Insights from the 2024 benchmark report

Navigating the complex world of IT risk and compliance can be daunting for many organizations. However, with the right insights, companies can better understand how to make the right decisions about Governance, Risk, and Compliance (GRC) operations. More than ever before, IT risk and compliance leaders need insights into how to staff their teams properly, and whether compliance and security team sizes are shrinking or growing, especially among their peers. This year’s volatile economy also presents unique challenges for GRC professionals looking to expand their teams and programs.

Hyperproof’s 2024 IT Risk and Compliance Benchmark Survey asked more than 1,000 GRC professionals about key trends and strategies in the industry. The final chapter of our report covers GRC buying patterns and where staffing is heading in 2024. Below, we’ll give you a quick summary of our findings. If you want to take a deeper dive into all of our findings (and trust us, you will), download the full report.

Decision-making is becoming increasingly collaborative

Survey respondents reported a significant trend toward collaborative decision-making, particularly when buying new technology. 47% of respondents identified individuals in IT- and GRC-related roles as pivotal champions in evaluating new technologies. Moreover, 45% of respondents refer to Chief Financial Officers (CFOs) to approve new technology purchases.

A bar chart showing who the decision makers are that are involved when buying compliance or risk technology

By collaborating with executive-level stakeholders, it is easier to connect strategic compliance technology investments with business objectives. This can help mitigate the risk of executive-level cost-cutting initiatives impacting compliance, risk management, and security teams, especially as companies are tasked with doing more with less. Otherwise, these technology purchases may be cut entirely.

Fostering a culture of collaboration within decision-making processes can lead to greater innovation and increase buy-in across departments. By involving stakeholders from various functional areas, organizations can leverage diverse perspectives to identify opportunities and mitigate the risks associated with technology investments from all across the business.

How integrating risk and compliance impacts decision-making

The respondents who integrated risk and compliance saw better cross-functional collaboration and alignment with strategic objectives. On the other hand, those tackling risk in silos or on an ad-hoc basis saw more fragmented decision-making processes. These fragmented processes can result in less favorable outcomes, such as breakdowns in cross-departmental communications. By not having a collaborative approach to decision-making, these siloed teams may be more at risk for cost-cutting measures, potentially leading to fewer resources for their operations.

Embracing integrated risk and compliance workflows enables organizations to enhance their agility and responsiveness to emerging risks, driving more sustainable business outcomes in a rapidly evolving regulatory landscape.

Integrating risk and compliance promotes transparency and accountability across the organization. By centralizing risk and compliance data, organizations can gain a holistic view of their risk profile and ensure consistency in decision-making. This enables proactive risk management and fosters a culture of compliance throughout the organization, all the way to the C-level, in some cases.

Compliance oversight continues to the C-level

One of our more noteworthy findings is that compliance oversight has been elevated to the C-level within organizations. 63% of respondents reported C-level executives as the highest level position overseeing compliance, indicating a stronger emphasis on the importance of effective compliance programs.

This shift underscores the pivotal role compliance professionals play in shaping strategic directives and mitigating business risks. Establishing clear lines of accountability and reporting enhances compliance governance, demonstrating an organization’s commitment to compliance and fostering stakeholder trust.

A bar chart depicting which levels oversee compliance, with the C-level being the highest and audit manager being the lowest

Elevated compliance oversight helps promote the culture of compliance throughout an organization. By establishing compliance as a top priority at the executive level, organizations can instill a sense of accountability and responsibility for compliance across all levels of the organization. This proactive approach helps mitigate compliance risks and can strengthen the organization’s reputation.

As compliance continues to be a brand differentiator and method for accelerating business growth, the importance of executive buy-in increases. Our findings are promising; these changes demonstrate an ongoing shift in how organizations view compliance. This often translates into more resources for GRC teams, helping them advocate for better and more efficient practices.

