Despite increasing budgets and board-level support, GRC programs continue to underperform. Nearly 50% of professionals, according to a Drata 2025 study that polled the perspectives of 300 US IT and security professionals at companies with 250 to 1,500 employees, struggle to keep up with evolving compliance requirements. Additionally, 96% report that high-profile breaches and fines have their roots in GRC’s weaknesses. Sadly, most cybersecurity teams continue to turn a blind eye at GRC glaring gaps, while placing exaggerated faith in flashy technologies.
There are many reasons GRC systems fail, but in my more than two decades experience, there are three stubborn ones.
- Siloed approach – Risk, compliance and auditing are all conducted independently, which results in duplicated efforts, inefficiency and huge burden on frontline teams.
- Reactive approach – In most instances, GRC is only activated after a high-impact incident, rather than being baked into business operations.
- Manual procedures – Excessive reliance on spreadsheets and dated tools that are fragmented leads to errors and fatigue. This issue was corroborated by the Drata survey cited above, which revealed that 28% of GRC processes are still manual.
These endemic loopholes expose companies to regulatory fines, reputational damage and huge dents to the bottom line. High-profile examples abound. In June 2025, the Dutch Central Bank fined ABN AMRO €15 million for continuing to pay bonuses to second-tier managers, despite a regulatory ban. ABN Amro’s actions were considered a brazen violation of accountability, not a simple oversight. Yet, the Dutch financial giant is not alone in making these missteps. In January 2025, Bayview Asset Management, a Florida-based firm, was fined £20 million by state regulators for cybersecurity failures that exposed the data of 5.8 million customers and for obscuring regulatory investigations.
These examples reinforce a critical truth: successful GRC is more than checklists and technical controls. Effective GRC implementation hinges on three critical factors.
- Clear accountability and documentation across technical, legal and board levels
- Robust, repeatable process for incident detection, response and regulatory communication
- Governance structures that enforce timely and accurate disclosure of critical risks
Fixing Broken GRC Processes
In the next section, I will share three practical strategies you can deploy to boost the effectiveness of your GRC processes at a fraction of the cost.
- Embed Individual Accountability
Problem: When ownership is obscure, compliance obligations will inevitably fall through the gaps.
Solution: Create an Individual Accountability Framework (IAF) that holds a C-level executive accountable for bringing specific, high-rated risks to within board-approved appetite. This also sends a clear message to operational teams that top executives take risk governance seriously and are willing to walk the talk. Additionally, tying key risk mitigation activities into key performance indicators pushes senior executives beyond the call of duty to do the right thing.
Illustrative example: The organization identified key risk owners (e.g., the CISO, for uplifting supply chain cyber risk posture, or the CIO for decommissioning legacy platforms by migrating them from an on-premises data center to Amazon Web Services), and then translate these into measurable KPIs, oversighted by the risk governance committee.
- Integrate and Automate GRC Platforms
Problem: Fragmented tools and manual processes create blind spots and inefficiencies.
Solution: Deploy a single, integrated GRC platform (e.g., ServiceNow, AuditBoard) to unify policy management, control testing, incident tracking and vendor risk. Automating repetitive GRC tasks frees up your risk and compliance teams to focus on high-value initiatives like proactive risk assessments, control design improvements, and board-level reporting.
Illustrative Example: A financial services organisation implemented ServiceNow GRC to automate mundane tasks like policy attestations, control evidence collection and user access reviews. This automation reduced manual workload by 40%, enabling the compliance team to shift focus toward strengthening third-party risk assessments and improving the quality of board-level cyber risk dashboards, all overseen by the enterprise risk committee.
- Use AI for Regulatory Intelligence
Problem: Manual tracking of regulatory change is slow, error-prone and painstakingly difficult.
Solution: Adopt AI-powered regulatory intelligence tools that scan legal sources, extract obligations, map to internal controls and escalate action items.
Illustrative example: An investment management firm deployed an AI-driven compliance engine to automatically map regulatory requirements (e.g., GDPR, CPS 234, NIST CSF) to internal controls and flag potential gaps in real time. This reduced manual regulatory tracking efforts by 60% and allowed the risk team to focus on advising business units during digital transformation initiatives under the oversight of the Risk and Compliance Committee.
The following table summarizes these three game-changing steps you can use to improve GRC effectiveness.
Strategic GRC Roadmap
| Strategy | Action Steps | Business Impact |
|---|---|---|
|
Robust Accountability |
Assign risk remediation ownership to executives with decision-making authority, embed actions into KPIs and hold them accountable at executive and board levels. |
Clear oversight, faster risk remediation and cleaner assurance reviews. |
|
Platform Integration |
Automate policy, risk, control workflows and any other mundane work. |
Efficiency, cost reduction, reduced duplication and motivated risk management teams. |
|
AI Regulatory Intelligence |
Implement continuous AI monitoring |
Proactive compliance, early warning stronger readiness |
Avoid GRC Failure
Most GRC failures stem from cultural, structural and process weaknesses. The high-profile examples cited above underscore the seriousness of the issue. However, by elevating risk ownership high up the chain of command, dismantling silos through automation and embracing AI, leaders can transform GRC from a reactive cost center into a strategic business enabler.
