[interface] image of software security protocols (for a ai fintech company)
Governance

How to Read a GRC Score: What Your Rating Really Means

July 9, 2026

Your GRC score is the single number that tells your board where the organisation stands on governance, risk and compliance. But a number on its own means nothing without the context to interpret it. The GRC Index assessment produces three outputs: a numerical score from 0 to 100, a maturity level from 1 to 5 and a RAG rating for each of the six domains assessed. This guide explains what each component measures, what a good result looks like and what actions the board should take based on the findings.

Quick Answer: How to Read Your GRC Score

Numerical score (0-100): your overall GRC position. Higher is better. Most first-time assessments score between 35 and 65.

Maturity level (1-5): the stage your GRC programme has reached, from Ad Hoc (Level 1) to Optimised (Level 5).

RAG ratings: Red, Amber or Green for each of the six GRC domains assessed. Red requires immediate board action.

A score of 70 or above (Level 4: Managed) is the target for most UK regulated organisations.

What Is a GRC Score and What Does It Measure?

A GRC score is a structured measurement of an organisation's governance, risk and compliance position against a defined framework and best practice benchmark. It translates a complex set of controls, processes and governance structures into a clear, comparable output that the board can use to make decisions.

The GRC Index score measures six domains: Governance and Oversight, Risk Management, Regulatory Compliance, Information Security, Operational Resilience and Third-Party Risk. Each domain is assessed against a set of control requirements drawn from recognised GRC frameworks including COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2. The domain scores are weighted and combined to produce the overall numerical score.

The score answers three questions for the board. First, how mature is our GRC programme overall? Second, which domains are performing well and which have material gaps? Third, where should we focus remediation effort to achieve the greatest improvement?

A GRC score is not a pass or fail. It is a diagnostic output. Every organisation, regardless of its score, receives a prioritised action plan that translates the findings into specific, achievable steps. The score establishes the baseline. Subsequent assessments track improvement over time.

 

The Three Components of Your GRC Score

The GRC Index assessment report presents your results in three layers. Reading all three together gives you the complete picture.

Component 1: The Numerical Score (0-100)

The numerical score is your overall GRC position expressed as a single number between 0 and 100. It is calculated from your domain scores, weighted to reflect the relative importance of each domain in the context of your organisation's regulatory environment. The numerical score allows you to compare your position across time (before and after remediation) and, in aggregate form, against peer organisations in your sector.

Component 2: The Maturity Level (1-5)

The maturity level maps your numerical score to one of five stages of GRC programme development. Each level has a defined description of the governance, risk and compliance characteristics that organisations at that level typically display. Maturity levels provide a richer narrative than a number alone: a board that understands what Level 3 (Defined) means in practice can set a credible target for reaching Level 4 (Managed).

Component 3: Domain RAG Ratings

The RAG ratings give you a domain-by-domain view of your GRC position. Each of the six domains is rated Red, Amber or Green based on the control gaps identified in that domain. The RAG ratings are the most immediately actionable component of the report: they tell the board which areas need attention, in which order and with what urgency.

How to Read Your Numerical GRC Score

The numerical score bands map directly to the five maturity levels. Here is what each band means for your organisation.

Score 0-24: Level 1 (Ad Hoc)

A score in this range indicates that GRC activities are largely unstructured and undocumented. Controls may exist in individual teams but there is no consistent methodology, no central oversight and no board-level governance of risk and compliance. Organisations at this level are typically exposed to significant regulatory, operational and reputational risk. The immediate priority is to establish basic governance structures and begin documenting the most critical controls.

Score 0-24: What This Means for the Board

GRC activity is informal and inconsistent across the organisation.

There is no central risk register, no documented compliance obligations and no formal oversight of information security controls.

Immediate action is required. Multiple Red domain ratings are likely.

Board priority: appoint a named GRC owner and commission a detailed remediation plan before the next board meeting.

Score 25-49: Level 2 (Reactive)

A score in this range indicates that the organisation responds to GRC issues when they arise but does not manage them proactively. Some controls and policies exist, but they are not consistently applied and there is limited management information available to the board. Regulatory compliance is managed on a deadline-driven basis. Risk is identified after events occur rather than in advance. This is the most common score band for organisations completing a GRC assessment for the first time.

Score 25-49: What This Means for the Board

Controls exist in some areas but are not consistently applied across the organisation.

The board has limited visibility of the organisation's risk and compliance position between reporting cycles.

Remediation is achievable within 6 to 12 months with focused effort and clear ownership.

Board priority: implement a risk register, map compliance obligations and assign domain owners with quarterly reporting lines to the board.

