The acceleration of digital transformation we've witnessed since 2022 has amplified the need for robust governance, risk, and compliance capabilities. Yet McKinsey's latest research reveals a substantial gap between GRC aspiration and implementation reality.
McKinsey's 2025 Global GRC Benchmarking Survey found that "excellent governance, risk, and compliance (GRC) is a common aspiration, but how often is it a reality? For most companies, GRC is a work in progress." Despite 93% of organizations having framework documents, implementation gaps are enormous—nearly half lack formal governance procedures.
The survey reveals a striking correlation: organizations where the head of risk is positioned more than one level below the CEO report significantly less mature risk functions. This validates what ISACA has long advocated—that top-down approaches yield better results than bottom-up initiatives.
Perhaps most concerning is the resource reality: 66% of companies operate risk management with just 20 or fewer full-time staff. When resources are this constrained, organizations can't afford ineffective approaches.
This is precisely why I developed the Matrix Approach to incremental DRP and BCP review—a multi-dimensional framework that addresses the exact challenges identified in McKinsey's research through classification systems, incremental review cadences, and progressive live drills.
So we don't really have a framework problem; we have an adoption problem. The research is clear: pragmatic-to-a-fault bottom-up approaches fail to deliver needed maturity. It's time to embrace top-down, matrix-based frameworks that connect executive priorities to operational activities.