Excellent governance, risk, and compliance (GRC) is a common aspiration, but how often is it a reality? For most companies, GRC is a work in progress, according to McKinsey’s 2025 Global GRC Benchmarking Survey (see sidebar, “Our survey methodology”). Despite efforts to broaden expertise at senior levels, corporate leaders see a “need for improvement” across numerous aspects of all three GRC pillars.
There are many reasons for GRC shortfalls, some of which can be traced back to idiosyncratic factors in how businesses are run. Yet across industries, there are also some common pain points, including limited tech enablement, insufficient resourcing of oversight capabilities, and the challenges of a shifting regulatory landscape.
To understand the dynamics that shape GRC capabilities, we asked 193 corporate leaders to tell us how they structure their governance frameworks, manage risk, and comply with local and regional regulations. The survey responses offer compelling insights into levels of GRC maturity globally and highlight the strategies that some companies are using to build smarter, more effective capabilities.
Governance approaches vary widely
Most companies in our survey understand that dedicated governance frameworks are integral to efficient and effective operations. Fifty percent of respondents have chosen a strategic board archetype, with 72 percent adding between two and five subcommittees. This approach means the board can both take a hands-on approach to governance and draw on a wide range of expertise to manage critical aspects of operations. Indeed, 55 percent of respondents opt for a board with diverse expertise across industries and functions.
At many organizations, the ultimate approval authority for key decisions sits with the board and the CEO, meaning the board is involved in defining and approving matters including strategy (business planning, strategic KPIs, and targets), finance and capital, and risk management frameworks and policy (Exhibit 1). Moreover, a comprehensive board committee structure oversees critical aspects of operations and governance. Shareholders and wider management, meanwhile, play a more limited role.
Boards often delegate specialist responsibilities such as risk management and legal and compliance. In those two areas, 38 percent and 44 percent of respondents, respectively, assign responsibilities to wider management. The same thinking is reflected in reporting lines, with insights from our client work and benchmarking showing that risk and compliance functions at most nonfinancial institutions commonly report to the CFO or chief legal officer (CLO)/group counsel.
The delegation of risk and compliance feeds through to GRC maturity. It is no coincidence that more than two in five institutions (44 percent) tell us that the head of risk is positioned more than one level below the CEO, and that those companies, on average, report less mature risk functions. The general rule is that where the top risk professional has less seniority, the maturity of the risk function is seen as lower. Stress testing, a well-defined risk appetite, and risk-based compensation are three key areas in which less mature organizations have fallen behind.
The same relationship between seniority and maturity is found in the governance of compliance activities, with almost half of institutions (47 percent) saying that the function is managed two levels below the CEO or lower. Again, organizations with lower-ranked heads of compliance score themselves lower on maturity. A minority of compliance heads (38 percent) report to the general counsel or CLO. Still, 75 percent of respondents indicate that a chief compliance officer is responsible for groupwide compliance, while 80 percent say that person can escalate matters directly to the board.
A reliable foundation of good governance is documentation, and 93 percent of survey respondents say they have a framework or policy document in place. That said, many organizations report gaps in coverage. For example, about half of companies (48 percent) have no formal corporate governance procedures, 58 percent do not use manuals, and 53 percent do not keep inventories of board resolutions.
Similar metrics apply to board oversight of governance, with only about half of companies (53 percent) retaining documentation for annual board assessments. In many cases, there may be no assessments at board level, implying significant gaps in performance and change management capabilities.
Risk management: Some industries are ahead of others
On risk management, we asked decision-makers to rate themselves on a range of capabilities necessary to navigate a complex global risk landscape. Across industries, the responses reveal that decision-makers see room for improvement, as evidenced by an average score of 2.6 out of 4.0. The only industry to rate itself as “good” (with a score of 3.2) is insurance, suggesting that financial services may be ahead of other industries following past crises (for example, the 2007–08 financial crisis) and subsequent regulatory actions (Exhibit 2).
Most industries tell us that they need to up their game in strategic risk management, encompassing areas such as risk appetite, stress testing, and board oversight. Sixty-seven percent of companies in life sciences, for example, say that a well-defined risk appetite is either absent, lagging, or in need of improvement, while 54 percent of companies in the travel, logistics, and infrastructure (TLI) sector apply the same three descriptors to their use of stress scenarios. Conversely, industry scores are highest in areas such as having a clear risk taxonomy and making capital allocation decisions (Exhibit 3).