Score 50-69: Level 3 (Defined)

A score in this range indicates that GRC processes are documented, approved and communicated across the organisation. Policies are in place for the key risk and compliance domains. The board receives regular management information on GRC status. Controls are operating in most areas, although effectiveness varies and some gaps remain. Organisations at Level 3 are on the right trajectory and are typically 12 to 18 months of focused effort away from reaching Level 4 (Managed).

Score 50-69: What This Means for the Board

A solid foundation is in place. Policies, processes and ownership are defined.

The board has management information but control effectiveness is inconsistent in some domains.

The gap to Level 4 is bridgeable with targeted investment in control monitoring and evidence management.

Board priority: focus on control testing, exception reporting and closing the specific gaps identified in the Amber domain ratings.

Score 70-84: Level 4 (Managed)

A score in this range indicates that the GRC programme is well-established, with defined controls operating consistently and measurable performance data available to the board. Risk appetite is formally set and monitored. Compliance obligations are tracked proactively. Information security controls meet or approach certification standard. Organisations at Level 4 are in a strong position to pass ISO 27001 certification audits, SOC 2 audits and regulatory inspections. This is the target score band for most UK regulated organisations.

Score 70-84: What This Means for the Board

GRC is well-managed and the organisation has strong, consistent controls across most domains.

The board has reliable management information and can demonstrate GRC maturity to clients and regulators.

The focus at this level is on monitoring, continuous improvement and preparing for formal audit if not already certified.

Board priority: pursue ISO 27001 certification or SOC 2 if not yet in place, and target the specific improvements needed to reach Level 5.

Score 85-100: Level 5 (Optimised)

A score in this range indicates that GRC is integrated into the organisation's strategic planning and operational management. Controls are continuously monitored and improved. The board receives forward-looking risk intelligence, not just backward-looking compliance reports. GRC data informs business decisions at the highest level. Organisations at Level 5 are typically certified against one or more international standards and can demonstrate GRC maturity credibly to any regulator, client or auditor.

Score 85-100: What This Means for the Board

GRC is a genuine strategic capability, not a compliance overhead.

The organisation is certified or certifiable against ISO 27001, SOC 2 or ISAE 3402 and can demonstrate this to any stakeholder.

The priority at this level is maintaining the programme, adapting to regulatory changes and benchmarking against peers.

Board priority: maintain certification cycles, review against new regulatory developments (DORA, NIS2, UK GDPR updates) and ensure succession in GRC ownership.

 

Understanding Your Domain RAG Ratings

The RAG ratings are the most immediately actionable part of your GRC score. Each of the six assessed domains receives one of three ratings. Here is what each means and what the board should do in response.

Red Rating: Immediate Action Required

A Red rating means the domain has significant control gaps that present a material risk to the organisation. Red findings are not theoretical risks: they are specific, identified weaknesses in controls, processes or governance that leave the organisation exposed to regulatory sanction, operational failure, data breach or reputational damage.

When the board sees a Red rating, the response should be immediate. The first step is to appoint a named owner for the remediation plan before the next board meeting. The second step is to define a specific action plan with deadlines, resources and a reporting line to the board. The third step is to assess whether any contractual, regulatory or legal notification obligations are triggered by the finding. Red ratings should not be deferred to the next planning cycle.

Amber Rating: Planned Improvement Needed

An Amber rating means the domain has controls in place but they are not operating consistently, are not fully documented or have specific gaps that create moderate risk. Amber findings are manageable but require structured attention. Left unaddressed, Amber ratings typically deteriorate to Red over time, particularly as the regulatory environment evolves or as the organisation grows and becomes more complex.

The board's response to an Amber rating should be to include the domain in the next formal planning cycle with defined targets and a named owner. Amber domains should be reassessed at the next assessment to confirm improvement. Where an Amber rating exists in a domain that is subject to regulatory scrutiny, for example Information Security under UK GDPR or Regulatory Compliance under FCA rules, the urgency should be treated as closer to Red.

Green Rating: Maintain and Monitor

A Green rating means the domain has strong, consistent controls operating effectively with appropriate board-level oversight. Green does not mean perfect. It means the domain is in a managed, defensible position relative to the applicable framework requirements.

The board's response to a Green rating is to maintain the existing controls, ensure the evidence base is kept current and monitor for changes in regulatory requirements that might affect the rating in future assessments. Green ratings can drift to Amber if controls are not actively maintained, particularly where staff turnover affects key roles or where new regulations create gaps in previously adequate processes.

 

The Six GRC Domains Scored by GRC Index

The GRC Index assessment scores six domains. Here is what each domain covers and why it matters to the board.

