Governance, risk, and compliance: A new lens on best practices Admin May 16, 2025

Excellent governance, risk, and compliance (GRC) is a common aspiration, but how often is it a reality? For most companies, GRC is a work in progress, according to McKinsey’s 2025 Global GRC Benchmarking Survey (see sidebar, “Our survey methodology”). Despite efforts to broaden expertise at senior levels, corporate leaders see a “need for improvement” across numerous aspects of all three GRC pillars.

There are many reasons for GRC shortfalls, some of which can be traced back to idiosyncratic factors in how businesses are run. Yet across industries, there are also some common pain points, including limited tech enablement, insufficient resourcing of oversight capabilities, and the challenges of a shifting regulatory landscape.

To understand the dynamics that shape GRC capabilities, we asked 193 corporate leaders to tell us how they structure their governance frameworks, manage risk, and comply with local and regional regulations. The survey responses offer compelling insights into levels of GRC maturity globally and highlight the strategies that some companies are using to build smarter, more effective capabilities.

Governance approaches vary widely

Most companies in our survey understand that dedicated governance frameworks are integral to efficient and effective operations. Fifty percent of respondents have chosen a strategic board archetype, with 72 percent adding between two and five subcommittees. This approach means the board can both take a hands-on approach to governance and draw on a wide range of expertise to manage critical aspects of operations. Indeed, 55 percent of respondents opt for a board with diverse expertise across industries and functions.

At many organizations, the ultimate approval authority for key decisions sits with the board and the CEO, meaning the board is involved in defining and approving matters including strategy (business planning, strategic KPIs, and targets), finance and capital, and risk management frameworks and policy (Exhibit 1). Moreover, a comprehensive board committee structure oversees critical aspects of operations and governance. Shareholders and wider management, meanwhile, play a more limited role.

Boards often delegate specialist responsibilities such as risk management, legal, and compliance. In those two areas, 38 percent and 44 percent of respondents, respectively, assign responsibilities to wider management. The same thinking is reflected in reporting lines, with insights from our client work and benchmarking showing that risk and compliance functions at most nonfinancial institutions commonly report to the CFO or chief legal officer (CLO)/group counsel.

The delegation of risk and compliance feeds through to GRC maturity. It is no coincidence that almost half of institutions (44 percent) tell us that the head of risk is positioned more than one level below the CEO and that those companies, on average, report less mature risk functions. The general rule is that where the top risk professional has less seniority, the maturity of the risk function is seen as lower. Stress testing, a well-defined risk appetite, and risk-based compensation are three key areas in which less mature organizations have fallen behind.

The same relationship between seniority and maturity is found in the governance of compliance activities, with almost half of institutions (47 percent) saying that the function is managed at two levels below the CEO or lower. Again, organizations with lower-ranked heads of compliance score themselves lower on maturity. A minority of compliance heads (38 percent) report to the general counsel or CLO. Still, 75 percent of respondents indicate that a chief compliance officer is responsible for groupwide compliance, while 80 percent say that person can escalate matters directly to the board.

A reliable foundation of good governance is documentation, and 93 percent of survey respondents say they have a framework or policy document in place. That said, many organizations report gaps in coverage. For example, about half of companies (48 percent) have no formal corporate governance procedures, 58 percent do not use manuals, and 53 percent do not keep inventories of board resolutions.

Risk management: Some industries are ahead of others

On risk management, we asked decision-makers to rate themselves on a range of capabilities necessary to navigate a complex global risk landscape. Across industries, the responses reveal that decision-makers see room for improvement, as evidenced by an average score of 2.6 out of 4.0. The only industry to rate itself as “good” (with a score of 3.2) is insurance, suggesting that financial services may be ahead of other industries following past crises (for example, the 2007–08 financial crisis) and subsequent regulatory actions.

Most industries tell us that they need to up their game in strategic risk management, encompassing areas such as risk appetite, stress testing, and board oversight. Sixty-seven percent of companies in life sciences, for example, say that a well-defined risk appetite is either absent, lagging, or in need of improvement, while 54 percent of companies in the travel, logistics, and infrastructure (TLI) sector apply the same three descriptors to their use of stress scenarios. Conversely, industry scores are highest in areas such as having a clear risk taxonomy and making capital allocation decisions.

Among other risk categories, five of the eight industries surveyed report challenges in operating a three-lines-of-defense model (with life sciences being the most prominent). Additionally, four in eight profess weakness in self-assessment of risk culture (with insurance, life sciences, and TLI scoring themselves below average).

As companies grow, they don’t only expand their GRC capabilities. They also learn how to continue that development over time. Larger companies in our survey generally report more mature risk management capabilities than medium-size or smaller companies. Equally, medium-size companies generally rate themselves higher than smaller companies.

Compliance: Zeroing in on a moving target

Across industries, there is room for improvement in compliance management, revealed by an average score of 2.9 out of 4.0 in our survey. TLI and advanced industries report the lowest compliance maturity, while insurance sits at the top of the table with a score of 3.4, again reflecting the heightened regulatory and prudential environment in the financial industry. Global energy and materials and technology, media, and telecommunications (TMT) also rate themselves as “good,” with scores of 3.0 or above.

Significant areas for improvement include risk-based approaches for compliance controls, systematic monitoring and reporting, sanctions management, and fulfillment of organizational and supervisory duties by executive management or the board, where advanced industries, consumer, life sciences, and TLI are laggards.

Companies are most confident in six key areas of compliance operations:

  • the existence of compliance risk processes and the tailoring of compliance systems
  • comprehensive compliance policies and procedures
  • regular targeted training
  • the existence of a culture of compliance communicated by senior leadership
  • the provision of a whistleblowing channel, on which a notable 52 percent of respondents describe themselves as leading (Exhibit 4)
  • ownership of effective remediation processes

Conversely, the dimension most often cited as a source of weakness is the extent to which ethics and compliance culture feeds through to leadership incentives and bonus structures. On that count, 68 percent of respondents describe their maturity level as absent, lagging, or in need of improvement.

Larger companies are more confident in their capabilities than their smaller peers. Across 11 compliance metrics, these companies score themselves higher than the industry average on nine metrics. The two metrics on which they underperform are leadership communication of a culture of compliance and whistleblowing.

Observations across GRC

A common pain point highlighted by our survey is that companies are generally failing to use basic GRC tools and systems as effectively as they would like to. For example, in the risk function, 42 percent of respondents across industries say their use of IT and GRC systems “needs improvement.” Fifteen percent say it is absent or lagging.

While most institutions split GRC resources between centralized and decentralized teams, with a ratio between one-to-one and one-to-two (56 percent in risk), overall resourcing of GRC functions is quite small in absolute terms. In risk management, 66 percent of respondents have 20 or fewer full-time equivalents (FTEs) in total. Similarly, in compliance, 62 percent of companies say their teams employ fewer than 20 FTEs. These relatively sparse resources are notable, even though our survey is focused generally on large organizations.

Companies rarely tie compensation systems (incentives and bonus structures) to risk- or compliance-related performance metrics. Admittedly, there may be some cases in our survey where respondents do not have access to relevant information at senior levels, but a reasonable supposition is that companies are generally yet to implement GRC-related compensation metrics.

Five imperatives for reaching GRC excellence

Leading GRC companies rarely achieve rock-steady capabilities through piecemeal or periodic initiatives. Instead, they rigorously seek out approaches to support excellent decision-making, unlock value creation opportunities, and comply with relevant regulations in their spheres of operations. Here we set out five features that can be a driver of GRC excellence.

Read more at: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/governance-risk-and-compliance-a-new-lens-on-best-practices

Source: McKinsey & Company, Risk and Resilience