As a governance, danger, and compliance (GRC) software program market analysis analyst at G2, I’ve a front-row seat to the evolving GRC software program business.
From operational danger administration to IT safety compliance to anti-money laundering (AML) software program, GRC software program is geared toward making certain organizations have the proper processes to cut back dangers to their enterprise.
However what’s GRC? The which means of every of those particular person phrases is fairly intuitive. Governance is the method by which finest practices and requirements are decided and controlled. Threat means figuring out, managing, and remediating threats. Compliance is a course of to evaluate whether or not organizations and programs align with finest practices and steps for correcting misalignment. All of those work collectively to assist organizations guarantee their processes are aligned with inner insurance policies and exterior frameworks and supply help for mediating dangers and correcting noncompliance.
Does this sound summary and nebulous to you? It does to me. What does all of this imply in follow? And the way did we get right here? What’s coming subsequent? Let’s begin by exploring the historical past of GRC, then take inventory of the GRC software program market in the present day, and think about the following evolutions on this dynamic market.
Previous: the foundations of GRC
It might be stunning to study, however the historical past of GRC began not so way back. Whereas GRC has existed in follow for many years, requirements and laws will not be that new; the late Nineteen Nineties and early 2000s are largely considered the beginning of the GRC that we consider in the present day.
A lot of the present subject got here out of a handful of high-profile company scandals and the beginning of some particularly impactful regulatory occasions.
Arguably, probably the most well-known company scandal of this period is the Enron scandal. The Enron Company, based mostly in Houston, United States, was discovered to be misrepresenting earnings and hiding the corporate’s true monetary standing. The dearth of correct oversight and corrective actions resulted in Enron submitting for chapter in late 2001. Workers and shareholders collectively misplaced billions of {dollars}, a few of which was recovered by means of ensuing lawsuits. A number of Enron executives had been prosecuted for numerous monetary crimes.
Shortly after, the WorldCom scandal emerged in 2002, additionally within the US. Like Enron, WorldCom was discovered to have fabricated accounting spreadsheets and artificially inflated the corporate’s monetary efficiency to mislead traders. Once more, some executives had been prosecuted for monetary crimes, and shareholders and bondholders later acquired some compensation.
One of the crucial impactful laws on this period is the Sarbanes-Oxley Act of 2002, often known as SOX, in the US. SOX establishes the Public Firm Accounting Oversight Board (Board) to: (1) oversee the audit of public firms which can be topic to the securities legal guidelines; (2) set up audit report requirements and guidelines; (3) examine, examine, and implement compliance on the a part of registered public accounting companies, their related individuals, and authorized public accountants.
This may increasingly look like only a historical past of GRC in the US. Nevertheless, as a big financial system with huge international affect, the US has been, for higher or for worse, a pattern setter on this business.
I’d be negligent if I didn’t point out a minimum of one non-US regulation that has formed the business. Inner Management: Steering for Administrators on the Mixed Code, often known as the Turnbull Report, first printed in 1999, predated all of the occasions above. The report directed organizations to set agency inner controls and frequently audit to catch fraud and dangerous monetary standing.
Since then, extra regulatory efforts have emerged, particularly round information privateness. I’ve detailed a few of the most vital in a earlier weblog on navigating regulatory adjustments. In information privateness, specifically, we’ve began to see an emergence within the up to date subject of GRC resulting from elevated internet-based actions. The 2010s noticed an explosion of software program marketed to help organizations of their GRC efforts. Whereas most of the laws that emerged within the early 2000s addressed monetary governance, danger, and compliance, information privateness considerations additionally emerged, and alongside them, a want for regulation.
The web additionally supplied a chance to highlight organizations that had been discovered to be conducting enterprise in unpopular methods. Involved with organizational status, firms additionally expanded their GRC efforts to handle extra dangers and compliance round points like human rights and environmentalism, which can or might not be regulated based mostly on location however are vital to customers and stakeholders.
All of those points, nonetheless, can really feel disconnected and confused. Even because the software program market developed to assist organizations meet these challenges, instruments weren’t essentially complete or well-integrated with different programs and enterprise processes.
Current: GRC as a strategic enterprise perform
Because the scope of what falls below GRC broadens, one may anticipate an explosion within the varieties of software program developed to help increasing dangers and laws. Nevertheless, information on G2 suggests in any other case.
Development of GRC product sorts is constant however average
From 2018, when G2 broke out the GRC “mother or father” class, to 2024, the variety of GRC software program classes grew from 10 to 18.
Whereas this illustrates a rise within the varieties of software program within the GRC market, the expansion is modest. I don’t view this as an absence of innovation; it’s clear there are some new markets. Slightly, this progress displays the GRC software program market’s dedication to growing options that may be tailored to altering laws and requirements. There’s no must invent a brand new answer to each danger or compliance downside when markets evolve to accommodate altering circumstances.
