The digital transformation acceleration we've witnessed since 2022 has created an expanded attack surface, increased regulatory scrutiny, and amplified the need for robust governance, risk, and compliance (GRC) capabilities. Despite this, many organizations still approach risk management as a compliance checkbox rather than a strategic imperative. McKinsey's latest research confirms what practitioners have observed for years: there's a substantial gap between GRC aspiration and implementation reality.
The Current State of GRC: Aspirational But Unfulfilled
McKinsey's 2025 Global GRC Benchmarking Survey delivers sobering insights about the state of governance, risk, and compliance. Their research confirms that "excellent governance, risk, and compliance (GRC) is a common aspiration, but how often is it a reality? For most companies, GRC is a work in progress."[1] This shouldn't surprise anyone who's worked inside enterprises great and small, but the data finally quantifies what we've known anecdotally for some time.
The survey reveals a striking correlation between leadership involvement and GRC effectiveness. McKinsey found that "almost half of institutions (44%) tell us that the head of risk is positioned more than one level below the CEO and that those companies, on average, report less mature risk functions."[2] This organizational positioning directly impacts critical capabilities like stress/scale testing and even the definition of risk appetite.
Not for nothing, but this research validates what ISACA has been telling us for years. As highlighted in many of their publications and certification tracks, "cyberrisk scenarios can be identified top down from business objectives or bottom up beginning with a list of potential threat actors, event types, target assets and types of impact."[3] While both approaches exist, the evidence increasingly shows top-down approaches yield better results.
The Bottom-Up Problem
I've spent the last couple of decades watching well-intentioned InfoSec managers build elaborate frameworks that executive leadership teams neither understand nor truly support. The result is this odd "security theater" that creates a false sense of protection while leaving critical vulnerabilities unaddressed. And, in many cases, the threats themselves are going unidentified until incident triage.
ISACA-published research on enterprise security architecture confirms this challenge: "It is important for all security professionals to understand business objectives and try to support them by implementing proper controls that can be simply justified for stakeholders and linked to the business risk."[4] This business alignment is precisely what bottom-up approaches struggle to achieve.
What's particularly troubling about the McKinsey findings is that while 93% of organizations have a framework or policy document in place, the implementation gaps are enormous:
About half of companies (48%) have no formal corporate governance procedures
58% do not use manuals
53% do not keep inventories of things as fundamental as board resolutions
In essence, we have frameworks without implementation and theory without practice; in the bottom-up case we have practice without theory or any other rigor. Each of these scenarios is dangerous, especially as we start to see novel AI-assisted attacks at scale.

More With Less
Then there's McKinsey's finding about resource allocation in the large-scale enterprise, which we see echoed at scale in the SME market: "overall resourcing of GRC functions is quite small in absolute terms. In risk management, 66 percent of respondents have 20 or fewer full-time equivalents (FTEs) in total."[5]
When you have minimal resources you can't afford to waste them on zero-return approaches. (And let's be honest, most organizations dramatically understaff their GRC functions.) With so few people managing risk for an entire enterprise, every hour spent on a bottom-up approach that won't gain executive traction is an hour wasted. The exponentially many (n^a) potential workflows created by modern technologies demand smarter, more streamlined approaches.
The Matrix Approach: A Practical Solution
This resource constraint reality drove the development of my Matrix Approach to incremental DRP and BCP review. In my article The Matrix Approach to Incremental DRP and BCP Review, I outlined a multi-dimensional framework that addresses the exact challenges identified in the McKinsey research.
The Matrix Approach acknowledges resource constraints while still ensuring comprehensive coverage through:
Classification System for Recovery Components - A three-dimensional matrix that determines review frequency and validation requirements based on criticality and type. This enables focused allocation of limited resources where they'll have the greatest impact.
Incremental Review Cadence - Staggered review schedule that ensures continuous improvement while preventing review fatigue. Monthly reviews focus on Tier 0 systems, quarterly reviews on Tier 1, and semi-annual reviews on Tier 2—creating a sustainable approach even with limited staff.
