Summer 2025
2025 IT Risk and Compliance Benchmark Report
Beyond the Benchmark:
How Does Our Report Compare?
A Publication by
Scroll to Begin
Unlock the Full Report
Unlock the Spring 2025 Full Report
Top Findings in Numbers
Top Finding 1
91% of respondents have a centralized team to manage GRC
This is the highest number we’ve ever seen in the six years we have conducted this survey, up from 88% in the previous year.
Why this matters
The high adoption of centralized GRC teams indicates a strong trend toward integration in the market, as most organizations recognize the importance of taking a unified approach to risk and compliance management. However, those 8% of organizations still operating in silos face significant challenges, including inconsistent risk mitigation practices and inefficiencies.
Top Finding 2
60% of respondents who manage risk ad-hoc or when a negative event happens experienced a data breach in 2024
Respondents who use integrated and automated GRC tools are less likely to experience a data breach at only 41%.
Why this matters
The tangible benefits of investing in GRC platforms that enable continuous monitoring, streamlined workflows, and real-time insights are undeniable. This finding underscores that relying on reactive, event-driven risk management leaves organizations more vulnerable to breaches, while adopting integrated and automated solutions significantly enhances their ability to identify, mitigate, and prevent risks, ultimately protecting sensitive data and organizational reputation.
Top Finding 3
63% of all respondents said their GRC budgets will increase in 2025
The majority of respondents expect budgets to go up for the second year in a row.
Why this matters
This finding underscores the growing recognition of GRC as a competitive advantage. As cyber threats become more sophisticated, regulatory requirements more stringent, and supply chains more interconnected, organizations must invest in robust GRC frameworks to mitigate risks, ensure compliance, and build stakeholder trust. Increased budgets signal a commitment to adopting advanced tools — like automated GRC platforms — to streamline workflows, improve efficiency, and enhance decision-making.
Unlock the Spring 2025 Full Report
Top Finding 4
72% of surveyed organizations plan to grow their compliance teams in 2025
The majority of respondents are confident about their ability to expand their teams despite economic uncertainty in 2025.
Why this matters
The overwhelming intent to expand compliance teams highlights a broad industry shift toward strengthening GRC efforts. This trend is likely driven by increasing regulatory complexity, heightened enforcement, and the growing need for organizations to demonstrate accountability and transparency. With compliance viewed as a critical enabler of organizational resilience and trust, the next two years will see many teams expanding to meet these demands head-on.
Top Finding 5
52% of all respondents spend 30%-50% of their time on administrative tasks like manual data entry
Although respondents are confident that they have taken steps to mature their GRC programs, they still spend a significant amount of time on manual processes.
Why this matters
Despite efforts by GRC teams to streamline workflows, adopt new processes, and better integrate their work, our respondents stated that their work is still burdensome and certain tasks are still too laborious. To address these burdens, many organizations are turning to purpose-built tools and software solutions designed to alleviate the manual, fragmented, and complex aspects of GRC work. These tools reduce the reliance on repetitive data entry, streamline processes across multiple systems, and provide greater clarity in risk identification and management.
Unlock the Spring 2025 Full Report
Top Finding 6
59% of respondents test all controls as opposed to only the most critical controls
This is an increase of 26% year-over-year, signifying a major industry shift to proactive compliance management strategies.
Why this matters
This year, 59% of respondents reported that they test all controls as opposed to only the most critical controls. This is a major shift in the industry, emphasizing the importance of moving beyond reactive, audit-driven assessments to a more strategic and holistic control testing process. Testing all controls ensures that even lower-priority areas are scrutinized, reducing the likelihood of overlooked vulnerabilities that could lead to compliance failures or security breaches.
Top Finding 7
74% of respondents in 2024 said their annual security budget is over $1 million
Most of the surveyed organizations are making a substantial investment in security. Only 22% of respondents reported that their annual security budget is under $1 million.
Why this matters
Respondents are taking a proactive approach to GRC, a significant shift in the industry since last year’s survey report. Businesses are no longer viewing GRC as a cost center but as a critical investment, and their budgets are beginning to reflect this change in mindset. With significant budgets allocated to GRC, organizations are better positioned to adopt advanced solutions, including AI-driven risk management tools and integrated GRC platforms. This trend creates opportunities for service providers and vendors to meet the growing demand for innovative GRC solutions. This finding offers a clear call to action: the landscape is shifting, and those who embrace this momentum stand to gain a competitive edge.
