
State of GRC Management Report exposes gaps in GRC maturity, data, and organizational management

PORTLAND, Ore. — October 25, 2023. NAVEX, the leader in integrated risk and compliance management software, today announced the publication of its inaugural 2023 State of Governance, Risk and Compliance Management Report. The data, based on a commissioned study conducted by Forrester Consulting on behalf of NAVEX, exposes the major obstacles governance, risk, and compliance (GRC) decision makers face, as well as the gaps in GRC maturity, data, and organizational management. Nearly all of the more than 300 industry leaders surveyed at European and North American organizations think artificial intelligence (AI) could improve the performance of their GRC programs.

“An effective GRC program should analyze data in a way that enables prediction and mitigation of potential business risks. Given the increasing complexity of both business challenges and regulatory requirements, risk management programs must become increasingly digitized and automated. The next logical step is to incorporate AI tools,” said A.G. Lambert, Chief Product Officer at NAVEX. “This research shows that mature GRC programs emphasize automation and the holistic integration of data, with several business functions contributing to and deriving insights from it.”

Forrester Consulting’s data suggests a strong GRC program is important to meeting today’s top business goals. Although “integrated GRC” is a widely used term, in practice GRC analysis and insight are still highly manual and hindered by data silos. The report argues that a comprehensive, integrated, AI-powered system to view, analyze, and report on GRC data would help organizations break down these silos, analyze data more effectively, and automate control monitoring and compliance review.

Key Findings:

  • GRC program obstacles: Although many respondents indicate they are moving towards implementing a comprehensive, enterprise-wide GRC program, more than one in three reported facing obstacles, chiefly a lack of financial resources (37%), a lack of common understanding of organizational risk (37%), and a lack of cross-functional accountability (36%).
  • AI to play a crucial role in GRC programs of the future: Nearly all respondents (98%) said they believe AI could improve the performance of their GRC program, as it is seen as an enabler of operational improvements. The top two use cases, each highlighted by 55% of respondents, were “incident management data collection” and “efficient integration of relevant risk and compliance data into reports.” The report expects predictive AI to help organizations and GRC programs break down data silos and so drive more efficient and timely data analysis. However, the survey findings indicate that most organizations are still somewhat hesitant to adopt AI: 57% expect to incorporate some aspects of AI into their GRC program in the near future, and the vast majority (92%) said they believe AI will be incorporated to some degree into GRC program management within the next one to three years.
  • Data analysis leaves room for improvement: Asked to describe the level of technological/digital maturity of their organization’s program, 64% responded either “significantly” or “comprehensively” automated. Yet, when asked how the data used in the GRC program is integrated for the purpose of analysis, only 26% said their organization has automated systems where data is collected, integrated, and stored. This suggests that many programs, even those that are sophisticated in the collection of GRC data, have room to mature in putting that data into practice. More than 8 in 10 respondents reported that their organization faced one or several challenges in data collection, storage, analysis, or reporting. Nearly half of respondents (47%) cited “legacy tools and technology with limited functionality and integration capabilities” among those challenges.
  • Digital transformation and GRC program centralization: GRC programs described as “significantly” or “comprehensively” automated are more likely to be managed by a single department than GRC programs that have not undergone a digital transformation (45% versus 28%). The report reads this as an association between digitization, centralization, and program maturity. Forty-one percent of respondents said “responsibility is spread across multiple functional areas, but the data is collected, analyzed, and reported by one department.” Another 39% said management of the overall GRC program sits within a single function or department (e.g., compliance, legal, HR). The remaining 20% said responsibility is spread across multiple departments and geographies, with data analyzed and reported separately.

“GRC is a strategic business enabler, providing executives with a comprehensive, actionable view of risk and risk mitigation. Yet, the majority of those surveyed for this report said their access to GRC data is fragmented, making it difficult to gain a holistic view of the organization’s risk management challenges and successes,” said Carrie Penman, NAVEX Chief Risk & Compliance Officer. “Organizations that successfully identify, integrate, and analyze GRC-relevant data from across the business will gain insight that will empower them to drive distinct competitive advantage.”

To learn more, download the full report here.

About the 2023 State of Governance, Risk and Compliance Management Report

NAVEX commissioned Forrester Consulting to survey more than 300 GRC program decision makers at North American and European organizations. Respondents represented organizations from 1,000 to more than 20,000 employees and spanned industries including retail, travel and hospitality, manufacturing, business services, education and non-profit, financial services and insurance, and healthcare. Separately, the NAVEX data science team analyzed incident management benchmarking metrics for customer organizations using the NAVEX One platform, including customers that had added either one additional service (two in total) or more additional functions (three or more in total) on the platform. The three cohorts in this study had roughly the same mean number of employees, around 15,000.

About NAVEX

NAVEX is trusted by thousands of customers worldwide to help them achieve the business outcomes that matter most. As the global leader in integrated risk and compliance management software and services, we deliver our solutions through the NAVEX One platform, the industry’s most comprehensive governance, risk, and compliance (GRC) information system.