Effective GRC programs rely on team collaboration
One in three organizations are not currently able to proactively identify, assess, and mitigate risk with their GRC program, nor are they able to ensure compliance with regulations and frameworks – both key aspects of a mature, holistic GRC program, according to LogicGate’s 2024 GRC Strategies, Teams and Outcomes Report.
This leaves considerable room for growth as organizations continue to recognize that centralized GRC practices lead to positive business outcomes.
“Security, risk, and compliance needs look different for every organization depending on their industry and applicable regulations, among other factors,” said Matt Kunkel, CEO, LogicGate. “However, our research identified a common factor across optimal GRC programs: utilizing a single, comprehensive GRC solution to uphold program objectives that support the organization’s core business goals and desired outcomes. By using a holistic approach to streamline GRC, organizations can better mitigate risk and deliver heightened business value.”
GRC spending varies between industries
Most GRC programs are supported by multiple teams, requiring close collaboration across functions. For example, while 81% of risk management groups claim sole responsibility for the risk management area of a GRC program, 40% of cybersecurity teams and 37% of compliance teams play vital supporting roles to maximize the success of risk management activity.
In addition, the report found that as the number of GRC software solutions an organization uses increases, the efficacy of those solutions at proactively managing risk declines: 59% of organizations using just one GRC solution strongly agreed that their software is effective at proactively managing risk, whereas only 15% of organizations using two GRC solutions had the same sentiment. It also found that leveraging one comprehensive GRC tool is more cost-effective, as organizations using two or more solutions spend 21% more to run their GRC program than those using a single solution.
The amount organizations spend on GRC varies between industries and organizational sizes, with the largest organizations spending the least due to their ability to achieve economies of scale. Looking at significant industry differences, financial services organizations spend a median of 1.13% of total annual revenue on GRC, while healthcare spends just 0.41%.
This is somewhat surprising, as recent data indicates that the average cost of a healthcare breach is $10.93 million – far and away the highest of any industry, with finance a distant second at $5.90 million. Both healthcare and finance are subject to stringent regulations, but financial services organizations spend almost three times as much on GRC as their counterparts in healthcare.
GRC investment is largely focused on people and software
Cybersecurity risk, geopolitical risk, and social and reputational risk claim the top three spots among the risks and market trends expected to most affect organizations' ability to meet their strategic business objectives over the next 12 months. However, supply chain risk, a significant issue during the pandemic and its aftermath, appears to be stabilizing as the economy recovers.
AI has the greatest unknown and unquantified risk and may have a significant unforeseen impact. While this information does not come as a surprise, it will be important to track how these rankings evolve as AI becomes increasingly accessible and regulators continue to explore ways to govern its impact and use.
Hiring and retaining talent is by far the largest expense related to GRC, claiming 46% of GRC budget allocation. GRC software tools come in second at 18%, with organizations investing in solutions to drive their programs, align teams, and automate manual GRC processes. Additionally, 80% of organizations are either keeping the same budget allocation or increasing it over the next 12 months. The largest increases will again be seen in investments in the workforce and GRC software, with a combined net average increase of 5% and 4% respectively.