Volume XXVI, Issue 65

GRC solutions are no longer just tools for meeting regulatory requirements — they’ve become critical drivers of strategic decision-making and competitive advantage. L.E.K. Consulting’s latest analysis reveals a growing GRC market in the U.S. and Western Europe, driven by intensifying regulations, complex risk environments and rising demand for integrated platforms that can operate as the true system of record for organization-wide risk.

For corporate leaders and investors, penalties for noncompliance continue to rise, both within and outside heavily regulated sectors such as banking, financial services and insurance (BFSI); healthcare; and energy. Recent consequential incidents across these industries highlight lapses in compliance controls.  

The collapse of Silicon Valley Bank was driven in part by a failure to manage interest rate and liquidity risk, as well as governance issues. Elsewhere, U.S. financial institutions incurred substantial fines for anti-money laundering and Know Your Customer (KYC) violations in the first half of 2023, including a $98 million penalty for Wells Fargo for processing $532 million in prohibited transactions due to insufficient oversight of sanctions compliance.  

Noncompliance with healthcare regulations, such as the False Claims Act, can result in severe penalties and reputational damage. For instance, Walgreens was fined $107 million in September 2024 for failing to audit its pharmacy management system, leading to unintentional billing of government healthcare programs for uncollected prescriptions.

Such issues are not solely the domain of BFSI and healthcare; FirstEnergy recently paid $100 million to settle a Securities and Exchange Commission investigation that involved bribery charges, including misrepresentations to investors and failure to disclose material related-party transactions.  

The GRC conversation extends beyond these industries and straightforward regulatory adherence. GRC increasingly involves identifying opportunities to sustain and enhance competitiveness and to future-proof organizations. The GRC software market in the U.S. and Western Europe represents several billion dollars in annual spend, with growth driven by increasing regulatory demands and the need for comprehensive risk management solutions.  

How is GRC defined?

GRC is a structured framework that manages an organization’s approach to governance, risk management and compliance, covering both business and cyber use cases.

Business domain: GRC in business operations encompasses four key areas:

  1. Risk management: Identifies, assesses, monitors, and mitigates risks by capturing and aggregating risk data and applying consistent management methodologies to reduce exposure and financial impact
  2. Compliance management: Manages policies and evaluates compliance processes against regulatory standards, streamlining the capture, documentation and investigation of compliance cases
  3. Audit management: Enhances internal audit processes, including planning, data management and issue tracking, to ensure successful audits and resolution of findings
  4. Third-party risk management: Assesses and monitors business partners and suppliers for performance, security, and compliance through due diligence, onboarding and real-time risk monitoring

Cyber domain: GRC in the cyber domain includes information technology (IT) and cyber risk management and compliance to safeguard data, IT assets and processes.

  • IT and cyber risk management: Manages IT and cyber risks by defining and tracking risks, assets and controls; includes mapping assets to security risks and using quantification models to simulate and calculate potential financial impacts
  • IT and cyber compliance: Establishes and enforces systematic IT and cybersecurity policies across business units, enabling efficient compliance management and monitoring of assets, frameworks and standards

Key drivers of GRC solution adoption

Regulatory pressures

One of the primary forces driving the GRC market is the growing regulatory burden on both sides of the Atlantic. Europe is leading, with stringent regulations such as the U.K.’s 2024 Sarbanes-Oxley equivalent, the Corporate Governance Code (or “UK SOX”); the German Corporate Sustainability Due Diligence Directive, known as CS3D; and the EU’s Network and Information Systems Directive II, known as NIS2, all of which require enhanced monitoring, reporting and compliance measures. Additionally, the number of regulations has surged in the U.S., where federal regulatory restrictions in sectors such as finance have nearly doubled since 2010 (see Figure 1). 

Investor pressures

Investors are increasingly pushing for standardized and transparent risk management practices. With rising regulatory demands and a stronger focus on risks related to environmental, social and governance (ESG) — particularly environmental — investors expect real-time risk reporting and robust compliance frameworks.  

