → Authority The steering mechanism COMPLIANCE Evidence → Audit → Assurance The evidence layer Loop 1: Risk informs decisions Loop 2: Controls produce evidence Loop 3: Evidence reassesses risk Incidents + threat intel Regulatory changes Audit findings External inputs feed the system: incidents update risk, regulations update compliance, findings drive improvement

Figure 1.1: The GRC operating system. Risk management identifies threats. Governance makes decisions. Compliance produces evidence. Three feedback loops close the cycle. External inputs (incidents, regulatory changes, audit findings) feed continuous updates.

Every arrow in that diagram represents a data flow that either exists in your organization or doesn't. If the arrow from compliance back to risk management is missing, meaning audit findings and control effectiveness data never feed back into the risk register, you're running an open-loop system. The risk register degrades over time because it never receives correction signals. McKinsey's 2025 Global GRC Benchmarking Survey found that 42% of organizations say their IT and GRC systems need improvement, and 15% say they are absent or lagging entirely. The missing feedback loops explain why.

The three feedback loops

Loop 1: Risk informs governance decisions. Risk management identifies a threat (credential phishing targeting finance users, for example). The risk assessment quantifies the exposure: estimated $340,000 based on average outbound payment value. This data flows to governance, where the risk committee approves treatment: deploy anti-phishing policies, enforce phishing-resistant MFA for finance accounts, and run monthly targeted simulations. Without this loop, governance decisions are based on intuition rather than data, and budget goes to whoever argues loudest rather than wherever the risk is greatest.

Anti-Pattern

The disconnected risk register

Risk management identifies 47 risks. Governance produces 23 policies. Nobody maps which policies address which risks. The information security policy says "MFA shall be enforced for all administrative access" but doesn't reference the identity risk that justifies the requirement. When the CFO asks why MFA is required, the GRC team can cite the policy but not the risk. The policy becomes a rule to follow rather than a decision to understand.

Loop 2: Governance decisions produce compliance evidence. The governance decision (enforce phishing-resistant MFA) creates a control. The control produces evidence: Conditional Access policy evaluation logs, sign-in records showing MFA method used, phishing simulation results. This evidence flows to compliance, which maps it to framework requirements. The MFA enforcement satisfies ISO 27001 A.8.5 (authentication), NIST CSF PR.AA-03 (identity management), and NIS2 Article 21(2)(j) (multi-factor authentication). Without this loop, compliance evidence is collected separately from the controls that produce it, creating a manual reconciliation burden that grows with every framework.

Loop 3: Compliance evidence reassesses risk. The compliance evidence reveals that MFA enforcement is 94% across the organization but only 71% for administrative accounts in the finance department. This finding flows back to risk management, which updates the credential phishing risk: the control is partially effective, residual risk is higher than assumed. The risk committee reviews the updated assessment and authorizes a targeted remediation. Without this loop, the risk register assumes controls are working as designed. The 71% enforcement gap persists because nobody measures, and the risk score stays at the level the original treatment plan predicted.

The COSO ERM 2025 framework and the OCEG Capability Model both emphasize these feedback connections. COSO structures the loops as five components: governance and culture, strategy and objective-setting, performance, review and revision, and information/communication/reporting. OCEG calls the integrated approach "Principled Performance." The terminology differs but the principle is the same: the three disciplines produce value when connected and produce shelf-ware when separated.

Tracing a risk through the system

To make the integration concrete, trace a single risk through both models. A threat intelligence report identifies that adversary-in-the-middle credential phishing attacks against organizations in your sector have increased 340% in the past quarter.

In an integrated system, the threat intel triggers an immediate risk register update. The risk score changes from Medium to High based on sector-specific data. The impact is quantified using the average outbound payment value for the CFO's mailbox. The risk committee approves three treatments within a week: anti-phishing policies in Defender for Office 365, phishing-resistant MFA for all finance and executive accounts, and monthly targeted phishing simulations. Each control is mapped to the relevant compliance requirements. Evidence collection begins automatically from sign-in logs and simulation results. Four weeks later, the compliance evidence shows 100% enforcement for the target population. The risk score is updated to reflect the implemented controls.

In a disconnected system, the same threat intel goes to the SOC. The SOC manager mentions it in a team meeting. Nobody updates the risk register because "we already have phishing in there." No formal governance decision is made and no budget is allocated. An analyst enables the anti-phishing policy because it seems like a good idea, but there's no mapping to the risk, no documentation, and no measurement. Six months later, the auditor asks for evidence that the organization responded to the AiTM threat. The evidence doesn't exist because the response was informal, undocumented, and unmeasured.

The difference between these two outcomes is not capability. Both organizations have the same tools, the same staff, the same threat intelligence feed. The difference is structural: whether risk data flows to governance, whether governance decisions produce documented controls, and whether control evidence flows back to risk assessment.

