2025 Global compliance risk benchmarking survey

Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape

 

In a world that moves at breakneck speed, corporate legal and compliance teams have never faced greater pressure to stay ahead of the game. The result is a function that is not just reactive to risk, but increasingly proactive in shaping corporate behavior and decision-making.

This year’s Global Compliance Risk Benchmarking Survey offers a timely snapshot—based on insights from 265 senior compliance, legal and risk professionals worldwide—of how today’s legal and compliance leaders are adapting to new technologies, regulatory expectations and cultural shifts in business conduct.

The themes explored in this year’s survey reflect the changing nature of legal and compliance risk management. Artificial intelligence (AI) is becoming an operational reality within legal and compliance teams. Our findings show that while a growing number of organizations are deploying AI to drive efficiency and clarity in investigations and reporting, concerns about accuracy, governance and data privacy remain significant. As adoption increases, so does the need for guardrails to ensure that the use of AI enhances—rather than undermines—operational integrity.

We explore not only whether organizations are using AI, but also how long they have been doing so; the primary motivations driving adoption; the specific uses being prioritized; and the perceived advantages gained by users. Crucially, we also investigate the key concerns surrounding AI utilization; the prevalence of governance policies; the integration of AI risk into broader enterprise risk management (ERM) frameworks; and controls being implemented to ensure the trustworthiness and reliability of these tools.

Additionally, we examine the use of off-network messaging applications—tools that are convenient for employees, but often challenging for legal and compliance teams to monitor and access. The findings suggest that while many companies are implementing written policies, only a minority actively collect or audit off-network communications. This raises questions about whether and, if so, how well these policies are being enforced, and whether they are sufficiently comprehensive in scope. It also emphasizes the importance of clear risk leadership and the right “tone from the top”. Regulators are watching this space closely, and companies must consider whether their current approaches are sufficient in both spirit and substance.

The conversation around compliance incentivization shows promising signs of maturity. Many organizations are now integrating compliance metrics into compensation and performance frameworks. This finding suggests a shift from relying solely on punitive measures toward building a culture where ethical behavior is actively recognized and rewarded. Yet, the effectiveness of these programs depends not just on their existence, but on whether and, if so, how consistently they are implemented and whether they are aligned with broader business goals. The survey sheds light on the growing use of compliance-linked key performance indicators (KPIs) and how these are shaping both corporate culture and accountability.

In the final section, the report explores how companies are approaching voluntary self-disclosure to the United States Department of Justice (DOJ). While many companies now have formal processes to assess potential misconduct and to consider self-reporting, concerns about cost, reputational risk and the perceived benefits of disclosure continue to hold some organizations back. These concerns should be considered in the context of the global landscape. It remains to be seen, for example, the extent to which updated UK guidance on corporate self-reporting will factor into the equation for multinational organizations.

Together, these findings offer a nuanced view of how legal and compliance teams are navigating the demands of a digital, distributed and demanding business environment. From emerging technologies to traditional risk domains, the survey provides practical benchmarks and insights for organizations aiming to build resilient, forward-looking compliance programs.

We hope you find this year’s report both informative and thought-provoking.

Key takeaways

Given the far-reaching nature of the survey and the findings within, as well as the changing nature of the compliance function, below are five takeaways that every legal and compliance leader should keep front of mind.

1. AI adoption is accelerating—and governance must keep pace

As more compliance teams deploy AI to streamline investigations and analyze risk, oversight frameworks need to evolve in parallel. Clear internal policies, strong ERM integration and proactive controls are essential to avoid over-reliance and ensure ethical, defensible use of these tools.

2. Managing off-network messaging is now a baseline expectation

Having a policy on off-network messaging is no longer a differentiator—it’s a minimum requirement. Policy enforcement mechanisms, such as backup requirements and audit trails, are the next frontier, and organizations lagging here risk falling short of regulatory expectations.

3. Compliance incentives are working—but must go deeper

Tying compensation and recognition to compliance outcomes is gaining traction and positively shaping behavior. To be effective, however, these programs must apply across employee levels and extend to third parties. Selective or symbolic application risks undermining their impact.

