Governance, risk and compliance (GRC) is evolving faster than at any point in recent history. With regulation becoming more complex, risks more interconnected, and artificial intelligence reshaping how organisations operate, technology alone can no longer carry the burden of effective compliance. Today’s most resilient GRC programmes rely just as much on experienced practitioner judgement as they do on sophisticated platforms.
In this interview with TechBullion, Brent Lee Cole explores why the industry is moving beyond tools-only solutions towards a model that blends advanced technology with deep human expertise. Brent reflects on how embedding seasoned GRC practitioners alongside digital platforms can meaningfully improve outcomes for organisations, strengthening credibility, enhancing defensibility, and enabling practical, scalable execution across the enterprise.
Looking to the future, Brent shares Mitratech’s vision for GRC in an increasingly AI-driven and globally regulated world. He discusses how the right balance between innovation and human insight will be critical in helping organisations build trustworthy, adaptable and resilient compliance frameworks that can withstand both today’s challenges and tomorrow’s uncertainties.
Please tell us more about yourself.
My name is Brent Cole, and I’ve been part of the Mitratech story for six years now. Over that time, I’ve had the opportunity to grow alongside the business — taking on a variety of leadership roles and ultimately stepping into my current role as CEO of Mitratech’s GRC Division. What motivates me here is simple: the people, the mission, and the positive impact we’re able to make for organizations that are navigating increasingly complex risk and regulatory environments.
My background spans sales, operations, and product strategy, and that mix has really shaped how I lead. I’ve spent a lot of time listening to customers, working closely with teams on the ground, and learning what actually works in practice, not just in theory. At Mitratech, I’m passionate about bringing together deep practitioner expertise and enterprise-grade technology so our customers can make smarter decisions, faster, and with confidence.
What excites me most right now is where we’re headed. The pace of innovation across our GRC offering, especially with AI and automation, creates a real opportunity to help organizations move from reactive compliance to proactive, resilient risk management. I’m proud of the team we’ve built and optimistic about what we can accomplish together as we continue to scale, innovate, and deliver meaningful outcomes for our customers.
What is a GRC Program? How has the rapid evolution of regulation, risk and AI changed what “good” GRC looks like in practice, beyond simply deploying technology?
A GRC program is the operating system that helps an organisation set expectations (governance), identify and treat uncertainty (risk), and meet obligations (compliance) consistently, repeatedly, and with evidence. Technology helps, but “good” GRC is fundamentally a discipline: clear ownership, practical controls, repeatable workflows, and credible documentation.
What’s changed are the pace and the stakes:
- Regulatory change is continuous, global, and increasingly complex — meaning you need an approach that can map obligations to policies, controls, and evidence in a living system of record, not in static documents.
- Risk is more interconnected (third parties, cyber, privacy, operations, AI, data). Good GRC now requires cross-domain visibility so leaders don’t make decisions based on partial information.
- AI raises a new governance requirement: not just “monitor and use AI,” but also prove it is controlled, accurate, and ethically aligned. Good GRC needs to be transparent, accountable, and audit-ready across the lifecycle – aligned with frameworks and emerging regulations.
So “good” GRC today looks like connected oversight + defensible evidence + expert judgment, with technology accelerating execution rather than replacing thinking.
Why do you believe practitioner judgment is becoming more critical to effective GRC programmes than ever before?
Because the hardest GRC decisions aren’t binary: organisations are constantly interpreting conflicting or complex requirements, prioritising risk remediation, and responding to regulators, auditors, boards, and other stakeholders.
In a world of accelerating change and AI-enabled operations, organisations need the expertise and judgment of people who have built, defended, and evolved risk and compliance programs in the real world.
Risk has moved beyond “follow the template” to “apply the principle,” and to thinking three steps in the future. While AI and automated operations can streamline analysis, judgment/experience are what make governance trustworthy: knowing what matters and what will stand up under scrutiny. That’s why I believe the future of GRC is expert-led, not expert-replaced. And from a very practical perspective, it’s an individual, not a system, who ultimately bears responsibility for the GRC environment.
Where do purely tools-based GRC approaches most commonly fall short for organisations today?
Tools-only approaches fall short in several places, including:
- Implementation without adoption: workflows exist, but teams keep working in email and spreadsheets because the program design doesn’t reflect operational reality. Too often, extended implementation timelines miss operational changes, leaving them constantly behind the curve.
