Mind the gap: confronting the global shortage of governance talent

Experts say that companies must build a culture where GRC is ‘understood, valued and actively developed’ to combat a skills crisis

In boardrooms across industries, from financial services to technology to healthcare, a growing concern is beginning to surface, one that is less headline-grabbing than market volatility or geopolitical risk, but just as structurally threatening: the escalating global shortage of professionals in governance, risk and compliance (GRC).

Companies need a steady stream of skilled GRC professionals to keep their operations not just compliant, but also ready for emerging threats. The talent pipeline is lagging behind, however, with the consequences becoming harder to ignore.

Carolyn Clarke, founder of UK-based GRC firm BRAVE and vice-president of the Chartered Institute of Internal Auditors, believes that organizations need to look at the problem through a strategic lens. ‘Companies need to think and act strategically. GRC is a combination of skills: legal, regulation, compliance, risk, audit, assurance and controls. Understanding the strategic challenge and bringing in individuals with the clarity and experience to address this is most important.’

It’s a viewpoint that reflects how the GRC function has evolved. Once considered a back-office responsibility, GRC today is a key part of the strategic engine of a business. But as expectations for GRC have grown, the workforce has struggled to keep up – not just in terms of numbers, but also in the diversity and breadth of skill required.

According to Ty Francis, chief advisory officer at LRN Corporation and a former vice president of governance at the New York Stock Exchange, the gap is no longer just a question of hiring more widely, but about finding the right people. ‘Global regulatory demands, particularly in ESG, cyber and AI governance and compliance, have surged faster than the available talent pool has managed to bring itself up to speed,’ he says. ‘Many senior GRC professionals are retiring… while the role itself has become more strategic and cross-disciplinary, making qualified candidates harder to find and retain.’

The emergence of AI regulation, the proliferation of global data privacy frameworks and more demanding ESG disclosure standards have created a GRC environment that’s complex, technical and urgent. As a result, not enough professionals have the multidisciplinary capabilities to keep pace.

Camilo Artiga-Purcell, general counsel at Kiteworks, summarizes the challenge succinctly: ‘Modern GRC roles require hybrid expertise spanning cybersecurity, data privacy, legal compliance and business operations, a rare combination that 90 percent of organizations struggle to find.’ He adds that universities and training programs simply haven’t evolved fast enough to close the gap.

Clarke suggests that the issue is not just technical, but also interpersonal. ‘GRC talent is in short supply in large part because we have historically focused on technical knowledge, rather than the interpersonal skills and relationships that are required to drive insight.’

Modern ways of working are also becoming more complex: remote work, cloud migration and global expansion are fundamentally changing risk profiles in real time. ‘The shift to cloud infrastructure and remote work has fundamentally changed risk landscapes faster than professionals can reskill,’ Artiga-Purcell notes.

Faced with this evolving complexity, many organizations are now rethinking their approach to talent. Francis advocates for tapping into existing employees with adjacent skill sets. ‘Organizations can close the GRC talent gap by building stronger internal pipelines and focusing on retention as much as recruitment… Legal, audit, or operations staff can become strong GRC candidates if they’re given structured rotations, mentoring and real on-the-job exposure,’ he explains.

That internal development must be intentional. Gary Maguire, chief risk officer at global logistics company Crown Worldwide, believes the first step is to stop treating GRC as a silo. ‘Organizations need to stop treating GRC as a niche function and start embedding it across the business,’ he adds. ‘That means investing in internal career pathways, offering flexible work models and redesigning roles to suit different skill sets.’

Maguire also suggests that while temporary staff can help, real resilience comes from within: ‘Freelancers and remote consultants can fill short-term gaps, but long-term resilience depends on building a culture where GRC is understood, valued and actively developed.’

For smaller firms competing against multinationals for top talent, Clarke says the opportunity lies in offering more expansive and meaningful roles. ‘In larger companies, GRC will be siloed… Smaller companies can create broad-based governance roles that are at the intersection of these capabilities,’ she adds. ‘This can be a much more exciting role that is attractive to GRC talent.’

While some businesses are growing more creative in their recruitment strategies, others are turning to global talent pools. Francis believes there is untapped value in cross-border hiring, as it can ‘help multinational firms tap into underutilized talent pools and source niche regulatory expertise… Professionals with multi-jurisdictional knowledge can bridge cultural and regulatory gaps.’

Technology, too, has a role to play, but it must be implemented thoughtfully, as Francis notes: ‘AI-powered compliance monitoring, automated risk assessment tools, and regulatory change-tracking platforms can reduce manual effort… Used wisely, technology augments rather than replaces GRC talent.’

