2025 Global compliance risk benchmarking survey

Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape

 

In a world that moves at break-neck speed, corporate legal and compliance teams have never faced greater pressure to stay ahead of the game. The result is a function that is not just reactive to risk, but increasingly proactive in shaping corporate behavior and decision-making.

This year’s Global Compliance Risk Benchmarking Survey offers a timely snapshot—based on insights from 265 senior compliance, legal and risk professionals worldwide—of how today’s legal and compliance leaders are adapting to new technologies, regulatory expectations and cultural shifts in business conduct.

The themes explored in this year’s survey reflect the changing nature of legal and compliance risk management. Artificial intelligence (AI) is becoming an operational reality within legal and compliance teams. Our findings show that while a growing number of organizations are deploying AI to drive efficiency and clarity in investigations and reporting, concerns about accuracy, governance and data privacy remain significant. As adoption increases, so does the need for guardrails to ensure that the use of AI enhances—rather than undermines—operational integrity.

We explore not only whether organizations are using AI, but also how long they have been doing so; the primary motivations driving adoption; the specific uses being prioritized; and the perceived advantages gained by users. Crucially, we also investigate the key concerns surrounding AI utilization; the prevalence of governance policies; the integration of AI risk into broader enterprise risk management (ERM) frameworks; and controls being implemented to ensure the trustworthiness and reliability of these tools.

Additionally, we examine the use of off-network messaging applications—tools that are convenient for employees, but often challenging for legal and compliance teams to monitor and access. The findings suggest that while many companies are implementing written policies, only a minority actively collect or audit off-network communications. This raises questions about whether and, if so, how well these policies are being enforced, and whether they are sufficiently comprehensive in scope, and it emphasizes the importance of clear risk leadership and the right “tone from the top”. Regulators are watching this space closely, and companies must consider whether their current approaches are sufficient in both spirit and substance.

The conversation around compliance incentivization shows promising signs of maturity. Many organizations are now integrating compliance metrics into compensation and performance frameworks. This finding suggests a shift from relying solely on punitive measures toward building a culture where ethical behavior is actively recognized and rewarded. Yet, the effectiveness of these programs depends not just on their existence, but on whether and, if so, how consistently they are implemented and whether they are aligned with broader business goals. The survey sheds light on the growing use of compliance-linked key performance indicators (KPIs) and how these are shaping both corporate culture and accountability.

In the final section, the report explores how companies are approaching voluntary self-disclosure to the United States Department of Justice (DOJ). While many companies now have formal processes to assess potential misconduct and to consider self-reporting, concerns about cost, reputational risk and the perceived benefits of disclosure continue to hold some organizations back. These concerns should be considered in the context of the global landscape. It remains to be seen, for example, to what extent updated UK guidance on corporate self-reporting will factor into the equation for multinational organizations.

Together, these findings offer a nuanced view of how legal and compliance teams are navigating the demands of a digital, distributed and demanding business environment. From emerging technologies to traditional risk domains, the survey provides practical benchmarks and insights for organizations aiming to build resilient, forward-looking compliance programs.

We hope you find this year’s report both informative and thought-provoking.

Key takeaways

Given the far-reaching nature of the survey and the findings within, as well as the changing nature of the compliance function, below are five takeaways that every legal and compliance leader should keep front of mind.

1. AI adoption is accelerating—and governance must keep pace

As more compliance teams deploy AI to streamline investigations and analyze risk, oversight frameworks need to evolve in parallel. Clear internal policies, strong ERM integration and proactive controls are essential to avoid over-reliance and ensure ethical, defensible use of these tools.

2. Managing off-network messaging is now a baseline expectation

Having a policy on off-network messaging is no longer a differentiator—it’s a minimum requirement. Policy enforcement mechanisms, such as backup requirements and audit trails, are the next frontier, and organizations lagging here risk falling short of regulatory expectations.

3. Compliance incentives are working—but must go deeper

Tying compensation and recognition to compliance outcomes is gaining traction and positively shaping behavior. To be effective, however, these programs must apply across employee levels and extend to third parties. Selective or symbolic application risks undermining their impact.

4. Voluntary disclosure is still a difficult choice; decision frameworks help

While concerns about cost, reputational harm and prolonged regulatory scrutiny persist, many organizations are still investigating and remediating misconduct—even when they opt not to self-disclose to the DOJ. The trade-offs are real: Voluntary self-disclosure may lead to reduced penalties and credit for cooperation, but it can also trigger intense external investigation, significant legal fees and public exposure. Building robust internal frameworks to assess these scenarios—and engaging regulators early where appropriate—can help organizations make more confident, consistent decisions.