New GRC product improvement illustrates market progress
In the identical interval, there’s a transparent spike in new GRC merchandise added to G2 in 2022. Whereas a few of that is catching up on merchandise developed earlier however not captured by G2, there’s a transparent divide between earlier than and after 2022.
As a substitute of counting new GRC merchandise by the dozen, we are able to now rely them by the a whole lot every year. As of March 2025, there are slightly below 2,000 merchandise on G2 listed in GRC software program classes.
With so many new merchandise flooding the market, it could be stunning to replicate once more on the primary chart, the place we see regular however modest progress within the varieties of merchandise rising. Once more, this can be a reflection of software program distributors growing merchandise which can be adaptable to altering market circumstances.
The variety of new merchandise in the marketplace displays the growing significance of getting a well-developed GRC program. GRC is a fast-growing business, which is mirrored within the progress of GRC merchandise, not within the scope of the market itself.
Closely regulated industries make the most of GRC merchandise
We are able to additionally acquire some insights by trying on the variety of opinions submitted on G2.com for merchandise within the GRC classes. Reviewers choose “Industries” from a dropdown menu when writing GRC product opinions on G2.
Unsurprisingly, the highest industries represented are closely regulated industries, like data expertise and providers (assume GDPR and ISO 27001). Or monetary providers, considering again to SOX. Hospital and well being care is regulated by HIPAA.
There are simply over 20,000 opinions on G2.com for merchandise within the GRC classes. The 5 industries above replicate practically half the entire opinions for GRC merchandise.
Enhance in evaluate counts suggests growing GRC adoption
The numbers are much more stark once we examine the variety of opinions submitted in 2018 by reviewers in these identical industries to these submitted in 2024.
This enhance within the variety of opinions submitted in 2018 in comparison with these submitted in 2024 means that extra organizations are recognizing the significance of a well-planned GRC technique and spending cash on software program to assist them obtain their objectives.
However what may that appear to be if this progress continues in a couple of years?
Future: the place GRC is headed (and the way AI suits in)
After all, the subject on everybody’s thoughts is the emergence of AI. We’ve all learn the headlines highlighting moral and authorized considerations surrounding how AI is utilized. From the current Studio Ghibli fashion AI artwork technology controversy to the considerations round coaching AI on materials that, usually unintentionally, generates dangerous content material, the potential for harm with out regulation may be very actual. And the pace with which AI expands and improves capabilities means any impactful laws will battle to maintain up.
Nevertheless, the necessity to think about AI danger shouldn’t be restricted to regulatory compliance. Suppose again to the beginning of this weblog. Enron is perpetually tainted for these sufficiently old to recollect the controversy. Authorized penalties apart, organizations danger vital reputational harm for “doing the mistaken factor”. Reputational and different much less tangible dangers shouldn’t be minimized.
This highlights organizations’ want for a complete GRC technique. This isn’t a “good to have”; it’s essential. Organizations that proactively account for danger can mitigate losses if and when occasions happen.
Healthcare organizations, for instance, which have sturdy enterprise continuity plans perceive their danger profile and have plans to reply to an occasion, corresponding to a ransomware assault, that shuts down their enterprise and opens them to fines. On this instance, a healthcare group that may get its enterprise again and operating faster and reply in a means that minimizes additional publicity to regulatory violations is in a significantly better enterprise place than one which doesn’t.
Anticipate to see extra consideration on the government degree to points surrounding danger and compliance as a enterprise technique.
Together with understanding danger and navigating compliance, anticipate to see extra nimble and customizable GRC platforms in the marketplace. With the considerations round AI talked about earlier and the challenges adapting to the pace of technological innovation, danger and compliance managers might be challenged to remain in compliance with continually evolving regulatory necessities. I anticipate to see extra regulatory change administration software program in the marketplace, both as some extent answer or as a extra superior perform of bigger GRC platforms.
Lastly, anticipate to see extra danger domains emerge. One subject that’s being mentioned is human danger administration. Anybody working in cybersecurity is aware of that your largest organizational danger is your folks. 79% of organizations that do safety consciousness coaching skilled a human-related information breach over the previous 12 months. Coaching and consciousness will not be sufficient to guard a corporation. They should proactively handle human danger past training.
What’s subsequent?
Solely time will inform what new danger and compliance issues will emerge. Will there be a 2020s Enron that reshapes the regulatory panorama? Will that come from AI? How will the market reply? How will rising dangers impression enterprise choices and useful resource allocation? All these unknowns spotlight the significance of a complete GRC technique and the necessity for software program options to help altering environments.
GRC is not the one factor altering. Learn how G2 continues to prioritize innovation within the age of AI and past.
Edited by Supanna Das
![How To Drive Extra Conversions With Fewer Clicks [MozCon 2025 Speaker Series]](https://blog.aimactgrow.com/wp-content/uploads/2025/06/Mozcon2025_Speaker-OGimage_1600x900_RebeccaJackson_London-120x86.png)
