GRC Alchemy: Imagination, Knowledge, and the Future of GRC

Michael RasmussenWritten by
Published onUpdated onDiscussionLeave a Comment on GRC Alchemy: Imagination, Knowledge, and the Future of GRC

The highlight of my current business trip to Denmark has not been a meeting, a briefing, an RFP conversation, or a strategy session. The highlight was going to Alchemist in Copenhagen with my oldest son, Noah, who is a chef . . .

That made the experience personal. It was father and son, but also analyst and chef, both of us looking at craft, design, precision, execution, and imagination from different professional angles. Noah sees cuisine with a depth that I appreciate but cannot fully inhabit. I see operating models, governance structures, taxonomies, information architectures, and systems of accountability where others simply see dinner. My family has learned to live with this condition, as there is no known cure.

Alchemist is consistently reviewed as one of the best restaurants in the world, and Chef Rasmus of Alchemist has been voted best chef in the world the past two years. But calling Alchemist a restaurant is like calling the Starship Enterprise a vehicle. Technically accurate, but it misses the entire point.

Alchemist is an experience: theater, science, cuisine, technology, design, choreography, social commentary, hospitality, precision, and imagination. It is not merely about eating. It is about entering a world deliberately constructed to transform how you perceive food, space, story, and meaning.

And that is where this becomes a GRC story . . .

Too much of GRC has been trapped in the mechanics of the past. We have built repositories, workflows, assessments, issue logs, control libraries, obligation inventories, policy portals, risk registers, and dashboards. These are all important: they are the ingredients of GRC. But ingredients alone do not make a meal. A pantry full of fine components does not produce a great dining experience. A kitchen full of jars, spices, herbs, and carefully labeled extracts is still only potential until someone with vision understands how they come together. Organizations should not ask, “What tool should we buy?” They should ask, “What should GRC become?” . . . That is the right question to be asking.

Entering the Experience

The Alchemist experience does not begin with a menu. It begins with a shift in perception.

When Noah and I first set foot into the experience, we entered a visual multimedia room where images were projected in front of us with our faces transposed onto them; moving across history, humanity, culture, science, and imagination. This was not a waiting room. This was not decoration. This was the threshold . . . It was an intentional transition from the ordinary into the extraordinary.

The opening experience concluded that opening sequence with the statement:

“Imagination is more important than knowledge. For knowledge is limited to all we now know and understand, while imagination embraces the entire world, and all there ever will be to know and understand.” – Albert Einstein

The fuller point was that knowledge is limited to what we now know and understand, while imagination reaches toward the whole world and what there will be to know and understand. Imagination can be the birthing chamber to more knowledge. For example, some of the techniques used at Alchemist were entirely new and innovative, creating something new that has introduced new knowledge into the culinary sphere. While there were also other aspects of Alchemist that were intentionally attempting to resurrect and revive knowledge that has nearly been lost to time, at least to most of the world. In this sense, new knowledge is introduced into the modern compendium through imagination.

That thought stayed with me throughout the evening. It also stayed with me through my GRC conversations in Denmark the next day and through this past weekend.

Because this is exactly where GRC is today. We have more knowledge than ever. We have more data, more regulations, more frameworks, more controls, more risk indicators, more audit findings, more cyber telemetry, more third-party intelligence, more sustainability metrics, more resilience data, more regulatory alerts, more policies, more evidence, more questionnaires, more issues, more exceptions, more dashboards, more, more and more . . .

We are swimming in knowledge. Some organizations are drowning in it. But knowledge is not enough. Knowledge tells us what exists. Imagination helps us decipher what it means. Knowledge catalogs the present: imagination designs the future. Knowledge can document the ingredients, while imagination creates the experience.

That is the lesson of Alchemist. It is also the lesson for the future of GRC.

The Alchemist as a Model for GRC

Alchemist describes its experience through the language of transformation. Alchemists in centuries long past sought to purify, mature, and perfect physical objects. In the same way, Alchemist aims to transform and transcend the nature and perception of food and dining.

That is a powerful metaphor for GRC. GRC, at its best, is also an act of transformation. It takes fragmented things and makes them coherent. It takes uncertainty and gives it structure. It takes obligations and connects them to accountability. It takes risks and places them in the context of objectives. It takes controls and shows whether they are relevant, effective, redundant, or missing. It takes incidents, issues, losses, complaints, findings, and failures and turns them into learning. It takes governance out of the boardroom, risk out of the register, and compliance out of the checklist, bringing them into the rhythm of the business.

