UK executives are confident in their governance, risk, and compliance (GRC) programmes despite significant risks, according to new SureCloud research.
Conducted in partnership with CIO Dive, the survey of 152 senior leaders at organisations with annual revenues exceeding £50 million found a striking contradiction. Even though 87% of executives claim their companies are ready to respond to major GRC events, most acknowledge persistent challenges that complicate their actual risk posture.
Key survey findings include:
- Fragmented tooling: 62% of respondents use four or more separate GRC tools, but fewer than half (45%) have integrated them for real-time visibility.
- Manual processes persist: Despite significant investments in automation, 60% of teams still rely heavily on spreadsheets and ad-hoc workflows for managing GRC.
- Talent and budget shortfalls: Nearly two-thirds (63%) of executives cite a lack of internal GRC expertise, while 57% point to budget constraints as major barriers to effective GRC.
- Regulatory overload: Organisations manage an average of five or more regulations simultaneously, with almost half (49%) admitting difficulty keeping pace with constant regulatory changes.
- Cybersecurity dominates concerns: Cyber threats are the leading risk area, cited by 89% of respondents as their primary concern today and by 81% as the biggest anticipated challenge over the next two years.
The findings reveal a significant gap between executives' confidence in GRC and the real challenges their organisations face. Leaders tout major investments and high board engagement as evidence of success, yet many also admit they struggle with disconnected systems, manual processes, budget constraints, and changing regulations.
It may seem harmless, but this disconnect is a risk. It signals that executives could be overlooking critical problems. The biggest risk today isn’t a breach or a fine, according to SureCloud. It’s thinking everything is fine when, in reality, it’s not.
“Most GRC programmes look mature on paper,” says Nick Rafferty, Co-Founder and CEO at SureCloud, “especially when companies invest a lot in tools and people. But most leaders still can’t point out their biggest risks until something goes wrong.”
To address these issues, executives can start by improving visibility across GRC. Adopting integrated platforms, clarifying roles, and modernising outdated workflows will help close the gap between perception and reality.
Specifically, business leaders can:
- Integrate multiple GRC tools into a single, comprehensive platform.
- Clearly define and document roles to prevent duplication of effort.
- Automate reporting to improve accuracy and timeliness.
- Regularly reassess assumptions around GRC maturity and effectiveness.
The organisations that take these steps now will build stronger, more responsive GRC programmes, ones that support long-term growth and agility.
SureCloud helps organisations address GRC risks with clear, real-time visibility into the health of their programmes. Its integrated platform combines Dynamic Risk Intelligence and Continuous Control Monitoring to expose the gaps executives might not otherwise see.
With SureCloud, organisations can:
- Quickly identify and prioritise critical risks.
- Automate manual workflows to eliminate inefficiencies and human error.
- Enforce accountability across teams to improve responsiveness.
- Access real-time insights and respond to regulatory changes and compliance demands faster.
Organisations that adopt integrated GRC platforms like SureCloud can manage risk proactively, stay compliant, and support sustained growth without unexpected results.
Survey Methodology:
SureCloud’s findings are based on a survey of 152 senior UK executives at organisations with annual revenues of £50 million or more, conducted by StudioID between March and April 2025. Respondents represented a range of industries, including technology, financial services, manufacturing, retail, transportation, and logistics. Of respondents, 81% held C-suite roles, with 19% at the EVP or VP level.
Learn More:
For full survey insights and recommendations, download the complete Risk Reckoning Report from SureCloud.
SureCloud is a leading provider of Governance, Risk, and Compliance (GRC) solutions, delivering an integrated platform that empowers organizations to streamline compliance, manage risk, and enhance resilience. Leveraging Dynamic Risk Intelligence (DRI) and customizable workflows, SureCloud helps businesses proactively identify, monitor, and mitigate risks while ensuring regulatory alignment.
With a proven track record in highly regulated industries such as finance, healthcare, and energy, SureCloud combines innovative technology with expert-led implementation to drive measurable results. Trusted by organizations worldwide, SureCloud is dedicated to simplifying complex processes, enabling informed decision-making, and safeguarding business-critical assets.
SureCloud—Your Business, Assured.