
GRC Maturity Model: 5 Levels and How to Progress

June 29, 2026

A GRC maturity model is a structured framework for benchmarking how effectively an organisation's governance, risk management, and compliance practices are embedded and operating. Most models define five progressive levels — from Level 1 (Ad Hoc) to Level 5 (Optimised). GRC Index assessment data shows that 85% of UK organisations currently operate at Level 1, 2, or 3 — leaving the majority with significant, addressable exposure to regulatory sanction, reputational damage, and failed enterprise due diligence.

This article explains what each level looks like in practice, how to identify where your organisation currently sits, and the specific actions required to progress — with realistic timelines at each stage.

What Is GRC Maturity — and Why Does It Matter?

GRC maturity describes how systematically, consistently, and effectively an organisation manages its governance structures, risk processes, and compliance obligations. Low maturity is not simply a compliance gap — it is a business risk. Organisations at lower maturity levels are more likely to suffer regulatory penalties, fail enterprise client procurement processes, struggle with cyber insurance underwriting, and experience operational disruptions caused by unmanaged risks.

The concept was formalised by the Open Compliance and Ethics Group (OCEG), whose GRC Capability Model — often called the Burgundy Book — defines GRC as the integrated set of capabilities that enable an organisation to reliably achieve objectives, address uncertainty, and act with integrity. The five-level maturity scale derived from this model has become the industry standard for GRC benchmarking.

The GRC Index applies this framework across five assessment dimensions — governance, risk management, compliance, resilience, and data security — to produce an independent GRC Score and a maturity level placement for each assessed organisation. Only 15% of assessed organisations reach Level 4 or 5. The remaining 85% have a clear, structured improvement path available to them.

The Five GRC Maturity Levels

Each level represents a distinct stage of organisational capability. The descriptions below are grounded in GRC Index assessment data from 300+ organisations across the UK and internationally. For each level, we identify the defining characteristics, the warning signs that indicate an organisation is operating at that level, and the regulatory exposure it creates.

Level 1: Ad Hoc

High Risk   |   ~35% of UK orgs

GRC activities are entirely reactive. There are no documented processes — issues are addressed individually as they arise, often by whoever is available. Compliance obligations are discovered late, if at all. Risk management exists in name only. Board oversight of GRC is absent or purely nominal.

Signs Your Organisation Is At This Level

▸  No documented risk register or risk assessment process

▸  Compliance managed reactively — regulations discovered after they apply

▸  Policies exist in email threads, not formal repositories

▸  No defined ownership of governance, risk, or compliance functions

▸  Audit findings repeat year after year with no systemic resolution

Regulatory Exposure:  Very high. UK GDPR breach notification obligations are frequently missed. DORA and NIS2 readiness is near zero. Enterprise client due diligence cannot be passed.

Level 2: Siloed

Elevated Risk   |   ~50% of UK orgs

Individual departments manage risk and compliance independently. An IT team may have a data security policy while HR manages its own compliance obligations — with no unified framework, shared language, or cross-functional visibility. Significant duplication, contradictory policies, and dangerous gaps exist between departments.

Signs Your Organisation Is At This Level

▸  GRC activities exist within departments but are not coordinated centrally

▸  Risk registers exist in some teams but use different formats and criteria

▸  Compliance reporting is inconsistent across business units

▸  No enterprise-wide GRC vocabulary or policy hierarchy

▸  Board receives fragmented, inconsistent risk information from multiple sources

Regulatory Exposure:  High. Siloed compliance creates gaps in controls coverage. Third-party risk is frequently unmanaged. DORA and NIS2 obligations that span multiple teams are routinely missed.

Level 3: Repeatable

Moderate Risk   |   ~15% of UK orgs — target baseline

Core GRC processes are documented, consistently followed, and reviewed on a defined schedule. A unified risk register exists. Compliance obligations are tracked proactively. Policies are formally approved, version-controlled, and communicated. The board receives structured, periodic GRC reporting. This is the minimum viable level for organisations subject to DORA, NIS2, or enterprise procurement requirements.

Signs Your Organisation Is At This Level

▸  A unified, maintained risk register with defined ownership and review cycles

▸  All major compliance obligations documented with named owners and deadlines

▸  A formal policy framework with version control and approval records

▸  Regular board reporting on risk and compliance status

▸  Defined incident response process with documented escalation paths

Regulatory Exposure:  Moderate. Organisations at Level 3 can satisfy baseline DORA, NIS2, and UK GDPR requirements. Enterprise client due diligence is typically passable. ISO 27001 certification is achievable from this level.

Level 4: Managed

Low Risk   |   ~8% of UK orgs

GRC is actively monitored, measured, and continuously improved. A GRC function or designated role coordinates enterprise-wide activities. Board reporting uses defined metrics and KRIs (Key Risk Indicators). Risk appetite is formally articulated by the board and operationalised through control thresholds. GRC improvements are tracked, reported, and tied to business objectives. Regulatory changes are proactively monitored and integrated into the programme.

