GRC is the new ESG
A few years ago, ESG was the hottest subject in town. Every organization was increasingly working on sustainability goals, Ecovadis scores were happily (or grudgingly, if less positive) shared, and posts about solar energy, electrification of the fleet and social responsibility were rife. Now, we see the ESG attention waning. Less media attention, less hype. Is this because there is no more need for ESG-related activities? Absolutely not. But, and this is an important observation, there is a geopolitical attention shift ongoing, which doesn't really help. The ESG drivers are still there, but now rely more on direct financial benefits and sustainability for the organization itself, rather than the need to make an external point. And in all honesty, that is not entirely a bad development.

At the same time, we see GRC shifting from a boring, dull corner where really nobody wanted to be, to a focus point of attention. The drivers for this are an enhanced focus on regulatory compliance, driven by increased geopolitical uncertainty and the increasing dependence of society as a whole on IT.
A historical perspective
In the early days, companies treated governance, risk, and compliance as separate worlds: legal handled regulations telling other functions what they could or couldn't do, finance watched controls, and security quietly tried to keep threats out. Each function wrote its own rules, used its own tools, and reported in its own language. This meant leadership saw only fragments of the real risk picture.
As regulations multiplied and globalization increased, these silos started to crack; scandals, fines, and reputational damage showed that isolated efforts were no match for complex, interconnected risks.
In response, organizations began to weave these strands into a single framework: Governance to set direction and accountability, Risk Management to identify and treat uncertainties, and Compliance to ensure behavior stayed within legal and ethical boundaries. This integrated GRC story promised a number of things executives wanted: fewer nasty surprises, better decisions, and a stronger foundation for long‑term growth and trust.
Vendors and consultants turned this idea into platforms and methodologies, and the market for GRC solutions started to expand, with forecasts now projecting a lot of value and double‑digit annual growth.
IT enters the picture
Next, digital transformation rewrote the script: data volumes exploded, processes moved online, and even traditional industries became software-driven. Risks that once evolved slowly, like fraud, operational failures, or privacy breaches, began moving at network speed, forcing organizations to rely on technology, analytics, and automation to keep up.
This wave made GRC more than a control function; it became a way to navigate disruption, with advanced tools using analytics and, increasingly, AI to scan for emerging risks, streamline compliance tasks, and support faster, data‑driven decisions.
Within this broader story, IT moves from supporting actor to protagonist: every strategic initiative—cloud migrations, remote work, SaaS adoption, AI—runs on technology, and therefore carries technology risk. GRC emerges as the discipline that connects cybersecurity, data protection, and technology operations back to the organization's governance, risk appetite, and compliance obligations. Business continuity is key, as we have seen in some large-scale outage events in the past 12 months.
Frameworks, controls, and policies once discussed only in security or infrastructure teams became boardroom topics, as leaders needed assurance that digital projects complied with regulations like GDPR or NIS2 and that risk remained within acceptable bounds.
Is GRC here to stay?
Gartner published an article at the end of last year on the broader predictions for GRC functions. In this prediction we see a plot of different GRC aspects and functions on their own Hype Cycle. Interestingly, Gartner believes a lot of the initiatives are already on the downward slope into the trough of disillusionment and are predicted to enter the plateau of productivity in the coming few years. In Europe, this is likely being sped up by a number of regulations coming into effect, such as the Digital Services Act and NIS2. A common misconception is that a large number of organizations are not affected by these developments because the regulations do not directly apply to them. The reality is that, due to the supply chain principle for instance, the larger organizations are still demanding compliance from the smaller players. This suddenly makes GRC a management focus point for every organization.