When people hear GRC (Governance, Risk, and Compliance), the first thing that comes to mind is paperwork. Policies. Documents. Checklists. Forms. Endless writing.
I used to think the same.
But the more I learn about GRC, the more I realise something important:
GRC is not about paperwork.
Paperwork is the evidence.
The real work of GRC happens long before a document is written and long after it has been filed away.
Policies, reports, and documents don’t exist for decoration. They exist to answer real questions:
- What could go wrong?
- Who is responsible if it does?
- What should happen when something fails?
- How do we reduce damage and recover quickly?
The paperwork is simply how organisations record decisions that protect people, systems, and business operations.
GRC Is About Thinking Ahead
At its core, GRC is about anticipation.
It asks:
- Where are we exposed to risk?
- How might human behaviour affect security?
- What happens if someone makes a mistake?
- How do we keep the business running during disruption?
That’s not paperwork.
That’s foresight.
What Aviation Compliance Taught Me About GRC
As a flight attendant, compliance was never optional; it was my reality.
One of the most important compliance requirements in aviation is our cabin crew licence. Every year, that licence must be renewed. But renewal is not automatic.
Before it is approved, we must:
- return to training
- write exams
- pass a competency check
Only after meeting all these requirements is the licence submitted for renewal.
Medical fitness is also part of compliance.
If you are under 40, your medicals are renewed every two years.
If you are over 40, they are renewed every year.
Recently, I went for my medicals and was told I now need to wear glasses. That information was recorded on my licence. From that moment, compliance became very clear to me:
Even if my licence is renewed, if my glasses are not ready, I am not fit to fly.
No excuses.
No shortcuts.
No “almost compliant.”
That is compliance in real life.
How This Relates to GRC
GRC works the same way.
You can have policies.
You can pass audits.
You can tick all the boxes.
But if you are not complying with the actual requirements, based on your role, your region, and your responsibilities, then you are still a risk.
In GRC:
- policies define expectations
- regulations set boundaries
- compliance determines whether you can operate
Just like aviation, compliance is not about punishment.
It is about safety, readiness, and trust.
Why This Changed My Perspective
This is why GRC feels familiar to me.
It is not paperwork for paperwork’s sake.
It is about ensuring people, systems, and businesses are fit to operate before something goes wrong.
A licence is proof.
A medical is proof.
A policy is proof.
But the real work happens in preparation, discipline, and accountability.
That’s why GRC matters.
And that’s why it has always felt like home to me, even before I knew its name.



