Governance, Risk, and Compliance: Where Companies Stand and How to Improve


McKinsey’s Governance, Risk, and Compliance: A New Lens on Best Practices shows that GRC remains a work in progress for most organizations, even though many understand its importance. As companies navigate shifting regulations and evolving threats, the need for strong GRC capabilities has never been clearer.

At Cherry Hill Advisory, we share that sense of urgency. GRC is not just a support function; it is central to resilience, better decisions, and sustained growth. Here are the key findings from McKinsey, our take on what matters most, and guidance on closing the gap.


What McKinsey Found and Why It Matters

Widespread Room for Improvement

McKinsey surveyed 193 senior leaders across industries and regions. Common pain points surfaced in tech readiness, tight resourcing, and fragmented governance.

Our view: You cannot build good governance with outdated tools or thin teams. Fixing foundational issues matters more than adding high-profile features.

Governance Practices Vary

Half the companies surveyed use a “strategic board” setup with subcommittees and board diversity, but documentation such as board resolutions or assessments is often missing. Around half of firms lack full governance documentation.

Our view: Strong governance starts with structure but is sustained through discipline, regular reporting, assessments, and clear escalation paths.

The average risk maturity score was 2.6 out of 4. Insurance scored highest at 3.2, showing it is ahead on scenario planning and appetite setting. Most industries still need to level up.

Our view: Identifying risks is only the beginning. Companies need to stress test, engage the board, and embed risk thinking into strategy. This is where value is preserved and decisions improve.

Compliance Still Chasing Discipline

Average compliance maturity stood at 2.9 out of 4. Many companies rate well on having policies, training programs, and whistleblowing channels. But leadership incentives tied to compliance are almost always missing, with 68 percent saying they are not where they need to be.

Our view: Policies alone do not create a compliance culture. If leaders are not held accountable through incentives, you get box-ticking instead of meaningful change.

Even in large organizations, GRC teams are small. Two-thirds of risk functions and 62 percent of compliance teams have fewer than 20 full-time staff. Forty-two percent admit they underuse GRC and IT tools.

Our view: Small teams and outdated systems slow progress. Until companies leverage smarter tools, they will remain reactive and stretched.


What McKinsey Recommends and What We Echo

McKinsey highlights five priorities:

  1. Tone from the top – GRC leaders need senior mandates and direct board access.
  2. A strategic lens for risk – Move beyond daily controls to horizon scanning and board-aligned risk thinking.
  3. Fix the fundamentals – Build road maps, measure GRC value, and track progress consistently.
  4. Bring in the right technology – Automate control testing, policy checks, and training.
  5. Tie incentives to GRC outcomes – Reward balanced decisions and learning cultures.

We agree, and we see the most impact when companies:

  • Give CROs and compliance heads visibility and influence instead of burying them in the hierarchy.
  • Embed risk thinking into capital allocation, acquisitions, and strategic planning.
  • Make better use of existing GRC software by training teams and refining processes.
  • Show leaders how GRC creates measurable business value, such as avoided losses and faster decision cycles.

Final Word

McKinsey’s findings match what we see in our work. Most GRC functions need improvement, but the path forward is clear. Strengthen governance structure, develop strategic risk capabilities, improve technology adoption, and align leadership incentives with GRC priorities.

At Cherry Hill Advisory, we help high-growth companies turn GRC weaknesses into strengths. Strong GRC is not only about avoiding trouble; it is about enabling confident, well-informed decisions in any environment.

Stay connected: follow us on LinkedIn and explore more at www.CherryHillAdvisory.com.