1. Governance and Oversight

This domain assesses the board's governance structures for risk and compliance: committee terms of reference, accountability frameworks, policy ownership, board-level reporting and the organisation's tone at the top. Poor scores in this domain typically indicate that GRC is managed at an operational level without adequate board visibility or accountability. This is often the root cause of poor scores in other domains.

2. Risk Management

This domain assesses the organisation's enterprise risk management programme: risk identification and assessment processes, the risk register, risk appetite definition and monitoring, escalation procedures and integration of risk management with strategic planning. The assessment maps against ISO 31000 and COSO ERM principles. Organisations that score Red or Amber in this domain typically lack a functioning risk register or have one that is not regularly reviewed.

3. Regulatory Compliance

This domain assesses how the organisation manages its regulatory obligations: the completeness of the compliance obligations register, the currency of policies and procedures, the frequency of compliance monitoring, training and awareness programmes and the process for managing regulatory change. UK regulated organisations are typically assessed against FCA rules, UK GDPR, NIS2 and sector-specific requirements. Red or Amber findings in this domain carry direct regulatory risk.

4. Information Security

This domain assesses information security controls against ISO/IEC 27001:2022 and NIST CSF 2.0 requirements. It covers access management, change management, incident response, data protection controls, security testing and the information security management system (ISMS). This is typically the domain where organisations planning ISO 27001 certification have the most to gain from a pre-audit GRC assessment. A Red rating here indicates material exposure under UK GDPR Article 32.

5. Operational Resilience

This domain assesses the organisation's ability to prevent, adapt to, respond to and recover from operational disruptions. It covers business continuity management, disaster recovery, critical service identification and important business services mapping. UK financial services firms are assessed against FCA and PRA operational resilience rules. Other sectors are assessed against ISO 22301 and DORA requirements where applicable.

6. Third-Party Risk

This domain assesses the organisation's management of risk in its supplier and outsourcing relationships. It covers third-party due diligence processes, ongoing monitoring, contractual protections, TPRM (Third-Party Risk Management) governance and concentration risk. The FCA's operational resilience rules and DORA both require regulated firms to manage third-party risk formally. A Red or Amber rating in this domain is common in organisations that have grown quickly through outsourcing without building a commensurate third-party risk management capability.

 

What to Do With Your GRC Score: A Board Action Plan

Receiving a GRC score is the beginning of the process, not the end. Here is how the board should use the results.

1. Present the score at the next board or audit committee meeting

The GRC score and domain RAG ratings should be presented as a board-level agenda item, not delegated to management. The board is the accountable body for governance, risk and compliance. The score gives the board the factual basis it needs to fulfil that accountability.

2. Prioritise Red domains for immediate remediation

Appoint a named owner for each Red domain finding and require a remediation plan to be presented within 30 days. Set a timeline for re-assessment of Red domains to confirm that the gaps have been closed. Red findings should not wait for the annual planning cycle.

3. Include Amber domains in the next planning cycle

Amber domains should be incorporated into the organisation's planning and budgeting process with defined targets, owners and resource allocation. The board should receive a quarterly update on Amber domain progress until the rating improves to Green.

4. Set a target score for the next assessment period

Use the current score as a baseline and set a target score for the organisation's next GRC assessment, typically 12 months later. A realistic improvement target for a well-resourced remediation programme is 15 to 25 points. The target score should be aligned with the organisation's regulatory and certification objectives.

5. Use the score in client and regulator conversations

The GRC score and the remediation plan provide credible, documented evidence of the organisation's approach to GRC for use in client due diligence, regulatory conversations and audit preparation. A documented action plan is far more effective in regulatory conversations than an unsubstantiated claim of good governance.

6. Schedule a reassessment

Book the next GRC assessment before leaving the current one. Regular, annual assessments create a time-series record of GRC maturity improvement that is valuable both internally and externally. The GRC Index assessment can be repeated at any time and the results are directly comparable across assessment periods.

 

How to Improve Your GRC Score

The most effective improvements are specific to the gaps identified in your assessment report. However, the following actions consistently drive score improvement across most organisations.

  • Formalise governance structures: appoint a named GRC owner at board level, define committee responsibilities and ensure the board receives a quarterly GRC management information pack
  • Implement a risk register: a documented, regularly reviewed risk register is one of the highest-impact steps for organisations at Level 1 and Level 2; it improves the Risk Management domain score and supports the Governance domain score
  • Map compliance obligations: a complete, current register of all applicable regulations, standards and contractual requirements is the foundation of a functioning compliance programme; it moves the Regulatory Compliance domain from Red or Amber to Amber or Green in most cases
  • Strengthen information security controls: for organisations with a Red or Amber rating in the Information Security domain, the highest-priority actions are typically: access management controls, a documented incident response plan, data processing records under UK GDPR and a security testing programme
  • Document third-party risk processes: a formal supplier assessment process, a maintained list of critical third parties and contractual protections covering data security and business continuity are the minimum requirements for a Green rating in the Third-Party Risk domain
  • Test and evidence controls: many organisations have controls in place that are not documented or tested; collecting and maintaining evidence of control operation (access reviews, audit logs, training records, test results) is a high-impact, low-cost improvement that raises scores across multiple domains

Organisations that address their specific Red and Amber findings systematically, with named owners and defined timelines, typically achieve a score improvement of 15 to 30 points within 12 months of their initial assessment. The improvement is most rapid at the lower end of the scale (Level 1 to Level 2, Level 2 to Level 3) where foundational controls are absent and straightforward to implement.

