Fri. May 22nd, 2026

Govern, Reassure, Confuse

GRC, in the official slide, stands for Governance, Risk and Compliance. The three words are intended to describe three disciplines, each anchored to an operational substrate, each accountable to a measurable outcome, each contributing to the safety of the institution it serves.

In the median European bank, in 2026, the three words describe three rituals. The rituals are not malicious. They are not the result of a conspiracy. They are the equilibrium that emerges, over fifteen years of incremental procurement of frameworks, methodologies, certifications and platforms, when producing documentation is rewarded better than preventing intrusion.

This article documents the three rituals, in their current operational form. It proposes, in closing, that the discipline of GRC, in its original sense, is still possible. It is not, in 2026, what most CISOs spend their week defending.

G is for Govern, in the Sense of Govern the Narrative

Governance, in the original sense, is the discipline of accountable decision-making about cyber risk. A board of directors decides what risks the institution is willing to carry. An executive committee implements those decisions through policy and resource allocation. A risk function escalates exceptions. The decisions are documented, dated, and traceable to outcomes.

Governance, in the operational sense observed in the median European bank in 2026, is the discipline of producing committees.

The median enterprise GRC framework, by 2026, has spawned, by Forrester’s recent count, between twelve and eighteen distinct standing committees, councils, advisory panels and working groups, each with a charter, a quarterly review cycle, a SharePoint site, a secretariat seconded from a Big Four consulting firm, and a budget code. The committees are arranged in a configuration in which each intersects three other committees without intersecting any operational team. The output of each committee is a report. The reports are reviewed by other committees. The reviews are reported back to the original committees, in the next quarterly cycle, as evidence of the maturity of the framework.

At the end of each calendar year, the framework reports its own maturity to itself, and finds it strong. The report goes to the board. The board approves the framework. The framework adds, for the next calendar year, a new working group on the latest topic, typically AI Governance.

This is the Govern part. It governs, in the sense in which a self-referential bureaucracy governs itself: by producing its own legitimacy through the production of its own outputs. It does not govern the underlying cyber risk, because the underlying cyber risk does not produce reports.

R is for Reassure, in the Sense of Reassure the Audience

Risk management, in the original sense, is the discipline of rigorous assessment and prioritization of credible threats. A threat model is constructed. The model is calibrated against observed incidents in comparable institutions. The most credible threats are prioritized. Resources are allocated to mitigate them. The effectiveness of the mitigation is measured against the recurrence of the threat. The cycle is iterative, falsifiable, and bounded.

Risk management, in the operational sense observed in 2026, is the discipline of producing dashboards.

The median enterprise GRC dashboard, by 2026, contains 247 KPIs. The number 247 is not the result of a methodological derivation. It is the cumulative result of four years of additive contribution from each successive Chief Risk Officer, each successive Head of Compliance, each successive external audit recommendation, and each successive vendor demo of a GRC platform. The KPIs were selected when they were selected, not because they measured the threats facing the institution at the time of selection, and certainly not because they measure the threats facing the institution at the time of the dashboard refresh.

The KPIs measure, in various proportions: policy issuance rates, training completion rates, incident closure rates, audit finding remediation rates, third-party risk assessment completion rates, framework maturity self-assessment scores, board reporting frequency, regulatory engagement frequency, control testing coverage percentages, and approximately seventeen distinct varieties of “alignment”.

None of the 247 KPIs measure, in any direct or proxy fashion, whether the institution is being broken into. Eighty percent of breaches in 2026 involve compromised credentials. The figure has been stable, within plus or minus three points, for seven consecutive years. The dashboard does not display this figure. The dashboard does not display this figure because the dashboard is designed to measure the discipline of producing the dashboard, not the discipline of preventing intrusions.

The dashboard turns green. It always turns green. There are never reds. There are four yellows and one “deprioritized for methodology reasons”. This is the Reassure part. It reassures, in the sense in which a placebo reassures: the recipient feels better, the underlying condition is unaffected, and the practitioner is paid.

Sources: the 80% figure for breaches involving compromised credentials is a Verizon DBIR-derived statistic, cross-reported by miniOrange, Built In, CDW and other industry reports through 2026.

C is for Confuse, in the Sense of Confuse the Auditor

Compliance, in the original sense, is the discipline of meaningful adherence to regulation that exists for substantive reasons. A regulation requires the institution to do something. The institution does it. The doing is documented. The auditor verifies that the documentation reflects the doing. The compliance function exists to ensure the connection between the doing and the documentation.

Compliance, in the operational sense observed in 2026, is the discipline of producing post-incident reviews.

The median post-incident review template, in the European banking sector, is eighty-three pages long, in version 4.7 of November 2024. The template comprises twelve sections. Two are reserved for the timeline. Three for the technical root cause. One for the financial impact. Six for the following:

  • “Methodology learnings”
  • “Process refinement opportunities”
  • “Framework alignment observations”
  • “Control architecture considerations”
  • “Governance optimisation pathways”
  • “Strategic resilience enhancement priorities”

The conclusion of the post-incident review, irrespective of the incident, is a variation on the following formula: “The framework was operating as designed, but the threat landscape evolved faster than the methodology refresh cycle.”

The formula is neither false nor falsifiable. The framework did, in some sense, operate as designed; the threat landscape did, in some measurable sense, evolve. The formula attributes the failure to the speed of the threat landscape, which is no one’s responsibility, and exonerates the framework, which is everyone’s responsibility. It is the rhetorical engine that allows the framework to survive its own failure, repeatedly, without the framework itself ever being placed in question.

This is the Confuse part. It confuses, in the sense in which administrative prose confuses: not by saying anything untrue, but by saying many things in a configuration in which the conclusion is no longer extractable.

Why the Three Rituals Persist

The three rituals persist for four structural reasons.

First, the institutions that consume GRC outputs (board, regulator, auditor, insurer, corporate customer questionnaires) consume documentation. The dashboard is the artifact they examine. The directory listing, the legacy authentication endpoint, the unaudited service account, the unmonitored credential-stuffing log, are artifacts they do not examine.

Second, the careers that the GRC framework supports are careers in the documentation layer. The Chief Risk Officer is promoted on the discipline of producing the dashboard. The Head of Compliance is promoted on the quality of the policy framework. The external auditor is paid for examining the documentation. None of these careers is evaluated against the question of whether the institution is being broken into.

Third, the GRC vendors of the period 2010-2025 have sold the dashboard, the framework, the methodology, the maturity model, and the certification path. They have not sold the question of whether any of these things detect or prevent intrusions. The market supplies what is bought. The buyers buy documentation.

Fourth, the CISOs who can see the gap are structurally junior to the dashboard producers. They are on the operational floor, not the strategic floor. They are reassigned to “strategic projects” when they become inconvenient. The handful who remain, and who continue to defend the operational substrate, do so against the gravitational pull of the entire validation ecosystem, and most lose the battle within five years.

These four conditions are individually rational. Together they produce the equilibrium in which the GRC framework continues to operate, the dashboard continues to turn green, the post-incident review continues to invoke the formula, and the breach continues to occur on schedule.

What the Discipline Could Still Be

The three rituals are not the disciplines. The disciplines, in their original sense, remain available to any institution willing to practice them.

Governance, in the original sense, requires a board that asks one specific question every quarter: “Show us a list of the credentials that, if compromised today, would enable the worst three scenarios we have agreed to defend against. Tell us when each was last rotated, who owns each, and what would prevent the compromise.” The question is short. The answer is operational, not documentary. The answer either exists or it does not. The boards that ask the question are rare.

Risk management, in the original sense, requires a dashboard with fewer KPIs and more signal. Three to five operational indicators, refreshed in near-real-time, calibrated against observed incidents, with explicit accountability for each. The dashboard is shorter than slide 23. It is also harder to produce. It is, in 2026, the dashboard of approximately five percent of European banks.
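The board question above and the short operational dashboard rest on the same underlying artifact: an inventory of the credentials that matter, joined to what the authentication logs actually show. What follows is an added example, not code from this article or from any bank's tooling, that computes three such indicators over constructed data: crown-jewel credentials that are stale or have no named owner, sources whose failed logins span many distinct accounts (the credential-stuffing pattern), and the share of successful logins still passing through a legacy endpoint. The credential identifiers, the log format, the 90-day rotation threshold, the five-account threshold and the fixed clock are all assumptions chosen for the illustration.

```python
"""Three operational indicators over constructed data (added example; the
credential inventory, log format and thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed clock so the results are reproducible; a real run would use the current time.
NOW = datetime(2026, 5, 22, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)  # assumed rotation policy for privileged credentials

# Constructed inventory: the credentials whose compromise enables the
# scenarios the board agreed to defend against. Not real identifiers.
CREDENTIALS = [
    {"id": "svc-swift-gateway", "owner": "payments-ops",
     "rotated": "2026-04-30", "scenario": "fraudulent payment"},
    {"id": "svc-core-banking-db", "owner": None,
     "rotated": "2025-01-15", "scenario": "data exfiltration"},
    {"id": "admin-ad-domain", "owner": "iam-team",
     "rotated": "2025-11-01", "scenario": "ransomware"},
    {"id": "svc-legacy-vpn", "owner": "netops",
     "rotated": "2024-06-01", "scenario": "ransomware"},
]

# Constructed authentication log: one source spraying many accounts on the
# legacy endpoint, plus ordinary user traffic. The line format is an assumption.
AUTH_LOG = """\
2026-05-22T08:00:01Z login_failed user=a.rossi src=203.0.113.7 endpoint=/legacy/auth
2026-05-22T08:00:02Z login_failed user=b.bianchi src=203.0.113.7 endpoint=/legacy/auth
2026-05-22T08:00:03Z login_failed user=c.verdi src=203.0.113.7 endpoint=/legacy/auth
2026-05-22T08:00:04Z login_failed user=d.neri src=203.0.113.7 endpoint=/legacy/auth
2026-05-22T08:00:05Z login_failed user=e.russo src=203.0.113.7 endpoint=/legacy/auth
2026-05-22T08:00:06Z login_ok user=f.greco src=203.0.113.7 endpoint=/legacy/auth
2026-05-22T08:05:10Z login_failed user=g.conti src=198.51.100.20 endpoint=/auth/v2
2026-05-22T08:05:20Z login_ok user=g.conti src=198.51.100.20 endpoint=/auth/v2
2026-05-22T08:06:00Z login_ok user=h.ferrari src=198.51.100.21 endpoint=/auth/v2
2026-05-22T08:07:00Z login_ok user=i.romano src=198.51.100.22 endpoint=/legacy/auth
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) endpoint=(?P<endpoint>\S+)$"
)


def credential_findings(creds, now=NOW, max_age=MAX_AGE):
    """Indicator 1: crown-jewel credentials that are stale or have no owner.
    Returns (id, scenario, [problems]) for each credential that fails the check."""
    findings = []
    for c in creds:
        rotated = datetime.strptime(c["rotated"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age = now - rotated
        problems = []
        if age > max_age:
            problems.append(f"stale ({age.days}d)")
        if not c["owner"]:
            problems.append("no owner")
        if problems:
            findings.append((c["id"], c["scenario"], problems))
    return findings


def parse_auth_log(text):
    """Parse the constructed log format into dicts; lines that do not match are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def stuffing_sources(events, min_distinct_users=5):
    """Indicator 2: sources whose failed logins span many distinct accounts.
    A user mistyping a password fails on one account; a credential-stuffing
    run fails across many, and its successes are the compromised accounts."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for e in events:
        bucket = failed if e["event"] == "login_failed" else succeeded
        bucket[e["src"]].add(e["user"])
    return {
        src: {"attempted": len(users), "compromised": sorted(succeeded[src])}
        for src, users in failed.items()
        if len(users) >= min_distinct_users
    }


def legacy_auth_share(events, legacy_prefix="/legacy/"):
    """Indicator 3: fraction of successful logins that went through the
    legacy endpoint, i.e. the path that bypasses the modern controls."""
    ok = [e for e in events if e["event"] == "login_ok"]
    legacy = [e for e in ok if e["endpoint"].startswith(legacy_prefix)]
    return len(legacy) / len(ok) if ok else 0.0


def dashboard():
    """The whole dashboard: three indicators, each answerable from live systems."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "crown_jewel_findings": credential_findings(CREDENTIALS),
        "stuffing_sources": stuffing_sources(events),
        "legacy_auth_share": legacy_auth_share(events),
    }


if __name__ == "__main__":
    for name, value in dashboard().items():
        print(f"{name}: {value}")
```

Run as a script it prints the three indicators. Each is computed from systems the institution already operates, can be refreshed on every log batch, and points at a named owner or a specific source address, which is the property none of the 247 KPIs has. The thresholds are deliberately visible as parameters, because the argument about what counts as stale or as a spray is exactly the argument a board should be having.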

Compliance, in the original sense, requires a post-incident review that concludes with a binding action. The action is operationally verifiable, time-bound, and assigned to a named owner. The conclusion is not a methodology learning. The conclusion is a deprovisioning campaign, a patching deadline, an architectural change. The reviews that produce such conclusions are conducted by institutions that have decided, ahead of the incident, that the review will be useful rather than performative.

GRC, in the official slide, is Governance, Risk and Compliance. The three words describe three disciplines worth practicing.

GRC, in the median European bank in 2026, is Govern, Reassure, Confuse. The three verbs describe what the framework actually does. The verbs are not in the slide deck. They are visible in the calendar of any senior CISO who has been working the dashboard for more than three years.

The next CISO who notices this is invited to consider whether the slide deck or the dashboard is the artifact worth defending. The institution that picks the dashboard, in the original sense, is the institution that survives the next breach with the strategy intact. The institution that picks the slide deck is the institution whose strategy lives on the slide deck and whose breach lives in the directory listing.

They are different documents. Only one of them, in 2026, contains the actual posture of the institution. It is, in the median European bank, the one nobody is examining.


All my “insane” books on cybersecurity and governance are here 👉 https://www.amazon.it/stores/author/B0FB47T6Q4/allbooks