That is not bureaucracy. That is alchemy. The problem is that many organizations still approach GRC as if it were a storage problem. They gather risks in one place, controls in another, obligations somewhere else, policies in a portal, third-party data in a procurement system, audit findings in spreadsheets, incidents in a case management tool, resilience plans in documents, and objectives in strategy decks that never shake hands with the rest of the architecture.

Then organizations wonder why GRC feels fragmented. That is like giving a chef access to a warehouse of ingredients but no kitchen, no recipe, no menu, no service model, no trained team, no understanding of the diner, no coordination, no timing, and no purpose beyond “please produce something impressive by the end of the quarter.”

Good luck. Bon appétit. May the risk register be ever in your favor.

Alchemist works because everything is expertly curated and designed. The experience has strategy. It has process. It has information. It has technology. It has choreography. It has timing. It has roles. It has space. It has story. It has purpose. It has execution.

That is exactly what GRC needs.

Strategy: The Experience Begins Before the First Course

One of the most important lessons from Alchemist is that the experience begins long before anything is served. Even the anticipation build up as you are forced to wait outside the door. It is intentionally designed to reset your mind to enter a new world and create intrigue.  

There is a clear vision. There is a purpose. There is a philosophy. Every element exists in relation to the whole. The evening is not a random sequence of clever dishes. It is an orchestrated journey.

This is where many GRC programs fail.

They begin with activity instead of strategy. Someone needs a risk assessment. Someone else needs a control test. Compliance needs policy attestations. Audit needs evidence. Procurement needs third-party due diligence. Legal needs regulatory change tracking. The board wants reporting. The regulator wants accountability. The business wants all of this to stop getting in the way.

In response, the organization buys tools, configures workflows, launches assessments, builds dashboards, and creates committees. Then it calls the result “integrated GRC.”

But activity is not strategy. In the restaurant industry, my son says his colleagues and him have a term for people who take this approach. They call them ‘busy idiots.’

An integrated GRC strategy begins with the decisions and objectives of the organization. 

  • What is the business trying to achieve? 
  • What uncertainty could affect those objectives? 
  • What obligations define the parameters of integrity? 
  • What controls are necessary to ensure reliability? 
  • What information is needed to make decisions? 
  • What assurance is required to build confidence? 
  • What technology architecture supports this in a way that is agile, connected, and sustainable?

Strategy gives GRC its purpose. Without strategy, GRC becomes a mundane, aimless buffet of disconnected functions. Everyone fills their plate. Nobody has designed the meal.

Process: The Choreography of GRC

The experience at Alchemist is intentionally choreographed. Guests move through physical spaces, and the experience unfolds through different stages. Each impression has a place, a sequence, a role, and a moment. Nothing feels accidental.

Good GRC is also choreography. It is not enough to define a risk process, a compliance process, an audit process, a third-party process, a policy process, and an incident process as separate operating models. These processes interact. They overlap. They inform each other. A regulatory change may require a policy update, control redesign, training, third-party communication, monitoring, and assurance. A third-party incident may affect operational resilience, contractual obligations, cyber risk, business continuity, customer commitments, and board reporting. A failed control may indicate a weak process, a poorly understood obligation, insufficient accountability, or a technology dependency that no one mapped correctly.

GRC processes are not parallel lines. They are an ecosystem.

This is where imagination matters. Anyone can draw a process map, and many do. Some are even useful. But imagination asks how the process works in reality. 

  • How does the business experience it? 
  • Where does accountability break down? 
  • Where do handoffs fail? 
  • Where is data duplicated? 
  • Where are decisions delayed? 
  • Where does the process create friction without reducing risk? 
  • Where does the organization mistake motion for progress?

The future of GRC requires process design that is business-integrated, role-aware, risk-informed, and adaptive. It has to recognize that the organization is not static. Strategies change. Markets shift. Regulations expand. Third parties come and go. Technologies evolve. Threats emerge. Controls degrade. People move. Data changes. Business models transform.

The GRC process has to be designed for movement.

Information: The Wall of Flavors

One of the most striking parts of Alchemist is the test kitchen and the wall of flavors in jars (see blog article post picture). To a chef, this is not simply a wall of interesting ingredients. It is a vocabulary. It is possibility stored in physical form. It is knowledge waiting to be combined through imagination.

