Spring 2025
2025 IT Risk and Compliance Benchmark Report
The Reader’s Digest Issue
A Publication by
Scroll to Begin
Unlock the Full Report
Top Findings in Numbers
Top Finding 1
91% of respondents have a centralized team to manage GRC
This is the highest number we’ve ever seen in the six years we have conducted this survey, up from 88% in the previous year.
Why this matters
The high adoption of centralized GRC teams indicates a strong trend toward integration in the market, as most organizations recognize the importance of taking a unified approach to risk and compliance management. However, those 8% of organizations still operating in silos face significant challenges, including inconsistent risk mitigation practices and inefficiencies.
Top Finding 2
60% of respondents who manage risk ad-hoc or when a negative event happens experienced a data breach in 2024
Respondents who use integrated and automated GRC tools are less likely to experience a data breach at only 41%.
Why this matters
The tangible benefits of investing in GRC platforms that enable continuous monitoring, streamlined workflows, and real-time insights are undeniable. This finding underscores that relying on reactive, event-driven risk management leaves organizations more vulnerable to breaches, while adopting integrated and automated solutions significantly enhances their ability to identify, mitigate, and prevent risks, ultimately protecting sensitive data and organizational reputation.
Top Finding 3
63% of all respondents said their GRC budgets will increase in 2025
The majority of respondents expect budgets to go up for the second year in a row.
Why this matters
This finding underscores the growing recognition of GRC as a competitive advantage. As cyber threats become more sophisticated, regulatory requirements more stringent, and supply chains more interconnected, organizations must invest in robust GRC frameworks to mitigate risks, ensure compliance, and build stakeholder trust. Increased budgets signal a commitment to adopting advanced tools — like automated GRC platforms — to streamline workflows, improve efficiency, and enhance decision-making.
Access the report
Want to learn more? Unlock the complete 2025 IT Risk and Compliance Benchmark Report for free.
Top Finding 4
72% of surveyed organizations plan to grow their compliance teams in 2025
The majority of respondents are confident about their ability to expand their teams despite economic uncertainty in 2025.
Why this matters
The overwhelming intent to expand compliance teams highlights a broad industry shift toward strengthening GRC efforts. This trend is likely driven by increasing regulatory complexity, heightened enforcement, and the growing need for organizations to demonstrate accountability and transparency. With compliance viewed as a critical enabler of organizational resilience and trust, the next two years will see many teams expanding to meet these demands head-on.
Top Finding 5
52% of all respondents spend 30%-50% of their time on administrative tasks like manual data entry
Although respondents are confident that they have taken steps to mature their GRC programs, they still spend a significant amount of time on manual processes.
Why this matters
Despite efforts by GRC teams to streamline workflows, adopt new processes, and better integrate their work, our respondents stated that their work is still burdensome and certain tasks are still too laborious. To address these burdens, many organizations are turning to purpose-built tools and software solutions designed to alleviate the manual, fragmented, and complex aspects of GRC work. These tools reduce the reliance on repetitive data entry, streamline processes across multiple systems, and provide greater clarity in risk identification and management.
Ready to dive into this year’s insights?
Unlock the complete 2025 IT Risk and Compliance Benchmark Report for free.
Top Finding 6
59% of respondents test all controls as opposed to only the most critical controls
This is an increase of 26% year-over-year, signifying a major industry shift to proactive compliance management strategies.
Why this matters
This year, 59% of respondents reported that they test all controls as opposed to only the most critical controls. This is a major shift in the industry, emphasizing the importance of moving beyond reactive, audit-driven assessments to a more strategic and holistic control testing process. Testing all controls ensures that even lower-priority areas are scrutinized, reducing the likelihood of overlooked vulnerabilities that could lead to compliance failures or security breaches.
Top Finding 7
74% of respondents in 2024 said their annual security budget is over $1 million
Most of the surveyed organizations are making a substantial investment in security. Only 22% of respondents reported that their annual security budget is under $1 million.
Why this matters
Respondents are taking a proactive approach to GRC, a significant shift in the industry since last year’s survey report. Businesses are no longer viewing GRC as a cost center but as a critical investment, and their budgets are beginning to reflect this change in mindset. With significant budgets allocated to GRC, organizations are better positioned to adopt advanced solutions, including AI-driven risk management tools and integrated GRC platforms. This trend creates opportunities for service providers and vendors to meet the growing demand for innovative GRC solutions. This finding offers a clear call to action: the landscape is shifting, and those who embrace this momentum stand to gain a competitive edge.
Top Finding 8
55% of respondents in 2024 said they use a common controls framework to streamline their GRC processes
Using a common controls framework (CCF) has become a standard best practice, differing from our results in previous years.
Why this matters
A CCF simplifies compliance by mapping multiple regulatory requirements to a single set of controls, reducing duplicative efforts and making it easier for organizations to stay compliant across different frameworks. This finding highlights the importance of adopting best practices to improve operational efficiency, ensure consistent control implementation, and reduce the complexity of managing overlapping compliance requirements. The increased use of CCFs reflects a maturing GRC landscape where organizations prioritize scalability and resilience, positioning themselves to respond more effectively to evolving regulatory and risk environments.
Coming Soon …
Coming Soon …
Coming Soon …
