Shifting compliance strategies can help organisations respond quickly and stay prepared for whatever comes next.

---

In brief

• Many organisations are rethinking compliance to keep pace with rapid changes and unpredictable risks.
• Technology, especially AI, is becoming central to how businesses manage compliance and respond to new demands.
• Teams that update compliance practices are better able to make quick decisions and support business goals.

Today’s nonlinear, accelerated, volatile and interconnected (NAVI) operating environment makes it harder than ever for businesses to manage compliance and integrity risks. Building a strong culture of compliance is now non-negotiable, but success demands a strategic rethink of how people, processes and technology work together.

This new research explores the way businesses are adjusting their approach to integrity for the world. It finds that the most confident organisations are the ones that have culturally and operationally embedded compliance measures across their organisations and are strategically adopting artificial intelligence (AI) to manage compliance programs and risk. But although there’s growing pressure to transform, very few organisations that were surveyed form part of this group.

Key findings

• 71% of businesses say the complexity and volatility of the current operating environment make it harder than ever to keep pace with change. But less than one-third are taking this as an opportunity to strategically transform their compliance functions for the future.
• Organisations are least prepared to face their most pressing challenges: 41% of those that identify third-party risk as a top threat have limited to no confidence in their compliance team’s ability to manage it.
• 65% of businesses say they’re under pressure to deliver faster, more sophisticated compliance and risk management outcomes, but their budget is insufficient.
• Compliance teams are not being empowered to make fast decisions: half of organisations (49%) say their compliance function is unable to quickly pivot without resistance or red tape.
• AI is the top strategic compliance priority for businesses, but just 6% describe their tech capabilities as leading edge.

Chapter 1: Equipping Compliance Teams for Today’s Disruptive World

Disruption and complexity are pushing businesses to redefine their approach to compliance.

Nearly three-quarters of businesses (71%) say the complexity and volatility of the current operating environment makes it harder than ever to keep pace with change, and this is shaping the way they perceive risk.

Our research shows that macroeconomic and trade volatility is the most disruptive force for today’s compliance teams, outpacing geopolitical shifts, tech disruption and regulatory complexity. The unpredictability of this challenge threatens the capabilities and response times of current operating models.

Now is the time to assess compliance practices and accelerate transformation. But while most organisations (67%) are making improvements to their compliance function, just 31% are seizing the opportunity to strategically rethink the role compliance plays within their business over the next two years. Meanwhile, 36% say they’re making only focused improvements and one-third (33%) believe their current approach is effective in today’s environment.

Businesses are not confident that they can manage their most pressing risks

Organisations identify data privacy and cybersecurity as their top challenge: 41% rank it among their top three threats. But just 23% of these businesses say they are highly confident in their compliance function’s ability to manage it effectively.

Threats such as phishing, ransomware and advanced cyber-attacks are evolving rapidly. Their growing volume and sophistication — driven by advances in AI, automation and the inherent risks associated with third-party business partnerships — are outpacing the defensive capabilities of many organisations, leaving them vulnerable to significant breaches and financial losses.

Third-party and supply chain risk is identified as a threat by 32% of businesses. But this is the challenge that organisations are least prepared to manage: 41% say they have limited to no confidence in their compliance team’s capabilities.

The data suggests a lack of agility is inhibiting organisations’ ability to cope with threats. This is most apparent for complex challenges involving external partners: just one third of businesses say they are well-prepared to react quickly and effectively to third-party risk, and 62% claim their processes or systems limit the speed or coordination of their response.

These findings highlight how organisations often struggle to maintain oversight across extended networks. For example, a company might engage a third-party supplier that falsifies carbon credit certifications to inflate its environmental credentials (greenwashing), while also bribing local officials to secure those certifications and violating sanctions by operating in restricted regions.

These risks span multiple jurisdictions and regulatory domains, presenting a significant compliance challenge. As highlighted by the data, a lack of visibility, fragmented processes and resource constraints add further complexity, making it difficult for organisations to holistically manage risks without significant investment in technology, expertise and coordination.

“Too often, third-party risk management is focused on finding a needle in the haystack, rather than consistently managing the haystack itself. Today’s operating environment requires a more adaptable framework — one that integrates both structured and unstructured information and links directly to business activity. This will become increasingly critical as businesses look to capture opportunities in new and developing markets,” says Liban Jama, EY Americas Forensic & Integrity Services Leader.