That wall is a perfect metaphor for GRC information architecture. Imagine the GRC equivalent: a wall of objectives, risks, obligations, controls, policies, assets, processes, third parties, incidents, issues, metrics, losses, regulations, authorities, business units, products, geographies, and assurance activities. Each jar matters. Each has its own identity. Each contains something useful. But the real value is not in the jar. The value is in the relationship between the jars.

This is where so many GRC platforms and programs have historically struggled. They collect the jars. They label the jars. They count the jars. They produce reports on jar ownership, jar status, jar review cycles, and overdue jar attestations. 

But they do not understand the recipe. A risk without an objective is abstract. A control without an obligation or risk context is noise. A policy without mapped requirements is a document. A regulatory change without business impact analysis is a news alert. A third-party assessment without relationship context is administrative theater. An issue without root cause analysis is a recurring future failure politely waiting its turn.

The future of GRC depends on connected information. Organizations need a common information architecture that understands the relationships between objectives, risks, obligations, controls, processes, assets, third parties, policies, incidents, issues, and performance. This is the foundation for what I increasingly talk about as GRC 7.0: GRC Orchestrate. It is not simply workflow. It is not simply content. It is not simply analytics. It is the orchestration of governance, performance, risk, and compliance across the extended enterprise.

The wall of flavors becomes powerful and effective when the chef knows how to combine them.

The wall of GRC information becomes powerful and effective when the organization understands context and objects. This is why GRC technologies need to move beyond traditional relational databases to object oriented graph databases (more on that coming next week in this blog).

Technology: The Architecture of the Experience

At Alchemist, technology is everywhere, but it does not dominate the experience. It supports the experience. It enables the imagination. It creates atmosphere, timing, coordination, and precision. While not always visibly apparent, it is present, but it is not the point.

That is exactly how GRC technology should work. Too many organizations still let the tool define the program. They buy a platform and then conform their GRC operating model to whatever the system can do most easily. This is backwards. Technology should support the strategy, process, and information architecture of GRC. It should enable the experience of governance, risk management, and compliance across the business. It should not force everyone into rigid forms and workflows that were designed for another organization, another decade, or another regulatory problem.

The best GRC technology is not merely a system of record. It is a system of intelligence. It brings together structured and unstructured information. It connects internal and external data. It supports decision-making. It enables accountability. It provides visibility into change. It understands relationships. It integrates with the broader business technology environment. It becomes part of the organization’s nervous system.

This is where AI enters the conversation. AI is very good at processing knowledge. It can read, summarize, classify, map, compare, detect patterns, generate drafts, identify anomalies, recommend linkages, and accelerate analysis. In GRC, that is enormously valuable. AI can help organizations process regulatory change, map obligations to controls, analyze policy gaps, summarize incidents, review third-party risk intelligence, draft control narratives, and identify patterns across issues and losses.

But AI does not have imagination. AI can process what is known. It can work from patterns, data, language, models, and training. It can accelerate the handling of knowledge. But imagination is different. Imagination asks what could be. It sees the unusual connection. It challenges the assumption. It creates a new model. It recognizes that the future may not be a more efficient version of the past.

That is human. The future of GRC is not AI replacing human judgment. It is AI augmenting human capability. It is AI handling the knowledge burden so humans can focus more deeply on context, judgment, creativity, ethics, strategy, and imagination.

  • Knowledge and imagination are both needed.
  • Knowledge without imagination becomes bureaucracy.
  • Imagination without knowledge becomes fantasy.
  • Together, they become transformation.

The Business-Orchestrated Future of GRC

The organizations I am interacting with are wrestling with this reality. They are not simply asking for another tool to automate existing tasks. They are trying to understand how GRC becomes more connected, intelligent, agile, and aligned with the business.

This is the right direction. The future of GRC is not a bigger repository. It is not another layer of workflow. It is not more dashboards showing stale data in prettier colors. It is not an AI chatbot sprinkled on top of a fragmented architecture like parsley on a poorly assembled plate.

The future of GRC is business-orchestration. It connects governance to objectives. It connects risk to uncertainty. It connects compliance to integrity. It connects performance to accountability. It connects controls to obligations and risks. It connects issues to root causes. It connects third parties to business services and resilience. It connects regulatory change to operational impact. It connects assurance to confidence. It connects data to decisions.

This requires imagination because the organization must see GRC differently, and . . .

  • Not as a compliance burden.
  • Not as a risk reporting exercise.
  • Not as an audit support function.
  • Not as a technology implementation.
  • Not as a department.

