A Painkiller Sells Better Than a Vitamin

There’s a simple truth in human behaviour: we act faster to relieve pain than to prevent it. A headache sends us reaching for a painkiller immediately. A vitamin, despite its long-term benefits, is easy to postpone, ignore, or underestimate. Organizations behave in much the same way; too often, compliance is treated as a response mechanism. Something to activate when there is pressure: an audit finding, a regulatory request, a reputational concern, or an internal issue that can no longer be ignored. But by the time the “pain” appears, the underlying risk has already been building for some time.

The Perception Problem

The pattern seems familiar. I have seen it a couple of times in my career. Everything is moving fast. Priorities are shifting. Expectations are high.
Governance and compliance are present, but more in the background than in the way decisions are actually being made. Why? The answers vary per case.

Nothing is “wrong.”
Until small things start to surface, or until a crisis event strikes. Gaps. Misalignments. Questions without clear ownership. Individually manageable. Collectively… distracting, time-consuming and avoidable. And like most organizations in that position, the response will be immediate and reactive. A classic painkiller approach!

Across both private and public sector organizations, compliance is frequently seen as a necessary obligation rather than a strategic function, as a cost centre with limited visible return, as a constraint on speed and flexibility. This perception shapes behaviour. Because when compliance is viewed as a “bitter syrup”, as a burden, it is engaged late; often under pressure and with limited room for thoughtful implementation. The result is predictable: fragmented processes, inconsistent practices, and risks that remain hidden until they become urgent.

Risk Doesn’t Appear Overnight

Most organizational risks don’t emerge suddenly. They develop gradually in unclear decision-making structures, inconsistent application of policies, poorly documented processes, misaligned incentives or insufficient oversight. In gaps between strategy and execution (or, even worse, because there is no strategy or execution plan altogether). By the time these risks surface, they are no longer isolated issues; they affect operations, credibility and trust.

A reactive approach treats the symptoms. A proactive approach addresses the system.

From Obligation to Capability

Organizations that operate in complex, regulated, or institutionally sensitive environments, whether in industry, public administration, or international operations, need to reframe compliance. Not as a control mechanism, but as a core organizational capability. This shift changes the question from:

“How do we fix issues when they arise?”
to
“How do we design our organization so that risks are anticipated, understood, and managed early?”

This is where GRC – Governance, Risk, and Compliance – becomes not just relevant but essential.

Making It Work in Practice and Changing the Narrative

The real challenge is not understanding compliance but making it practical. Policies alone do not create compliance. Frameworks alone do not reduce risk.

One of the most important shifts organizations can make is cultural. Compliance should not enter the conversation only when something goes wrong, or only under the pressure of a fine or directors’ liabilities; it has to be part of how organizations define quality, accountability and sustainable success. It should have its place as a function that ensures that when the organization moves forward, it does so with awareness.

Final Thought: Painkillers will always have their place. Issues will arise and responses will be necessary. Proactive GRC does not eliminate challenges. However, it fundamentally changes how organizations experience them: with preparedness and clarity; not mere reaction, but control.

Organizations that rely only on reactive solutions remain in a cycle of urgency. Those that invest in “vitamins” (in governance, structured risk management and embedded compliance) build.

If this perspective resonates, it may be worth rethinking how NIS2 or other sector-specific compliance models are positioned: not as a response to cyberattacks or to a regulator’s audit, but as a foundation for better outcomes. As something far more valuable:

Stability in complexity. Confidence in decision-making. Trust in how they operate.