When lawyers manage GRC projects: success or disaster?
GRC projects need skilled and experienced project and programme managers to ensure compliance, mitigate risks, and drive success. Without proper expertise and support, failure is inevitable.
Programme Maturity Assessments | Data Protection Leadership | Governance | Project Management
Tim Clements
2/25/2025 · 5 min read


GRC projects are becoming more common and critical in most companies. They define how businesses comply with laws that shape entire industries: AI governance for the EU AI Act, data protection for GDPR, and protecting critical infrastructure for NIS2 are just a few examples. But too often, these projects are managed by people who lack the necessary expertise in project and programme management, leading to delays, failures, and even regulatory non-compliance.
In this post I am discussing project and programme management, not project and programme leadership - related but different disciplines that often require different profiles.
About 10 years ago, an experienced Danish lawyer emphasised to me that legal advice should only be given by a lawyer, and I totally agree. She had seen too many disasters caused by unqualified people stepping into roles they weren’t trained for. And yet, in many GRC projects, the same principle often doesn’t apply. Project and programme management is a profession in its own right, with its own frameworks, methodologies, and best practices. Assigning a GRC project, e.g. covering AI governance, to someone without the right skills is like asking a junior paralegal to lead a mission-critical litigation case - it’s a recipe for disaster.
Project and programme management is a team sport
Project and programme management is not a solo endeavour, it’s a team sport. Successful execution requires the right mix of skills and subject matter expertise. An AI governance project, for example, needs deep AI governance knowledge, but that doesn’t mean a technical AI expert should be managing the project, unless they also have strong project management experience. Management is its own discipline, and experience in it is essential.
In my early days as a project manager, I was out of my depth. It’s not a nice feeling, and more importantly, it’s dangerous for the company. Throwing someone in at the deep end without proper support can lead to costly mistakes, inefficiencies, and even compliance failures. If you’ve already appointed an inexperienced person in a project or programme management role, don’t leave them to sink or swim, give them the support they need. Pair them with an experienced mentor or provide structured guidance.
Misconceptions about project management
Despite its complexity, project management is often underestimated. A lawyer once told me that managing a project is just about staying on top of people, making sure they do as they’re told, and following up every week. If only it were that simple. Good project and programme management is about much more than tracking tasks, it’s about strategic planning, risk mitigation, stakeholder alignment, and ensuring that the right outcomes are achieved within constraints of time, cost, and quality. I could break down each of those terms to show how broad they really are, but that's for a future post.
A head of information security in a global corporation once dismissed assumptions management as too abstract. He couldn't accept that implementation planning could begin before he had the IS policies written and approved. Ignoring assumptions management is akin to building a house on shifting sand. I saw similar comments on LinkedIn from a prominent lawyer who ridiculed others for starting their planning before the EU AI Act was approved. That was a big mistake in his eyes.
A head of HR once told me she didn’t have the time to document her plan, and it didn't matter anyway, because everything was in her head. That might work for a small initiative, but not for a multi-faceted GRC project where documentation, traceability, and structured communication are essential. A lack of planning leads to confusion, inefficiency, and missed deadlines.
Then there’s the tech leader who said he would let his organisation figure out ‘in the line’ how to address a damning audit report that had the CFO’s attention. Imagine trying to wing a response to regulators or auditors without a structured plan. Hoping things will somehow resolve themselves is not a strategy, it’s a liability.
Do people understand what a project or programme actually is?
One fundamental challenge is that many people who are given the responsibility to 'comply with the EU AI Act' don’t fully grasp the difference between a project and a programme. A project is a temporary endeavour to create a unique product, service, or result, while a programme is a collection of related projects managed in a coordinated manner to achieve benefits that wouldn’t be possible if managed individually. Regulatory compliance isn’t just about completing a single task or producing a report, it requires strategic alignment across multiple projects, functions, and stakeholders.
The hard questions every company should ask
Before handing a GRC project to an internal colleague who ‘will figure it out,’ companies should provide sufficient education and/or support so the person who'll be managing the project knows:
What is the difference between a project risk and a project issue
What estimating technique is being used
What project methodology is being followed
How to estimate and define the scope, effort, and cost of their project
How to build a realistic schedule that accounts for dependencies and risks
How to monitor progress and adjust based on actual performance
How to manage organisational change and ensure lasting compliance, not just short-term fixes
How to ensure effective communication across multiple stakeholder groups
The difference between leadership and management in a project context
These are just a few examples, there are so many other important disciplines, and without this knowledge and expertise, your projects are at risk of failure before they even begin.
The value of experienced project and programme managers
Bringing in qualified or experienced project and programme managers doesn’t just ensure smooth execution, it dramatically increases the likelihood of success. They provide structure, accountability, and a disciplined approach to execution. They align stakeholders, manage risks, and drive projects to completion in a way that ensures compliance, mitigates exposure, and optimises business outcomes.
Would you let someone without legal training draft a complex contract? Would you trust an unqualified person to run financial audits? Then why leave GRC projects in the hands of people without project and programme management expertise?
If you’ve already appointed an inexperienced person to a critical role, support them. Give them access to mentorship and expert guidance.
At Purpose and Means, we provide exactly this kind of support, helping companies bridge the gap between intent and execution. Our services ensure that change initiatives succeed, not just survive. Purpose and Means also performs project and programme reviews, helping organisations identify gaps and optimise their approach for better outcomes, and in extreme cases we can help turn around troubled projects, using approaches and strategies that cut through.
These days, failure is not an option. Success demands leadership, structure, and the right skills in the right roles. If companies want to meet their regulatory obligations without unnecessary pain, they must stop treating project management as an afterthought, and start seeing it as a strategic advantage.
Did this resonate? Feel free to get in touch to arrange a no obligation call to discuss your requirements.
Purpose and Means
Helping compliance leaders turn digital complexity into clear, actionable strategies
Based in Copenhagen, operating globally
tc@purposeandmeans.io
+45 6113 6106
© 2025. All rights reserved.