Governance, risk, and compliance: A new lens on best practices

Excellent governance, risk, and compliance (GRC) is a common aspiration, but how often is it a reality? For most companies, GRC is a work in progress, according to McKinsey’s 2025 Global GRC Benchmarking Survey. Despite efforts to broaden expertise at senior levels, corporate leaders see a “need for improvement” across numerous aspects of all three GRC pillars.

There are many reasons for GRC shortfalls, some of which can be traced back to idiosyncratic factors in how businesses are run. Yet across industries, there are also some common pain points, including limited tech enablement, insufficient resourcing of oversight capabilities, and the challenges of a shifting regulatory.

To understand the dynamics that shape GRC capabilities, the authors asked 193 corporate leaders to tell them how they structure their governance frameworks, manage risk, and comply with local and regional regulations. The survey responses offer compelling insights into levels of GRC maturity globally and highlight the strategies that some companies are using to build smarter, more effective capabilities.

Governance approaches vary widely.  Most companies in our survey understand that dedicated governance frameworks are integral to efficient and effective operations. Fifty percent of respondents have chosen a strategic board archetype, with 72 percent adding between two and five subcommittees. This approach means the board can both take a hands-on approach to governance and draw on a wide range of expertise to manage critical aspects of operations. Indeed, 55 percent of respondents opt for a board with diverse expertise across industries and functions.

Risk management: Some industries are ahead of others.  Across industries, the responses reveal that decision-makers see room for improvement, as evidenced by an average score of 2.6 out of 4.0. The only industry to rate itself as “good” (with a score of 3.2) is insurance, suggesting that financial services may be ahead of other industries following past crises (for example, the 2007–08 financial crisis) and subsequent regulatory actions. Most industries tell us that they need to up their game in strategic risk management, encompassing areas such as risk appetite, stress testing, and board oversight. Sixty-seven percent of companies in life sciences, for example, say that a well-defined risk appetite is either absent, lagging, or in need of improvement, while 54 percent of companies in the travel, logistics, and infrastructure (TLI) sector apply the same three descriptors to their use of stress scenarios.

A common pain point highlighted by the survey is that companies are generally failing to use basic GRC tools and systems as effectively as they would like to.

Leading GRC companies rarely achieve rock-steady capabilities through piecemeal or periodic initiatives. Instead, they rigorously seek out approaches to support excellent decision-making, unlock value creation opportunities, and comply with relevant regulations in their spheres of operations. Here we set out five features that can be a driver of GRC excellence.  Focus on tone from the top and revisit your GRC mandate.  Adopt a strategic lens, particularly in risk management.  Fix the fundamentals first.  Embrace technology to complement human expertise at scale.  And review incentives and bonus structures to reflect risk and compliance priorities.

show less