5. Compliance is becoming a strategic function

As risks grow more complex and digitalized, the compliance function is evolving into a strategic advisor to the business. This shift not only requires more resources, but also a change of mindset—embedding compliance thinking into executive-level planning.

Artificial intelligence in the compliance function

Off-network messaging and compliance

Incentivizing compliance and disincentivizing non-compliance

Voluntary self-disclosure

Survey methodology and demographics

Voluntary self-disclosure

Key takeaways

01

Most companies now have formal processes in place to assess potential misconduct for DOJ disclosure, highlighting a shift toward more structured and intentional compliance protocols

02

Almost half of the organizations have considered self-disclosure under the DOJ’s 2023 revised CEP, showing significant engagement with the updated incentives. It remains to be seen whether the DOJ’s 2025 revisions to the CEP, which postdated the data-gathering for this survey, will reinforce this trend

03

Public companies and those with higher revenues are more likely to consider self-disclosure, suggesting that resource availability and external scrutiny play a major role

04

Internal remediation remains a top priority even when companies opt not to disclose, with larger organizations showing a greater tendency to investigate and correct issues 

05

Concerns around costs, duration and reputational risk continue to deter many from self-disclosing, despite DOJ incentives and potential leniency. These concerns are likely to remain despite the most recent policy changes to encourage voluntary disclosure

Whether to voluntarily self-disclose potential corporate misconduct to the DOJ presents one of the most challenging and complex decisions a company facing compliance issues can encounter. Multinational organizations will also need to consider self-disclosure regimes in other jurisdictions, notably the UK.

Voluntary self-disclosure offers a potential pathway to leniency, including possible declinations or significantly reduced penalties, under the CEP. The January 2023 revisions to the CEP sought to further incentivize prompt and comprehensive disclosure, cooperation and remediation, and underscore the DOJ's emphasis on corporate accountability and proactive compliance. More recent revisions announced in May 2025 are designed to provide even greater certainty and transparency to companies that voluntarily self-disclose, fully cooperate and timely and appropriately remediate. Most notably, the latest revisions to the CEP provide that companies meeting these criteria are entitled to a declination of prosecution—absent aggravating circumstances underlying the misconduct—whereas the previous version of the CEP provided that such companies were entitled to a presumption of a declination. The 2025 revisions to the CEP also create a new category for "near miss" voluntary self-disclosures, where a company self-reports in good faith but falls short of full voluntary self-disclosure criteria, among other scenarios. In such "near miss" voluntary self-disclosures, the form of resolution is a non-prosecution agreement (absent particularly egregious conduct or multiple aggravating factors) with a term of less than three years, a reduction of 75 percent off of the low end of the applicable fine range and no independent compliance monitor.

The path of self-disclosure, however, is fraught with perceived risks and uncertainties, demanding a careful calculus of potential benefits versus substantial costs that often lead companies to refrain from stepping forward.

Does your organization have a process to identify and assess compliance escalations involving potential corporate misconduct for potential voluntary self-disclosure to the U.S. Department of Justice (“DOJ”)?

Formalizing the disclosure assessment process

Given the high stakes involved, a structured approach to identifying and evaluating potential misconduct for self-disclosure is highly desirable. Recognizing a potential issue is only the first step; determining its severity, scope and implications under DOJ policy requires a robust internal process involving legal and compliance personnel and usually external counsel.

Encouragingly, a majority of organizations appear equipped, at least procedurally, for this task. Our findings show that 69 percent of respondents have established a formal process specifically designed to identify and assess compliance escalations involving potential corporate misconduct for the express purpose of evaluating potential voluntary self-disclosure to the DOJ. 

This finding suggests that most organizations understand the need for a systematic framework to handle these critical decisions, ensuring that potential disclosures are considered deliberately and consistently, rather than on an ad-hoc basis. The existence of such processes allows for timely internal investigations, thorough analysis of the facts against the DOJ's criteria and informed recommendations to senior management and the board.

Engagement with the 2023 revised DOJ policy

The DOJ's revisions to its CEP in January 2023 aimed to provide greater transparency and stronger incentives for companies to come forward promptly upon discovering misconduct. These changes clarified the benefits available for companies meeting specific standards of disclosure, cooperation and remediation, even where aggravating circumstances exist. As noted above, the CEP was further revised in May 2025 following the completion of this survey.

Since the 2023 CEP revisions, nearly half (49 percent) of surveyed organizations have actively considered voluntarily self-disclosing potential corporate misconduct to the DOJ. This indicates a significant level of engagement with this topic, perhaps motivated by the DOJ's efforts at greater certainty and transparency in this context.

