The state of risk and compliance in 2025

2025 was a significant year for multinational companies all around the world. In the United States, for example, companies have had to adjust to a new administration, new regulations and new enforcement priorities – all of which have drastically altered the risk and compliance landscape.

To help risk and compliance (R&C) professionals benchmark their organization’s R&C program and organizational culture against those of their peers, the NAVEX 2025 State of Risk & Compliance Benchmark Report, in partnership with independent research firm The Harris Poll, gathered insight from nearly 1,000 R&C professionals globally from a wide range of industries to ask them about the design, priorities and performance of their compliance programs.

In addition to polling respondents about the current state of the fundamental elements of an E&C program – policy and procedures management, ethics and compliance training, hotline and incident reports, and third-party risk management – the 2025 report also gauged new insights about how R&C programs and organizational culture are evolving.

Below are the top three risk and compliance trends drawn from the 2025 benchmark data that are likely to remain strong and steady going into 2026.

AI technologies intersect with risk and compliance

Artificial intelligence (AI) is changing the way businesses operate in dramatic and remarkable ways, but with new opportunities come new risks. Rapid adoption of AI technologies makes it more important than ever that risk and compliance officers literally and figuratively have a “seat at the table” as organizations navigate a complex web of AI-focused matters, like the ethical and responsible use of AI, and ensuring compliance with mounting AI regulations.

Not surprisingly, the findings revealed that the IT department often leads the charge for developing AI policies. Outside the IT department, however, respondents cited a wide range of departments responsible for AI policy development, including compliance, a cross-functional committee, legal, risk, data privacy, the board of directors, and more.

The findings also revealed that most compliance teams are involved in AI decision making to some degree. Most respondents (65%) said compliance was either “very” or “somewhat” involved in decision-making regarding how their organizations use AI.

Examples of internal risk areas include “lack of visibility to risks across our organization” or “gaps in implementation of compliance controls” regarding AI risks, as cited by 67% of respondents.

Sixty percent of respondents cited data leaks as a key risk, such as use of others’ intellectual property (37%), or data loss from within the organization (23%). Over a quarter (27%) cited concern over “incorrect responses,” while just 10% cited concern about bias in data.

One key compliance lesson from the findings is that much opportunity remains for the risk and compliance functions “to forge closer ties with IT to lend their respective expertise in this area,” the report suggests.

Lines between compliance and risk mitigation getting blurrier

In recent years, risk-based strategic decision-making has emerged as “an increasingly important guiding principle for organizations,” as the report’s executive summary highlights. The report’s findings reflect the evolving role of compliance officers as both champions of risk mitigation and ethical organizational cultures that inherently reduce the many risks organizations face.

According to the report, 70% of respondents said their compliance function is “highly engaged” in risk assessments, while another 24% said they are “moderately engaged.”

Sixty-one percent said their organization uses the results of the risk assessment to review, test and improve the risk and compliance program. Ideally, all organizations should be doing this, given that the findings of a risk assessment can positively inform areas where the compliance program may need to be revisited or enhanced.

Few respondents cited “fear of exposing weakness and increasing the risk of discovery” as the biggest barrier to conducting an effective compliance risk assessment, but just 24% said their risk assessment process is effective. This finding draws attention to the fact that risk and compliance teams need to collaborate better and ensure they are speaking the same language when discussing organizational risks, as well as how they are measured and remediated.

A centralized, integrated risk management program complements effective communication between the various business units. However, 31% of respondents with knowledge of risk management said their organization has a centralized, integrated risk management program, while 44% said they’re currently on the journey toward full integration.

Organizational culture is a top compliance issue

Respondents ranked organizational culture as the third most important compliance issue, after “regulatory compliance” and “data privacy, protection and security.”

When asked to rank “important considerations” when making decisions, 47% of respondents cited “ensuring that the organization builds and maintains an ethical culture of compliance” as a top consideration, while another 42% ranked “ensuring those within the organization are committed to doing what is right” as a top consideration. Harassment and discrimination were cited as a top compliance issue as well.

Appropriate tone-from-top and mood-in-the-middle are each critical elements of organizational culture. Survey results from the benchmark report show promising progress – but not perfection.

For example, as it relates to senior executive leadership, 73% of respondents with knowledge of ethics and compliance said senior leaders have “encouraged compliance and ethics” within the organization. Sixty-five percent of respondents said the same thing of their middle management, while 62% said the same of their first-line management and supervisors.

In another finding, 60% of respondents said their senior executives have “modeled proper behavior,” while 62% of respondents said the same thing of their middle management, and 57% said the same of their first-line management and supervisors.

While these findings are promising, they also signal that approximately 40% of senior executives, middle management, and first-line management and supervisors do not encourage or model ethical and compliant behavior.

Additionally, the findings uncovered certain negative behaviors that continue to raise red flags. Sixteen percent of respondents said senior leaders have “impeded compliance personnel from effectively implementing compliance’s duties,” consistent with responses regarding middle management (16%) and first-line management and supervisors (17%).

Nine percent of respondents said senior leaders have “encouraged employees to act unethically to achieve a business objective,” consistent with responses regarding middle management (9%) and first-line management and supervisors (11%).

Whether these findings represent the factual reality of R&C programs today, or are merely a perception of them, matters not. If employees do not see their senior leaders, middle managers, and first-line managers as champions of compliant and ethical behavior, the wrong signal is being sent, and that is never an effective way to foster trust or build a truly mature R&C program that stands the test of time.

With the rapid adoption of AI and the variety of new risks that it creates – from bias in AI to new deepfake technologies – the stakes are only growing higher for organizations that don’t commit to a healthy and ethical culture. Today’s generation demands transparency and accountability, and will not accept anything less. We have entered an era where genuine leadership is king.