McKinsey Confirms the Limits of GRC and Points Toward Integration

In its May 2025 article Governance, Risk, and Compliance: A New Lens on Best Practices, McKinsey & Company delivers a candid assessment of the widespread shortcomings in today’s governance, risk, and compliance (GRC) functions. Based on survey data from nearly 200 corporate leaders, the article highlights persistent underperformance across all three pillars of GRC and outlines five imperatives for reform. But what McKinsey never quite says—though it clearly suggests—is that the GRC model itself may be past its expiration date.

The findings echo what many in the risk management profession have long understood: legacy GRC frameworks are no longer adequate in a world defined by interconnected risks, real-time decisions, and strategic uncertainty. Below, we examine the key insights from the report and explain how they point—whether intentionally or not—toward Integrated Risk Management (IRM) as the future-facing alternative.

McKinsey’s GRC Findings: Symptoms of a Failing Model

The McKinsey article reveals five systemic weaknesses that mirror longstanding critiques of legacy GRC approaches:

1. Lack of Strategic Integration

Most organizations continue to manage GRC through fragmented reporting lines. Risk often sits under the CFO, compliance under the general counsel, and the board only engages episodically. This structure sidelines risk from strategic decisions. By contrast, IRM integrates these domains and elevates risk to a core executive function—where it belongs.

2. Technology Underutilization

Despite decades of investment, 42% of companies say their GRC systems “need improvement.” Many are using only a fraction of available capabilities. This highlights a core limitation of GRC platforms: they promise integration, but often deliver only documentation. It’s the “illusion of integration” that keeps companies reactive rather than responsive.

3. Undervaluing Risk Leadership

According to the report, 44% of heads of risk sit more than one level below the CEO. The result? Risk becomes operational, not strategic. IRM reverses this by embedding risk leadership at the C-suite level and aligning the function with forward-looking performance objectives.

4. Weak Alignment with Incentives

A striking 68% of respondents say their organizations do not tie executive compensation to compliance culture or ethical performance. GRC talks about “tone at the top,” but rarely supports it structurally. IRM frameworks promote a risk-informed performance model that connects strategy, metrics, and accountability.

5. Failure to Advance from Tactical to Strategic

McKinsey notes widespread gaps in foresight capabilities such as scenario planning, stress testing, and horizon scanning. These are foundational to IRM maturity but remain largely absent in GRC models, which rely on periodic reviews and static risk registers.

How IRM Answers McKinsey’s Call for Transformation

While the McKinsey article never uses the term Integrated Risk Management, its five imperatives align closely with IRM’s core principles:

[Figure: comparison of McKinsey's five imperatives with IRM's core principles. Source: Wheelhouse Advisors]

Strategic Implication: GRC as an Expired Paradigm

Despite its neutral tone, McKinsey’s article amounts to a de facto critique of the GRC operating model. It documents the failure of GRC to mature into a strategic discipline, even as regulatory demands and enterprise complexity continue to increase. The clearest endorsement of IRM is the article’s emphasis on integration as the missing ingredient:

  • Integration across governance and operations—not just board subcommittees.

  • Integration between strategy and risk appetite—not siloed registries.

  • Integration of technology and human expertise—not manual oversight.

  • Integration between risk awareness and business incentives—not box-ticking ethics training.

These aren’t mere enhancements to GRC. They’re foundational shifts in operating model—shifts that IRM is purpose-built to support.

Closing Thought

Rather than representing a refinement of GRC, McKinsey’s article confirms its structural inadequacy. The five imperatives McKinsey outlines are not patchwork solutions—they are signals that the traditional GRC model has reached its limits. The future belongs to organizations that adopt Integrated Risk Management: a model that unifies risk oversight with strategic execution, harnesses real-time insight, and empowers leaders to act—not just attest.

The risk environment has changed. The framework for managing it must change too.


Source Reference
McKinsey & Company. “Governance, Risk, and Compliance: A New Lens on Best Practices.” May 9, 2025.

Ori Wellington

Orion “Ori” Wellington is the lead editor for The RiskTech Journal and The RTJ Bridge, where he helps shape editorial direction, guide strategic narratives, and support media relations across Wheelhouse Advisors. As a digital editorial advisor, Ori synthesizes trends in risk, technology, and governance, drawing from roles modeled on information security, risk analytics, and IT leadership.

Part of Wheelhouse’s AI-augmented research team, Ori works to distill complex signals into actionable intelligence—bridging expertise across domains and elevating the voice of integrated risk thinking.

https://wheelhouseadvisors.com