What’s restricting flexibility? About half (49%) of businesses claim their compliance function is unable to pivot when it needs to without resistance or red tape. In addition, almost two-thirds (65%) say they are under pressure to deliver faster, more sophisticated compliance and risk management outcomes, but their budget is too low.

These findings reflect a tendency to undervalue the compliance function, with many organisations viewing it primarily as a safeguard against potentially adverse headlines.

But compliance can positively contribute to an organisation’s overall success. Organisations recognised among the World’s Most Ethical Companies by Ethisphere outperformed the market capitalisation of a comparable global index by 7.8% over the past five years (as of 2025).¹

Compliance due diligence in M&A deals also helps uncover hidden risks, such as regulatory violations, environmental liabilities or anti-corruption issues, which can be quantified and leveraged to negotiate a lower purchase price, favorable indemnities or escrow arrangements — potentially saving millions and ensuring post-acquisition value preservation.

Organisations rethinking compliance are better prepared for disruption

Businesses transforming their compliance functions for the future are better positioned to react quickly and effectively to today’s most pressing challenges. When it comes to third-party risk, for example, 54% of transforming businesses say they are well-prepared, compared with just 18% of businesses maintaining their current approach.

The data also suggests that a wider mindset shift is taking place. Just 34% of transforming businesses say their compliance function’s responsiveness is restricted by red tape, compared with 58% of the businesses that are staying the course. Organisations that are more attuned to the need for adaptability in a fast-moving operating landscape appear to be placing greater trust in their compliance teams to act decisively in the face of risk.

Compliance teams must take the lead in driving this change in mindset. Jama explains, “For organisations to see compliance as a strategic business function, compliance teams need to demonstrate how they support decision-making and drive growth. This means linking compliance activities to bottom-line business outcomes and proactively bringing solutions to the table alongside challenges.”

Chapter 2: The Gap Between Awareness and Action May Leave Organisations Exposed

Businesses are focused on modernising compliance, but their leaders are not aligned.

Investing in new technology and automation tools is compliance teams’ top focus in the current regulatory landscape: 40% of businesses rank it in their top three priorities. Meanwhile, 38% are looking to revise their compliance operating models, signaling a broader push to overhaul the structures that underpin the function.

Strategic priorities at the organisational level reflect this shift. Half of businesses say adopting AI to enhance compliance is a top focus for investment, followed by compliance monitoring and internal auditing (49%) and compliance risk assessment and program reporting (47%).

Modernisation is integral to transformation. But is it taking precedence over more immediate issues? Just a quarter of businesses are prioritising the expansion of governance and oversight to include emerging risk areas.

“Compliance data fuels business intelligence, empowering informed decision-making through trend analysis and anamoly detection – directly enhancing profitability.”

Dilek Çilingir, EY Global Forensic & Integrity Services Leader

There is also a clear gap in opinion across functions. Those working in non-compliance roles with regular exposure to compliance issues and initiatives — such as legal, audit or corporate governance — place an immediate focus on overhauling the compliance operating model. Compliance leads, however, recognise a more pressing need to enhance core capabilities, such as strengthening internal controls and expanding employee awareness.

“Compliance data fuels business intelligence, empowering informed decision-making through trend analysis and anomaly detection. For instance, behavioral analytics of employees, suppliers or customers can uncover efficiencies and actionable insights. Moreover, it can directly enhance profitability by identifying and mitigating losses, leakages and fraud perpetrated against an organisation”, says Dilek Çilingir, EY Global Forensic & Integrity Services Leader.

A business that doesn’t address this misalignment might underinvest in critical areas such as staffing, training and monitoring. Ultimately, this will lead to weak implementation of compliance controls and undermine the function’s ability to effectively manage risk.

Integrated compliance teams are in a position to react to disruption

More than three-quarters of businesses (78%) say their compliance team works closely and effectively with legal, audit and other key functions. Almost three-quarters of these more integrated organisations (74%) say they have strong visibility at board level and receive enough resources to effectively manage risk, compared with just 40% of the less integrated organisations.

Organisations with more integrated compliance teams are also 8 percentage points more likely to be transforming their compliance functions for the future, while less integrated teams tend to take a more piecemeal approach to change.

Chapter 3: How Compliance Teams Can Use Technology Strategically to Navigate Risk

Most businesses lack leading-edge tech capabilities to transform their compliance programmes.