4. Voluntary disclosure is still a difficult choice; decision frameworks help

While concerns about cost, reputational harm and prolonged regulatory scrutiny persist, many organizations are still investigating and remediating misconduct—even when they opt not to self-disclose to the DOJ. The trade-offs are real: Voluntary self-disclosure may lead to reduced penalties and credit for cooperation, but it can also trigger intense external investigation, significant legal fees and public exposure. Building robust internal frameworks to assess these scenarios—and engaging regulators early where appropriate—can help organizations make more confident, consistent decisions.

5. Compliance is becoming a strategic function

As risks grow more complex and digitalized, the compliance function is evolving into a strategic advisor to the business. This shift not only requires more resources, but also a change of mindset—embedding compliance thinking into executive-level planning.

Artificial intelligence in the compliance function

Off-network messaging and compliance

Incentivizing compliance and disincentivizing non-compliance

Voluntary self-disclosure

Survey methodology and demographics


Incentivizing compliance and disincentivizing non-compliance

Key takeaways

1. A strong majority of organizations have compensation clawback or withholding policies in place, but actual use is limited

2. The mere status of individuals being under investigation can influence compensation and recognition decisions, particularly in public and higher-revenue companies

3. Compliance-related incentives are widely used, with an overwhelming majority incorporating them into compensation structures

4. The most common incentives are KPIs and formal recognition programs, signaling that organizations increasingly view ethical conduct as part of performance management

The relationship between employee compensation, recognition, and an organization's culture of compliance is increasingly under scrutiny. Regulators, stakeholders and boards are recognizing that how employees are paid, rewarded and potentially penalized can significantly influence behavior.

Effectively integrating compliance considerations into compensation structures requires an integrated approach, encompassing mechanisms to penalize wrongdoing and strategies to proactively incentivize ethical behavior and adherence to compliance norms.

Withholding and recouping compensation

One of the most direct ways organizations can signal accountability for misconduct is through policies allowing for the withholding or recoupment of compensation from employees involved in wrongdoing, or those who fail to comply with their supervisory duties. These policies act as a deterrent and demonstrate a commitment to ensuring that individuals do not profit from unethical behavior or significant compliance failures occurring under their watch. Regulatory authorities, particularly in the financial services sector, have mandated these policies while other authorities have encouraged their use. For example, the ECCP underscores that "the design and implementation of compensation schemes play an important role in fostering a compliance culture." Prosecutors examining corporate compliance programs are therefore directed to assess the use of compensation structures, including clawbacks, to incentivize compliance and punish non-compliance. To incentivize companies to use clawback rights, in 2023 the DOJ adopted a Compensation Incentives and Clawbacks Pilot Program whereby companies can receive reductions in otherwise applicable fine amounts by compensation withheld from culpable individuals.

Our findings indicate widespread adoption of such policies. A significant majority (78 percent) of respondents report having a policy in place that allows them to withhold or "claw back" compensation from employees who engage in misconduct or who fail to adequately supervise others involved in misconduct. This high prevalence suggests that companies recognize the importance of having this mechanism available to them, likely driven by regulatory expectations and a desire to establish clear consequences for serious compliance breaches.

Adopting a policy is not, however, the same as enforcing it. Despite the prevalence of these policies, they appear not to be applied frequently. Among those respondents with clawback policies, a notable 55 percent stated they had not actually withheld or sought to recoup compensation within the past 24 months from employees meeting the criteria. This finding indicates a potential gap between policy intent and practical execution. 

Several factors might contribute to this state of affairs, including the legal challenges in enforcing clawbacks (which can vary significantly by jurisdiction and depend on employment contract specifics), potential negative impacts on employee morale, difficulty in definitively assigning responsibility, or a lack of sufficiently severe incidents triggering the policy during the period. Consistency of application of such policies therefore requires close attention, particularly when it comes to holding senior executives and potentially third parties to the same standard as employees.

Even when clawbacks are used, they are not always triggered by external scrutiny. Of those (40 percent) that do have a clawback policy, 32 percent utilized them in the past 24 months based on internal findings, independent of any investigation initiated by enforcement authorities. 