Evolving risk landscape

Business operations are facing increasing complexity due to globalized supply chains, extensive use of third-party vendors and outsourcing. This interconnectedness heightens exposure to risks, such as regulatory noncompliance and operational disruptions, which are exacerbated in an environment of increased geopolitical tension. The surge in cyber threats, with nearly 1,800 data breaches in the U.S. alone in 2022, further underscores the need for advanced GRC solutions to manage digital risks.

Another complex facet for firms to manage is the massive volumes of data generated by corporations. The global volume of data created, captured, copied and consumed is projected to grow from 33 zettabytes in 2018 to 181 zettabytes by 2025. This presents challenges and opportunities for managing risks effectively as the potential for adverse events rises.  

The increasing incorporation of AI

Artificial intelligence (AI) has the potential to enable GRC use cases by automating compliance processes, enhancing risk detection and providing predictive insights. Specific applications of AI in GRC include:

  • Synthesizing regulations and statements issued by regulators, highlighting key changes and gaps relative to existing policies and procedures, for more rapid absorption into policies and workflows
  • Proactively flagging riskier vendors, practices or patterns
  • Considering a broader set of structured and unstructured data within risk scoring algorithms
  • Identifying potential regulatory breaches through automated compliance monitoring
  • Automating manual GRC tasks such as integrating multiple internal data sources for automated extraction and analysis to generate reports (e.g., key risk indicators)  

The evolving role of the CCO and general counsel

As regulatory and risk management complexities grow, the roles of the chief compliance officer (CCO) and general counsel (GC) are becoming more central to strategic decision-making. Once primarily focused on compliance management and legal advisory, these leaders are now proactively shaping corporate strategy, predicting potential adverse ramifications of business plans and instilling a culture of compliance within their organizations.

Their influence spans managing emerging business risks, cybersecurity threats and ESG requirements. This broad reach provides numerous touchpoints across their organizations, enabling them to see how decisions in one business unit affect other areas. Although CCOs and GCs lead non-revenue-generating functions, they can be crucial to organizations’ bottom lines, as effective governance, risk management and compliance practices can shield companies from significant financial penalties and reputational harm.

Customer and competitive dynamics

Customer archetypes: One size does not fit all

GRC adoption varies significantly based on geography, industry, company size and GRC submodule. Enterprise and upper midmarket firms in highly regulated sectors such as BFSI and healthcare are, understandably, significantly more advanced in their use of GRC solutions. In contrast, midmarket and smaller firms, especially in less regulated industries, often start with basic tools (such as spreadsheets) for specific needs (see Figure 2).

The most utilized GRC submodules include audit and IT/cyber risk solutions, which are integral to a business’s ability to adhere to regulatory mandates and defend against cyber risks. Third-party management and compliance submodules, while important, are less often adopted, given varying applicability across industries and firm sizes. 

Fragmented decision-making and solution usage

Decision-making around GRC, despite rolling up to the CCO and GC, is still highly fragmented, often differing across departments, regions and functions. A company might use different GRC vendors for regulatory compliance in Europe, the Middle East and Africa versus North America or might have multiple solutions for internal audits due to legacy contracts.  

M&A activity often leads to redundant GRC solutions, adding complexity and making a one-size-fits-all go-to-market (GTM) strategy ineffective. Replacing legacy systems is challenging, as most heavy GRC users rely on multiple competing solutions. Organizations need customized solutions that align with their specific regulatory and operational requirements.

Complexity and fragmentation in the GRC vendor landscape

The GRC competitive landscape is characterized by its complexity and fragmentation, reflecting the differing needs of organizations. Over the past decade, this landscape has continued to evolve, with a number of vendor archetypes emerging and vying for market share (see Figure 3). 

The GRC market has evolved from focusing exclusively on highly regulated sectors to offering solutions tailored to specific industries, geographies and subfunctions. Meanwhile, several vendors have sought to become “full suite” providers through organic growth and M&A, alongside adjacent software companies such as ServiceNow that are entering the space. This diversification has created a complex landscape where various vendors compete for the same customers using unique value propositions.