Top Finding 8
55% of respondents in 2024 said they use a common controls framework to streamline their GRC processes
Using a common controls framework (CCF) has become a standard best practice, differing from our results in previous years.
Why this matters
A CCF simplifies compliance by mapping multiple regulatory requirements to a single set of controls, reducing duplicative efforts and making it easier for organizations to stay compliant across different frameworks. This finding highlights the importance of adopting best practices to improve operational efficiency, ensure consistent control implementation, and reduce the complexity of managing overlapping compliance requirements. The increased use of CCFs reflects a maturing GRC landscape where organizations prioritize scalability and resilience, positioning themselves to respond more effectively to evolving regulatory and risk environments.
About this Report
Each year, The 2025 IT Risk and Compliance Benchmark Report takes a deep dive into market trends in the GRC space to help you prepare for the year ahead. This year, we uncovered several surprising gaps between cybersecurity industry ideals and operational compliance realities today. To present the most well-rounded perspective of these findings, we took things one step further: we compared our data against reports from Accenture, BDO, PWC, KPMG, IANS, EY, Deloitte, Coalition, Forrester, and the CISO Society so that compliance officers, CISOs, and compliance professionals can understand how their current methods compare against industry best practices.
Top Findings in Numbers
Top Finding 1
Only 17% of organizations adhere to country-specific data security/privacy laws despite their growing prevalence
Why this matters
This contradicts the assumption that regulatory compliance is a universal priority. Based on this data, most organizations appear to be ignoring localized requirements despite legal obligations.
Top Finding 2
76% of CISOs report that regulatory fragmentation significantly impacts compliance efforts
Why this matters
This challenges the idea that mature organizations have solved cross-jurisdictional compliance, showing even sophisticated programs struggle with regulatory complexity.
Top Finding 3
94.2% of CISOs agree that continuous controls monitoring improves security and compliance, but only 72% have implemented such tools
Why this matters
This gap is primarily caused by budget constraints, legacy technology integration challenges, and organizational resistance to process changes to support automation. The disconnect between aspiration and implementation reflects the larger struggle that CISOs and compliance officers face when transforming theoretical security improvements into operational reality within modern enterprise environments.
Top Finding 4
While 82% of organizations believe they effectively assess control effectiveness, 45% of board directors still seek external validation
Why this matters
This exposes a fundamental trust gap between technical teams and governance leadership that contradicts claims of aligned security assurance. CISOs believe in the value of these assessments, even when board members don’t.
Access the report
Want to learn more? Unlock the complete 2025 IT Risk and Compliance Benchmark Report for free.
Top Finding 5
52% of audit committees have primary ERM oversight, while 40.4% of organizations lack centralized systems for risk management
Why this matters
The absence of centralized risk management systems in over 40% of organizations highlights a governance gap that requires greater cyber literacy among board members to effectively interpret fragmented risk data and make informed oversight decisions in the absence of including cyber risks as part of enterprise risk management.
Top Finding 6
84% of organizations have aligned risk management with compliance, yet only 44.1% report full synchronization
Why this matters
This reveals a significant gap between theoretical alignment and practical integration, challenging claims of mature GRC programs. When only 44.1% of organizations have fully synchronized risk management and compliance, this means the majority of CISOs are essentially operating with partial visibility.
Top Finding 7
53.7% of CISOs report compliance is not embedded in development pipelines, while 15% of organizations lack any automated risk monitoring tools
Why this matters
This challenges what vendors are saying about DevSecOps maturity and security-by-design implementation. The disconnect between development pipelines and regulatory requirements creates potential compliance blind spots that increase organizational risk exposure.
Top Finding 8
42% of organizations struggle with data and system silos, creating fragmented risk management approaches
Why this matters
This confirms what practitioners have experienced for years. CISOs cannot effectively communicate organizational risk to senior leadership or the board when working with fragmented data sources that tell conflicting or contradictory stories.
Top Finding 9
47.9% of organizations struggle with evidence gathering, while 40% find audit-related tasks tedious and time-consuming
Why this matters
This reflects the reality that evidence validation remains a time-consuming, manual process in most organizations. Manual collection can create bottlenecks when subject matter experts must pause security work to provide documentation, and increases the likelihood of human error in evidence collection and submission for audits.
Coming Soon …
Coming Soon …