While this finding demonstrates internal accountability, the relatively low overall usage rate raises questions about whether these policies are serving as the potent deterrent regulators envision, or if implementation challenges are limiting their effectiveness in practice. 


The shadow of investigation: Impact on compensation and recognition

Clawbacks aside, simply being under an internal investigation can also cast a shadow over an employee's or even a third party's standing within an organization, potentially impacting decisions related to compensation, bonuses, promotions or other forms of recognition. Organizations must navigate a delicate balance: protecting the integrity of their compensation systems and avoiding rewarding individuals possibly involved in wrongdoing, while also respecting due process and avoiding premature judgment before an investigation concludes.

Current practices show a divided approach. Overall, 42 percent of respondents consider both an employee's and a third party's status as the subject of an internal investigation when making decisions regarding compensation and other forms of recognition such as awards. This finding indicates that a significant portion of companies are proactively factoring investigation status into these decisions for both internal and external stakeholders. A slightly smaller, but still substantial, number of respondents (31 percent), however, limits this consideration to employees only, suggesting less willingness or less of a perceived need to apply the same scrutiny to third parties.

This consideration is not applied uniformly across all types of respondent organizations. Publicly listed respondents, often subject to greater external scrutiny and shareholders' governance expectations, are significantly more likely to factor investigation status into compensation decisions. Over half (51 percent) of public company respondents consider investigation status in making compensation decisions for both employees and third parties, compared with only 29 percent of private company respondents. It seems that due to public accountability pressures, public companies are apt to take a more cautious approach to rewarding individuals or entities potentially implicated in ongoing investigations.

Similarly, organizational size and resources, reflected by revenue, play a significant role in a company's decision to consider investigation status in making compensation decisions. Nearly two-thirds (64 percent) of the highest revenue-generating respondents take investigation status into account for compensation and recognition decisions concerning employees and third parties, which contrasts sharply with lower revenue respondents, where only 27 percent do so. Larger organizations may have more sophisticated internal investigation processes, dedicated resources to track investigation statuses, and potentially more formalized connections between human resources, compliance and legal functions to ensure this information is considered appropriately during compensation cycles.


Incentivizing compliance: Rewarding the right behaviors

While penalties and clawbacks address negative behavior, a comprehensive approach also involves proactively encouraging and rewarding positive compliance conduct. Using the compensation structures to incentivize compliance signals that ethical behavior and commitment to the organization's compliance program are valued and contribute to success. An overwhelming majority of respondents recognize this connection, with 83 percent reporting that they use their compensation structure in some way to incentivize compliance.

The most common methods of implementing this incentive approach involve targeted performance indicators and formal recognition programs. Among the respondents who use their compensation structure to incentivize compliance, the vast majority (89 percent) incorporate compliance-related KPIs for designated employees. These individuals might include compliance officers, internal auditors, managers in high-risk functions, or designated "Compliance Champions" embedded within business units. 

Tying specific, measurable compliance objectives to performance evaluations and, consequently, compensation helps ensure that compliance responsibilities are taken seriously and prioritized alongside business objectives. As one member of the compliance and ethics function of a US corporate notes: "Compliance-related KPIs are present for designated employees who are responsible for managing compliance and audit activities. Recently, we decided to offer awards for compliance-related achievements, and it's driven positive results for us."

Beyond direct KPIs, formal recognition is equally important. Nearly four in five (79 percent) of respondents using compensation to incentivize compliance use employee recognition or award programs specifically for compliance-related achievements. These awards can highlight individuals or teams who demonstrate exemplary ethical leadership, implement innovative compliance approaches, champion a culture where people are empowered to raise concerns and report wrongdoing, or successfully embed compliance practices into business operations. Such recognition not only rewards individuals but also serves to promote positive role models and reinforce desired behaviors across the organization.

The overall sentiment is that integrating compliance into the compensation and reward framework adds tangible value. "All these measures are included in the compensation structure. It does add value to compliance management. It influences our employees positively, and they know that complying with the rules and regulations is an added advantage for them," says one member of the compliance and ethics function at a US company.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