Integrated risk management

Organizations are consolidating GRC solutions into integrated risk management (IRM) platforms (see Figure 4). True IRM platforms offer several advantages, such as a uniform interface, improved data sharing and enhanced analytical insights. Most important, they provide a single-pane-of-glass view across the organization, enabling users to manage and optimize risk-related workflows from a centralized dashboard, including the ability to:

  • Manage policies and controls; set permissions; configure interrelated workflows and processes across modules; and identify, assess and monitor risk factors and scores in real time across modules.
  • Facilitate seamless data flow and communication across GRC submodules.
  • Port policies and controls (e.g., compliance policies, business continuity action plans) directly into other modules. These policies or action plans can be automatically executed and relevant stakeholders alerted.
  • Set permissions and automate workflows, triggering actions and approvals across modules (e.g., an update to a compliance policy may trigger an alert to update a KYC workflow).
  • Pull risk assessment data from modules into a centralized reporting interface to analyze and monitor risk mitigation performance in real time.
  • Streamline audit management by pulling metrics on policies in place, status of controls and actions taken by users across modules.

Despite these benefits, achieving IRM remains challenging. Organizations face several significant barriers:

  • Addressing departmental-level preferences: Different departments often have preferred vendors for specific modules, making it difficult to align with a single solution provider.
  • Lack of options for solutions with “true IRM” capability: Many GRC platforms are not fully integrated, leading to gaps between modules and functionalities. While IRM players exist, their applicability across firm sizes, industries and geographies varies.
  • Challenges in migrating and integrating data: Transitioning from existing systems to a consolidated platform can be complex and costly, particularly when dealing with multiple legacy systems.
  • Requirements for employee retraining: Shifting to an integrated platform often requires extensive retraining, which can meet resistance from employees accustomed to their current tools.

The potential exists for significant value to be realized by deploying IRM solutions. Vendors offering comprehensive, scalable platforms that effectively connect disparate modules into a cohesive suite can deliver enhanced risk visibility and operational efficiency. As vendors evolve their platforms to offer true integration, organizations that adopt these solutions can gain a strategic advantage in navigating regulatory pressures and optimizing risk management.

Navigating the evolving GRC landscape

As business complexity and regulatory demands grow, the strategic importance of effective GRC management is increasing. Key factors shaping the GRC market include:

  • Evolving risks and geopolitical conflicts: The dynamic nature of risks, combined with ongoing geopolitical challenges, will drive further growth in the GRC market
  • AI-driven productivity: AI has the potential to significantly enhance productivity within GRC processes
  • Diverse customer needs: Requirements vary widely based on company size, industry, geography and specific solution needs
  • Shift toward integrated risk management: The move toward IRM is transforming the competitive landscape

Organizations seeking to improve GRC management and oversight must consider their needs holistically, examine redundancies in existing solutions and evaluate whether more-comprehensive IRM applications are preferable to fragmented point solutions.

For GRC vendors, the diverse customer landscape makes it challenging to be “everything to everyone.” Vendors should develop a deep understanding of their ideal customer profile (ICP) and should tailor product offerings, integration plans and go-to-market strategies accordingly. For example, addressing the complex needs of BFSI enterprises requires a fundamentally different product and GTM strategy relative to smaller companies in less regulated industries.

For private equity investors, opportunities abound both in point solutions offering in-depth functionality tailored to specific use cases or industries and in broader suites expanding into diverse product and customer segments. As with vendors, investment theses should first consider the target company’s ICP and its unique ability to address pain points within this profile.

Whether you’re considering an investment, optimizing your GRC strategy or exploring adjacent markets, L.E.K.’s expertise can help guide you and your decision-makers. Contact us to leverage our GRC insights and navigate opportunities in this dynamic market.

L.E.K. Consulting is a registered trademark of L.E.K. Consulting LLC. All other products and brands mentioned in this document are properties of their respective owners. © 2024 L.E.K. Consulting LLC
