Lessons From the Court: What Coaching Youth Basketball Taught Me About GRC

There is a moment in every youth basketball practice when everything clicks. A kid who has been throwing up wild shots for weeks suddenly squares up, sets his feet and drains a jumper. It is a small thing, maybe, but it is the product of discipline and repetition. And it is, I have come to believe, the exact same process that makes governance, risk and compliance work inside a small or midsized business.

I have spent my career building compliance programmes and governance frameworks for organisations that do not have the luxury of Fortune 500 budgets. The work is technical, often tedious, and absolutely critical. But the clearest lessons I have learned about doing it well did not come from an audit report or a NIST publication. They came from a gymnasium full of 10-year-olds.

Never Fire on the Go

The first thing you teach a young player is to stop moving before taking a shot. Kids want to launch the ball while sprinting toward the basket because the game feels urgent and they are afraid someone will take the opportunity away. The result is predictable: the shot sails wide, the fundamentals collapse, and they wonder what went wrong.

SMBs make the same mistake with compliance. A new regulation drops or a vendor sends over a security questionnaire, and the instinct is to react immediately. Someone throws together a policy document on the fly. Controls get implemented without mapping them to actual risk. The organisation fires on the go, and the shot misses.

The fix is the same on the court and in the boardroom. Set your feet. Establish your base. In GRC terms, that means having a governance framework in place before the pressure arrives. It means your risk register exists before the audit notice, not after. It means your policies are written, reviewed and approved as a matter of routine, not crisis response.

You cannot hit a target you are rushing past. Stop. Square up. Then shoot.

Even When They Double Down, Shoot Anyway

Every young player encounters the moment when a defender gets in his face. Sometimes two defenders collapse on him. The natural reaction is to pass the ball, pull back or simply freeze. But the coached response, the disciplined response, is to take the shot anyway. Not recklessly. With technique, with confidence, and with the understanding that the defence is trying to intimidate you out of doing what you trained to do.

Organisations face the same pressure in compliance. A regulatory requirement feels onerous. A framework mapping exercise reveals uncomfortable gaps. An executive pushes back on the cost of a control implementation, or a department resists a new policy because "we have always done it this way." The adversary doubles down.

The temptation is to soften the programme. Water down the policy language. Grant exceptions that become permanent. Defer the remediation to next quarter, and then the quarter after that. But the risk does not defer itself. The threat landscape does not wait for your organisation to feel comfortable.

Shoot anyway. Present the findings. Enforce the policy. Document the risk acceptance if leadership chooses a different path, but do not let pressure talk you out of doing the work. The defenders are supposed to make it hard. That is their job. Yours is to take the shot with good form regardless.

Run Your Plays

The least glamorous part of coaching is running the same play 50 times in practice. Kids want to improvise. They want to freelance. And occasionally, a talented player can get away with it. But talent without structure is unreliable, and unreliable is a losing strategy over a full season.

The plays exist for a reason. When every player knows where to be and when to be there, the offence flows. When the point guard calls "32" and everyone cuts to the right spot, the open look appears almost like magic. It is not magic. It is muscle memory. It is the product of doing the boring work so many times that the right response becomes automatic.

GRC programmes work the same way. The policy review cycle is a play. The incident response plan is a play. The quarterly risk assessment, the access review, the vendor evaluation, these are all plays. They are not exciting. Nobody wins an award for completing a tabletop exercise on schedule. But when the real incident hits, when the auditor arrives, when the breach notification clock starts ticking, the organisation that has run its plays responds with precision. The organisation that freelanced responds with panic.

Muscle memory is not just a physical phenomenon. It is organisational. Every time your team executes a process the same disciplined way, you are building the reflexes that will carry you through the moments that matter most.

The Buzzer

Youth basketball is not really about basketball. It is about teaching young people that discipline, preparation and composure under pressure are transferable skills. They will use those lessons long after they forget the plays.

GRC is not really about compliance, either. It is about building organisations that can absorb pressure, respond to adversity and execute with consistency. The frameworks and controls are just the mechanics. The real programme lives in the culture you build around them.

Set your feet. Take the shot. Run your plays.

The fundamentals win games. They also pass audits.