 

How GRC Index Calculates and Reports Your Score

The GRC Index assessment is a structured questionnaire that takes approximately 20 minutes to complete. It covers all six domains across over 80 control areas, drawing on the requirements of COSO, ISO 31000, ISO 27001:2022, NIST CSF 2.0 and SOC 2 Trust Services Criteria. The assessment is designed for completion by a C-Suite or Board member with oversight of the organisation's GRC programme.

On completion, the assessment generates an immediate indicative score and RAG overview. The GRC Index team then prepares a detailed written report that includes the full domain-by-domain findings, the prioritised action plan, the maturity level assessment and guidance on next steps. The report is written for a board-level audience and is designed to be tabled directly at a board or audit committee meeting without further editing.

The GRC Index assessment is repeatable. Organisations can re-take the assessment at any time and the results are directly comparable across periods, giving the board a time-series view of GRC maturity improvement. The assessment is available at grci.net/questionnaire.

Get Your GRC Score Today

Visit grci.net/questionnaire to complete the GRC Index assessment.

Takes approximately 20 minutes. Immediate indicative score on completion.

Detailed written report follows from the GRC Index team.

Coverage: all six GRC domains across COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2.

Used by C-Suite and Board members at UK regulated organisations.

Frequently Asked Questions: GRC Score

What is a GRC score?

A GRC score is a numerical measure of an organisation's governance, risk and compliance position. The GRC Index score has three components: a 0-100 numerical score that shows overall GRC performance, a 1-5 maturity level that indicates the stage of development the GRC programme has reached, and RAG ratings (Red, Amber, Green) for each domain assessed. Together these three components give the board a complete picture of where the organisation stands and where it needs to focus.

What is a good GRC score?

A score of 70 or above (Level 4: Managed) is considered a good GRC score for most UK regulated organisations. It indicates that GRC processes are defined, documented and operating consistently, with management information available to the board. A score of 85 or above (Level 5: Optimised) represents best practice. Most organisations completing the GRC Index assessment for the first time score between 35 and 65, which reflects a Reactive to Defined level of maturity.

What does a Red RAG rating mean in a GRC assessment?

A Red RAG rating means the domain has significant control gaps that present a material risk to the organisation. Red findings require immediate board attention and a clear remediation plan with defined timelines and owners. A Red rating in a domain such as Information Security or Regulatory Compliance may indicate exposure to regulatory sanction, client loss or reputational damage if not addressed promptly.

How is the GRC Index score calculated?

The GRC Index score is calculated by assessing an organisation's controls, processes and governance structures across six domains: Governance and Oversight, Risk Management, Regulatory Compliance, Information Security, Operational Resilience and Third-Party Risk. Each domain is scored against a defined control framework drawn from COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2. The domain scores are weighted and combined to produce the overall 0-100 numerical score, which maps to a maturity level of 1 to 5.

What should the board do with a GRC score?

The board should use the GRC score to set priorities, allocate resources and track improvement over time. Red-rated domains require immediate remediation plans with board-level ownership. Amber-rated domains should be included in the next planning cycle. The numerical score and maturity level provide a baseline for the board to measure progress against in subsequent assessments. The score should be reviewed at least annually, or following any significant change in the regulatory environment.

How can an organisation improve its GRC score?

Organisations improve their GRC score by addressing the specific control gaps identified in the assessment report. The highest-impact improvements are typically: formalising the governance structure with clear board-level accountability, implementing a documented risk register, mapping compliance obligations, strengthening information security controls and documenting third-party risk management processes. A reassessment after 6 to 12 months of focused remediation work typically shows a score improvement of 15 to 30 points.

How often should an organisation reassess its GRC score?

Most UK regulated organisations should reassess their GRC score at least annually. Organisations undergoing significant change, such as a merger, a new regulatory obligation, a data breach or a change in senior leadership, should reassess immediately after the change has settled. Annual reassessment gives the board a comparable, time-series view of GRC maturity that is useful both for internal management and for demonstrating progress to regulators, clients and auditors.