GRC solutions are no longer just tools for meeting regulatory requirements — they’ve become critical drivers of strategic decision-making and competitive advantage. L.E.K. Consulting’s latest analysis reveals a growing GRC market in the U.S. and Western Europe, driven by intensifying regulations, complex risk environments and rising demand for integrated platforms that can operate as the true system of record for organization-wide risk.
For corporate leaders and investors, penalties for noncompliance continue to rise, both within and outside heavily regulated sectors such as banking, financial services and insurance (BFSI); healthcare; and energy. Recent consequential incidents across these industries highlight lapses in compliance controls.
The collapse of Silicon Valley Bank was driven in part by a failure to manage interest rate and liquidity risk, as well as governance issues. Elsewhere, U.S. financial institutions incurred substantial fines for anti-money laundering and Know Your Customer (KYC) violations in the first half of 2023, including a $98 million penalty for Wells Fargo for processing $532 million in prohibited transactions due to insufficient oversight of sanctions compliance.
Noncompliance with healthcare regulations, such as the False Claims Act, can result in severe penalties and reputational damage. For instance, Walgreens was fined $107 million in September 2024 for failing to audit its pharmacy management system, leading to unintentional billing of government healthcare programs for uncollected prescriptions.
Such issues are not solely the domain of BFSI and healthcare; FirstEnergy recently paid $100 million to settle a Securities and Exchange Commission investigation that involved bribery charges, including misrepresentations to investors and failure to disclose material related-party transactions.
The GRC conversation extends beyond these industries and straightforward regulatory adherence. GRC increasingly involves identifying opportunities to sustain and enhance competitiveness and to future-proof organizations. The GRC software market in the U.S. and Western Europe represents several billion dollars in annual spend, with growth driven by increasing regulatory demands and the need for comprehensive risk management solutions.
How is GRC defined?
GRC is a structured framework that manages an organization’s approach to governance, risk management and compliance, covering both business and cyber use cases.
Business domain: GRC in business operations encompasses four key areas:
- Risk management: Identifies, assesses, monitors and mitigates risks by capturing and aggregating risk data and applying consistent management methodologies to reduce exposure and financial impact
- Compliance management: Manages policies and evaluates compliance processes against regulatory standards, streamlining the capture, documentation and investigation of compliance cases
- Audit management: Enhances internal audit processes, including planning, data management and issue tracking, to ensure successful audits and resolution of findings
- Third-party risk management: Assesses and monitors business partners and suppliers for performance, security and compliance through due diligence, onboarding and real-time risk monitoring
Cyber domain: GRC in the cyber domain includes information technology (IT) and cyber risk management and compliance to safeguard data, IT assets and processes.
- IT and cyber risk management: Manages IT and cyber risks by defining and tracking risks, assets and controls; includes mapping assets to security risks and using quantification models to simulate and calculate potential financial impacts
- IT and cyber compliance: Establishes and enforces systematic IT and cybersecurity policies across business units, enabling efficient compliance management and monitoring of assets, frameworks and standards
Key drivers of GRC solution adoption
Regulatory pressures
One of the primary forces driving the GRC market is the growing regulatory burden on both sides of the Atlantic. Europe is leading, with stringent regulations such as the U.K.’s 2024 Sarbanes-Oxley equivalent, the Corporate Governance Code (or “UK SOX”); the German Corporate Sustainability Due Diligence Directive, known as CS3D; and the EU’s Network and Information Systems Directive II, known as NIS2, all of which require enhanced monitoring, reporting and compliance measures. Additionally, the number of regulations has surged in the U.S., where federal regulatory restrictions in sectors such as finance have nearly doubled since 2010 (see Figure 1).