GRC World Forum 2025: Highlights

The GRC World Forum held its annual #Risk conference, hosted by Fordham Law School, on July 9 and 10, 2025. The event provided an opportunity to validate and socialize what Chartis is writing about the future of governance, risk and compliance (GRC) and related innovations. Aside from a heavy dose of marketing from session leaders and vendors, a few influential drivers that are shaping a future GRC industry solidly resonated with event attendees. Here’s a summary.

Overall, attendees were aligned on a central trend: GRC is being fundamentally reshaped by cost and performance pressures, disruptive innovation, AI, a new generation of risk managers and a relentless push for value that’s been unrecognized for decades.

What’s fueling this trend?

• Innovation and costs are creating a long tail of solutions and choices for risk professionals. Innovation has disrupted the market and created a long tail of solutions and choices dedicated to the buying patterns of a broader landscape of business leaders. More than 50% of risk managers are now considering a switch in GRC vendors, according to a recent Risk.net benchmark study. The same study shows that at least four of five large UK financial institutions are rethinking the relationship between the three lines of defense and enabling GRC technologies.  New buying patterns are characterized by several archetypes, including risk domains specific to critical functions, specific regional and business-line demands, and the level of sophistication of the end user.
• AI in GRC is finding early value. The AI buzz is real, but it’s no longer just hype. Early investments in AI-driven linguistics, AI as UI and risk intelligence are generating measurable gains. Key use cases – AI governance, third-party risk, code generation/validation, workflow automation, regulatory obligation management and cyber risk – are prime investment areas for the balance of 2025. Both established players and startups are racing to deliver these innovations, and the impact is beginning to be felt across the GRC value chain.
• AI regulation: the new geopolitical battleground. AI regulation isn’t just another chapter of prescriptive rule making. Instead, AI regulation has become how nations signal their ambitions, values and boundaries. And while traditional geopolitical risk largely focuses on factors such as resources, military might, etc., AI regulation has become a pathway to technological leadership and dominance.
• GRC as enterprise infrastructure. GRC is stepping out of the back office and onto the board agenda. It’s now intertwined with critical business infrastructure, sometimes even eclipsing cybersecurity as a board-level priority. Success in this environment demands integrated workflows, robust risk data management, and personalized analytics tailored to a diverse array of stakeholders. The end game? Value, resilience with agility and a connected approach to risk.
• New tools for digital risks. While some CROs have ‘checked the digital transformation box’ for GRC and see compliance with the Digital Operational Resilience Act (DORA) in the rearview mirror, the journey is far from over. The latest wave of GRC transformation is driven by the emergence of new digital tools and the ability to monitor and manage ‘connected risks’ at a granular level.
• Risk quantification and operational resilience. At the heart of modern GRC is data. The ability to turn structured and unstructured information – media, net flows, documents, sensor data and other technical signals – into actionable intelligence is transforming risk management. Organizations are now quantifying risks, both for offensive and defensive purposes, that were once intangible, providing deeper, more nuanced insights for decision-makers and risk managers.

Find more behind these drivers and related RiskTech perspectives at www.chartis-research.com and Risk.net.