GRC is the capability of the organization to reliably achieve objectives, address uncertainty, and act with integrity. That capability has to be designed with intent. It has to be orchestrated with skill. It has to be experienced by the business in a way that is useful, meaningful, and sustainable.

That is where many GRC programs need their own Alchemist moment.

They need to step through the threshold and leave behind the assumption that GRC is a collection of disconnected activities. They need to see the whole. They need to understand the ingredients, but also the experience. They need to know the jars on the wall, but also the combinations. They need the discipline of knowledge and the courage of imagination.

From the Test Kitchen to the Boardroom

The test kitchen at Alchemist is not just a place where food is prepared. It is where ideas are discovered, explored, refined, tested, matured, and transformed. Some combinations work while others do not. Some become part of the experience while others remain experiments. That is the nature of innovation.

GRC needs more test kitchens. This does not mean reckless experimentation with compliance obligations or controls. I am not suggesting that organizations should take their regulatory requirements, toss them into a blender, add foam, and serve them to the audit committee under a smoke-filled dome.Despite that, I have seen some board reporting that was not far off.

What I mean is that organizations need safe spaces that are cultivated to rethink how GRC works. They need to pilot new approaches. They need to test new information models. They need to explore how AI can improve regulatory analysis, control testing, policy management, third-party monitoring, resilience mapping, and issue management. They need to examine how digital twins can model the organization as well as its processes, dependencies, controls, risks, and obligations. They need to consider how agentic AI can assist in monitoring, routing, escalation, evidence gathering, and decision support.

But all of this must be anchored in governance. Innovation without governance becomes chaos. Governance without innovation becomes stagnation.

The test kitchen is where imagination and discipline meet. That is what GRC needs.

The Human Element

One of the reasons the Alchemist experience works is that it is unapologetically human. Technology supports it. Process structures it. Information informs it. Strategy guides it. But people bring it to life.

That is also true for GRC. We can have the best technology, the most elegant taxonomy, the most complete obligation library, the most advanced analytics, and the most sophisticated AI; but if people do not understand their role in governance, risk management, and compliance, the program will fail. If the business sees GRC as something done to them instead of something that enables them, the program will fail. If accountability is unclear, the program will fail. If culture rejects integrity, the program will fail. If leadership treats GRC as a regulatory cost center instead of a strategic capability, the program will fail.

  • Human judgment matters.
  • Human imagination matters.
  • Human courage matters.

AI can help process the knowledge, but humans must ask the crucial questions. Humans must decide what matters. Humans must challenge the assumptions. Humans must see around corners. Humans must connect ethics with objectives, risk with opportunity, compliance with trust, and governance with performance.

The organizations that will lead in GRC are not those that simply automate the known. They will be the ones that imagine better ways to govern, manage risk, and act with integrity in a world of constant change.

A Call to GRC Imagination

The quote that opened the Alchemist experience stayed with me because it captures the moment we are in.

Knowledge matters. It is essential. We need data. We need evidence. We need obligations mapped. We need risks understood. We need controls tested. We need policies governed. We need issues tracked. We need assurance documented. We need regulatory change monitored. We need third parties assessed. We need resilience validated.

But if all we do is process what is already known, we will only build more efficient versions of the past.

That is not enough.

The future of GRC requires imagination. It requires the imagination to see GRC as a business capability, not a compliance department. It requires the imagination to connect governance, performance, risk, and compliance into one integrated architecture. It requires the imagination to design processes that work in the rhythm of the business. It requires the imagination to build information models that show relationships and context. It requires the imagination to use technology and AI not as gimmicks, but as enablers of better decisions. It requires the imagination to ask what GRC should become, not merely how GRC can be automated.

Alchemist reminds us that transformation does not happen by accident:

  • It is designed.
  • It is orchestrated.
  • It is experienced.

The same must be true of GRC. The organizations that get this right will move beyond fragmented systems, static reports, and compliance theater. They will build GRC that is alive to the business, responsive to change, grounded in knowledge, and elevated by imagination.

That is the future of GRC. And perhaps that is the real alchemy: transforming the raw materials of objectives, uncertainty, obligations, controls, information, technology, and human judgment into an integrated capability that helps the organization achieve what it sets out to achieve, navigate what could disrupt it, and act with integrity along the way.

Knowledge gives us the ingredients.

Imagination creates the experience.

Let’s get into the GRC kitchen and get cooking!

Leave a Reply