Signs Your Organisation Is At This Level

▸  Defined GRC KPIs and KRIs reported to board on a regular cadence

▸  Board-approved risk appetite statement operationalised across business units

▸  Formal third-party risk management programme covering critical suppliers

▸  Internal audit function actively testing GRC controls and reporting outcomes

▸  Regulatory change monitoring process with formal impact assessment workflow

Regulatory Exposure:  Low. Level 4 organisations consistently pass enterprise due diligence, satisfy DORA and NIS2 reporting obligations, and maintain ISO 27001 or SOC2 certification with manageable effort.

Level 5: Optimised

Minimal Risk   |   ~2% of UK orgs

GRC is fully integrated into strategic planning and operational decision-making. Continuous improvement is embedded — not periodic. Regulatory changes and emerging risks are anticipated, not reacted to. GRC data flows in real time, informing executive and board decisions. The organisation is recognised externally as a GRC leader — with a verified GRC Index profile, active practitioner certifications, and a culture of compliance at every level.

Signs Your Organisation Is At This Level

▸  GRC outcomes are formally linked to executive KPIs and board strategy

▸  Predictive risk intelligence used to anticipate emerging threats

▸  Continuous control monitoring with automated alerting on threshold breaches

▸  GRC culture embedded from board to frontline — evidenced in staff surveys and audits

▸  Organisation contributes to industry GRC standards development or benchmarking

Regulatory Exposure:  Minimal. Level 5 organisations are typically ahead of regulatory requirements, enabling them to lead — rather than respond to — evolving compliance obligations.

Where UK Organisations Currently Stand

The distribution of GRC maturity across UK organisations reveals a significant structural gap between where organisations operate and where they need to be to satisfy current regulatory and commercial expectations:

Level 1 — Ad Hoc: ~35% of assessed UK organisations

Level 2 — Siloed: ~50% of assessed UK organisations

Level 3 — Repeatable: ~15% of assessed UK organisations

Level 4 — Managed: ~8% of assessed UK organisations

Level 5 — Optimised: ~2% of assessed UK organisations

These figures reflect GRC Index assessment data and align with broader market research from OCEG and Gartner, which consistently show that the majority of organisations across all sectors underestimate GRC maturity gaps due to internal self-assessment bias.

Key Insight for Boards

The most common assessment finding is not that organisations have no GRC processes — it is that their processes are siloed, inconsistently applied, and not visible at board level. Most organisations are at Level 2, not Level 0. The gap to Level 3 — the regulatory compliance baseline — is bridgeable within 6–12 months with structured effort and clear ownership.

How to Progress: Level-by-Level Improvement Roadmap

The following roadmap provides specific, actionable steps for progressing between each maturity level. Each section includes a recommended timeline, six priority actions, and a single quick win that delivers immediate, demonstrable improvement. These actions are sequenced based on GRC Index's experience assessing and advising 300+ organisations.

Level 1 → 2, From Ad Hoc to Siloed: Create the Foundation (3–6 months)

1.  Appoint a GRC lead or designate responsibility within an existing senior role

2.  Conduct an initial risk identification workshop across all departments

3.  Create a single, consolidated risk register — even a well-maintained spreadsheet is a valid starting point

4.  Document your top 10 compliance obligations with named owners and due dates

5.  Establish a basic policy repository with access controls and version tracking

6.  Schedule a quarterly risk review meeting with leadership attendance

✓  Quick Win:  A one-page risk register with five key risks, owners, and review dates demonstrates more maturity than years of reactive incident management. Create it this week.

Level 2 → 3, From Siloed to Repeatable: Unify and Standardise (6–12 months)

1.  Consolidate departmental risk registers into a single enterprise-wide framework using a common risk taxonomy

2.  Map all regulatory obligations — UK GDPR, DORA, NIS2, ISO 27001 — to specific control owners

3.  Establish a formal policy approval workflow with the board or a designated governance committee

4.  Implement a structured incident response plan with defined escalation paths and test it annually

5.  Begin structured board reporting: a one-page GRC dashboard covering top risks, open actions, and compliance status

6.  Conduct a formal gap assessment against your primary compliance framework (ISO 27001 or COSO recommended)

✓  Quick Win:  Map existing departmental policies to a single policy hierarchy. Identify gaps, duplicates, and contradictions — this mapping exercise alone surfaces immediate high-value fixes.

