As organizations operate in an increasingly complex and volatile business landscape, the role of Governance, Risk, and Compliance (GRC) has never been more crucial. To better understand the challenges and priorities of global GRC professionals, MetricStream and the GRC Report conducted a comprehensive survey in December 2024 and January 2025, gathering insights from over 100 industry professionals worldwide, including Chief Risk Officers (CROs), Chief Compliance Officers (CCOs), Chief Information Security Officers (CISOs), risk and compliance managers, and audit professionals.
The survey captured key concerns and priorities shaping GRC strategies today. Participants shared their perspectives on regulatory complexity, enterprise resilience, cybersecurity, and AI’s growing role in risk management. Their responses highlight the most pressing issues and opportunities in the field, providing a benchmark for organizations to assess and refine their own GRC approaches.
Here are five critical findings from the survey that every risk and compliance leader should know.
With new guidelines, evolving requirements, and unexpected policy shifts occurring almost weekly, more than half of respondents (51%) stated that navigating the complex regulatory landscape is among their top challenges this year.
Regulatory requirements are growing in number and complexity across industries, making compliance a moving target. From data privacy laws like GDPR and CCPA to sector-specific regulations such as DORA and NIS2, organizations are under increasing pressure to stay ahead of evolving mandates. One of our respondents accurately captured the sentiment: “Multiple regulations to comply with in the same timeline is a huge risk.”
To tackle this challenge, risk and compliance teams must adopt agile compliance strategies, leverage technology for automated tracking, and foster cross-functional collaboration to ensure regulatory readiness.
The rapid digitization of business processes, coupled with the rising threat of ransomware attacks, supply chain vulnerabilities, and AI-driven cyber risks, is putting organizations on high alert. “The increase in sophistication of cyber-attacks and breaches remains top on the agenda,” said one of our respondents, reflecting the views of 48% of professionals who said they struggle to keep up with increasingly sophisticated cybersecurity threats.
GRC and cyber risk leaders must prioritize robust cybersecurity frameworks, implement continuous monitoring, and enhance threat intelligence capabilities. Proactive measures such as cyber resilience planning, zero-trust architectures, and employee training will be key to mitigating these evolving risks.
Artificial Intelligence (AI) has the potential to revolutionize GRC by automating risk assessments, detecting anomalies in near real-time, and streamlining complicated compliance processes. However, adoption remains slow, indicating that many organizations are still in the early stages of leveraging. AI-driven insights. According to the report, those who have embraced AI use it for risk monitoring, automating compliance tasks, and enhancing threat detection.
When asked about their concerns regarding AI in GRC, respondents emphasized the need for governance frameworks specific to AI. Some highlighted “the challenge of adding in governance for AI while also leveraging AI within security responsibly,” while others warned that "AI is being pushed and adopted too rapidly, regardless of compliance."
Overcoming barriers such as lack of expertise, integration challenges, and regulatory uncertainties will also be crucial to accelerating AI adoption in GRC. Companies that successfully incorporate AI-powered analytics and automation into their risk management strategies stand to gain a significant competitive advantage.
From geopolitical disruptions to climate-related risks, organizations are facing a deluge of challenges that demand a more resilient approach. 46% of respondents highlighted an urgent need to build resilient enterprises to navigate an unpredictable risk landscape. One respondent captured the importance of resilience accurately, “Juggling all sorts of challenges, but Operational Resilience will probably be the highest focus.”
Resilience in GRC goes beyond risk mitigation—it involves anticipating disruptions, strengthening supply chains, and ensuring business continuity under any circumstances. Leaders must invest in scenario planning, stress testing, and integrated risk management frameworks to enhance organizational resilience and adaptability.
Enterprise Risk Management (ERM) is at the core of an organization’s ability to identify, assess, and respond to risks effectively, and 45% of respondents agree that it will be a top priority for them in 2025. ERM featured in the biggest concerns listed by GRC professionals when it came to planning for GRC and risk for the year ahead. As one respondent captured it, the key priority is to “break down silos between risk, compliance, and operations teams to improve collaboration.”