The integrated system produces full traceability. Every risk connects to the controls that treat it, the evidence that proves the controls work, and the framework requirements the controls satisfy. The relational diagram below shows this chain for the AiTM phishing risk:

RISK-CONTROL-EVIDENCE TRACEABILITY — AiTM PHISHING EXAMPLE RISK AiTM credential phishing High likelihood · $340K impact treated by Anti-phishing policy Defender for O365 Phishing-resistant MFA CA policy · FIDO2/passkey Monthly simulations Finance team targeted produces Policy eval logs Blocked phishing URLs Sign-in logs 100% MFA enforcement Simulation results 3% click rate (down from 12%) satisfies ISO 27001 A.8.5 Secure authentication NIST CSF PR.AA-03 Identity management NIS2 Art 21(2)(j) Multi-factor auth Evidence reassesses risk: 100% enforcement + 3% click rate → residual risk reduced to Low Disconnected system: these connections don't exist Risk stays at Medium · Controls undocumented · Evidence not collected · Frameworks unsatisfied Node colors: Red = risk · Blue = controls · Green = evidence · Amber = framework requirements Every arrow is a connection that either exists in your organization or doesn't. Missing arrows = open-loop system.

Figure 1.2: Risk-Control-Evidence traceability for the AiTM phishing risk. Each arrow is a connection that either exists in your organization or doesn't. The dashed return arrow shows Loop 3: evidence data flowing back to reassess the original risk.

GRC Principle

The GRC triad is a feedback system, not three parallel workstreams. Risk management identifies what can go wrong. Governance decides what to do about it. Compliance proves the decision was implemented and is working. If any of the three feedback loops in the diagram doesn't exist in your organization, you have a gap that will manifest as either a failed audit, an undetected risk, or a governance decision made on stale data.

The governance decision that tests the system

The triad diagram shows how data flows. What it doesn't show is what happens when the flows collide at a governance decision point. Consider the scenario every GRC practitioner eventually faces: the CEO requests an MFA exception.

The CEO travels internationally and finds the MFA prompt on his phone disruptive. He asks for an exception to the access control policy. Your policy says MFA is required for all users. The CEO is a user. What do you do?

This is a governance decision, not a technical one. Three options exist, and each reveals something about how the GRC system functions.

Accept the risk formally. Document the CEO's request, assess the residual risk (executive mailbox without MFA is a high-value BEC target), present the risk to the CEO for formal acceptance, and maintain the exception in the risk register with a review date. This is valid governance. The CEO has authority to accept risk for his own account. But the exception creates three downstream problems: the SOC 2 auditor will question whether access control is "consistently applied," the ISO 27001 auditor will assess whether residual risk is within tolerance, and every other executive will request the same accommodation. Within six months, you have 15 MFA exceptions for your highest-value targets.

Offer a technical alternative. Investigate phishing-resistant options that address the UX concern: a FIDO2 security key (tap to authenticate, no app required), a passkey enrolled on the tablet, or certificate-based authentication. Present the CEO with options that satisfy the security requirement without the friction he objects to. If a viable alternative exists, the exception is unnecessary and the risk is avoided entirely.

Deny the request outright. The policy says MFA is required. The CEO is a user. No exceptions. This is technically correct and organizationally destructive. The CEO overrides you because he has the authority. You now have an undocumented exception (worse than option one) and a damaged relationship with the most powerful stakeholder in the organization. Governance authority operates through influence, not decree.

The correct first response is the technical alternative. It addresses the CEO's actual concern (UX friction) without creating a control gap. A FIDO2 key costs $25 and provides stronger authentication than app-based MFA. If the CEO accepts the alternative, the policy is satisfied, the risk is avoided, and no exception is needed. This is governance in practice: managing risk through decisions, not enforcing rules through confrontation.

Three maturity levels

Before you can build the right program, you need to know where you're starting. The maturity model below provides the diagnostic.

Posture Assessment

Level 1 — Reactive: Risk register does not exist or is not maintained. Policies are generic templates. Compliance evidence is created retroactively before audits. Board reporting only when requested. Audit preparation takes 4-8 weeks. Incidents are not connected to risk management.

Level 2 — Structured: Risk register exists and is reviewed periodically. Policies are customized with calendar-based review. Evidence is collected periodically by the GRC team. Board reporting is periodic but inconsistent. Audit preparation takes 2-4 weeks. Major incidents trigger ad hoc risk updates.

Level 3 — Integrated: Risk register is updated when risks change. Policies reference specific controls and are updated when processes change. Evidence is produced automatically from operational data. Board reporting has a defined cadence with risk trend analysis. Audit preparation takes days. Every incident feeds systematic risk reassessment.

Your diagnostic: Score each of the eight indicators (risk register, policies, evidence, board reporting, audit prep, cross-framework mapping, incident-to-risk feedback, policy review trigger) as Level 1 (0), Level 2 (1), or Level 3 (2). Total: 0-4 = Reactive, 5-9 = Structured, 10-16 = Integrated. Your score shapes your path through the rest of the course.

Most organizations score between 5 and 9, landing in the structured range. The components exist but aren't connected. The risk register is maintained but doesn't drive policy decisions. Policies exist but aren't mapped to controls. Compliance evidence is collected but doesn't feed back into risk scores. The course modules from G2 onward build the connections that move you from structured to integrated.

If you score below 5, your priority is establishing the basic components. Complete G1-G2 for foundations, then G3-G5 to build the risk management engine. Don't attempt framework certification until the engine is running. If you score above 13, your program is already operational. Focus on Phase 4 modules: G12 for audit management, G13 for board reporting, G14 for regulatory change management.

Next
Section 1.2 examines four composite case studies, each illustrating a specific GRC failure mode. You'll diagnose which patterns apply to your organization and understand why each failure requires a different correction.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.
Unlock the Full Course See Full Course Agenda
← Previous Next →