Monday, August 11, 2025
Governance, risk and compliance (GRC) performance management often measures activity instead of impact. Many companies track the number of audits completed, policies updated or training sessions delivered. These are useful operational indicators, but they do not answer the question executive management actually needs answered: is our governance, risk and compliance function influencing behaviour, strengthening risk culture and reducing exposure across the organisation?
This article examines which performance metrics are truly critical to governance, risk and compliance teams, and shows how shifting the focus from activity counts to cultural and strategic impact can improve a company's risk culture and business results.
The Gaps
Current governance, risk and compliance metrics often suffer from three shortcomings:
* An over-emphasis on output over outcomes: Compliance teams proudly report on the number of monitoring reviews conducted, but rarely connect those activities to measurable risk reduction or improved decision-making.
* A lack of alignment with business objectives: Risk registers, control frameworks and policy updates can become stand-alone exercises if they are not tied to strategic goals. Without a direct link, governance, risk and compliance can be perceived as a cost centre rather than a value driver.
* Limited behavioural insight: Many metrics capture what was done, not how people act under pressure or make risk-based decisions. This limits the ability to assess whether leadership behaviours shape a sustainable risk culture.
What to measure instead?
A more effective performance framework for governance, risk and compliance teams should balance operational efficiency with cultural and strategic indicators:
* Risk-adjusted decision quality: Track the proportion of major business decisions that incorporate documented risk assessments and are later validated as sound.
* Control effectiveness over time: Measure how many high-risk controls maintain effectiveness over multiple review cycles, not just at a single point in time.
* Leadership influence on culture: Use pulse surveys and incident reviews to evaluate how executives’ actions align with stated risk values.
* Regulatory interaction outcomes: Monitor the trend in regulator feedback - not only the absence of fines, but also improvements in supervisory trust and collaboration.
* Training impact, not attendance: Post-training assessments, scenario simulations and observed behavioural change should replace raw participation numbers as the training success metric.
Bridging the gaps
To implement these changes, executives must:
* Shift the narrative from compliance to contribution: Frame governance, risk and compliance as an enabler of safe growth, innovation and market credibility.
* Integrate governance, risk and compliance metrics into corporate scorecards: Place risk and compliance performance alongside financial and operational key performance indicators (KPIs) to emphasise strategic importance.
* Invest in behavioural measurement tools: Adopt qualitative and mixed-method approaches that capture how risk culture forms and evolves, not just how rules are followed.
* Hold leaders accountable for cultural outcomes: Include risk culture indicators in leadership performance reviews to reinforce top-down influence.
In conclusion, as a management executive, you set the tone for what your company measures and values. If your governance, risk and compliance reports are heavy on activity counts but light on behavioural and cultural insight, you are flying without a clear view of how risk is truly managed. Redefine the metrics. Demand that your governance, risk and compliance teams show the connection between their work, leadership behaviour and tangible business outcomes. In doing so, you will move from compliance as a checklist to governance as a competitive advantage.
About Derek Smith Jr
Derek Smith Jr has been a governance, risk and compliance professional for more than 20 years with a leadership, innovation and mentorship record. He is the author of ‘The Compliance Blueprint’. Mr Smith is a certified anti-money laundering specialist (CAMS) and holds multiple governance credentials. He can be contacted at hello@pineapplebusinessconsultancy.com