McKinsey Confirms the Limits of GRC and Points Toward Integration

McKinseyIRMGRC
Written By Ori Wellington

In its May 2025 article Governance, Risk, and Compliance: A New Lens on Best Practices, McKinsey & Company delivers a candid assessment of the widespread shortcomings in today’s governance, risk, and compliance (GRC) functions. Based on survey data from nearly 200 corporate leaders, the article highlights persistent underperformance across all three pillars of GRC and outlines five imperatives for reform. But what McKinsey never quite says—though it clearly suggests—is that the GRC model itself may be past its expiration date.

The findings echo what many in the risk management profession have long understood: legacy GRC frameworks are no longer adequate in a world defined by interconnected risks, real-time decisions, and strategic uncertainty. Below, we examine the key insights from the report and explain how they point—whether intentionally or not—toward Integrated Risk Management (IRM) as the future-facing alternative.

Ori Wellington

Orion “Ori” Wellington is the lead editor for The RiskTech Journal and The RTJ Bridge, where he helps shape editorial direction, guide strategic narratives, and support media relations across Wheelhouse Advisors. As a digital editorial advisor, Ori synthesizes trends in risk, technology, and governance, drawing from roles modeled on information security, risk analytics, and IT leadership.

Part of Wheelhouse’s AI-augmented research team, Ori works to distill complex signals into actionable intelligence—bridging expertise across domains and elevating the voice of integrated risk thinking.

https://wheelhouseadvisors.com
Sign up to read this post
Join Now
Previous

Integrated Risk Thinking: The Mindset That Unlocks the Power of the IRM Navigator™ Model
Next

AI Insurance Emerges as Chatbot Failures Highlight New Liabilities