With risks becoming more interconnected, GRC teams must move beyond siloed risk management approaches and adopt a holistic, enterprise-wide view. Aligning ERM strategies with business objectives, embedding risk culture at all levels, and leveraging real-time data analytics will be critical to managing uncertainties in 2025 and beyond.
The survey findings underscore the evolving nature of GRC and the need for organizations to stay prepared to effectively manage regulatory shifts, cybersecurity threats, AI-driven transformations, and resilience-building efforts. As risk and compliance leaders navigate the complexities of 2025, a proactive and technology-driven approach will be essential to ensuring long-term success. Investing in advanced GRC solutions, fostering a culture of risk awareness, and embracing innovation will position organizations to thrive in an increasingly uncertain world.
Download the full report: Looking into 2025 – A Journey Through GRC Challenges and Priorities
A MetricStream and GRC Report survey of over 100 global GRC professionals found that navigating regulatory complexity was the most commonly cited challenge, identified by 51% of respondents. Cyber risk followed at 48%, while resilience, AI adoption, and integrated ERM rounded out the top concerns.
Regulatory requirements are growing in both number and complexity, with data privacy laws, financial resilience mandates like DORA, and sector-specific directives like NIS2 creating overlapping obligations across industries. Managing multiple simultaneous regulatory timelines was highlighted as a major pressure point by survey respondents.
Forty-eight percent of GRC professionals in the survey identified cyber risk as a critical priority, driven by increasing sophistication of ransomware and supply chain attacks, AI-enabled threats, and stricter regulatory requirements. The majority of respondents flagging cyber risk came from compliance, audit, and risk management roles, signaling how broadly cyber risk has spread across the enterprise.
The survey found that while 47% of GRC professionals recognized AI's value for risk monitoring and compliance automation, only 14% had successfully integrated it into their programs. Key barriers include lack of in-house AI expertise, integration complexity, regulatory uncertainty around AI tools, and concerns about governance when AI is deployed rapidly without standardized controls.
In GRC, resilience involves anticipating disruptions, strengthening supply chains, ensuring business continuity, and embedding adaptability into core operations, going well beyond traditional risk mitigation. Forty-six percent of respondents ranked resilience as a critical priority, reflecting the growing regulatory push for firms to prove they can absorb and recover from adverse events.
Siloed approaches to risk management remain the most significant barrier, with 45% of survey respondents citing ERM as a top priority and emphasizing the need to break down silos between risk, compliance, and operations teams. When each function manages risk independently, organizations lose the cross-functional visibility needed to identify interconnected risks before they escalate.
The MetricStream and GRC Report survey gathered input from over 100 global GRC professionals, including Chief Risk Officers, Chief Compliance Officers, Chief Information Security Officers, risk and compliance managers, and audit professionals. This cross-functional representation provides a broad view of GRC challenges across disciplines.
AI must be integrated with clear governance frameworks rather than adopted in an ad hoc manner, including standardized policies for how AI tools are trained, deployed, and monitored and centralized controls to prevent shadow IT risks from low-code tools. AI-driven insights must remain explainable, auditable, and aligned with the organization's compliance posture.
Organizations should adopt agile compliance strategies that combine automated regulatory tracking, cross-functional collaboration, and technology-driven regulatory intelligence. Platforms that map regulatory updates directly to affected controls, policies, and processes allow teams to view regulatory change as a catalyst for operational improvement rather than a compliance checkbox.
The survey data shows that resilience is moving from a compliance requirement to a core business strategy, with GRC professionals investing in scenario planning, stress testing, and integrated risk frameworks to respond to geopolitical disruptions, climate-related risks, and operational shocks. Those who embed resilience into daily operations are better positioned to sustain business continuity under pressure.
Subscribe for Latest Updates
Subscribe Now