Why GRC Teams Are Struggling in 2025

Despite rising regulatory demands, growing cyber threats and increasing board-level scrutiny, many UK organisations continue to manage governance, risk and compliance (GRC) with outdated tools and manual processes. 

In our upcoming ‘Risk Reckoning’ report a 2025 maturity study based on insights from nearly 200 GRC leaders in both large enterprises and scaling organisations, confidence in preparedness sits at an all time.  

According to the report, 87% of enterprise executives and 95% of mid-sized GRC leaders believe they are ready to handle a major compliance or security event. 

However, the same research paints a more troubling picture beneath the surface.  

Their teams still rely on spreadsheets, disconnected systems, and informal, manual process.  

These limitations are especially seen in smaller organisations with limited resources and overstretched teams. The result is a widening gap between perceived control and actual operational resilience. 

Across both enterprise and mid-market organisations, the research uncovers four main pain points across risk and compliance teams. 

Whether it's a 5-person team managing a portfolio of frameworks or a lean function embedded within operations, GRC teams are being asked to do more with less. In small to mid-sized businesses, 84% of respondents cite limited capacity as the number-one challenge for completing risk assessments and audits on time. 

Nearly 2/3rds of enterprise respondents report a lack of internal GRC expertise. In scaling organisations, the challenge is compounded by headcount limitations: GRC responsibilities are frequently assigned to operational or IT staff who lack specialist risk or compliance skills. As regulatory demands grow more complex, these hybrid roles struggle to maintain oversight, leading to reactive incident-driven management, and inconsistent controls. 

Spreadsheets remain the primary tool for GRC in most organisations - 60% of enterprises still use them to some extent as part of their key workflows. Among mid-sized businesses, a higher 86% use spreadsheets, and for teams with fewer than five compliance professionals, that spreadsheet reliance is universal. 

These workflows are often held together with ad hoc task management methods like email chains, shared folders, and manual reporting. This creates fragmented records, and inconsistent audit trails, making it difficult to track accountability or demonstrate compliance. 

Evidence collection is still largely manual, reporting cycles are delayed, and risk assessments are often inconsistent. Even where GRC tools exist, they rarely work together. 62% of enterprise organisations use four or more GRC tools, but fewer than half have achieved integration, resulting in duplicated effort, gaps in oversight, and delays in responding to issues.  

Because of this, nearly half (49%) struggle to keep up with complex regulatory obligations. At the SMB level where manual methods are the highest, over a third have experienced a breach in the past 36 months, which is often the wake-up call to re-evaluate their GRC approach. 

The research points to several underlying causes: 

The data highlights a consistent pattern: overconfidence, manual processes, limited visibility, and a reliance on tools that were never designed for the scale or complexity of today’s GRC demands. Many teams continue to operate with resource and capacity constraints that leave little room for proactive risk management.

As regulatory pressure increases and expectations rise, these gaps are becoming more visible, presenting the result of overlooked decisions, outdated methods, and deferred improvements.

Recognising it is the first step toward closing the gap between confidence and capability.

Based on a survey of 195 UK-based GRC leaders, including C-level executives from organisations ranging from 51 to over 1,000 employees, The Risk Reckoning offers a rare, side-by-side view of the operational challenges facing both enterprise and scaling teams.

Produced by SureCloud, the report reveals how high confidence in GRC programmes often masks persistent gaps in skills, tooling, and process maturity, highlighting a growing divide between expectations and real-world capability.