- Compliance without risk intelligence: organisations collect evidence, but don’t connect it to decisions; so they can’t see patterns, emerging risk, or control weaknesses early enough.
- Over-designed and convoluted solutions that are never fully implemented, creating inherent risks in and of themselves.
- Defensibility gaps: a system can track tasks, but it can’t automatically provide the rationale for why choices were made (scope, risk acceptance, control design) — the very details stakeholders ask for during audits, incidents, or regulatory scrutiny.
This is exactly the “GRC technology paradox” we see in the market: organisations don’t want clunky, over-designed, or elaborate tools or generic systems, but they also can’t stand still as risk evolves.
How does embedding experienced in-house GRC advisers alongside Mitratech’s platform materially improve customer outcomes?
Advisors improve outcomes by closing the gap between what the platform can do and what the organisation needs to accomplish, changing any implementation from “configure a system” to “build a program that can grow and mature in the real world.”
Our in-house strategic advisory team brings practitioner expertise across governance, compliance, risk program design, ethics, and cross-jurisdictional execution. With the addition of Jan Tadeusz Stappers (EVP, Solutions Strategy) — alongside Laura Jacobus (EVP, Strategic Advisory Services) — customers get hands-on guidance rooted in regulatory analysis, risk logic, and program architecture, not theoretical models.
What differences do clients see in credibility and defensibility when expert-led guidance is combined with enterprise GRC technology?
Defensibility: programs become easier to explain and defend because the “why” is built into the operating model — how an organisation’s governance model is reflected in a solution and how risks are identified, prioritised, and managed.
When expert guidance joins forces with a unified platform, clients can demonstrate:
- A thoughtfully designed solution reflecting the governance structure of the organization
- A clear line from obligation → policy → control → test → evidence → remediation
- Consistent decision-making around risk appetite and exceptions
- An audit trail that reflects how decisions were made, not just that tasks were completed
That’s what credibility looks like: intelligently designed solutions that stand up to regulators, auditors, boards, and customers.
How does Mitratech help organisations scale practical, real-world risk management rather than theoretical compliance frameworks?
We focus on connected programs that scale with the business, rather than becoming obsolete.
Mitratech’s GRC suite unifies critical risk and compliance functions in one place, with configurable workflows designed to address real-world complexity across teams and jurisdictions. That creates a shared system for ownership, evidence, approvals, reporting, and oversight — reducing fragmentation and improving consistency as the organisation grows.
And critically, our advisory expertise helps customers translate requirements into sustainable operating practices — what to standardise, what to tailor, and how to build a program people can actually run.
In an AI-driven future, how should organisations balance automation with human expertise to maintain trustworthy governance?
Think of AI as an accelerator, not an authority. Don’t abdicate to AI; instead, use it to augment. A strong balance looks like:
- Automating the repeatable actions, mapping, summarisation, monitoring, and reporting.
- Keeping humans accountable for the consequential: materiality, risk acceptance, policy decisions, model accountability, and regulatory interpretations.
- Building strong governance, so AI outputs are reviewable, explainable, and auditable, with a clear owner for every decision.
That’s how you get speed and trust.
How is Mitratech preparing its clients for increasingly complex global regulatory expectations across multiple jurisdictions?
We help clients address multi-jurisdiction complexity in two ways:
1) Platform capability: a connected system that enables cross-functional oversight, consistent evidence, and executive and board reporting across frameworks and geographies.
2) Practitioner guidance: in-house experts with experience across global environments — particularly across North America, EMEA, and APAC regulatory landscapes — help organisations interpret expectations and operationalise them in a defensible way.
This is especially important as regulators raise expectations in areas such as whistleblowing management maturity, third-party governance, and responsible AI adoption.
Over the next five years, what single shift will most transform the way enterprises design and operate their GRC programmes?
The biggest shift will be moving from ad hoc, spreadsheet-based risk management to continuous, decision-grade risk intelligence.
Enterprises will move toward GRC programs that continuously monitor and combine risk signals across a broad range of channels (including third parties and AI), maintain audit-ready evidence in real time, and support faster, better decisions at every level. Those that succeed won’t be the ones with the most tools or the most data — they’ll be the ones who combine connected technology, disciplined operations, and expert judgement to create trust at scale. The future of GRC is expert-led, not expert-replaced.