Managing 10+ Compliance Frameworks? You’re In Good Company

Benjamin Franklin famously spoke about death and taxes as the only two certainties in this world — but if he were alive today, he might be tempted to add regulations to his list.
Businesses of all sizes are facing a constantly evolving and increasingly complex regulatory landscape. Researchers from the University of California and the University of Southern California estimate that businesses spend $289 billion on regulatory compliance every year, and the cost is only growing. One report by the U.S. Chamber of Commerce shows that 39% of small businesses stated they were spending more time or resources fulfilling compliance requirements than they did even six months ago.
New research from the second annual State of Continuous Controls Monitoring Report explains the costs.
The report, which surveyed over 250 InfoSec leaders across 10 industries, revealed a landscape of businesses heavily burdened by regulations. We found that 72% of organizations use six or more different compliance frameworks — while 22% use more than 10.
The cost of this regulatory complexity is significant. Nearly three-fourths of organizations have increased their GRC team headcount or budget over the past year, yet they’re still struggling to keep pace. More than one-third said that over half of their current compliance workload is dedicated to regulatory requirements introduced in just the last five years.
It’s an unsustainable situation, and it’s only getting worse. Armies of employees won’t solve the regulatory burden.
Automation will.
Instead of brute-forcing compliance by hiring more people to manually collect evidence and perform periodic assessments, companies are turning to automation technology. Solutions that automate evidence collection, for instance, can free up team members to focus on risk analysis and strategic decision-making rather than manually updating spreadsheets. Similarly, solutions that offer automated framework mapping can allow organizations to identify and reuse common controls, transforming duplicated efforts into a scalable compliance program.
The data validates this approach. Among organizations already automating GRC processes, nearly one quarter (23%) have cut time spent on compliance tasks by more than half. As the regulatory landscape grows more and more complex, these companies are setting themselves up to reallocate thousands of person-hours toward more valuable tasks.
At the end of the day, the question isn’t whether your organization can afford to automate; it’s how long you can afford to put it off.
To read the full research about GRC automation trends, challenges, and successes, download the 2026 State of Continuous Controls Monitoring Report.
