State of Risk & Compliance Report

2025 Global Risk & Compliance Statistics

Introduction

A global risk & compliance pulse check

NAVEX has been delivering leading-edge market benchmark reports to the risk and compliance (R&C) industry since 2010. In the years since, we have continued to refine and enhance our global risk and compliance survey to provide critical risk and compliance statistics, benchmarks and global survey data to R&C professionals.

NAVEX partnered again with independent research firm The Harris Poll to survey nearly 1,000 R&C professionals from a wide range of industries about the design, priorities and performance of their programs. Read on to learn what our analysis reveals about your own organization – and ways to improve.

Global risk & compliance survey participants

The 2025 research was conducted online by The Harris Poll on behalf of NAVEX among 999 adults age 18+ who are nonacademic professionals (management/ non-management or higher) and knowledgeable about risk and compliance in the United States (n=458), United Kingdom (n=123), France (n=119), Germany (n=107), Japan (n=104) and other countries (n=88). The survey was conducted between April 23 – May 29, 2025.

Their responses help us understand what’s happening in risk and compliance not only at a macro level, but within countries, regions, and specific sectors.

See more in full report

Simple infographic showing the job function of nearly 1,000 risk and compliance professionals who participated in NAVEX’s 2025 State of Risk & Compliance global survey. 28% of respondents are in compliance, followed by 14% in information security, 10% in risk, 10% in HR, 9% in finance, 8% in supply chain or procurement, and 21% representing other functions.

Simple infographic showing the country of residence of nearly 1,000 risk and compliance professionals who participated in NAVEX’s 2025 State of Risk & Compliance global survey. 46% of respondents are located in the US, followed by 12% in the UK, 12% in France, 11% in Germany, and 11% in other countries.

Simple infographic showing the job level of nearly 1,000 risk and compliance professionals who participated in NAVEX’s 2025 State of Risk & Compliance global survey. 32% are senior manager or director level, followed by 28% in the C-suite, 27% in other management, and 13% in non-management roles.

Simple infographic showing the number of employees within the organizations of nearly 1,000 risk and compliance professionals who participated in NAVEX’s 2025 State of Risk & Compliance global survey. 37% of respondents represent small businesses with 0-999 employees, followed by 17% at 1,000-2,499, 15% at 2,500-5,999, 13% at 10,000-49,999, 8% at 6,000-9,999, 5% at 50,000-99,999, and 5% at organizations with more than 100,000 employees.

Executive summary

What you’ll learn in our State of Risk & Compliance Report

Leveraging the feedback of nearly 1,000 risk and compliance (R&C) professionals globally, this annual State of Risk and Compliance Report provides insights that enable readers to benchmark their programs’ performance metrics and open conversations within their organizations about ways to improve.

Below are some of the notable storylines we identified from this year’s compliance survey data.

Key findings & top takeaways from our global compliance survey

Does compliance have enough influence on corporate AI policies?

Our survey data suggests organizations are roughly divided into thirds regarding Compliance’s engagement with artificial intelligence decision making:

33% of respondents say compliance is a “very involved” group
32% are “somewhat involved”
A remaining third is either “minimally,” “not involved” or “not sure” (35%)

While the opportunities arising from AI are monumental, these technologies also introduce a new range of risks. Compliance needs a seat at the table for AI decision making within organizations, along with Risk and other disciplines, to navigate those risks that may include ethical use of AI and compliance with emerging regulations.

Bar chart showing compliance team involvement in AI use within their organizations. Most compliance teams are very or somewhat involved in AI use decision-making, but more than 2/3 are minimally involved, not involved or unsure. From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Centralized whistleblowing investigation programs are most common – and used within the most mature organizations

67%of respondents overall said their organization had a centralized program for day-to-day compliance investigations, with only 23% saying they had a decentralized approach. Respondents who said their organization had a more mature R&C program (i.e., a program that is considered managing/optimizing) were far more likely (73%) than those with less mature programs (55%) to say they have a centralized approach.

Bar chart showing compliance team approaches to compliance investigations. Key finding: The majority of compliance investigation programs (67%) are centralized within organizations, with only 23% having a decentralized approach. From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Compliance functioning closely with Risk

Ten years from now, where will Compliance sit in the organization? Is it possible that Compliance will be incorporated under a Risk leader?

70% of global compliance survey respondents said their compliance function was “highly engaged” in risk assessment and management. Taken with those who said that Compliance was “moderately engaged,” a full 93% said Compliance was at least engaged to some degree in the risk assessment and management process.

Horizontal bar chart showing engagement of compliance functions in areas like data breach, reputation harm, and insider threat. Each bar is divided by color into four categories: highly engaged, moderately engaged, not at all engaged, and dont know.

Only two thirds of boards receive periodic compliance reports

Only 64% respondents who are knowledgeable about ethics and compliance say their boards of directors receive periodic reports on compliance matters. This number rises a bit for the largest organizations – respondents from organizations with 10,000 or more employees said the same at a rate of 71%. Only about half (52%) of respondents who are knowledgeable about ethics and compliance said the board of directors has oversight of the compliance program.

We would have hoped to see more respondents indicating their boards receive periodic reports on compliance matters, and for the level of engagement and expertise of boards regarding compliance to improve. This is a critical area where boards have an opportunity to understand how the organization is navigating a complex risk landscape that continues to evolve amid global regulatory shifts.