Artiga-Purcell sees promise in unified data governance solutions. ‘Real-time monitoring, including AI anomaly detection, detects policy violations instantly… pre-built templates for GDPR, HIPAA, SOC 2 and other regulations eliminate the need for specialized expertise.’

However, as Maguire warns, tools are only as effective as the people using them. ‘Technology alone isn’t enough, organizations still need professionals who can interpret data, proactively manage risk and make informed decisions.’

As the demands on GRC professionals grow, so does the need for ongoing education. Francis is blunt: ‘Many companies have great tag lines saying they invest in their employees, but Glassdoor ratings say otherwise,’ he says. ‘Financially, companies should fund industry-relevant certifications, conference attendance, and the occasional online course.’

He also believes firms should be encouraging their teams to invest in understanding emerging technologies: ‘Firms should encourage their GRC employees to invest in further AI education not just how ethics intertwines with AI, but how it works and what its implications are.’

Artiga-Purcell recommends training beyond the GRC function itself. ‘Make compliance everyone’s responsibility by integrating legal requirements into job descriptions, performance metrics and business decisions,’ he advises. ‘Invest in continuous learning that helps IT teams learn privacy regulations and finance teams understand data retention.’

Maguire agrees and stresses the importance of structure. ‘Organizations need to build structured upskilling programs, offer mentoring, and partner with universities to create clearer entry points into GRC.’

For Ciaran Bollard, CEO of The Corporate Governance Institute, building internal capability is essential. ‘It’s time to start investing in the upskilling of key staff members, especially if you can’t get the talent you need from outside the company,’ he explains. ‘Even the brightest minds of today are in new territory when it comes to things like compliance, cybersecurity and AI.’

He also emphasizes succession planning: ‘It’s crucial to provide personnel with every opportunity to join in that learning now… so that when you need someone to take over a key role, they’re ready.’

When it comes to skills, most experts agree that technical knowledge is just one piece of the puzzle. Clarke notes that the most critical capabilities are analytical thinking and judgment. ‘Yes, you need technical knowledge and that can be obtained through qualifications,’ she says. ‘But the experience and personal credibility to recognize what is really happening and apply a mindset of constructive challenge is most important.’

Skill development should come along existing lines of responsibility, says Francis. ‘Governance professionals should understand board dynamics and ESG integration… Risk specialists require scenario planning and certifications like CRISC or FRM… Compliance practitioners should go beyond policy design and develop skills in measuring program effectiveness.’

Both Maguire and Artiga-Purcell agree that privacy-focused credentials are gaining value. ‘Core certifications include CISA, CRISC and CIPP. But beyond certifications, legal acumen, technical implementation skills and business savvy are essential,’ explains Artiga-Purcell.

Bollard takes a broader view: ‘The core skills across all three competencies are communications, financial management, tech expertise and the ability to question and think outside the box.’

Despite these efforts, companies are still wrestling with the question: is the GRC shortage really a matter of limited supply, or is it a problem of perception?

‘It ultimately depends on the industry and company size,’ says Bollard. ‘Pipeline problems have been an issue to some extent for all industries… Perception problems are tougher to measure. The first step would be to analyze your required skillsets against the people already on your board and management teams.’

Whatever the diagnosis, it’s clear that conventional thinking won’t solve the problem. Maguire points out that some companies are already experimenting with more flexible hiring models. ‘Some are hiring foreign graduates or tapping into remote international talent… others are using platforms like Upwork and Fiverr to source freelance GRC experts for short-term projects,’ he adds. ‘Flexible contracts and hybrid roles are attracting mid-career professionals and retirees, while job redesign – splitting technical and strategic tasks – is helping match talent more effectively.’

Closing the GRC talent gap will require businesses to do more than simply hire their way out. It calls for a fundamental rethink of how GRC is integrated, valued and developed across the organization. That means looking beyond credentials, investing in people and building cultures where compliance, risk and governance aren’t seen as constraints but as enablers of long-term value and resilience.

As Clarke puts it: ‘Bringing in individuals with the clarity and experience to address this is most important. These people could have diverse backgrounds, rather than the more traditional pools of talent.’

What’s clear is that the status quo is no longer sustainable. With regulatory scrutiny increasing, digital risks escalating and public trust under constant threat, GRC must shift from being viewed as a niche support function to a strategic pillar of modern business. The companies that succeed won’t just be the ones that hire the best talent, they’ll be the ones that build it.
