Commissioned by LogicGate
Published May 2024
Executive summary
Governance, risk, and compliance is a team sport — in a league where no two teams look alike. This diversity in team structures, responsibilities, and program resources makes GRC benchmarking across organizations and industries challenging — and objectively evaluating your program strategy even more difficult.
To give GRC leaders a clearer understanding of what “good” GRC looks like, we surveyed 350 risk, cybersecurity, and compliance leaders worldwide about their program objectives, team structures, processes, and technology investments — and mapped their responses to a maturity model to gauge the maturity and success of their GRC programs.
One finding stood out above all others: there is no silver bullet for running an effective GRC program. Good GRC practices are simply good business practices.
Team sizes, responsibilities, processes, and spending varied considerably across organization sizes, industries, and geographies. This suggests GRC leaders should first align their strategy and program to business objectives — and interpret peer benchmarks with several grains of salt.
However, what successful GRC teams did have in common were collaborative processes, strong stakeholder engagement, and integrated data and systems.
