The SureCloud Risk Reckoning report highlights the underlying issues preventing compliance, risk and audit control

- 3rd Sep 2025

In Short
- Although GRC teams are confident, a problematic landscape of reliance on spreadsheets, disconnected systems and manual processes tells another story. SureCloud is ready to share it.
The Risk Reckoning report, a seminal maturity study from GRC specialist SureCloud, has revealed an extremely high level of confidence among both enterprise and scaling organisations in their preparedness for dealing with a major compliance or security event.
The report, which is based on insights from nearly 200 GRC leaders, found that 87 per cent of enterprise executives and 95 per cent of mid-sized business leaders were confident in their ability to deal with a large compliance or security event. Whilst on the face of things this points to a sector that is well armed to deal with an increasingly sophisticated cyber threat and complex regulatory landscape, the report has also found some troubling trends that point to deep underlying issues that could impact businesses’ ability to deal with a crisis.
Critical skills gap in enterprise and mid-sized businesses
Despite the level of confidence from executives, there are some immediate findings that point to a very different reality. One of those is the GRC skills gap that exists for all companies.
Nearly 2/3rds of enterprise respondents admitted that there was a lack of GRC expertise within their teams. For scaling organisations this gap is compounded by a lack of headcount, with the report showing that 63 per cent of SMBs had only between 1-5 people within the business who were allocated to deal with GRC.
GRC is no longer a ‘nice to have’ but a critical element of every business, no matter what sector or size. Not having the right skill-sets or enough people to deal with governance, risk and compliance is now a real problem. Set against a backdrop of increasingly sophisticated cyber threats and complex regulatory landscapes, remaining secure and compliant is a day-to-day challenge.
Indeed, the Risk Reckoning report also highlighted that GRC teams are being asked to do more with less, particularly in SMBs. 84 per cent of SMB respondents cited limited capacity as the number one challenge for completing risk assessments and audits in time.
Use of inadequate tools
The challenges facing overstretched teams lacking the right experience are compounded by the common use of inadequate tools.
The Risk Reckoning report has shown that spreadsheets remain the primary tool for GRC teams in most organisations. 60 per cent of enterprises still use them to some extent as part of their key workflows and a worrying 86 per cent of mid-sized businesses are reliant on them. Indeed, for those businesses with fewer than five compliance professionals, the use of spreadsheets is universal.
These workflows are held together with ad hoc management methods such as spreadsheets, email chains, shared folders and manual reporting. This creates fragmented records and inconsistent audit trails, which are no longer acceptable or effective in today’s GRC landscape.
So why are businesses clinging onto the past? Cost and familiarity are factors, particularly for SMBs. Even though spreadsheets are not fit for modern compliance purposes, the fact that they are free and relatively easy to use is a real plus point.
Spreadsheets are at the opposite end of the scale to the enterprise-level solutions that dominate the market, which are expensive and incredibly complex, meaning that most SMBs do not even consider implementing them.
Slow, manual and inefficient processes
The Risk Reckoning report has also shown that evidence collection is still largely manual, reporting cycles are delayed, and risk assessments are inconsistent. This is not helped by an overcrowded market of GRC solutions that very rarely work together. 62 per cent of enterprise organisations use four or more GRC tools, but fewer than half have achieved integration. As a result, nearly half (49 per cent) struggle to keep up with complex regulatory requirements.
The report has highlighted key issues for all businesses looking to remain compliant and secure. Despite the initial confidence in GRC teams, the results have shown that there are key issues that need to be overcome if businesses are to achieve their goals, as Nick Rafferty, Co-founder and CEO at SureCloud explains:
“The Risk Reckoning report has highlighted a huge gap between GRC executives’ confidence and the reality of their ability to remain compliant and secure. Over-stretched, under-skilled teams, a reliance on ineffective solutions and slow, manual processes are all showing that real issues remain, against a backdrop of complex regulatory landscapes and sophisticated cyber threats.
“However, new solutions, particularly those designed specifically for scaling businesses, are now helping to bridge the gaps and bring a level of automation that up until now has been unavailable to smaller businesses because of high pricing and complexity barriers. The issues are not going away, and with many only reacting after a breach, audit failure or missed deadline, this lack of urgency must be replaced by proactivity and a realisation that most companies are not as well prepared as they might think,” Rafferty concluded.
To find out more, download the Risk Reckoning and get ahead of your GRC struggles.
About SureCloud
Since its founding in 2006, SureCloud Ltd. has two decades of experience as a leading provider of Governance, Risk, and Compliance (GRC) solutions. Headquartered in the UK, with offices in the US, SureCloud supports a global portfolio of organisations with its holistic and intelligent GRC platform. Whether addressing cyber risk, data privacy, third parties, or compliance demands, SureCloud has a proven record of empowering organisations to continuously identify, manage and automate their risk and regulatory alignment.