by Lauren Worth / May 7, 2025
As a governance, risk, and compliance (GRC) software market research analyst at G2, I have a front-row seat to the evolving GRC software industry.
From operational risk management to IT security compliance to anti-money laundering (AML) software, GRC software is aimed at ensuring organizations have the right processes to reduce risks to their business.
But what is GRC? The meaning of each of the individual words is fairly intuitive. Governance is the process by which best practices and standards are determined and enforced. Risk management means identifying, managing, and remediating threats to the business. Compliance is the process of assessing whether organizations and systems align with those standards, and of correcting misalignment where it is found. Together, they help organizations keep their processes aligned with internal policies and external frameworks, mitigate risk, and correct noncompliance.
Does this sound abstract and nebulous to you? It does to me. What does all of this mean in practice? And how did we get here? What’s coming next? Let’s start by exploring the history of GRC, then take stock of the GRC software market today, and consider the next evolutions in this dynamic market.
It may be surprising to learn, but the history of GRC as a discipline is not very long. Governance, risk management, and compliance have each existed in practice for decades, but the formalized field we call GRC is relatively new; the late 1990s and early 2000s are largely regarded as the start of GRC as we think of it today.
Much of the current field came out of a handful of high-profile corporate scandals and the birth of some especially impactful regulatory events.
Arguably, the most famous corporate scandal of this era is the Enron scandal. The Enron Corporation, based in Houston, United States, was found to have misrepresented its earnings and hidden the company’s true financial condition. The lack of effective oversight and corrective action resulted in Enron filing for bankruptcy in late 2001. Employees and shareholders collectively lost billions of dollars, some of which was recovered through subsequent lawsuits. Several Enron executives were prosecuted for financial crimes.
Shortly after, the WorldCom scandal emerged in 2002, also in the US. Like Enron, WorldCom was found to have falsified its accounting records and artificially inflated the company’s financial performance to mislead investors. Again, executives were prosecuted for financial crimes, and shareholders and bondholders later received some compensation.
One of the most impactful regulations of this era is the Sarbanes-Oxley Act of 2002, known as SOX, in the United States. SOX established the Public Company Accounting Oversight Board (PCAOB) to: (1) oversee the audits of public companies that are subject to the securities laws; (2) establish audit report standards and rules; and (3) inspect, investigate, and enforce compliance on the part of registered public accounting firms, their associated persons, and certified public accountants.
This may appear to be just a history of GRC in the United States. However, as a large economy with enormous global influence, the US has been, for better or for worse, a trend setter in this industry.
I’d be negligent if I didn’t mention at least one non-US regulation that has shaped the industry. Internal Control: Guidance for Directors on the Combined Code, known as the Turnbull Report, was first published in 1999 and predates all the events above. The report directed organizations to establish firm internal controls and to audit them regularly in order to catch fraud and identify financial risk.
Since then, more regulatory efforts have emerged, especially around data privacy. I’ve detailed some of the most important in a previous blog on navigating regulatory changes. While many of the regulations of the early 2000s addressed financial governance, risk, and compliance, data privacy concerns grew alongside the rise of internet-based business activity, and with them came a desire for regulation. Data privacy has since become a core part of the contemporary field of GRC, and the 2010s saw an explosion of software marketed to assist organizations in their GRC efforts.
The internet also made it easier to spotlight organizations found to be conducting business in unpopular ways. Concerned with their reputation, companies expanded their GRC efforts to address additional risks and compliance obligations around issues like human rights and environmental impact, which may or may not be regulated depending on location but matter to consumers and stakeholders.
All of these issues, however, can feel disconnected and confused. Even as the software market evolved to help organizations meet these challenges, tools were not necessarily comprehensive or well-integrated with other systems and business processes.
As the scope of what falls under GRC broadens, one might expect an explosion in the types of software developed to support expanding risks and regulations. However, data on G2 suggests otherwise.
From 2018, when G2 broke out the GRC “parent” category, to 2024, the number of GRC software categories grew from 10 to 18.
While this illustrates an increase in the types of software in the GRC market, the growth is modest. I don’t view this as a lack of innovation; it’s clear that some new markets have emerged. Rather, the pattern reflects the GRC software market’s focus on solutions that can be adapted to changing regulations and standards. There is no need to invent a new category of product for every risk or compliance problem when existing products evolve to accommodate changing conditions.