Bar chart showing corporate board engagement with compliance programs. Key finding: Only 64% of surveyed compliance professionals say their board receives periodic reports on compliance matters. Board oversight and engagement dwindles from there. From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Some leaders encourage employees to act unethically

It is encouraging to see most respondents flagging “positive” behaviors among different levels of leadership. For senior executives, for example, 73% of respondents who are knowledgeable about ethics and compliance were said to “have encouraged compliance and ethics” within the organization.

Negative behaviors fall off sharply in the distribution – but they do not reach zero. Roughly 10% say leaders across all levels have encouraged employees to act unethically to achieve a business objective. Specifically, 9% say senior executives and middle managers have acted in this way, while 11% report the behavior from first-line managers and supervisors. This reality – or even the impression that this may be true – could be an extremely detrimental signal in supporting a culture of ethics and compliance, and a signal of risk to organizations.

Bar chart showing global compliance survey responses to “True Statements About Mangement” from first-line mangers to senior execs. Key finding is that while most managers are said to encourage compliance and ethics within their organizations, roughly 10% of all managers are reported to have encouraged employees to act unethically to achieve a business objective. From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Are organizations doing enough to identify and manage third-party risk?

A majority of respondents who are knowledgeable about ethics and compliance said their organization was embracing two elements of screening third parties (regulatory compliance, 58%; cybersecurity and data protection, 54%), with all others failing to reach a majority. These included financial health and stability (49%), human rights (33%) and litigation history (30%).

It is true that not all third parties require the same level of scrutiny, yet some of these areas struck us as surprisingly uncommon in our respondent base. Financial health, for example, can be a leading indicator for a range of other potential risks by suggesting a level of resourcing to achieve elements like cyber resilience. This could serve as a reminder for organizations to take an intentional approach in the specific screening criteria for third parties.

Bar chart showing level of due diligence in third party screening. Key findings: The most-reviewed aspects of third parties are regulatory compliance (58%), cyber security and data protection (54%), and financial health and stability (49%). From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Only half of respondents surveyed have an internal whistleblower hotline

As with previous years’ response cohorts, respondents in 2025 were surprisingly unlikely to say their organization has a hotline or whistleblower internal reporting channel as part of their organization’s incident management program. Only 53% of respondents – just more than half – said they have an internal whistleblower hotline or reporting channel.

This was less true for larger organizations (69% for those whose company has 10K+ employees vs. 43% with 0-999 and 54% with 1,000-9,999) and organizations based in North America (59% vs. 45% of whose companies are headquartered in Europe), but levels still remained far below what might be expected for this foundational program element. Similarly, fewer than half (49%) of respondents said their organization had a non-retaliation policy. As in years past, we find these numbers to be unexpected given the critical importance of internal reporting programs.

Bar chart showing key components of incident management programs. Key findings: While case management and investigation processes are the most prominent component at 58%, only half (53%) or organizations have a whistleblower hotline. From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Purpose-built risk and compliance software emerges as most common approach for ethics and compliance

Most organizations use purpose-built risk and compliance software to administer the various aspects of their ethics and compliance programs. This suggests organizations are finding value in such technologies that, in many cases, facilitate easier holistic management of compliance program processes “under one pane of glass.” When one program aspect can connect with another, as is often the case with such technology, new opportunities emerge for Compliance to serve as a strategic asset to the business.

Respondents who are knowledgeable about ethics and compliance were most likely to say they used purpose-built technology for ethics and compliance training (78%), yet other ethics and compliance program elements, such as policy management, also showed strong majority responses (between 59%-73%).

Bar chart showing use of purpose-built technologies used by risk and compliance professionals. Key findings: Training is the most common risk and compliance software technology used at 78%, followed by policy and procedure management (73%), whistleblowing hotline and incident management (71%), and risk management (70%). From NAVEX’s 2025 State of Risk & Compliance report, a global survey of nearly 1,000 risk and compliance professionals.

Improvements from 2024

There is much to celebrate within the findings of this 2025 State of Risk & Compliance Report.

A larger share of respondents in 2025 felt their organization’s R&C program had a strong level of maturity.

A majority said Compliance has a voice in guiding AI policies and risk management.

Leaders at all levels are generally likely to embody behaviors in support of ethics and compliance.

Ethics and compliance training is showing widespread success across organizations, and most are gaining the benefits of purpose-built technology supporting their R&C program elements.

Areas to watch for 2026

Still, we identified some red flags.

While Compliance typically helps to inform AI strategy, should that engagement be even stronger?

Why do only half of respondents indicate their organization has an internal reporting program – a crucial foundation for compliance, risk management and ethics?

Do enough boards of directors sufficiently engage with Compliance and have expertise in the subject?

Are organizations doing enough to screen for risk in their third parties and broader supply chains?

What will new U.S. government priorities and enforcement policies mean for Compliance?

Conclusion

See more in the full report

As with other NAVEX research publications, these global compliance survey results provide context as readers consider the efficacy of their own programs. Where an organization may be deviating from these findings, it may be positive, given the improvement opportunities identified – or it may help develop a rationale that helps senior leadership and other functional areas to understand the needs of R&C. In short, these findings are intended to help identify strengths and inform a path to improve – in resilience, compliance, business outcomes, ethics and organizational culture.

Meet the authors

Carrie Penman
Chief Risk and Compliance Officer
NAVEX
Eric Gneckow
Senior Content Marketing Manager
NAVEX
Isabella Oakes
Data Scientist Specialist
NAVEX
Anders Olson
Senior Manager, Data Science
NAVEX