Where's the Hole? The Inner Game of GRC Leadership

May 05, 2026

There's a concept from Timothy Gallwey's The Inner Game of Golf that I come back to often in my work with GRC leaders. Gallwey's point is simple: knowing where the hole is matters more than how hard you hit the ball. Perfect your swing all you like, but if you're aiming at the wrong target, the effort is wasted.

I see a version of this playing out regularly across governance, risk, and compliance functions. The leaders I work with are, almost without exception, technically excellent. Strong frameworks, comprehensive programmes, well-managed regulatory relationships. The execution is often very good.

But when I ask a different kind of question, "What does your function look like when it's working at its best, beyond meeting regulatory obligations?" many find it harder to answer than you might expect. They can walk me through the plan, the Book of Work, and the current remediation activity. The bigger picture, the vision for what the function is actually trying to become and why that matters to the organisation, is often unclear or unspoken.

Plans and visions are not the same thing

A plan is operational. It tells your team what to do. Managers plan and cope with complexity. A vision gives direction and meaning. Leaders set direction and cope with change, an idea John Kotter explored in his work on what separates leadership from management. With a vision that provides clear purpose, values, and desired results, leaders can operate with conviction. When those three things are unclear, even the most capable people end up stuck in execution mode, doing the work rather than leading it.

The distinction becomes visible in how conversations with the business unfold. Where a function operates primarily through programme delivery, discussions focus on status updates, remediation timelines, and control coverage. Where there is clearer functional leadership, the conversation shifts to include behaviour, decision quality, and how risk insight shapes real business outcomes. Both are necessary, but they are not interchangeable.

The prevention trap

This is why so many GRC leaders feel like "the person who says no." They are protecting the firm, but they can only articulate what they are preventing, not what they are building toward. And prevention is a much harder thing to rally people around.

Gallwey's analogy holds here too: yes, see the hole, but it is just as critical not to fix your eyes on the bunker. Look where you want to go, not where you don't. In control function roles, it is easy to frame everything as prevention, keeping your eyes on the obstacles as you make your swing. Over time, the function becomes defined by what it stops rather than what it contributes. The consequence is not a lack of effort. In most cases, effort increases. The consequence is a constraint on influence.

Preventing loss is essential work. But it does not, on its own, earn the function a voice in how the business makes decisions. The GRC leaders I see who genuinely influence, who get a different reception from the CEO or the business heads, have a clear, articulated view of what their function contributes beyond compliance as prevention. They connect conduct, culture, and risk management to business strategy in a way that makes senior stakeholders want to engage, not just tolerate.

Two questions worth sitting with

If someone asked you today what your vision for your function is, not your plan for the year, but your actual vision for what it looks like when it is working at its best, what would you say? And would your team, your ExCo, or your regulator give the same answer?

Where those answers diverge, the issue is rarely execution. Most GRC functions are not under-delivered. They are under-defined at the leadership level. That is a different problem, and it requires a different response.