If you considered voluntary self-disclosure but decided not to disclose, did your organization nonetheless investigate and appropriately remediate any misconduct?*

Publicly listed companies, which generally face heightened regulatory oversight and shareholder expectations, have been more inclined to consider voluntary self-disclosure. A 57 percent majority of public company respondents considered self-disclosure under the revised policy, compared with only 37 percent of private company respondents. Similarly, scale is important, with 56 percent of the highest-revenue-generating respondents having contemplated self-disclosure, compared with just 33 percent of the lowest-revenue-generating respondents. 

This disparity likely reflects factors similar to those seen in the adoption of AI and other compliance practices: larger, public companies may have more sophisticated monitoring systems that detect potential issues sooner; greater resources dedicated to legal and compliance functions enabling thorough evaluation against DOJ policy; and perhaps a greater sensitivity to the potential reputational and financial consequences of not disclosing if the misconduct were later discovered by authorities.

Internal remediation: A priority regardless of disclosure

Crucially, the decision not to self-disclose does not necessarily mean inaction. Effective compliance programs emphasize not only detection but also thorough investigation and remediation of identified issues, regardless of external reporting decisions. Among organizations that considered voluntary self-disclosure but decided not to disclose, nearly half (48 percent) nonetheless proceeded to conduct an internal investigation and appropriately remediate any confirmed misconduct. This outcome underscores a commitment within many organizations to address compliance failures internally, fixing processes, implementing stronger controls, and potentially disciplining employees, even when choosing not to involve the DOJ.

Once again, larger organizations demonstrate a stronger tendency toward internal resolutions. A substantial 80 percent of the highest revenue-generating organizations investigated and remediated misconduct even when not disclosing, compared with only 32 percent of the lowest revenue-generating companies. This gap may reflect differences in internal investigation capabilities, resources dedicated to remediation efforts, or potentially a higher baseline level of compliance program maturity in larger firms.


Barriers to disclosure: Cost, duration, and uncertainty 

Despite the DOJ's incentives, there remain hurdles to self-disclosure that dissuade companies from coming forward.

The most cited barrier is a pragmatic concern that the potential costs would ultimately outweigh the potential benefits (49 percent). This cost-benefit analysis is complex. While self-disclosure might lead to reduced fines, the costs of conducting the necessary rigorous internal investigation to the DOJ's expectations and of cooperating fully, which can involve extensive document production and employee interviews and, in extreme cases, paying for an independent compliance monitor, can be substantial. In assessing whether to self-report, companies typically also consider the likelihood of the government discovering the misconduct absent a self-report, and the potential benefits that can be obtained from cooperation and remediation alone should the government later come knocking. As one member of the legal function of a US private equity firm says, "Our concern has always been about the potential costs of voluntary self-disclosure. There should be a balance between the costs and the potential benefits. If the company is eventually at a loss due to this voluntary disclosure, it does not justify the step."

Closely related is the concern about the resulting duration and cost of the ensuing DOJ investigation itself (47 percent of those that do not voluntarily disclose). Initiating a voluntary self-disclosure invites government scrutiny, and companies worry about protracted, resource-intensive investigations that can disrupt business operations, consume significant management time and incur substantial legal fees, even if the ultimate penalty is reduced. The lack of certainty around timelines is a key deterrent. "Concern about the resulting duration of a DOJ investigation was the most troubling," says the general counsel of a Japanese company. "We cannot predict these timelines. It may involve a lot of negative publicity as well. I'm not sure that a voluntary disclosure was in the best interest of the business at the time." Further, a member of the compliance and ethics function of a US company echoed this sentiment, saying: "A full-fledged DOJ investigation was not something we were prepared for. Apart from the uncertain time and cost of the DOJ investigation, we were also concerned with the possible effects on the reputation of the company. There were a few positives to back the decision about going in for a voluntary self-disclosure."

The fear of a lengthy, costly and potentially reputation-damaging process, even when initiated voluntarily, clearly weighs heavily on the decision-making process. The emphasis on promoting efficiency in DOJ investigations in the most recent Department policy announcements is alone unlikely to assuage these concerns.

Adding to the complexity for multinational organizations are the disclosure regimes found in other jurisdictions. In the UK, the Serious Fraud Office (SFO) has recently updated its guidance with the aim of incentivizing corporate self-reporting by offering a clearer and quicker pathway to a deferred prosecution agreement for those who come forward voluntarily. It remains to be seen to what extent this new guidance will affect decision-making within multinational organizations.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