Level 3 → 4, From Repeatable to Managed: Measure and Monitor (12–24 months)

1.  Define 5–10 GRC KPIs and Key Risk Indicators (KRIs) with thresholds and escalation triggers

2.  Present a formal Risk Appetite Statement to the board for review and approval

3.  Implement a Third-Party Risk Management (TPRM) programme covering critical and high-risk suppliers

4.  Establish an internal audit function — or commission independent assurance reviews — on an annual cycle

5.  Deploy GRC technology to replace manual spreadsheet tracking (GRC platforms or risk management software)

6.  Build a regulatory change monitoring process: assign responsibility, define review cadence, formalise impact assessment

✓  Quick Win:  Define your risk appetite in a single board-approved statement. It does not need to be elaborate — three to five risk tolerance thresholds across key categories provide immediate governance uplift.

Level 4 → 5, From Managed to Optimised: Integrate and Anticipate (24+ months, continuous)

1.  Embed GRC outcomes into executive compensation and board strategy reviews

2.  Implement continuous control monitoring with automated alerting on defined thresholds

3.  Build predictive risk intelligence capability — integrating threat intelligence feeds, regulatory horizon scanning, and scenario modelling

4.  Develop a formal GRC culture programme: training, awareness, tone at the top, staff KPIs tied to compliance outcomes

5.  Pursue industry leadership: publish benchmarking data, contribute to standards bodies, achieve and maintain a Level 5 GRC Index profile

6.  Establish a GRC innovation function to evaluate and integrate emerging risk management technologies

✓  Quick Win:  Commission an independent external GRC assessment to validate your Level 4 status before investing in Level 5 capabilities. External validation prevents internal bias from masking real gaps.

Frequently Asked Questions About GRC Maturity

What is a GRC maturity model?

A GRC maturity model is a structured framework for evaluating how effectively an organisation's governance, risk management, and compliance practices are embedded and operating. Most models describe five progressive levels — from Ad Hoc (Level 1) to Optimised (Level 5) — helping organisations benchmark their current state and plan structured improvement.

What are the 5 levels of GRC maturity?

Level 1 — Ad Hoc (reactive, undocumented); Level 2 — Siloed (departmental, inconsistent); Level 3 — Repeatable (documented, consistently applied); Level 4 — Managed (measured, board-reported, monitored); Level 5 — Optimised (fully integrated, anticipatory, embedded in strategy). GRC Index data shows 85% of assessed UK organisations currently operate at Level 1, 2, or 3.

How do I know which GRC maturity level my organisation is at?

The most reliable method is an independent GRC assessment aligned to a recognised framework. The GRC Index assessment evaluates your organisation across five dimensions and maps results to a maturity level with a published GRC Score. Self-assessments are possible but consistently overstate maturity due to internal bias — independent assessment is strongly recommended for board reporting purposes.

How long does it take to move up a GRC maturity level?

Moving from Level 1 to Level 2 typically takes 3–6 months with focused effort. Level 2 to Level 3 often takes 6–12 months. Achieving Level 4 typically requires 12–24 months of sustained investment. Reaching Level 5 is a multi-year continuous improvement journey. These timelines assume dedicated ownership and adequate resourcing — organisations that attempt GRC improvement as a secondary responsibility alongside other roles progress more slowly.

What GRC maturity level is required for DORA compliance?

DORA's ICT risk management, incident reporting, and third-party oversight requirements broadly align with Level 3 as a minimum baseline — with documented, consistently-applied processes. Full ongoing compliance with DORA's operational resilience testing and continuous monitoring obligations aligns more closely with Level 4. The GRC Index assessment includes DORA readiness mapping in its results.

What is the OCEG GRC maturity model?

The OCEG (Open Compliance and Ethics Group) GRC Capability Model — also known as the Burgundy Book — is the foundational reference for GRC maturity assessment. It defines GRC as the integrated capabilities that enable an organisation to reliably achieve objectives, address uncertainty, and act with integrity. The five-level maturity scale used by GRC Index is aligned with the OCEG framework.

What is the most common GRC maturity level in UK organisations?

Based on GRC Index assessment data, approximately 50% of UK organisations operate at Level 2 (Siloed). A further 35% are at Level 1 (Ad Hoc) or transitioning to Level 2. Only 15% of assessed organisations operate at Level 4 or above. Most UK organisations have significant, directly addressable exposure in governance, risk, and compliance — and the path to Level 3 is achievable within 6–12 months with structured commitment.


Find Out Where Your Organisation Sits — Start Your GRC Assessment

The GRC Index assessment gives your board an independent, evidence-based view of your organisation's current GRC maturity level — across all five dimensions — with a published GRC Score and a tailored improvement roadmap.

Over 300 organisations across 50+ countries have used the GRC Index to benchmark, improve, and demonstrate their GRC standing to customers, investors, and regulators.

 Start Your Free Assessment:  https://www.grci.net/questionnaire

 Contact:  info@grci.net   |   +44 203 1264430   |   63-66 Hatton Garden, London EC1N 8LE