GRC versus GCN Why Finding Problems Is Not the Same as Solving Them

Last Updated on 19/06/2026 by 75385885

The Procurement Department That Never Heard from Compliance

GRC Hidden Pittfalls – At Delta Manufacturing Group, a multinational industrial company with annual revenues exceeding €2 billion, procurement was considered one of the best-run departments in the organization.

The Head of Procurement, Peter van Dijk, worked there for more than fifteen years. Suppliers respected him, operations trusted him, and senior management viewed him as someone who could always get things done.

The department processes approximately 40,000 purchase orders annually. Internal and external audits rarely found material issues. Procurement delivered savings targets year after year.

Then, on a Tuesday morning, Peter received an email.

Subject: Internal Audit Review – Procurement Cycle Testing

Internal Audit informed him that they would review 25 purchase orders selected from the previous six months as part of a standard Procure-to-Pay (P2P) control assessment.

Peter was not worried.

At least not initially.

The Discovery

As preparation for the audit, one of Peter’s managers reviewed the selected purchase orders.

Within a few hours something unusual appeared.

The organization’s Segregation of Duties (SoD) design required three separate individuals to be involved in high-value purchase approvals:

  • Requestor
  • Procurement approver
  • Final authorization manager

This design was approved years ago by Risk Management, Internal Control, and Internal Audit.

On paper everything looked perfect.

Reality, however, was slightly different.

Six months earlier, one of the key approval positions had become vacant after an employee retired.

The position represented 0.5 FTE.

Recruitment had proven difficult.

The vacancy remained open.

Operations could not wait.

Purchase orders still needed approval.

Suppliers still needed payment.

Production still needs materials.

As happens in many organizations, a practical solution emerged.

An experienced employee named User01287 was assigned additional approval rights.

Nobody considered it particularly risky.

He had worked for the company for forty years.

He was respected.

Trusted.

Reliable.

The phrase most frequently heard was:

“If anyone can be trusted, it is him.”

And so the temporary solution became permanent.

The Rationalization

Over time, nobody even questioned the arrangement.

The system technically showed a SoD conflict.

However, Peter personally reviewed the approvals.

He knew the employee.

He trusted the employee.

He believed the risk was negligible.

In meetings he occasionally explained:

“Yes, technically it isn’t exactly according to the design, but we have compensating oversight.”

Nobody challenged him.

After all, Peter was a highly regarded executive with a reputation for integrity.

grc hIDDEM PITFALLS

The organization accepted the exception.

Informally.

Silently.

Without documentation.

Without formal risk acceptance.

Without escalation.

Without a remediation plan.

Also read more about the COSO-model that GCN fully supports: COSO Internal Control Framework: Lessons from Global Corporate Failures or from COSO the subject of monitoring: Step 5 – Monitoring Activities: The Continuous Pulse of Internal Control, both from our blog.

Enter Traditional GRC

The interesting part is what happened next.

Nothing.

For six months.

The GRC framework existed.

The policies existed.

The controls existed.

The audit universe existed.

The risk registers existed.

The compliance manuals existed.

The dashboards existed.

But nobody knew the issue existed.

The reason was simple.

Nobody was looking.

The organization relied on periodic testing.

Issues were discovered when auditors happened to sample the affected transactions.

Until that moment, the exception remained invisible.

The procurement department never contacted Compliance.

Compliance never contacted Procurement.

Neither side expected much value from the other.

Procurement viewed Compliance as a group that documented problems.

Compliance viewed Procurement as a department that preferred operational convenience.

Both groups operated professionally.

Yet neither group truly collaborated.

The relationship was largely transactional.

Many conversations followed the same pattern:

Compliance asks for evidence.

Procurement provides evidence.

Compliance identifies deficiencies.

Procurement explains operational constraints.

Nothing fundamentally changes.

As one procurement manager joked:

“Compliance always tells us what we cannot do. They never tell us how we can solve it.”

Of course, that perception was not entirely fair.

But perceptions matter.

Also read McKinsey & Company: Governance, risk, and compliance: A new lens on best practices.

