The role profile of a governance, risk, and compliance (GRC) professional is a challenging one. The mix of risk management, business strategy understanding, regulatory analysis, and interpersonal influence required is daunting.


The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation.

If that wasn’t a big enough ask, I’d add another essential requirement: being alert to, and overcoming, basic human tendencies in oneself that will get in the way of “doing the right thing.” An effective GRC practitioner must face problems rather than avoid them, hold to principles when it is easier to dodge them, and challenge commonly accepted beliefs when needed. Psychological research tells us these qualities do not come naturally.

We are, by nature, social beings, and our desire to identify with groups and “fit in” is incredibly strong. In a classic experiment, a group of 10 people was asked to choose, from a set of drawn lines, the one that was the same length as an example line they had been shown. Nine of the group were “plants” who had all been instructed to choose the same, but obviously incorrect, line. The subject was then asked to make their choice; most went with the (clearly erroneous) consensus. Such conformity is enhanced when the correct choice is less clear, when there is strong association with a group, and when authority encourages acting in a particular way.

In short, when the majority is pulling toward the same, vaguely defined goal with authority figures leading the way, other individuals are more likely to follow suit. This is exactly what we have—and is desired—in most organizations.

To make matters worse, when faced with a challenging situation that requires intervention, most people will choose not to get involved. This is especially true when there are a lot of people witnessing a problem. Such diffusion of responsibility makes it more likely no action will be taken.

There are several barriers to intervention at play here. If noncompliance is accepted as just “the way we do things,” colleagues could be completely blind to the issue in the first place. The same noncompliant culture might also make people feel there is no point in escalating issues, as if the organization wouldn’t do anything about it anyway. A mixture of poor culture and feelings of personal impotence will undermine any policies or expectations the GRC function might set.

Sealing the deal for noncompliant behavior is the human ability to morally disengage from our actions (or lack of action). We are masters of telling ourselves stories that reduce internal discomfort and allow us to sleep at night.

With this analysis, I am not concluding humans are inherently bad or morally weak. These natural tendencies can be used to enhance, rather than compromise, compliance. My intent is to illustrate the challenge GRC professionals face in dealing with organizations and the internal struggles faced in containing their own natural tendencies.

Here are a few personal words of encouragement based on what psychological literature has to say about our GRC roles:

  • Be brave. Your own internal voice is likely to be the same as everyone’s: “Don’t get involved, go with the consensus, and morally disengage from the consequences.” As GRC professionals, our role is often the reverse of this; we will be the only person walking toward a problem and calling out the moral issues at its heart. Doing so when it seems like the rest of the firm is against you takes bravery.
  • Respect individuals. Apart from a very small number of extreme personalities, people want to do the right thing. What has led to noncompliant behaviors is a complex recipe of imperfect processes, stretch goals, under-resourced controls, and a demanding work environment. These can be addressed and fixed with appropriate management focus and intent.
  • Be mindful of your own moral disengagement. It can be difficult to spot when you are justifying to yourself why you are backing off rather than facing an issue. Diffusion of responsibility and internally downplaying impacts are powerful psychological forces you need to challenge yourself about.

At its core, GRC is a human challenge. Understanding the behavioral drivers of both ourselves and others is a fundamental requirement of what we do.

I offer the following clarion call: Be brilliant. Be human. Be proud.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.