Among other risk categories, five of the eight industries surveyed report challenges in operating a three-lines-of-defense model (with life sciences being the most prominent). Additionally, four in eight profess weakness in self-assessment of risk culture (with insurance, life sciences, and TLI scoring themselves below average).
As companies grow, they not only expand their GRC capabilities but also learn how to sustain that development over time. Larger companies in our survey generally report more mature risk management capabilities than medium-size or smaller companies. Equally, medium-size companies generally rate themselves higher than smaller companies.
Compliance: Zeroing in on a moving target
Across industries, there is room for improvement in compliance management, revealed by an average score of 2.9 out of 4.0 in our survey. TLI and advanced industries report the lowest compliance maturity, while insurance sits at the top of the table with a score of 3.4, again reflecting the heightened regulatory and prudential environment in the financial industry. Global energy and materials (GEM) and technology, media, and telecommunications (TMT) also rate themselves as “good,” with scores of 3.0 or above.
Significant areas for improvement include risk-based approaches for compliance controls, systematic monitoring and reporting, sanctions management, and fulfillment of organizational and supervisory duties by executive management or the board, where advanced industries, consumer, life sciences, and TLI are laggards.
Companies are most confident in six key areas of compliance operations:
- the existence of compliance risk processes and the tailoring of compliance systems
- comprehensive compliance policies and procedures
- regular targeted training
- the existence of a culture of compliance communicated by senior leadership
- the provision of a whistleblowing channel, on which a notable 52 percent of respondents describe themselves as leading (Exhibit 4)
- ownership of effective remediation processes
Conversely, the dimension most often cited as a source of weakness is the extent to which ethics and compliance culture feeds through to leadership incentives and bonus structures. On that count, 68 percent of respondents describe their maturity level as absent, lagging, or in need of improvement.
Larger companies are more confident in their capabilities than their smaller peers. Across 11 compliance metrics, these companies score themselves higher than the industry average on nine metrics. The two metrics on which they underperform are leadership communication of a culture of compliance and whistleblowing.
Observations across GRC
A common pain point highlighted by our survey is that companies are generally failing to use basic GRC tools and systems as effectively as they would like to. For example, in the risk function, 42 percent of respondents across industries say their use of IT and GRC systems “needs improvement.” Fifteen percent say it is absent or lagging.
Most institutions split their GRC resources between a central team and decentralized staff in the business, typically at a ratio between one-to-one and one-to-two (56 percent of respondents in risk). Even so, overall resourcing of GRC functions is quite small in absolute terms. In risk management, 66 percent of respondents have 20 or fewer full-time equivalents (FTEs) in total. Similarly, in compliance, 62 percent of companies say their teams employ fewer than 20 FTEs. These relatively sparse resources are notable given that our survey is focused generally on large organizations.
Companies rarely tie compensation systems (incentives and bonus structures) to risk- or compliance-related performance metrics. Admittedly, there may be some cases in our survey where respondents do not have access to relevant information at senior levels, but a reasonable supposition is that companies are generally yet to implement GRC-related compensation metrics.
Five imperatives for reaching GRC excellence
Leading GRC companies rarely achieve rock-steady capabilities through piecemeal or periodic initiatives. Instead, they rigorously seek out approaches to support excellent decision-making, unlock value creation opportunities, and comply with relevant regulations in their spheres of operations. Here we set out five features that can be a driver of GRC excellence.
Focus on tone from the top and revisit your GRC mandate
The positioning and mandate of the GRC function, and specifically the risk and compliance management functions, are often an indication of maturity level. Where senior decision-makers are less involved, or do not provide an adequate mandate (for example, in the form of a chief risk officer [CRO] or group compliance officer [GCO]), functional maturity tends to be lower. In nonfinancial industries, it is less common for companies to have a C-level mandate for roles such as CROs and GCOs, and the absence of a “seat at the table” feeds through to GRC performance. Establishing appropriate C-level representation and mandates is therefore a first step toward GRC excellence.