Technology repeatedly emerges as a strategic focus for compliance teams in today’s environment. But just 6% of businesses say they have “leading edge” capabilities — seamless, real-time systems that incorporate predictive tools and dashboards. Instead, the largest proportion (42%) describe their capabilities as “functional,” meaning they have core systems integrated across compliance areas but lack more sophisticated, cross-functional capabilities such as data analytics and predictive insights.

Organisations that say they have advanced or leading-edge capabilities are more than twice as likely as organisations with limited or foundational systems to say they are well prepared to deal with accelerated, interconnected challenges such as cybersecurity and emerging tech risk, as well as third-party risk.

Mature companies are also more likely to be allocating resources strategically: 60% are transforming compliance for the future, compared with just 1% of organisations with only limited or foundational capabilities. In addition, these organisations are 45 percentage points more likely to say their organisation allows them to quickly pivot without resistance.

The most resilient organisations are empowering their compliance teams by investing in tools that help them to navigate today’s complex, unpredictable challenges — reinforcing the link between organisational mindset and resilience.

Lack of vision could be undermining the value of advanced tech

Automating routine tasks is the number one area where businesses see the potential for AI or advanced analytics to add value for compliance and risk management: 44% rank it within their top three perceived benefits. More complex uses, meanwhile, are seen as less valuable: generating cross-domain insights from disparate sources, such as audit and risk, is the least popular response.

Businesses could be prioritising AI for quick efficiency gains because of the accelerated pace of change. But underplaying more complex applications could be limiting its longer-term ability to create business value.

Sally Trivino, EY Global Forensic & Integrity Services Technology Co-Leader, adds: “There are two key factors influencing whether AI is currently being implemented within compliance. First, compliance professionals tend to be risk averse by nature, so their initial question around any new technology is always going to be: Can I trust it? AI is constantly evolving, so part of their job is assessing its risk. Second, compliance is a function that does not directly impact a company’s revenue streams, so the business case for investing in AI for compliance is not particularly strong when compared to other areas of the business that have a more direct impact. As a result, teams often have limited influence over how and where AI is implemented.”

Our data suggests uncertainty about implementing AI within compliance is the main cause for hesitation. AI bias, cyber threats and regulatory uncertainty are the top three most significant risks businesses identify.

There’s a deeper readiness gap. Uncertainty about the effectiveness of AI use and a lack of investment in the resources required for effective implementation are identified within the top three organisational hurdles to implementation.

To unleash the true transformational power of AI, organisations will need to shift toward purpose-built tools that anticipate and navigate risk in a disruptive environment.

“Compliance should be a seatbelt, not a brake. Businesses that don’t invest in AI for compliance are forcing their compliance teams to rely on slow, outdated systems that can’t keep pace with today’s business demands. This not only puts them on a back foot against competitors but also leaves them exposed to failures that could ultimately result in later overinvestment under the scrutiny of a regulator-appointed monitor,” says Trivino.

Chapter 4: Three Compliance Imperatives for Navigating Disruption

Clear steps help compliance teams adapt, work together and lead with confidence as business conditions keep changing.

(1) Transform – or Be Left Behind
Organisations must take a deliberate, strategic approach to transformation to create lasting value.

• Empower the experts: Compliance teams must be equipped with the right tools and entrusted with decision-making authority to enable decisive, agile responses to risk.
• Integrate risk and strategy: Compliance should be a proactive driver of resilience and growth — not just a safeguard.
• Invest in tech as a strategic enabler: To create maximum value, AI should be embedded within the operating model and regularly updated in line with business needs and industry advances.

(2) Redesign for Resilience

Businesses must prioritise the integration of their compliance function on both an operational and cultural level.

• Lay the foundations first: This means robust controls, clear monitoring frameworks and a workforce that’s educated on what modern compliance means.
• Structure the organisation around compliance: It’s no longer a parallel function — it’s a non-negotiable element of business strategy.
• Prioritise seamless communication and data flow: This will create alignment across functions and enable the compliance team to pivot at speed when it needs to.

(3) Lead with Authority

• Elevate the leaders: In a disruptive operating environment, it’s more important than ever for compliance leads to have a voice at senior level.
• Be decisive: Move beyond slow, measured decision-making processes to match the accelerated pace of change.
• Own decisions: As cross-functional integration blurs accountability, compliance professionals must assert their authority as recognised risk leaders.

Summary

Businesses are updating compliance strategies to keep up with rapid change and new risks. Technology, especially AI, is becoming more important for managing compliance. Teams that adapt quickly and work together are better able to support business goals and respond to challenges.

The article was first published by EY.

Photo by Walls.io on Unsplash.