The Audit Finding

Internal Audit completed its review.

The auditors identified repeated SoD violations.

The finding was classified as medium risk.

Several recommendations followed:

  • Restore segregation of duties.
  • Document compensating controls.
  • Formally approve exceptions.
  • Monitor privileged users.

A management action plan was created.

A target completion date was assigned.

The finding appeared in an audit report.

The Audit Committee was informed.

The Board received a summary.

The issue was officially known.

Six months after it started.

This is traditional GRC functioning exactly as designed.

The system eventually found the problem.

GRC Hidden Pitfalls

The question is whether finding it six months later created value.

Also read this message on LinkedIn: GRC’s Hidden Pitfalls: The Top IT Governance Issues Everyone Ignores.

What Would Have Happened Under GCN?

Now imagine the same organization operating under a Governance, Compliance & Navigation (GCN) model.

The retirement occurs.

The position becomes vacant.

The approval rights are reassigned.

The SoD conflict appears in the ERP system.

But this time continuous monitoring is active.

Within 24 hours the exception appears on a dashboard.

Within days Compliance receives an alert.

Not because someone is suspected of wrongdoing.

Not because anyone violated policy intentionally.

Simply because the approved control design no longer matches operational reality.

A compliance analyst contacts Procurement.

The conversation sounds different.

Not:

“You have violated policy.”

But:

“We noticed the approved control structure is no longer functioning as designed. What operational challenge are you facing?”

That small change completely alters the dynamic.

The discussion focuses on solutions rather than blame.

Read more on GCN – Governance Control Navigator in its pilot phase.

The procurement manager explains:

“We have a 0.5 FTE vacancy. We cannot recruit quickly enough. Production cannot wait.”

Under a traditional model, the conversation often stops there.

Under a GCN model, it starts there.

Compliance becomes part of the solution.

Several options are explored:

Option 1: Temporary Transfer

Another department has excess capacity.

A qualified employee is temporarily transferred for 0.5 FTE.

The SoD structure remains intact.

Option 2: Compensating Review

Finance performs an independent weekly review of approvals exceeding predefined thresholds.

The exception is formally documented.

Option 3: Automated Workflow

The ERP workflow is redesigned so approvals are routed to an alternative manager.

No additional staffing required.

Option 4: Formal Risk Acceptance

Management formally documents the temporary exception and defines an end date.

Monitoring remains active until resolution.

The point is not which solution is chosen.

The point is that a solution is actively pursued.

The Difference in Philosophy

Traditional GRC often answers the question:

“Did something go wrong?”

GCN answers a different question:

“How do we prevent this situation from becoming a larger problem?”

That distinction sounds subtle.

In practice it is enormous.

GRC frequently acts as a rear-view mirror.

GCN functions more like a navigation system.

A rear-view mirror is useful.

You absolutely need one.

But nobody would drive from Rotterdam to Milan using only a rear-view mirror.

You need forward visibility.

You need warnings.

You need route corrections.

You need guidance.

You need navigation.

Why Employees Often Dislike Traditional Compliance

Many organizations struggle with compliance fatigue.

Employees perceive compliance teams as:

  • Bureaucratic
  • Reactive
  • Documentation-focused
  • Detached from operational realities

Again, these perceptions are often unfair.

Most compliance professionals genuinely want to help.

However, organizational structures frequently reward identification of problems rather than resolution of problems.

As a result, compliance teams can become known as the people who create reports.

Not the people who remove obstacles.

GCN changes that perception.

Compliance becomes an operational partner.

The department still protects the organization.

The standards remain high.

The controls remain essential.

But the emphasis shifts from policing to enabling.

The Executive Perspective

Board members and Audit Committees should pay attention to this distinction.

Most organizations already possess:

  • Policies
  • Risk registers
  • Audit plans
  • Compliance frameworks
  • Control matrices

The real question is different.

Can the organization detect control degradation while it is happening?

Can it identify emerging weaknesses before an auditor samples them?