Sub-Plan Development and Ownership - Breaking monolithic plans into component sub-plans with clear ownership. This aligns with McKinsey's finding that "where senior decision-makers are less involved, or do not provide an adequate mandate... functional maturity tends to be lower."[6]
Live Drills Implementation - Progressive approach to validating actual recovery capabilities, addressing the gap between documentation and reality. This is precisely what McKinsey means when they talk about "implementing focused performance management and change management."
As ISACA research demonstrates, "A top-down approach generally has more lasting power and efficacy than a bottom-up approach because it makes data protection a company-wide priority instead of placing all the responsibility on one person or team."[7]
The Technology Integration Challenge
McKinsey's survey also reveals that "companies are generally failing to use basic GRC tools and systems as effectively as they would like to. For example, in the risk function, 42% of respondents across industries say their use of IT and GRC systems 'needs improvement.'"[8]
This technology and implementation gap presents a significant opportunity for integration of advanced AI capabilities. The Matrix Approach explicitly addresses how LLMs can enhance risk management processes while ensuring validation frameworks maintain accuracy and reliability.
McKinsey advocates for embracing technology, noting that "only a combination of human expertise and smart technologies in GRC will enable companies to tackle the increasingly demanding regulatory and risk environment."[9] The Matrix Approach provides concrete implementation pathways for this integration.
The Path Forward: Five Imperatives
The McKinsey article outlines five imperatives for GRC excellence that align perfectly with the Matrix Approach:
Focus on "tone from the top" and revisit your GRC mandate - The Matrix Approach starts with executive classification of system tiers and process categories, ensuring top-down alignment. An absolutely exhaustive inventory of systems and processes is critical.
Adopt a strategic lens, particularly in risk management - By classifying recovery components by business impact, the Matrix Approach ensures strategic priorities drive operational activities. Look to ISACA COBIT for inspiration here.
Fix the fundamentals first - The Matrix Framework provides a clear roadmap for implementing essential capabilities before moving to advanced ones.
Embrace technology to complement human expertise at scale - The LLM integration and validation frameworks in the Matrix Approach provide practical guidance for leveraging AI while maintaining reliability.
Review incentives and bonus structures to reflect risk and compliance priorities - The Matrix Approach explicitly addresses how recovery capability metrics can be incorporated into performance evaluations.
Conclusion: From Plans to Capabilities
The most elegant recovery plan is worthless if it doesn't work in practice. While the McKinsey research highlights the problems, it offers limited practical guidance on implementation. The Matrix Approach fills this gap with actionable frameworks, tiering models, and validation techniques.
Through a Matrix Approach framework, incremental review, cross-functional ownership, and progressive live drills, organizations can close the gap between documentation and reality—building genuine resilience rather than a false sense of security.
So we don't really have a framework problem; we have an adoption problem. Pragmatic-to-a-fault bottom-up approaches fail to deliver the maturity and effectiveness needed in today's risk landscape. It's time to embrace a top-down, matrix-based framework that connects executive priorities to operational activities. The future of effective risk management isn't about more frameworks but about better implementation of the ones we have.
CREDITS: cover image rendering of personal hobby project using D3.js; article image Gliffy from Claude 4.0 mermaid diagram; editorial review Anthropic Claude Sonnet 4.0
Notes
[1],[2],[5],[6],[8],[9] McKinsey & Company. "Governance, Risk, and Compliance: A New Lens on Best Practices." McKinsey & Company, May 2025. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/governance-risk-and-compliance-a-new-lens-on-best-practices
[3] Vohradsky, David. "The Cyberrisk Quantification Journey." ISACA Journal, vol. 2, 2022. https://www.isaca.org/resources/isaca-journal/issues/2022/volume-2/the-cyberrisk-quantification-journey
[4] Ghaznavi-Zadeh, Rassoul. "Enterprise Security Architecture—A Top-down Approach." ISACA Journal, vol. 4, 2017. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach
[7] "Approaches to Information Security Implementation." GeeksforGeeks, 1 Mar. 2024. https://www.geeksforgeeks.org/approaches-to-information-security-implementation/
