Objective-led GRC

Busy, but not connected: What 67 per cent of risk leaders told us in our 2026 survey

The alignment between governance work and business objectives isn't broken - it's incomplete. Here's what the gap costs, and what it tells us about where modern GRC is heading.

Charlotte Clark-Wilson, Head of Content & Product Marketing
30 Jun
Drova 2026 objective-led GRC survey of risk and compliance leaders

Earlier this year, we put a question to risk and compliance leaders. “Is the governance, risk, and compliance work in your organisation actually connected to the business objectives you’re trying to achieve?”

The responses came back with a particular shape. Not a single respondent said their program was unaligned, but only one in three said the alignment was strong. The other two thirds, sixty-seven per cent, sat in the middle ground of ‘somewhat aligned’.

That’s not a disconnect. It’s an incomplete connection. And the cost of an incomplete connection turned out to be the rest of the survey.

 

The intent is there. The execution is still catching up.

 

The 33 / 67 / 0 split is, on its own, a hopeful number. Risk and compliance professionals across our respondent base agreed on something the industry sometimes acts as if it doesn’t believe: GRC work should be tied to business objectives. The intent is settled.

The trouble is the next question. When work is only somewhat connected, almost everything else gets a little harder. Control priorities drift. Review cycles run on calendars that don’t match decision-making cadences. Risk frameworks express what matters in language the business doesn’t quite recognise. Reporting takes longer to produce and lands with less weight when it arrives.

If a third of respondents are strongly aligned, two thirds are operating in a model that is working, but not yet directed. That gap is where the rest of the data sits in silos.

 

Where the work breaks: structural barriers

 

When we asked what most limits respondents’ ability to achieve their objectives, the answers were specific and practical.

Forty-three per cent named fragmented data and tools as their single biggest structural barrier. Twenty-four per cent pointed to lack of shared visibility across functions. Nineteen per cent flagged a compliance-first governance culture. Fourteen per cent cited reporting cycles running ahead of insight cycles.

Taken together, those four responses describe a coherent operating problem. Risks live in one system. Controls live in another. Objectives live somewhere else entirely, often in a strategic plan a risk leader never sees on the same screen as the register they’re trying to align it to. Even when frameworks are sound, the day-to-day experience becomes joining things up by hand. Nearly half of respondents are still doing that joining work manually, which is why ‘less manual effort’ appeared, repeatedly, on the wish list.

This isn’t a technology gap in the sense of ‘more software needed’, but it is a significant architecture gap. The pieces exist. They just don’t share a backbone.

 

Why good governance still speaks too quietly

 

The cultural finding was one that landed hardest. Sixty-two per cent of respondents named ‘unclear link between success and governance outcomes’ as the biggest cultural barrier to achieving their objectives. By contrast, only fourteen per cent said governance was seen as the brake rather than the engine. Only fourteen per cent cited a lack of executive sponsorship. And only ten per cent pointed to fear of losing control through automation or AI.

That is a meaningful pattern. The real cultural friction isn’t resistance to GRC, but the invisibility of it.

When governance contributes to a business outcome, the contribution doesn’t always show up in the language the business uses. A risk averted shows up as nothing happening, which is hard to take credit for. A control that works keeps a quarterly result stable, which is hard to attribute. A compliance cycle that closes cleanly produces no story at all, only the absence of a story that would have been bad.

That is why so many GRC functions feel they are working hard and still being seen as a cost centre. The work is real, but the visibility of the work isn’t.

The implication for the next generation of GRC platforms isn’t subtle. If success in governance is ‘nothing went wrong’, the platform has to make the contribution visible by tying it back to what the business actively cares about: business objectives, business performance, business priorities. Otherwise good governance keeps speaking, and the business won’t hear a thing.

 

The 76 per cent everyone should be talking about

 

The clearest single signal in the whole survey came from the behavioural barriers question. Seventy-six per cent of respondents named cognitive overload as their biggest limitation to achieving objectives. Four times more than the next answer (change fatigue, at fourteen per cent). Fifteen times more than fear of exposure, or comfort in control.

The GRC industry has spent a decade asking risk leaders to care more, build more controls, run more workshops, lift more capability. The data says they already care. They are already trying. What they are running out of isn’t will, it’s capacity.

That changes the design brief for what good GRC software should do. If three quarters of the user base are pointing to cognitive overload, the case for change isn’t about persuading people to engage. It is about reducing the manual coordination work that is eating their bandwidth before they get anywhere near the strategic conversation.

This is also the finding that points most directly to where AI earns its place in governance. Not as a chatbot bolted on top of a dashboard, but as an execution layer that takes the manual coordination work, and gives risk and compliance leaders their week back.

 

What risk leaders actually want, in their own words

 

When we asked what would most strengthen the connection between business objectives and GRC, the responses landed on five themes:

  1. One connected view, across objectives, risks, controls, obligations, incidents, and performance.
  2. Stronger alignment to business priorities, so governance reflects what the organisation is actually trying to achieve.
  3. Less manual effort, less spreadsheet drag, less duplicate handling.
  4. Better ownership across the business, with clearer accountability and stronger collaboration with the first line.
  5. Reporting that drives action, not reporting that takes a week to produce and gets skimmed.

What is notable is how practical the wish list is. Nobody is asking for a new philosophy. Simply a more connected operating environment.

 

What this means for modern GRC

 

Risk leaders want governance that is more closely connected to strategy, easier to action, and easier to defend in terms of business value.

That is the shift that all signs point to. Objective-led GRC, where every risk, every control, every requirement, every piece of evidence ladders back to a business objective. AI-native execution, where the manual coordination work is handled by specialist agents so risk and compliance leaders move back up the value chain. Reporting that explains the contribution in the business’s own language. One connected platform instead of seven.

The intent is there. The architecture is what’s still catching up.

Full survey findings, including the structural and behavioural barriers, board conversation patterns, and what risk leaders said would change the picture.

Objective-led GRC Insights Report