Can it intervene before a temporary workaround becomes permanent?

Can it guide departments toward practical solutions?

Those capabilities are increasingly what separates mature governance environments from merely compliant ones.

Conclusion

The Procurement Department at Delta Manufacturing did not have bad people.

It did not have fraud.

It did not have malicious intent.

It had something far more common.

Operational pressure.

Staff shortages.

Practical workarounds.

Human judgement.

Traditional GRC eventually discovered the problem.

GCN would have discovered it immediately.

More importantly, GCN would not merely have reported the issue.

It would have helped solve it.

That is the fundamental distinction.

GRC asks whether controls worked yesterday.

GCN asks whether controls are still working today and what should be done if they are not.

In a world of constant organizational change, that difference is becoming increasingly important.

Because governance is not simply about identifying deviations.

It is about helping organizations navigate them.

FAQ’s – GRC versus GCN

FAQ 1 – What is the fundamental difference between GRC and GCN?

Greggs UK retail strategy

 
Governance, Risk and Compliance (GRC) has traditionally focused on defining policies, identifying risks, testing controls and reporting deviations. It is largely built around the question whether controls operated effectively during a specific period. Internal audits, compliance reviews and management assessments are often performed periodically, meaning that issues may remain unnoticed for weeks or months.

Governance, Compliance and Navigation (GCN) introduces an additional dimension. Instead of focusing primarily on identifying deviations, it emphasizes the continuous detection of emerging weaknesses and the active navigation towards sustainable solutions. The objective is not merely to discover that a control failed but to prevent a temporary deviation from becoming a structural governance problem.

In practice this means that GCN relies heavily on continuous monitoring, automated alerts, rapid escalation procedures and structured remediation processes. When a segregation-of-duties conflict appears, GRC may identify it during the next audit cycle. GCN identifies it immediately, documents it, assigns ownership and supports management in resolving the underlying cause.

The difference can be summarized simply: GRC reports on what happened, while GCN helps organizations determine what should happen next. As organizations become more dynamic, this forward-looking capability becomes increasingly valuable for boards, audit committees and executive management teams.

 
FAQ 2 – Why do many control failures originate from operational pressures rather than fraud?

Greggs UK retail strategy

 
Most governance failures do not start with dishonest employees or intentional misconduct. They usually begin with practical business pressures such as vacancies, project deadlines, staff shortages, system limitations or unexpected growth. Managers often face difficult choices between maintaining operational continuity and adhering strictly to control frameworks.

Consider a procurement department that suddenly loses a key employee. Purchase orders still need approval, suppliers still need payment and production still requires materials. Under pressure, management may implement a temporary workaround that appears reasonable at the time. Over weeks or months the workaround becomes normal practice, even though it no longer complies with the original control design.

Psychologically this process is reinforced by trust. Employees who have worked for the organization for decades are often considered low-risk individuals. Managers therefore rationalize exceptions by relying on personal trust rather than formal controls.
This phenomenon is known as control degradation. The control framework remains documented and approved, but actual operations gradually drift away from the intended design.

A strong governance framework recognizes that human behaviour, operational realities and business pressures are natural components of organizational life. Effective governance therefore focuses not only on preventing misconduct but also on detecting and correcting deviations before they become systemic weaknesses.

FAQ 3 – Why do business departments often perceive compliance functions as bureaucratic?

Hannah Ritchie climate book

Many operational managers view compliance departments as groups that primarily identify problems without helping to solve them. While this perception is often unfair, it exists in many organizations and can undermine the effectiveness of governance programs.

Historically, compliance functions have been measured on their ability to identify non-compliance, maintain documentation and satisfy regulatory expectations. Their success is frequently demonstrated through reports, findings and policy adherence metrics. Operational managers, however, are evaluated based on business performance, customer service, production output and financial results.

This difference in incentives creates tension. Procurement managers, sales leaders and operations executives may feel that compliance professionals do not fully understand practical business constraints. Compliance professionals, on the other hand, may believe that business managers underestimate the importance of governance requirements.

