
Risk-based compliance is widely adopted – but unevenly executed
Most organizations conduct risk assessments and claim to use the results to guide their compliance programs. However, polling from compliance leaders shows a persistent execution gap. Risk data is often reviewed and documented, but not consistently translated into clear priorities, actionable steps, or board-ready insights. That gap turns “risk-based compliance” into a leadership test, especially when decisions must be explained to boards, regulators, and executives over time.
What is “risk-based compliance”?
Risk-based compliance is an approach to managing compliance programs that identifies, prioritizes, and addresses the risks most likely to affect the organization. In practice, this means using risk assessments to guide decisions about policies, training, monitoring, investigations, and reporting, rather than applying uniform controls across all areas.
A look at recent webinar insights reveals why this approach remains challenging, even for mature programs.
When risk-based compliance becomes a leadership test
Risk-based compliance is not a new concept. Most senior compliance leaders have discussed it for years, and many organizations would say it already informs how their programs operate.
Yet polling and audience questions from a recent NAVEX webinar on top risk and compliance trends revealed a familiar tension. While risk assessments are widely conducted and broadly valued, many organizations still struggle to consistently translate those insights into clear priorities, defensible decisions, and sustained action.
That gap matters, especially for leaders accountable to boards, regulators, and executive teams.

Risk assessments are common. Translation is harder
Webinar polling showed that many organizations are actively using risk assessment results to inform elements of their compliance programs.
Among the webinar poll respondents:
- Nearly two-thirds (64.24%) said they are prioritizing keeping policies current with evolving regulations
- More than half (51.31%) said they are focusing on adopting AI-powered tools for policy and regulatory management
- Over four in ten (41.54%) said they are working to better connect employee training outcomes to key risks
- More than one-third (36.45%) cited the need to centralize risk and compliance reporting for the board
By contrast, far fewer respondents emphasized downstream execution. Only one in five respondents (20.91%) said they are prioritizing reducing hotline case resolution time and improving case visibility, despite the role investigations play in validating risk assessments and surfacing emerging issues.
The data suggests that while risk insights are clearly valued, they do not always translate into integrated, end-to-end action across the compliance program. Some organizations also indicated that they have not conducted a formal risk assessment, while others acknowledged that results may be reviewed, documented, and then largely set aside.
Audience questions during the webinar reflected that reality:
- How do you prioritize when multiple risks feel equally urgent?
- How often should risk assessments change program focus?
- How do you explain those decisions to leadership without appearing reactive or inconsistent?
These are not tactical questions. They are leadership questions.

Uncertainty is not new. Judgment is what differentiates programs
During the discussion, Rebecca Walker, partner at Kaplan and Walker and a longtime compliance advisor, emphasized that regulatory and enforcement uncertainty is not a new condition for compliance leaders. Priorities shift. Headlines change. What remains constant is the expectation that organizations understand their most significant risks and can explain how they are managing them.
In other words, uncertainty does not relieve organizations of responsibility. It raises the bar for judgment.
Risk-based compliance is not about producing a perfect heat map or adopting the latest framework. It is about making deliberate choices and clearly articulating why those choices make sense now, given the organization’s risk profile, operating environment, and culture.
Boards want insight, not just activity
Another theme that surfaced during the webinar was board engagement. Polling suggested that while board exposure to compliance information is common, deeper engagement remains inconsistent.
Among our poll respondents:
- Nearly two-thirds (64.07%) said their board primarily receives compliance reports and metrics
- Just over half (51.06%) said their board asks questions about trends and emerging risks
Fewer respondents described more active engagement:
- 31.54% said their board engages in regular dialogue outside formal meetings
- 25.6% said boards help shape compliance strategy
- Only 19.38% said boards influence compliance budgets
More than one in six respondents (16.27%) said board engagement is mostly event-driven, and 13.3% said they are not sure how engaged their board is at all.
Boards increasingly expect help interpreting compliance data. They want insight into trends, root causes, and changes since the last reporting period. Most importantly, they want confidence that risk priorities are intentional and defensible.
This is the leadership test behind “risk-based.”
For decision-makers, the question is not whether a risk assessment exists. The question is whether the organization can clearly explain its priorities to the board today and defend those decisions six months from now.
That is where risk-based compliance either delivers on its promise or quietly falls short.
Frequently asked questions about risk-based compliance
What is the goal of risk-based compliance?
The goal is to focus compliance resources on the risks most likely to affect the organization, rather than treating all risks equally.
Why do organizations struggle with risk-based compliance?
Polling shows that while risk assessments are common, organizations often struggle to translate results into integrated action, clear priorities, and board-ready insight.
How should boards engage with risk-based compliance programs?
Boards are most effective when they move beyond receiving reports to asking questions about trends, root causes, and how risk priorities are set and revisited over time.
This article is part of our 2026 Top 10 Risk & Compliance Trends eBook. Check out the full eBook for more expert predictions for the year ahead.



