GRC in Transition - From Compliance-Centric Models to Decision-Advantage Systems in the Age of AI and Systemic Risk

This paper argues that Governance, Risk and Compliance is evolving from static, compliance-focused reporting into AI-augmented, network-aware decision intelligence systems designed to deliver real-time “decision advantage” under conditions of systemic uncertainty and interconnected global risk.

Sanchez P.

6/9/2026 · 19 min read

Abstract

Governance, Risk and Compliance (GRC) is undergoing structural reconfiguration driven by systemic volatility, regulatory expansion, artificial intelligence (AI), and the increasing interdependence of global economic and operational systems. This paper develops an integrative conceptual framework that synthesises established academic literature with contemporary practitioner thought leadership, including the work of Michael Rasmussen, to examine the transition from compliance-centric GRC architectures to intelligence-led decision systems.

Building on enterprise risk management theory, resilience scholarship, systems science, and AI governance research, the paper argues that traditional GRC models—centred on static artefacts such as risk registers, heat maps, and periodic assessments—are structurally misaligned with the requirements of complex adaptive environments. In response, it identifies a paradigmatic shift toward four interlocking capabilities: (i) decision advantage as the primary objective of risk governance; (ii) continuous, AI-augmented risk sensing and monitoring; (iii) network-based and causally informed systemic risk modelling; and (iv) extended enterprise governance driven by regulatory and supply chain transparency requirements.

The paper further develops a critical perspective on the integration of AI into GRC systems, highlighting risks related to hallucinated outputs, model opacity, and governance accountability gaps. It argues that while AI and network analytics significantly expand analytical capacity, they simultaneously introduce new epistemic and organisational risks that must be explicitly governed rather than implicitly assumed to be beneficial.

The paper concludes that the future of GRC lies not in incremental optimisation of existing compliance frameworks, but in the design of adaptive governance architectures capable of integrating intelligence, interpretability, and accountability. In doing so, it positions GRC as a core decision infrastructure for organisations operating under conditions of deep uncertainty and systemic interdependence.

1. Introduction

Governance, Risk and Compliance (GRC) has evolved over the past two decades into a widely institutionalised organisational discipline, underpinned by formal standards such as ISO 31000 and implemented through enterprise risk management (ERM), internal control systems, and compliance monitoring functions (ISO, 2018). In most implementations, GRC remains anchored in a compliance assurance paradigm characterised by periodic risk assessments, structured documentation, and artefacts such as risk registers, control frameworks, and heat maps. While these mechanisms have delivered consistency, auditability, and regulatory alignment, they increasingly reflect a stabilised institutional logic that assumes risks can be identified, categorised, and managed within relatively bounded and decomposable systems.

However, a substantial body of academic literature now challenges the adequacy of this paradigm. Enterprise risk research highlights persistent structural limitations in conventional ERM approaches, particularly their tendency to fragment risk into organisational silos and to prioritise formal compliance over decision relevance (Bromiley et al., 2015). Similarly, Power (2021) argues that risk management systems often evolve into “ritualised” governance mechanisms that privilege auditability and procedural correctness over substantive improvements in organisational decision-making. Within this framing, GRC becomes less a decision-support function and more an assurance-oriented reporting system designed to satisfy external accountability requirements.

At the same time, broader developments in risk theory and complexity science have fundamentally reshaped how uncertainty is understood. Contemporary scholarship increasingly conceptualises risk as a dynamic and emergent property of complex adaptive systems rather than a static attribute of discrete entities (Helbing, 2013). In such environments, uncertainty is not an exception to be eliminated but a persistent condition shaped by feedback loops, non-linear interactions, and cross-domain dependencies. This challenges the foundational assumption embedded in many GRC systems that risk can be periodically assessed and stabilised through discrete interventions.

In parallel, advances in decision theory have further shifted the conceptualisation of risk management away from descriptive reporting toward decision-centric frameworks. Aven (2020) argues that modern risk governance must move beyond static probability-impact representations and instead focus on decision-relevant knowledge, explicitly incorporating uncertainty, context, and assumption fragility into risk evaluation processes. This reflects a broader intellectual movement in which risk management is increasingly embedded within decision architectures rather than treated as an auxiliary reporting function.

Within practitioner discourse, similar concerns have been articulated by Michael Rasmussen, who argues that traditional GRC systems are no longer sufficient in environments characterised by systemic volatility, regulatory complexity, and technological acceleration. He proposes that GRC must evolve toward delivering “decision advantage”, shifting its core purpose from retrospective compliance reporting to forward-looking decision enablement that improves the quality and speed of executive judgement under uncertainty (Rasmussen, 2023).

This emerging convergence between academic critique and practitioner insight reveals a fundamental tension at the heart of contemporary GRC practice. On one hand, organisations continue to rely on established compliance infrastructures that prioritise stability, documentation, and auditability. On the other hand, the operational environment increasingly demands adaptive, real-time, and system-aware decision capabilities capable of responding to rapidly evolving risk landscapes.

Accordingly, this paper addresses the following research problem: how must GRC systems be reconfigured to remain effective in environments characterised by systemic interdependence, technological acceleration, and deep uncertainty? To answer this question, the paper synthesises insights from enterprise risk management, resilience theory, systems science, AI governance, and supply chain risk literature to develop a conceptual framework for next-generation GRC.

The paper makes three primary contributions. First, it reconceptualises GRC as an intelligence-driven decision infrastructure rather than a compliance reporting mechanism. Second, it integrates perspectives from systemic risk theory and AI governance to articulate the implications of networked and algorithmically mediated risk environments. Third, it incorporates practitioner-driven insights, particularly from Michael Rasmussen, to bridge the gap between theoretical development and applied GRC design.

The remainder of the paper is structured as follows: Section 2 examines the limitations of traditional risk artefacts and introduces the concept of decision advantage. Section 3 analyses the role of AI in reshaping GRC systems, including both its enabling and destabilising effects. Section 4 explores dynamic and network-based risk modelling approaches. Section 5 considers the implications of extended enterprise and supply chain governance. Section 6 synthesises these developments and discusses emerging tensions, particularly around interpretability and accountability in AI-augmented systems. Section 7 concludes by outlining the implications for future GRC design and research.

2. From Compliance Reporting to Decision Advantage

2.1 Limitations of Traditional Risk Artefacts

Despite their widespread institutionalisation, traditional GRC artefacts—particularly risk registers, heat maps, and control libraries—exhibit structural limitations that increasingly constrain their effectiveness in complex operational environments. While these artefacts provide standardisation and facilitate auditability, they are fundamentally grounded in a reductionist representation of risk that assumes discrete, independently assessable risk events. This assumption is increasingly misaligned with empirical reality, where risks are interdependent, dynamically evolving, and often emergent rather than pre-defined (Hillson, 2017; Helbing, 2013).

From an academic perspective, enterprise risk management (ERM) literature has long identified the fragmentation problem inherent in conventional risk structures. Bromiley et al. (2015) argue that ERM systems frequently decompose risk into organisational silos, thereby obscuring systemic interactions and cross-functional dependencies. In such configurations, risks are treated as isolated units of analysis rather than as components of broader causal networks, limiting the organisation’s ability to anticipate cascading effects or second-order impacts.

Power (2021) further extends this critique by demonstrating how risk management systems can become institutionalised as “assurance technologies” that prioritise procedural compliance over substantive risk insight. In this framing, risk artefacts serve primarily as evidence of governance activity rather than as mechanisms for improving decision quality. The result is a structural drift toward ritualised reporting practices that reinforce accountability structures without necessarily enhancing organisational foresight.

Within practitioner discourse, Michael Rasmussen similarly critiques the epistemic limitations of these artefacts, arguing that they provide a backward-looking snapshot of risk conditions that lacks predictive power and contextual depth. In rapidly changing environments characterised by geopolitical instability, supply chain fragility, and technological disruption, such static representations are increasingly insufficient for supporting real-time executive decision-making (Rasmussen, 2023).

2.2 Decision Advantage in Risk Governance

In response to these limitations, contemporary risk scholarship increasingly advocates a shift toward decision-centric governance models. The concept of “decision advantage” reflects this evolution, repositioning GRC as a capability designed to enhance the quality, speed, and robustness of organisational decisions under uncertainty rather than merely documenting risk exposure.

This framing aligns closely with developments in decision theory and risk-informed governance, where the primary objective of risk management is not exhaustive enumeration of risk factors but the improvement of decision outcomes under conditions of incomplete information (Marchau et al., 2019). Aven (2020) further reinforces this shift by arguing that modern risk analysis must explicitly incorporate uncertainty, context dependence, and the quality of underlying assumptions, rather than relying solely on probabilistic or deterministic representations.

Within this paradigm, decision advantage can be understood as the capacity of GRC systems to materially improve three interrelated dimensions of organisational decision-making. First, it enhances strategic optionality, enabling organisations to identify where controlled risk-taking may generate asymmetric value. Second, it improves assumption transparency, surfacing the fragility of underlying models, forecasts, and planning assumptions. Third, it supports adaptive risk calibration, allowing organisations to dynamically adjust risk appetite and control intensity in response to changing conditions.

Michael Rasmussen positions this shift as a fundamental reorientation of GRC purpose, moving away from retrospective compliance validation toward forward-looking decision enablement embedded within operational and strategic workflows (Rasmussen, 2023). In this sense, GRC is no longer positioned as an external control function but as an internal decision infrastructure.

2.3 Normalisation of Failure

A further foundational shift underpinning modern GRC transformation is the reconceptualisation of failure as a normal and persistent feature of complex systems rather than an exceptional anomaly. Resilience theory and complexity science both emphasise that in highly interconnected environments, disruptions are not deviations from equilibrium but intrinsic properties of system behaviour (Helbing, 2013; Weick and Sutcliffe, 2015).

Taleb (2012) extends this argument by demonstrating that systems characterised by non-linear dynamics and asymmetric risk distributions are inherently prone to unpredictable shocks. In such environments, attempts to eliminate failure entirely are not only unrealistic but may also reduce systemic adaptability by suppressing variability that is necessary for learning and resilience.

Within this intellectual context, Michael Rasmussen’s framing of “instability as the new normal” reflects a convergence between practitioner insight and academic resilience theory (Rasmussen, 2023). Rather than designing GRC systems around the assumption of stability, organisations must instead assume persistent volatility and design governance mechanisms capable of continuous sensing, rapid adaptation, and iterative learning.

This reconceptualisation has significant implications for GRC architecture. It necessitates a shift from periodic assessment cycles toward continuous monitoring systems, from static control frameworks toward adaptive governance models, and from compliance-centric reporting toward real-time decision intelligence. In this way, the normalisation of failure becomes a foundational design principle for next-generation GRC systems rather than a peripheral consideration.

3. Agentic AI and the Reconfiguration of GRC Systems

3.1 AI as Transformation or Interface Layer

The integration of artificial intelligence (AI) into Governance, Risk and Compliance (GRC) systems is frequently presented as a step-change in organisational capability, enabling automation, predictive insight, and enhanced decision support. However, a more critical reading emerging from information systems research suggests that many AI implementations in enterprise environments risk reproducing existing workflows under a more sophisticated interface layer, rather than fundamentally transforming underlying decision architectures (Davenport et al., 2020).

This distinction is analytically important. If AI systems are primarily deployed as enhanced interfaces to legacy compliance processes, their impact is largely cosmetic: they accelerate reporting, improve usability, and standardise outputs, but do not materially alter the epistemic structure of risk decision-making. In such cases, the organisation retains a fundamentally deterministic, rule-based logic, merely augmented by more efficient computational tooling.

By contrast, a genuinely transformative deployment of AI in GRC would require a shift toward probabilistic reasoning, contextual inference, and adaptive learning systems capable of modifying their own analytical outputs based on evolving data environments. The difference between these two states—interface enhancement versus cognitive augmentation—represents a central fault line in contemporary AI governance discourse.

Within practitioner debates, Michael Rasmussen raises a parallel concern regarding the emergence of so-called “agentic AI” in GRC platforms. He questions whether such systems represent substantive advances in decision intelligence or whether they constitute a rebranding of traditional workflow automation systems under the language of autonomy and intelligence (Rasmussen, 2023). This critique aligns with broader concerns in digital transformation literature regarding “automation theatre,” where technological sophistication masks limited structural change in decision processes.

The core issue, therefore, is not the presence of AI itself, but its epistemic function within GRC architectures: whether it enhances reasoning under uncertainty or merely optimises the execution of predefined compliance logic.

3.2 Risk of Hallucinated Intelligence

A critical constraint on the use of generative AI within GRC systems is the phenomenon of hallucinated outputs—instances in which models generate plausible but incorrect, unverified, or contextually inappropriate information. Recent research in natural language generation demonstrates that such behaviour is not incidental but a structural feature of large-scale probabilistic models, particularly when operating without strict grounding in validated datasets or controlled knowledge representations (Ji et al., 2023).

In GRC environments, the implications of such errors are significantly amplified due to the high-stakes nature of governance decisions. Unlike consumer applications, where inaccuracies may be inconvenient, errors in GRC contexts can directly influence regulatory reporting, internal control assessments, audit conclusions, and strategic risk prioritisation. As a result, hallucinated outputs represent not merely technical defects but governance risks with potential organisational and legal consequences.

This concern has been formalised in emerging AI governance frameworks. The NIST AI Risk Management Framework emphasises core principles including transparency, reliability, validity, and accountability as essential requirements for the safe deployment of AI systems in high-impact domains (NIST, 2023). These principles are particularly relevant for GRC applications, where decision traceability and evidentiary integrity are foundational requirements.

From a governance perspective, this introduces a fundamental design constraint: AI systems in GRC must be treated as advisory and probabilistic rather than authoritative or deterministic. They require continuous validation, human oversight, and explicit accountability structures to ensure that generated outputs can be interrogated, explained, and justified.

Michael Rasmussen’s critique of AI in GRC aligns with this position, emphasising that the value of such systems must be measured not by their perceived intelligence, but by their contribution to decision quality, contextual understanding, and risk-informed judgement under uncertainty (Rasmussen, 2023).

In this sense, the central challenge is not the adoption of AI in GRC, but the governance of AI itself: ensuring that automation enhances rather than obscures decision-making, and that algorithmic outputs remain anchored in accountable, transparent, and verifiable governance structures.
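The design constraint stated above (AI output as advisory, continuously validated, and traceable to authoritative records) can be made concrete as a grounding gate that sits between a model and the GRC system of record. The following Python is an added illustration written for this page; it is not code from the paper or from any GRC product. The control catalogue, evidence store, validity window, rating scale and model findings are all constructed placeholders. The gate accepts a finding only when every cited control exists, every cited evidence record exists, supports that control and is still within its validity window, and the rating is on the approved scale; everything else is routed to a human reviewer with the reasons recorded.

```python
"""Grounding gate for AI-generated GRC findings (constructed example).

A finding produced by a model is accepted only if it can be traced to the
authoritative control catalogue and to evidence that exists, supports the
cited control, and is not stale. Untraceable findings are flagged for
human review with the reasons recorded; nothing is silently accepted.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed authoritative control catalogue (the source of truth).
CONTROL_CATALOGUE = {
    "AC-01": "Access provisioning requires approval by the system owner",
    "AC-02": "Privileged accounts are reviewed quarterly",
    "BC-01": "Critical suppliers hold a tested continuity plan",
}

# Constructed evidence store: each record names the control it supports and
# the date it was collected. Evidence older than MAX_EVIDENCE_AGE_DAYS is
# treated as stale and cannot ground a conclusion.
EVIDENCE_STORE = {
    "EV-100": {"control": "AC-02", "collected": date(2026, 5, 2)},
    "EV-101": {"control": "BC-01", "collected": date(2024, 1, 15)},
}
MAX_EVIDENCE_AGE_DAYS = 365          # assumed policy value
ALLOWED_RATINGS = {"low", "medium", "high"}


@dataclass
class Finding:
    control_id: str
    rating: str
    evidence_ids: list
    conclusion: str


@dataclass
class GateResult:
    accepted: list = field(default_factory=list)
    flagged: list = field(default_factory=list)   # (finding, [reasons])


def validate_finding(f, catalogue, evidence, today):
    """Return the grounding failures for one finding (empty list = grounded)."""
    reasons = []
    if f.control_id not in catalogue:
        reasons.append(f"unknown control {f.control_id}")
    if f.rating not in ALLOWED_RATINGS:
        reasons.append(f"rating '{f.rating}' is outside the approved scale")
    if not f.evidence_ids:
        reasons.append("no evidence cited")
    for ev_id in f.evidence_ids:
        rec = evidence.get(ev_id)
        if rec is None:
            reasons.append(f"evidence {ev_id} does not exist")
            continue
        if rec["control"] != f.control_id:
            reasons.append(f"evidence {ev_id} supports {rec['control']}, not {f.control_id}")
        if (today - rec["collected"]).days > MAX_EVIDENCE_AGE_DAYS:
            reasons.append(f"evidence {ev_id} is stale")
    return reasons


def run_gate(findings, catalogue=CONTROL_CATALOGUE, evidence=EVIDENCE_STORE,
             today=date(2026, 6, 9)):
    """Split model findings into accepted and flagged-for-review, with reasons."""
    result = GateResult()
    for f in findings:
        reasons = validate_finding(f, catalogue, evidence, today)
        if reasons:
            result.flagged.append((f, reasons))
        else:
            result.accepted.append(f)
    return result


# Constructed model output: one grounded finding, one citing a control that is
# not in the catalogue, and one whose only evidence is stale.
MODEL_OUTPUT = [
    Finding("AC-02", "medium", ["EV-100"],
            "Quarterly privileged access review completed with two exceptions"),
    Finding("AC-09", "high", ["EV-100"],
            "Segregation of duties control is not operating"),
    Finding("BC-01", "low", ["EV-101"],
            "Supplier continuity plan tested"),
]

if __name__ == "__main__":
    res = run_gate(MODEL_OUTPUT)
    for f in res.accepted:
        print(f"ACCEPTED  {f.control_id}: {f.conclusion}")
    for f, reasons in res.flagged:
        print(f"REVIEW    {f.control_id}: {'; '.join(reasons)}")
```

The point of the gate is that the model's apparent confidence plays no part in acceptance: a finding is admitted to the system of record only on the strength of records the organisation already controls, and the reasons for every rejection form the audit trail that the accountability principles cited above require.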

4. Dynamic Risk Models and Interconnected Systems

4.1 From Static Registers to Network Risk

A central limitation of traditional GRC architectures is their reliance on static representations of risk, typically structured through risk registers and heat maps that assume risks can be independently identified, categorised, and managed. While operationally convenient, this representation increasingly diverges from the empirical reality of contemporary risk environments, where risk emerges from interdependencies, feedback loops, and cascading system dynamics.

Contemporary risk and complexity literature increasingly conceptualises risk as a property of systems rather than of isolated events or entities. Helbing (2013) argues that modern socio-technical and economic systems are characterised by “globally networked risks”, where local disruptions propagate across interconnected domains through non-linear and often unpredictable pathways. In such systems, the behaviour of the whole cannot be inferred from the properties of individual components, as interactions themselves generate emergent outcomes.

This has profound implications for Governance, Risk and Compliance (GRC). Supply chain disruption, geopolitical instability, regulatory change, and cyber risk are no longer separable categories but interdependent expressions of a shared systemic environment. A disruption in one domain may rapidly cascade into operational, financial, compliance, and reputational consequences, reflecting tightly coupled dependencies across organisational and ecosystem boundaries.

Within this context, Michael Rasmussen’s emphasis on interconnected risk ecosystems reflects a necessary conceptual shift away from siloed risk taxonomies toward integrated, system-aware models of enterprise exposure (Rasmussen, 2023). Rather than treating risks as discrete objects, this perspective positions them as nodes within a dynamic network of dependencies that must be continuously mapped and updated.

The implication is that traditional GRC artefacts are not merely incomplete but structurally misaligned with the nature of systemic risk. They fail to capture directionality, propagation mechanisms, and feedback structures, all of which are essential for understanding how risk materialises in complex environments.

4.2 Causal and Bayesian Approaches

In response to the limitations of static and correlation-based risk representations, there has been growing academic and applied interest in probabilistic, causal, and network-based modelling techniques capable of capturing dynamic interdependencies more effectively. These approaches enable a shift from descriptive risk catalogues toward explanatory and predictive systems of risk reasoning.

Bayesian networks provide one such mechanism, enabling the formal representation of probabilistic dependencies between variables and supporting dynamic updating of risk assessments as new evidence becomes available. Fenton and Neil (2019) demonstrate that Bayesian approaches are particularly effective in environments characterised by uncertainty, incomplete information, and evolving risk conditions, as they allow for continuous refinement of belief structures rather than fixed-point estimation.

Causal inference frameworks further extend this capability by enabling analysts to distinguish between correlation and causation. Pearl (2009) emphasises that understanding causal structure is essential for meaningful intervention, as it determines not only whether variables are related, but how changes in one variable propagate through a system. In GRC contexts, this is critical for designing effective control mechanisms, as interventions based on correlation alone may fail to address underlying drivers of risk.

Network science complements these approaches by providing tools for analysing the structural properties of interconnected systems, including centrality, clustering, and cascade potential. Barabási (2016) demonstrates that many complex systems exhibit scale-free properties, where a small number of highly connected nodes disproportionately influence system behaviour. In risk terms, this implies that certain entities or dependencies may act as critical failure points whose disruption can trigger widespread systemic effects.

Within this evolving methodological landscape, Michael Rasmussen’s advocacy for graph-based and probabilistic risk modelling aligns closely with academic advances in systems science and computational risk analysis (Rasmussen, 2023). The convergence of these perspectives suggests a shift toward GRC architectures that are capable of representing not only risk data, but also the structural relationships and causal mechanisms that generate risk.

Taken together, these developments mark a transition from static, correlation-driven risk reporting toward dynamic, causally informed, and network-aware decision systems. In such systems, the primary value of GRC lies not in cataloguing risk, but in modelling its behaviour across interconnected environments in real time.
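To show what the Bayesian, causal and network-science ideas in this section look like when combined on one model, the following Python is an added example written for this page; it is not code from the paper, from Rasmussen's work, or from any of the cited authors. The five risk nodes, their dependency edges and the conditional probabilities are constructed for illustration. The block performs exact inference over the small graph, so it shows evidence-driven updating in both directions (from a supplier outage forward to revenue loss, and from an observed revenue loss back to the likelihood of a cyber incident), the difference between observing a node and intervening on it via Pearl's do-operator, and a simple reach-based ranking of which node is the most critical failure point.

```python
"""Small causal/Bayesian risk network: exact inference, evidence updating,
a do-operator for interventions, and cascade reach. Pure Python; the graph,
probabilities and node names are constructed for illustration only."""
from itertools import product

# Constructed dependency graph. PARENTS maps each risk node to the nodes it
# depends on; CPT gives P(node = True | parents), keyed by the tuple of parent
# truth values in PARENTS order (empty tuple for root nodes).
PARENTS = {
    "supplier_outage": (),
    "cyber_incident": (),
    "production_delay": ("supplier_outage", "cyber_incident"),
    "regulatory_breach": ("cyber_incident",),
    "revenue_loss": ("production_delay", "regulatory_breach"),
}
CPT = {
    "supplier_outage": {(): 0.10},
    "cyber_incident": {(): 0.05},
    "production_delay": {(False, False): 0.02, (True, False): 0.60,
                         (False, True): 0.40, (True, True): 0.85},
    "regulatory_breach": {(False,): 0.01, (True,): 0.50},
    "revenue_loss": {(False, False): 0.03, (True, False): 0.50,
                     (False, True): 0.30, (True, True): 0.80},
}


def joint(assignment, parents, cpt):
    """Probability of one full truth assignment under the factored model."""
    p = 1.0
    for node, pars in parents.items():
        p_true = cpt[node][tuple(assignment[q] for q in pars)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def posterior(query, evidence=None, parents=PARENTS, cpt=CPT):
    """P(query = True | evidence) by exact enumeration (fine for small graphs)."""
    evidence = evidence or {}
    nodes = list(parents)
    num = den = 0.0
    for values in product((False, True), repeat=len(nodes)):
        a = dict(zip(nodes, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint(a, parents, cpt)
        den += p
        if a[query]:
            num += p
    return num / den


def intervene(query, node, value):
    """P(query = True | do(node = value)): cut the node's incoming edges and fix
    its value, so its upstream causes are not re-estimated (Pearl's do-operator)."""
    parents = dict(PARENTS, **{node: ()})
    cpt = dict(CPT, **{node: {(): 1.0 if value else 0.0}})
    return posterior(query, None, parents, cpt)


def downstream(node, parents=PARENTS):
    """All nodes a disruption at `node` can reach along dependency edges."""
    children = {n: [c for c, ps in parents.items() if n in ps] for n in parents}
    seen, stack = set(), [node]
    while stack:
        for c in children[stack.pop()]:
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def cascade_ranking(parents=PARENTS):
    """Rank nodes by reach; the top entries are the critical failure points."""
    return sorted(parents, key=lambda n: -len(downstream(n, parents)))


if __name__ == "__main__":
    print(f"P(revenue_loss)                      = {posterior('revenue_loss'):.3f}")
    print(f"P(revenue_loss | supplier_outage)    = "
          f"{posterior('revenue_loss', {'supplier_outage': True}):.3f}")
    print(f"P(cyber_incident | revenue_loss)     = "
          f"{posterior('cyber_incident', {'revenue_loss': True}):.3f}")
    print(f"P(revenue_loss | delay observed off) = "
          f"{posterior('revenue_loss', {'production_delay': False}):.4f}")
    print(f"P(revenue_loss | do(delay off))      = "
          f"{intervene('revenue_loss', 'production_delay', False):.4f}")
    print("cascade ranking:", cascade_ranking())
```

Two behaviours are worth noting. Observing that production is on schedule lowers the estimate of revenue loss slightly more than forcing it on schedule through a control does, because the observation also makes a cyber incident (and hence a regulatory breach) less likely, whereas the intervention leaves the upstream cause untouched; this is exactly the correlation-versus-intervention distinction the section attributes to Pearl. And the reach ranking places the cyber-incident node first even though it is the least likely root event, which is the network-science point that structural position, not frequency, identifies the critical failure point.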

5. Supply Chain Risk and the Extended Enterprise

5.1 From Vendor Assessment to Continuous Monitoring

Traditional Third-Party Risk Management (TPRM) has historically been built around periodic, compliance-driven assessment cycles. These typically include annual questionnaires, scheduled audits, and static attestations intended to provide assurance over supplier control environments. While such mechanisms offer a degree of governance consistency, they are increasingly misaligned with the operational reality of globally distributed and digitally interconnected supply chains.

The core limitation of these approaches lies in their temporal structure. Point-in-time assessments assume relative stability in third-party risk profiles, yet contemporary supply chains are characterised by continuous change, rapid disruption propagation, and deep interdependence across multiple tiers of suppliers. As a result, risk conditions may evolve significantly between assessment cycles, leaving organisations exposed to material blind spots in their third-party ecosystems.

Regulatory developments are accelerating the obsolescence of static TPRM models. Instruments such as the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz) and broader EU corporate sustainability and due diligence directives are effectively redefining governance expectations by requiring organisations to demonstrate ongoing visibility and accountability across their supply networks. This represents a structural shift from periodic compliance verification toward continuous due diligence obligations embedded within operational processes.

Academic research supports this transition. Ivanov and Dolgui (2021) argue that modern supply chains must be understood as dynamic systems requiring “always-on” visibility to detect disruptions early and enable rapid reconfiguration. In their analysis, resilience is not achieved through static preparedness alone, but through continuous sensing and adaptive response capabilities integrated across the supply chain network.

Within this evolving context, Michael Rasmussen’s concept of continuous third-party risk visibility reflects a broader reconceptualisation of supplier governance. Rather than treating vendors as periodically evaluated external entities, they are increasingly understood as continuously evolving nodes within a dynamic risk ecosystem that must be monitored in real time (Rasmussen, 2023).

5.2 The Extended Enterprise

The concept of the “extended enterprise” reflects a fundamental redefinition of organisational boundaries in which risk, accountability, and operational dependency extend beyond formal legal and contractual structures. In this model, organisations are embedded within broader ecosystems of suppliers, subcontractors, service providers, logistics networks, and geopolitical environments that collectively shape operational risk exposure.

This reconceptualisation challenges traditional GRC assumptions that risk can be managed primarily within organisational boundaries. Instead, it positions risk as inherently distributed across networks of interdependent actors, where disruptions in one part of the ecosystem can propagate rapidly across multiple organisational layers. As such, governance must extend beyond internal controls to include visibility and coordination across external entities and systemic dependencies.

Michael Rasmussen’s articulation of the extended enterprise emphasises this distributed nature of risk exposure, arguing that effective GRC must incorporate external ecosystem dependencies as first-class components of enterprise risk architecture (Rasmussen, 2023). This perspective reframes third-party governance not as an ancillary compliance function but as a central pillar of enterprise risk strategy.

This view is strongly aligned with resilience research in supply chain management. Christopher and Peck (2004) argue that resilience emerges not solely from internal organisational capabilities but from the structure, diversity, and adaptability of the broader supply network. In this sense, supply chain resilience is a systemic property rather than an individual firm attribute.

The implications of this extended enterprise perspective are significant. It requires organisations to develop governance mechanisms capable of mapping multi-tier dependencies, identifying systemic bottlenecks, and understanding how geopolitical, environmental, and regulatory risks propagate through complex supply ecosystems. It also necessitates a shift in accountability models, where responsibility for risk management becomes distributed across interconnected actors rather than confined within organisational silos.

In combination, regulatory pressure, academic research, and practitioner insight converge on a clear trajectory: supply chain governance is evolving from periodic vendor assurance toward continuous, ecosystem-wide risk intelligence. Within this paradigm, the extended enterprise is not merely a conceptual extension of the firm, but a foundational reorientation of how organisational risk is defined, monitored, and governed.


6. Discussion

The preceding analysis demonstrates a clear convergence between academic research in risk, resilience, systems science, and AI governance, and contemporary practitioner-led developments in Governance, Risk and Compliance (GRC). Across these domains, there is growing recognition that traditional compliance-centric GRC architectures are increasingly misaligned with the characteristics of modern risk environments, which are defined by volatility, interdependence, and non-linear systemic behaviour (Bromiley et al., 2015; Helbing, 2013; Power, 2021).

A central outcome of this convergence is the emergence of a reconfigured GRC paradigm organised around four interrelated shifts. First, GRC is being repositioned from a compliance reporting function toward an intelligence-driven decision support capability, in which the primary objective is to improve the quality, speed, and robustness of organisational decision-making under uncertainty (Aven, 2020). Second, organisations are increasingly adopting continuous, AI-augmented risk sensing mechanisms that move beyond periodic assessments toward real-time detection, interpretation, and response to emerging risk signals (Ivanov and Dolgui, 2021). Third, there is a methodological shift toward network-based and causally informed systemic risk modelling, reflecting the limitations of linear and siloed representations of risk in complex adaptive systems (Fenton and Neil, 2019; Barabási, 2016). Fourth, regulatory and geopolitical developments are expanding the scope of governance beyond organisational boundaries through enhanced supply chain transparency and the formalisation of extended enterprise accountability structures.

Within this evolving landscape, the work of Michael Rasmussen is particularly significant in bridging academic and practitioner perspectives. His articulation of “decision advantage” reframes GRC as an embedded decision infrastructure rather than an external assurance function, aligning closely with academic arguments that emphasise risk as a decision-centric, context-dependent construct rather than a static object of measurement (Rasmussen, 2023).

Despite this apparent convergence, the transformation of GRC is not without substantial tensions. The increasing reliance on AI-enabled systems introduces a fundamental tension between automation and interpretability. While AI systems enhance analytical scalability and pattern recognition capabilities, they also introduce risks associated with opacity, model uncertainty, and hallucinated outputs, particularly in generative systems operating without strict grounding constraints (Ji et al., 2023). These issues are compounded by the fact that GRC operates in high-stakes regulatory and assurance contexts, where explainability, traceability, and accountability are not optional design features but core governance requirements (NIST, 2023).

A second tension arises from the increasing complexity of risk modelling itself. As organisations move toward probabilistic, causal, and network-based representations of risk, the cognitive accessibility of risk information may diminish. In other words, while analytical fidelity increases, interpretability for decision-makers may decrease. This creates a potential governance paradox in which systems become more accurate but less usable without intermediary translation layers or human-in-the-loop interpretation structures.

Finally, there remains a structural tension between decentralised, ecosystem-based risk governance and traditional accountability frameworks that remain largely organisation-centric. The extended enterprise model distributes risk across networks of suppliers, subcontractors, and external actors, yet regulatory and legal accountability remains concentrated within focal organisations. This misalignment creates governance challenges in assigning responsibility, enforcing standards, and ensuring consistent oversight across complex supply ecosystems.

Taken together, these tensions suggest that the future evolution of GRC will depend not only on technological advancement, but on the design of governance architectures capable of balancing three competing imperatives: analytical sophistication, interpretability, and accountability. The central challenge is therefore not simply to improve risk intelligence, but to ensure that such intelligence remains transparent, governable, and actionable within organisational decision processes.

Within this context, the convergence between academic theory and practitioner insight—particularly as reflected in the work of Michael Rasmussen—indicates that GRC is transitioning toward a new operational logic. This logic is characterised not by the elimination of uncertainty, but by the institutionalisation of organisational capability to operate effectively within it through continuous sensing, system-aware modelling, and decision-embedded risk intelligence.
7. Conclusion

This paper has argued that Governance, Risk and Compliance (GRC) is undergoing a structural transition from compliance-centric assurance systems toward intelligence-driven decision infrastructures. Across academic literature in enterprise risk management, resilience theory, systems science, and AI governance, there is increasing consensus that traditional GRC architectures—built around static artefacts such as risk registers, heat maps, and periodic assessments—are no longer sufficient for governing risk in complex, interconnected, and rapidly evolving environments (Bromiley et al., 2015; Power, 2021; Helbing, 2013).

The analysis demonstrates that this transformation is not incremental but paradigmatic. First, GRC is being redefined around the concept of decision advantage, in which the primary purpose of risk governance is to enhance the quality, speed, and robustness of organisational decision-making under uncertainty rather than to document risk exposure retrospectively (Aven, 2020). Second, the integration of continuous, AI-augmented risk sensing systems is reshaping the temporal structure of governance, shifting it from periodic assessment cycles toward real-time monitoring and adaptive response capabilities (Ivanov and Dolgui, 2021). Third, the emergence of network-based and causally informed modelling approaches enables organisations to represent risk as a systemic and relational phenomenon rather than a set of discrete, independently manageable entities (Fenton and Neil, 2019; Barabási, 2016). Fourth, regulatory developments and supply chain complexity are extending governance obligations beyond organisational boundaries, embedding the concept of the extended enterprise as a core dimension of modern risk management.

A central contribution of this paper is the integration of these academic developments with practitioner-led conceptualisation, particularly the work of Michael Rasmussen, whose notion of GRC as a decision-enablement discipline provides a pragmatic articulation of this broader theoretical shift. His framing of “decision advantage” aligns with the view that GRC systems must evolve from retrospective compliance mechanisms into embedded intelligence layers that actively shape organisational decision-making under uncertainty (Rasmussen, 2023).

However, the paper also highlights that this transformation introduces new and unresolved governance challenges. The increasing reliance on AI-enabled systems raises concerns regarding hallucinated outputs, model opacity, and accountability gaps, particularly in high-stakes regulatory environments where explainability and traceability are essential (Ji et al., 2023; NIST, 2023). Similarly, the shift toward probabilistic and network-based risk models, while improving analytical fidelity, introduces interpretability challenges that may limit their usability for decision-makers without appropriate translation and governance layers.

In addition, the extension of risk governance across the extended enterprise creates structural tensions between distributed risk exposure and centralised accountability frameworks. While risk is increasingly systemic and ecosystemic in nature, legal and regulatory responsibility remains largely concentrated within individual organisations, creating persistent governance asymmetries that are not yet fully resolved.

Overall, the findings suggest that the future of GRC will be defined not by the optimisation of existing compliance systems, but by the design of adaptive governance architectures capable of integrating intelligence, interpretability, and accountability. In this emerging paradigm, GRC is repositioned as a core organisational capability for navigating deep uncertainty, enabling continuous sensing, system-aware modelling, and decision-embedded risk intelligence.

Rather than seeking to eliminate uncertainty, next-generation GRC systems must be designed to operate effectively within it. The work synthesised in this paper indicates that achieving this goal will require not only technological advancement but also fundamental redesign of governance principles, decision structures, and organisational accountability models, ensuring that enhanced analytical capability translates into meaningful improvements in real-world decision-making under complex and evolving risk conditions.

8. References

Aven, T. (2020) ‘Risk assessment and risk management: Review of recent advances on their foundation’, European Journal of Operational Research, 253(1), pp. 1–13.

Barabási, A.-L. (2016) Network Science. Cambridge: Cambridge University Press.

Bromiley, P., McShane, M., Nair, A. and Rustambekov, E. (2015) ‘Enterprise risk management: Review, critique, and research directions’, Long Range Planning, 48(4), pp. 265–276.

Christopher, M. and Peck, H. (2004) ‘Building the resilient supply chain’, International Journal of Logistics Management, 15(2), pp. 1–14.

Davenport, T., Guha, A., Grewal, D. and Bressgott, T. (2020) ‘How artificial intelligence will change the future of marketing’, Journal of the Academy of Marketing Science, 48, pp. 24–42.

Fenton, N. and Neil, M. (2019) Risk Assessment and Decision Analysis with Bayesian Networks. Boca Raton: CRC Press.

Helbing, D. (2013) ‘Globally networked risks and how to respond’, Nature, 497, pp. 51–59.

Hillson, D. (2017) The Risk Management Handbook. London: Kogan Page.

ISO (2018) ISO 31000: Risk Management Guidelines. Geneva: International Organization for Standardization.

Ivanov, D. and Dolgui, A. (2021) ‘A digital supply chain twin for managing the disruption risks and resilience in the era of Industry 4.0’, International Journal of Production Research, 59(10), pp. 1–17.

Ji, Z. et al. (2023) ‘Survey of hallucination in natural language generation’, ACM Computing Surveys, 55(12), pp. 1–38.

Marchau, V., Walker, W., Bloemen, P. and Popper, S. (2019) Decision Making under Deep Uncertainty. Cham: Springer.

NIST (2023) AI Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology.

Power, M. (2021) The Risk Management of Everything: Rethinking the Politics of Uncertainty. London: Demos.

Rasmussen, M. (2023) GRC 20/20 Research and Thought Leadership Publications. GRC 20/20 Research.

Taleb, N. (2012) Antifragile: Things That Gain from Disorder. New York: Random House.

Weick, K. and Sutcliffe, K. (2015) Managing the Unexpected. 3rd edn. San Francisco: Jossey-Bass.