GCN attempts to bridge this gap. Rather than positioning compliance as a control-enforcement function, it positions compliance as a navigation partner. The objective remains the same—protecting the organization—but the approach changes. Compliance becomes involved earlier, helping management explore alternatives, document decisions and implement practical solutions.

When compliance contributes to operational problem-solving, relationships improve significantly. Governance becomes something that enables responsible business performance rather than something perceived as a bureaucratic obstacle.

FAQ 4 – How does continuous monitoring support continuous improvement rather than simply detecting errors?

realistic climate optimism

Many people associate continuous monitoring with surveillance. They imagine dashboards that identify violations, generate alerts and create additional work for employees. In reality, the most mature organizations use continuous monitoring very differently.
The real objective is not to catch employees making mistakes. The objective is to help individuals, teams and departments continuously improve the quality of their decisions and processes.

Consider a procurement manager who receives an alert indicating that a segregation-of-duties conflict has emerged. In a traditional environment, the issue may remain invisible until an auditor discovers it months later. By that time the manager may struggle to explain why the situation developed and how long it existed.

With continuous monitoring, feedback is immediate. Small deviations become visible before they develop into larger governance issues. Employees can correct mistakes, improve procedures and strengthen controls while the business continues to operate normally.

The principle is similar to modern manufacturing quality systems. Organizations do not wait until the end of the production process to inspect quality. They monitor quality continuously so that small deviations can be corrected before defective products reach customers.

The same principle applies to governance. Continuous monitoring provides a continuous learning mechanism. Users receive timely feedback about control weaknesses, managers gain insight into operational challenges and the organization becomes more resilient over time.

The greatest value therefore lies not in identifying exceptions, but in creating a culture of continuous improvement. Governance becomes less about punishment and more about helping people make better decisions every day.

FAQ 5 – Does GCN reduce the importance of Internal Audit?

polder model’s problems

No. In fact, GCN may increase the strategic value of Internal Audit.

Under traditional models, auditors spend significant time identifying control deficiencies that may have existed for months or years. While this work remains important, it often results in audit reports that describe historical events. Management then develops remediation plans after the fact.

In a GCN environment, continuous monitoring identifies many operational issues as they emerge. This allows Internal Audit to focus more on root-cause analysis, governance maturity, culture, decision-making processes and systemic risk management.

Auditors become less focused on finding individual exceptions and more focused on assessing whether governance mechanisms effectively identify, escalate and resolve issues. This shift aligns Internal Audit more closely with strategic governance objectives.
Audit committees also benefit. Instead of receiving reports describing problems that have already occurred, they gain insight into how management responds to emerging risks and whether corrective actions are effective.

The role of Internal Audit therefore evolves rather than diminishes. Auditors remain independent assurance providers, but they increasingly assess the effectiveness of governance navigation mechanisms rather than merely testing historical compliance outcomes.

FAQ 6 – Why should boards and audit committees care about GCN?

can the polder model be renewed

Boards and audit committees operate in environments characterized by rapid change, regulatory complexity, cyber risks, staffing challenges and technological disruption. Traditional governance approaches were largely designed for more stable business environments where annual reviews and periodic audits were sufficient.

Today, risks emerge and evolve much faster. A vacancy, system change, acquisition, cybersecurity incident or supply-chain disruption can weaken controls almost immediately. Waiting for the next audit cycle may expose the organization to unnecessary operational, financial and reputational risks.

GCN provides directors and audit committee members with earlier visibility into governance deterioration. Instead of focusing exclusively on completed audit findings, they gain insight into emerging risks, ongoing remediation efforts and management responsiveness.

This approach supports better decision-making. Directors can evaluate whether management is identifying issues promptly, documenting decisions appropriately, assigning ownership effectively and implementing sustainable solutions.
Ultimately, strong governance is not measured by the absence of audit findings. It is measured by an organization’s ability to recognize challenges early, respond appropriately and maintain control while continuing to achieve strategic objectives.
That capability is precisely where GCN seeks to add value.

grc hIDDEN pITFALLS