Compliance teams — and their needs — continue to expand

Our data showed a growing emphasis on expanding compliance teams across industries. Year-over-year, respondents reported a significant increase in the resources dedicated to compliance functions: 77% of respondents anticipate an increase in their compliance teams, compared to last year’s 70%. Meanwhile, the proportion of respondents expecting no change in personnel remained relatively stable, coming in at 23% this year compared with last year’s 30%.

A bar chart depicting how many full time staff members organizations have dedicated to cybersecurity

Organizations leveraging integrated risk management tools tend to have larger compliance teams, reflecting the efficiency gains associated with automation and streamlined processes. The majority of organizations surveyed (83%) have five or more full-time employees dedicated to compliance. Integrated programs were more likely to have larger team sizes of 10 to 25 people. Those operating within silos, however, tended to have a team size between 5 and 10 people.

A bar chart comparing compliance team size and approach to risk management

Expanding compliance teams also allows organizations to enhance their capabilities in areas such as risk assessments, monitoring, and reporting. By increasing the depth and breadth of expertise within the compliance function, organizations can better identify, react to, and mitigate risks, ensuring ongoing adherence to regulatory requirements and safeguarding the organization and its reputation.

A bar chart showing how surveyed companies describe the growth of their compliance team over the next two years

Looking ahead, our research indicates a strong inclination for further expansion of compliance teams. This emphasis on team growth is driven by a growing awareness of the strategic significance of compliance, positioning it as a competitive differentiator in today’s business landscape.

Enterprises with revenues exceeding $500 million are poised to see significant growth, driven by the complexity of managing risk at enterprise scale. The only segment anticipating a decrease in team size is companies with revenue under $10 million.

By anticipating staffing requirements and aligning talent acquisition strategies with organizational objectives, compliance leaders can better build agile and resilient teams. These teams can then more effectively address evolving regulatory challenges and continue to drive businesses forward.

A bar chart comparing expected team growth vs. revenue

Professional development matters for GRC

Organizations must invest in ongoing professional development and training to ensure that compliance teams are equipped with the skills and expertise needed to navigate increasingly complex regulatory environments. By prioritizing continuous learning and skill enhancement, organizations can empower their teams to adapt to evolving requirements and drive ongoing improvements in their compliance workflows.

Enhancing efficiency without adding headcount

Despite the optimism surrounding team expansion, GRC professionals face pressure to enhance efficiency without adding headcount. This demonstrates the need for innovative solutions that balance growth with operational efficiency. By leveraging software solutions that capitalize on automation, analytics, and visibility, GRC professionals can better streamline their compliance processes to better mitigate risks.

Teams are embracing technology to streamline processes

Technology is reshaping how companies handle IT risks and follow regulations. It’s vital for organizations to adopt advanced tools like artificial intelligence, machine learning, and generative AI to improve their processes. By using techniques such as data analysis and automation, companies can simplify compliance procedures, make smarter decisions, and maintain regulatory compliance. Embracing technology helps companies adapt more quickly to regulatory changes and enhance their compliance efforts, positioning them for long-term success in today’s digital landscape.

Encouraging innovation and experimentation within organizations is crucial for optimizing compliance operations. By promoting collaboration and creativity, organizations can effectively leverage technology to address compliance challenges and drive continual improvement. This proactive approach enables organizations to maintain a competitive edge and stay ahead in the fast-evolving industry.

Decision-making is constantly evolving in GRC

There is a lot to learn about decision-making in GRC. Understanding how other companies are staffing their teams helps organizations better advocate for more resources. These trends also enable organizations to make informed decisions, optimize compliance operations, and drive sustainable business outcomes.

By embracing collaborative decision-making, elevating compliance oversight to the executive level, and investing in the integration of risk and compliance, organizations can navigate regulatory challenges more effectively and mitigate risks as a unified front.

To explore the full findings and gain comprehensive insights into the IT risk and compliance landscape, download the complete IT Risk and Compliance Benchmark Report today.
