Foreword
2024 was a milestone year for governance, risk, and compliance (GRC). As companies grappled with increasing regulatory demands, growing stakeholder expectations, and an ever-expanding risk landscape, the importance of GRC programs rose to prominence. This push resulted from several drivers, including new government regulations like the Digital Operational Resilience Act (DORA) and NIS2. Meanwhile, tech stack overlaps at companies and reliance on vendors continue to deepen, causing third-party risk to expand. Regulatory bodies in the US also continued to expand their oversight of cybersecurity practices, requiring organizations to demonstrate proactive risk management. We anticipate the regulatory climate in the United States will be more complex in 2025.
Increasing AI adoption also added complexity to the equation due to emerging risks like cybersecurity threats, ethical concerns, and potential operational disruptions. Organizations found themselves needing to mature their GRC programs and provide the frameworks needed to manage these risks while enabling innovation. As a result, GRC is no longer seen as a back-office function — it is a public-facing responsibility that influences brand reputation and your ability to land and expand new markets.
So, what’s the impact for 2025?
The findings of this survey reflect a decisive trend: organizations are responding to the changes seen in 2024 and making deliberate efforts to mature their GRC practices, not just for compliance but as a strategic imperative for long-term resilience and success. From integrating technology solutions that centralize risk and compliance activities to fostering cross-functional collaboration and embedding a culture of accountability, these efforts are reshaping the GRC space. Our findings highlight a shift in perspective within the market: GRC teams are looking to mature their practices, which are no longer seen as a checkbox exercise but as a driver of operational excellence and strategic growth.
As you explore the insights provided in this report, we invite you to consider how these trends align with your own organization’s journey, especially in the coming year. Whether you are in the early stages of building a GRC program or refining a well-established program, there is much to learn from the collective experience of your peers. Together, we have an opportunity to elevate the role of GRC in shaping a more resilient, responsible, and forward-looking business environment.
Learn About:
- GRC Programs Are Maturing
- Framework Adoption Trends
- How Organizations Address GRC Tasks
- Third-Party Risk: The Ever-Expanding Threat Vector
- Budgeting: How Much Are Companies Investing in GRC and Security?
- Who Is Responsible for GRC?