In the same period, there is a clear spike in new GRC products added to G2 in 2022. While some of this is G2 catching up on products developed earlier but not previously captured, there is a clear divide between the years before and after 2022.
Instead of counting new GRC products by the dozen, we can now count them by the hundreds each year. As of March 2025, there are just under 2,000 products on G2 listed in GRC software categories.
With so many new products flooding the market, it may be surprising to look again at the first chart, which shows steady but modest growth in the number of product types. Again, this reflects software vendors building products that adapt to changing market conditions rather than creating a new category for each new requirement.
The number of new products on the market reflects the increasing importance of a well-developed GRC program. GRC is a fast-growing industry, and that growth shows up in the number of GRC products, not in the number of distinct product categories.
We can also gain some insights by looking at the number of reviews submitted on G2.com for products in the GRC categories. Reviewers select “Industries” from a dropdown menu when writing GRC product reviews on G2.
Unsurprisingly, the top industries represented are heavily regulated ones: information technology and services (think of GDPR, and standards such as ISO 27001), financial services (think back to SOX), and hospital and health care, which in the US is regulated by HIPAA.
There are just over 20,000 reviews on G2.com for products in the GRC categories. The five industries above reflect nearly half the total reviews for GRC products.
The numbers are even more stark when we compare the number of reviews submitted in 2018 by reviewers in these same industries with the number submitted in 2024.
This increase in reviews from 2018 to 2024 suggests that more organizations are recognizing the importance of a well-planned GRC strategy and spending money on software to help them achieve their goals.
But what might the market look like in a few years if this growth continues?
Of course, the topic on everyone’s mind is the emergence of AI. We’ve all read the headlines highlighting ethical and legal concerns surrounding how AI is utilized. From the recent Studio Ghibli style AI art generation controversy to the concerns around training AI on material that, often unintentionally, generates harmful content, the potential for damage without regulation is very real. And the speed with which AI expands and improves capabilities means any impactful regulations will struggle to keep up.
However, the need to consider AI risk should not be limited to regulatory compliance. Think back to the start of this blog. Enron is forever tainted for those old enough to remember the scandal. Legal consequences aside, organizations risk significant reputational damage for “doing the wrong thing”. Reputational and other less tangible risks should not be minimized.
This highlights organizations' need for a comprehensive GRC strategy. This is not a “nice to have”; it’s a must-have. Organizations that proactively account for risk can mitigate losses if and when events occur.
Healthcare organizations with strong business continuity plans, for example, understand their risk profile and have a plan for responding to an event such as a ransomware attack that halts operations and exposes them to regulatory fines. In practice that means tested backups and a rehearsed incident response plan, not just a document on a shelf. A healthcare organization that can restore operations quickly and respond in a way that minimizes further regulatory exposure is in a much better business position than one that cannot.
Expect to see more attention at the executive level to issues surrounding risk and compliance as a business strategy.
Along with a better understanding of risk and compliance, expect to see more nimble and customizable GRC platforms on the market. Given the concerns around AI mentioned earlier and the difficulty of keeping pace with technological innovation, risk and compliance managers will be challenged to stay current with constantly evolving regulatory requirements. I expect to see more regulatory change management software on the market, either as a point solution or as a more advanced function of larger GRC platforms.
Finally, expect to see more risk domains emerge. One topic being discussed is human risk management. Anyone working in cybersecurity knows that your people are among your biggest organizational risks. 79% of organizations that conduct security awareness training still experienced a human-related data breach over the past 12 months. Training and awareness alone are not enough to protect an organization; organizations need to manage human risk proactively, beyond education.
Only time will tell what new risk and compliance considerations will emerge. Will there be a 2020s Enron that reshapes the regulatory landscape? Will that come from AI? How will the market respond? How will emerging risks impact business decisions and resource allocation? All these unknowns highlight the importance of a comprehensive GRC strategy and the need for software solutions to support changing environments.
Edited by Supanna Das
Lauren is a Market Research Analyst at G2 working with privacy, security, and GRC software. Prior to joining G2, Lauren worked in international education for over a decade. She enjoys reading, traveling to less commonly visited global destinations, and trying new foods.