The underlying principle is that it is vital to have an adequate “voice of risk” at the executive level. In some instances, this may come through a dedicated CRO or CCO. In others, the CFO or COO may take a lead (with a dedicated CRO reporting to them with direct access to the board). In addition, interactions at the peer level tend to ease engagement and boost the quality of interactions, particularly in key decision-making bodies such as executive committees, where GRC can better contribute if adequately represented.
Adopt a strategic lens, particularly in risk management
Day-to-day management and oversight of GRC functions (managing risks in operations, ensuring adherence to compliance rules and regulations, and following policies of corporate governance) are essential to conducting business in a safe and sound way. But many institutions struggle to complement day-to-day activities with a strategic perspective—for example, failing to apply a top-down approach to risk management through a board-level view of risk appetite and capacity. Forward-looking companies not only do this but embrace activities such as horizon scanning, scenario-based analysis, and stress testing to support their processes. And they train their “foresight muscles” through close alignment between the risk function and the board, underpinned by industry benchmarking and market expertise.
Our survey shows that most risk management functions are still working on the essential building blocks: respondents rate areas such as risk appetite, scenario and stress testing, and involvement in strategic decision-making as “in need of development.” Adding a forward-looking, top-down perspective on risks (particularly those not yet manifested in day-to-day operations) to what is seen daily and reported to supervisors (often in a backward-looking manner) creates a more holistic perspective. It is therefore vital to work on both elements in a balanced way. This will boost the contribution of GRC to strategic decision-making and long-term planning. In our recent experience, climate change and geopolitical developments have led to more investment in scenario and stress testing.
Fix the fundamentals first
Given that the overarching sentiment across GRC is that companies “need improvement,” leaders should consider whether a more transformative approach is required. This would imply drafting a clearly defined road map, implementing focused performance management and change management, and developing capabilities to objectively measure the GRC function’s contribution to tangible value creation over time. For example, has the risk function helped to make a better decision of strategic relevance (for example, safeguarding the value of an acquisition and delivering a major investment project within the specified scope/time and risk envelope), while also presenting evidence that day-to-day risk management leads to sound and resilient operations? We often find that major incidents or scandals trigger a transformative approach. However, forward-looking companies embark on the journey without a trigger.
Embrace technology to complement human expertise at scale
Many companies say they “need to develop” the IT and GRC systems that support their GRC activities, and doing so is an imperative. Many GRC vendors would confirm that their client base uses only a fraction of available features and functionalities, and our survey shows that many companies have yet to establish appropriate systems and tools. It is even more important to double down on technology support, including embracing AI and harnessing the organizational and third-party data available to all organizations.
On smart AI-based tools and agents, many businesses are in a transition phase, but we are confident that in due course there will be numerous applications in GRC. One example would be a gen AI–based policy agent to advise procurement officers on whether sanction policy rules apply to a current supplier, or to inform them of changes in policies. Use cases are already being piloted and will mature over time. Automated and risk-based control testing, as well as smarter and more interactive training on compliance and risk management, offer other avenues where intelligent technology will overcome the limited availability of human resources. Indeed, we are convinced that only a combination of human expertise and smart technologies in GRC will enable companies to tackle the increasingly demanding regulatory and risk environment.
Review incentives and bonus structures to reflect risk and compliance priorities
While companies must prioritize a strong risk and compliance culture, human resources teams and board remuneration committees could help companies improve their oversight by expressly embedding targets into leadership compensation packages. The aim should be to offer incentives for balanced risk/return behaviors, with compensation directly tied to the success of risk-based approaches across the organization. This will also drive consideration of GRC matters at senior levels and in strategic decision-making. We have found this approach to be most effective when complemented with a learning culture—one where learning from mistakes is embraced to continuously improve the company’s business operations and risk management. The mining and airline industries are leading proponents of this.
In a challenging, volatile, and often disruptive environment, there is more pressure than ever on corporate decision-makers to get a strong grip on governance, risk, and compliance. McKinsey’s flagship GRC survey shows that companies are making progress across numerous dimensions but that there is still work to do. Many companies are now addressing their weaknesses and building GRC organizations that combine both strategic oversight and excellent daily operations. The capabilities they create will serve them well on the uncertain road ahead.