Ramachander Rao Thallada is a Governance, Risk, and Compliance (GRC) Executive for Manulife, a modern North American financial institution.

Governance, risk and compliance (GRC) has long been viewed as a purely operational cost rather than a strategic opportunity. Significant investment has gone into building compliance systems to meet regulatory requirements, yet inefficiencies persist because of fragmented processes, legacy systems and rising risk exposure. Experience in financial systems and compliance suggests that the core issue is often not the absence of controls but how those controls are designed and implemented.
Traditional GRC models have historically been reactive, focusing on identifying and managing risks after they emerge rather than designing systems that prevent or reduce risk at the source. In digital payment environments, for example, considerable progress has been made in securing transactions at the point of entry. However, downstream processes such as refunds, dispute resolution and charge-back evidence collection often still rely on outdated, data-intensive workflows.
These gaps expose sensitive information unnecessarily, add operational complexity and ultimately weaken the effectiveness of compliance itself.
To address this problem, businesses need to shift from compliance by control to compliance by architecture, where governance is embedded directly into system design. Instead of relying on layers of oversight and manual controls, systems should be designed to inherently reduce risk while still maintaining transparency and accountability.
One area where this shift is increasingly relevant is payment tokenization. While tokenization has been widely adopted to protect cardholder data during transaction authorization, its use has typically been limited to the front end of the payment process. Downstream processes, however, often still rely on legacy approaches that depend heavily on sensitive data.
This issue was highlighted in a study conducted by Vimal Teja Manne, a business analyst with expertise in payment processing and privacy-focused financial infrastructure. According to the study, many tokenization solutions still rely on data tied to the primary account number (PAN) when managing refunds and processing charge-backs. Manne’s work examines the end-to-end workflow and proposes an architecture that links the payment, refund and dispute processes without relying on sensitive identifiers.
From a GRC perspective, this is a significant shift. Rather than relying on continuous access to sensitive information, the approach uses a secure token-based relationship model that preserves full traceability without compromising confidentiality. These ideas are aligned with privacy by design and data minimization, two principles that carry growing weight in today’s regulatory environment.
On the study’s own privacy exposure score, the proposed system reduces exposure from 1.48 to 0.31, a reduction of approximately 79%, while also improving the accuracy and reliability of audit evidence. This reinforces that effective compliance is not about adding more controls, but about designing systems that are inherently risk-aware and resilient.
One key aspect of the Manne framework is the concept of selective disclosure. In traditional compliance processes, transaction data is often shared broadly across multiple parties, which increases both risk and inefficiency. By contrast, the framework introduces role-based disclosure of evidence, ensuring that only the minimum amount of data required for a specific function is shared.
This design improves security while also increasing efficiency by reducing unnecessary data handling and processing. It effectively introduces a structured analytical approach that helps bridge the gap between compliance requirements and practical system implementation.
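The token-based relationship model described above (linking payment, refund and dispute records without sensitive identifiers) and the role-based selective disclosure of evidence can be shown together in one small model. The following is an added example written for this page; it is not code from the article or from Manne’s study, and the vault design, record fields, refund control, role names and allow-lists are assumptions chosen for illustration.

```python
"""Token-based linkage of payment, refund and dispute records plus role-based
evidence disclosure. Added illustration for this article, not code from the
article or from Manne's study; PAN, IDs, roles and field sets are assumptions."""
import secrets


class TokenVault:
    """The only component that ever handles a PAN. Tokens are random, not
    derived from the PAN, so a leaked token reveals nothing without the vault."""

    def __init__(self):
        self._pan_to_token, self._token_to_last4 = {}, {}

    def tokenize(self, pan):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 12 <= len(digits) <= 19:
            raise ValueError("PAN length out of range")
        # Same PAN -> same token, so a later refund or dispute ties back to
        # the original payment without the card being presented again.
        if digits not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(16)
            self._pan_to_token[digits] = token
            self._token_to_last4[token] = digits[-4:]
        return self._pan_to_token[digits]

    def last4(self, token):  # the only PAN-derived value released downstream
        return self._token_to_last4[token]


class Ledger:
    """Downstream store: holds tokens and record IDs, never a PAN."""

    def __init__(self):
        self.payments, self.refunds, self.chargebacks = {}, {}, {}

    def add_payment(self, payment_id, token, amount_cents, merchant_id, auth_code):
        self.payments[payment_id] = dict(token=token, amount_cents=amount_cents,
                                         merchant_id=merchant_id, auth_code=auth_code)

    def refunded_cents(self, payment_id):
        return sum(r["amount_cents"] for r in self.refunds.values()
                   if r["payment_id"] == payment_id)

    def add_refund(self, refund_id, payment_id, amount_cents):
        payment = self.payments[payment_id]               # KeyError: orphan refund
        # Control enforced by design: cumulative refunds never exceed the payment.
        if self.refunded_cents(payment_id) + amount_cents > payment["amount_cents"]:
            raise ValueError("refund exceeds original payment")
        self.refunds[refund_id] = dict(payment_id=payment_id, amount_cents=amount_cents)

    def add_chargeback(self, case_id, payment_id, reason_code):
        self.payments[payment_id]                         # KeyError: orphan dispute
        self.chargebacks[case_id] = dict(payment_id=payment_id, reason_code=reason_code)


def build_evidence(ledger, vault, case_id):
    """Full dispute evidence, assembled by following IDs and the token only."""
    cb = ledger.chargebacks[case_id]
    p = ledger.payments[cb["payment_id"]]
    return {
        "case_id": case_id, "reason_code": cb["reason_code"],
        "payment_id": cb["payment_id"], "token": p["token"],
        "card_last4": vault.last4(p["token"]), "amount_cents": p["amount_cents"],
        "refunded_cents": ledger.refunded_cents(cb["payment_id"]),
        "refund_ids": sorted(rid for rid, r in ledger.refunds.items()
                             if r["payment_id"] == cb["payment_id"]),
        "merchant_id": p["merchant_id"], "auth_code": p["auth_code"],
    }


# Selective disclosure: each role sees only the fields its function needs.
# Roles and allow-lists are assumptions for the example; unknown roles get nothing.
DISCLOSURE_POLICY = {
    "merchant_support": {"case_id", "reason_code", "payment_id", "amount_cents",
                         "refunded_cents", "refund_ids"},
    "dispute_analyst": {"case_id", "reason_code", "payment_id", "token", "card_last4",
                        "amount_cents", "refunded_cents", "refund_ids",
                        "merchant_id", "auth_code"},
    "auditor": {"case_id", "payment_id", "token", "amount_cents", "refunded_cents",
                "refund_ids", "merchant_id"},
}


def disclose(evidence, role):
    """Project the evidence onto the role's allow-list (default deny)."""
    return {k: v for k, v in evidence.items() if k in DISCLOSURE_POLICY.get(role, ())}


def demo():
    """Constructed scenario: one payment, two partial refunds, one dispute."""
    vault, ledger = TokenVault(), Ledger()
    token = vault.tokenize("4111 1111 1111 1111")          # well-known test PAN
    ledger.add_payment("pay_001", token, 5000, "merch_42", "A1B2C3")
    ledger.add_refund("ref_001", "pay_001", 1000)
    ledger.add_refund("ref_002", "pay_001", 500)
    ledger.add_chargeback("case_001", "pay_001", "not_recognized")
    return vault, ledger, build_evidence(ledger, vault, "case_001")
```

Calling demo() builds the scenario and returns the full evidence record; disclose(evidence, role) then returns the projection for one role. The PAN exists only inside TokenVault; every downstream record carries the token or a record ID, so the refund total, the dispute and the audit trail are reconstructed by following identifiers rather than by re-reading card data. The refund cap in add_refund is a control enforced by the system’s design rather than by downstream review, and an unknown role receives an empty view rather than a default-allow one.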
Designing systems that effectively balance operational needs with compliance requirements demands more than technology alone, and business analysis is what helps make that alignment possible.
To make this transition, companies should first map their end-to-end compliance processes and identify where sensitive data is accessed, stored or replicated beyond what regulation and compliance management actually require. In most instances, risk comes not from a lack of controls but from outdated data dependencies in processes that were established before current tokenization and privacy tooling was available.
Organizations should focus on reducing unnecessary dependencies on sensitive data through approaches such as tokenization, abstraction and privacy-centric system design. Where appropriate, these methods can limit direct exposure to regulated information while still preserving traceability, operational continuity and compliance effectiveness.
Another critical step is a role-based strategy for sharing data, whereby access is granted on a need-to-know basis. For instance, firms can start by reviewing how they create and distribute audit evidence so that each party receives only the data needed to perform its duties. Firms also benefit from developing robust internal capabilities, especially in business analysis and process redesign, which make it easier to build compliance requirements into systemwide solutions.
This reflects a broader shift in the GRC landscape. As data volumes and digitization continue to grow, the role of the business analyst is evolving from a traditional requirements role into a more enabling, strategic function. The ability to align regulatory requirements with an organization’s system architecture is becoming increasingly critical for both innovation and compliance.
Organizations that continue to treat compliance as a back-office function risk facing escalating challenges in managing risk and adapting to regulatory change. In contrast, those that adopt an architecture-based approach to GRC—supported by strong analytical capabilities—will be better positioned to manage risk, build customer trust and improve operational efficiency. In this context, compliance should not be seen as an obstacle to success, but as a potential source of competitive advantage.
In a token-based economy, trust is no longer defined primarily by policies and controls, but by system design itself—where governance is embedded, risk is reduced by default and compliance evolves alongside technology. Organizations that recognize this shift in paradigm will be the ones that shape the future of GRC.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.