Best Practices in Governance Risk and Compliance

May 24, 2025

Governance, Risk, and Compliance: A New Lens on Best Practices

Introduction

  • Effective GRC (Governance, Risk, and Compliance) is a common goal, but at most companies it remains a work in progress.
  • McKinsey's 2025 Global GRC Benchmarking Survey finds that, despite sustained effort, clear areas for improvement remain.
  • Recurring pain points are limited technology enablement, insufficient resources for oversight, and a shifting regulatory landscape.

Governance Approaches

  • Strategic Board Archetype: 50% of companies follow this model, and 72% have two to five board subcommittees.
  • Board and CEO Authority: The board and CEO hold ultimate approval authority for key decisions on strategy, finance, and risk management.
  • Delegation: Risk and compliance responsibilities are often delegated, and the maturity of these functions tracks the seniority of their heads.
    • 44% report that the head of risk sits more than one level below the CEO.
    • Heads of compliance often sit two levels below the CEO.
  • Documentation Gaps: 93% have a governance framework in place, but many lack formally documented corporate governance procedures.

Risk Management

  • Industry Self-Assessment: Average score of 2.6 out of 4.0; the insurance industry scores highest.
  • Improvement Areas: Risk appetite, stress testing, and board oversight.
    • Life sciences and TLI companies in particular cite stress scenarios as needing improvement.
  • Maturity and Company Size: Larger companies generally report more mature risk management.

Compliance Management

  • Average Score: 2.9 out of 4.0; TLI and advanced industries score lowest, insurance scores highest.
  • Key Areas of Confidence: Compliance risk processes, comprehensive policies, communication of culture, and whistleblowing.
    • 52% describe themselves as leaders in whistleblowing.
  • Common Weakness: Linking the ethics and compliance culture to leadership incentives.
  • Maturity Variation: Larger companies score higher on most compliance metrics.

Observations Across GRC

  • Tooling: Companies often underuse even basic GRC tools and systems.
  • Resource Allocation: Many have fewer than 20 full-time equivalents across their risk and compliance functions.
  • Compensation: Performance-based pay is rarely linked to risk or compliance metrics.

Five Imperatives for GRC Excellence

  1. Set the Tone from the Top: Establish C-level representation for risk and compliance, with appropriate mandates.
  2. Manage Risk Strategically: Integrate the strategic risk perspective with day-to-day operations.
  3. Fix Fundamentals First: Draft a roadmap for a transformative approach, starting with the basics.
  4. Embrace Technology: Use IT and AI to support GRC activities.
  5. Review Incentives: Embed risk and compliance targets in leaders' compensation packages.

Conclusion

  • The McKinsey survey documents real progress in GRC alongside clear areas that still need improvement.
  • Companies are working to address these weaknesses and strengthen their GRC capabilities in preparation for future challenges.