Navigating the future: Reflecting on responses to ICA’s governance, risk and compliance report

By James Thomas, 27 October 2025

How are governance, risk and compliance (GRC) professionals responding to the current challenging environment of economic headwinds, geopolitical uncertainty, and rapid technological change?

Earlier this year, ICA surveyed its membership to find out. The resulting report drew on insights from 383 individuals across 87 countries to reveal the key drivers influencing GRC, from the rising cost of compliance to the skills needed for the future.

In a recent webinar, Tim Tyler, VP, ICA, Rosalind Dixon-Burnett, Global Lead of GRC, ICA, and Paul Asare-Archer, ICA Advisory Board Member, dug deeper into the report’s findings to discuss their implications for GRC practitioners and to provide practical advice on how to succeed during these turbulent times.

Compliance maturity

Notably, the report found that GRC has assumed an increasingly embedded and strategic role within respondents’ organisations. This is evidenced by the fact that, despite the current economic environment and rising compliance costs of recent years, survey respondents did not report a significant reduction in investment in GRC. Instead, Dixon-Burnett suggested, compliance is increasingly demonstrating its value to the business rather than being seen merely as a cost centre.

‘We might not directly make sales, but compliance is a business enabler,’ she explained. ‘A compliant business – a business that puts customer outcomes at the forefront of what it does – will generate additional profits through customer retention, through staff retention, and through having better relationships with the regulator. So yes, compliance absolutely needs to be technically aware of what the regulator wants and needs and use that to support the business in achieving its business objectives.’ 

Asare-Archer agreed, citing examples such as whistleblowing helplines or compliance training programmes; initiatives which can repay the initial investment outlay many times over through improvements to culture, behaviours, and consumer outcomes.

The skillset required to fulfil this more strategic, supportive GRC role has also evolved. As Dixon-Burnett puts it: ‘We must talk business. We must be the translators between “regulatory speak” and “business speak”.’ 

Asare-Archer agreed: ‘We’re compliance leaders rather than officers because we are not just there as a figurehead, we are there as a key component of the organisation. And as part of leadership, you need to be able to communicate and engage across an organisation. That requires a skillset with regards to being a technician and being able to read regulatory guidance. But equally, if not more important is the ability to articulate that to a lay audience and engage an organisation from the CEO to the most junior member of staff.’

Importance of AI governance

Given the current challenging landscape, technologies such as AI offer, on the one hand, the potential for improved efficiencies, while on the other, introduce new risks to businesses and compliance.

Although the majority of survey respondents remained at the early stages of implementing AI into GRC processes, some 47% planned to increase investment in AI for GRC. Asare-Archer suggested that the last two years have seen a shift away from uncertainty around AI. ‘It’s not going away, and it’s really important for us to embrace it,’ he said. 

As our understanding of AI, its strengths and limitations, has evolved, a growing confidence is emerging regarding the impact of AI on GRC roles. Some 41% of survey respondents were ‘not concerned at all’ about GRC jobs being displaced by AI, compared with 11.3% being ‘very concerned’. 

Regarding AI’s shortcomings, Dixon-Burnett stressed: ‘We have to keep humans in the loop. Can AI be held accountable? Not at the moment. So where do we go to if something is wrong? Who is responsible?’ 

Arguably, therefore, the limitations of AI serve in part to highlight further where GRC professionals can add value. ‘Let’s be clear, AI has access to huge amounts of information, but that doesn’t equate to understanding,’ she continued. ‘When it comes down to it, it's still a computer and, just like a person, it can be wrong.’

Therefore, as organisations move at speed towards AI adoption, it is important to remember that AI, while powerful, is no substitute for the assurance that comes from human understanding, experience, judgement and oversight. ‘Fundamentally, in business, we are people working with people, supported by lots of data,’ Dixon-Burnett concluded. ‘What does good governance look like? Good governance enables people on the board to feel confident, that they have the right information, that they are safe. And I would suggest that AI can’t yet do that.’

Asare-Archer shared some practical advice for AI governance. ‘As compliance leaders we will be challenged on the use of AI,’ he said. ‘We need to be able to understand both the pros and the cons of AI. When a new tool is brought into an organisation there are a few things we can do. One is to ensure that tool doesn’t have inappropriate biases, so “is the tool ethically sound?” Secondly, are you able to articulate whether that AI tool is achieving what it set out to achieve? Thirdly, the compliance individual can put parameters around AI as to what it can and can’t do.’

Looking to the future

The panel concluded with a discussion of the key skills that GRC professionals will require, now and into the future. Tellingly 29% of respondents to the survey had ranked ‘relationship management’ as the single most important future skill for GRC professionals, compared to just 2.5% who cited ‘technical expertise’.

These interpersonal and stakeholder management skills will continue to be important in the coming years, wedded to an understanding of rapidly evolving technology. Overlaying these, is the requirement for GRC professionals to adopt a growth mindset; an attitude of continuous learning and development.

As Dixon-Burnett explained: ‘The key thing for a career in compliance is that you have to be open and willing to learn all the time. You must have a curious mindset, and a willingness and motivation to continue to develop. And you need agility and the ability to cope with change and areas of grey, and the confidence to make a call in terms of what's best for the customer, what's right in terms of regulation, and what's best for the business.’

Asare-Archer agreed that GRC will remain a vibrant and engaging career. ‘There’s a home for everyone within compliance, regardless of race, gender, or sexuality,’ he said. His advice to those entering the profession was to ‘be visible, authentic, and prepared to challenge the organisation, as well as having the ability to find solutions for the organisations… See yourself not as a compliance officer, but as a leader.’