Legal and compliance leaders rate the level of risk in the current business environment as 7.9 out of 10, where 1 is negligible and 10 is critical. Although this is a 16% increase from Q1 levels, this figure has remained relatively flat since Q3, suggesting that the increase in risk may be stabilizing.
While a new year often brings a renewed sense of optimism and a reset of mindset, legal and compliance leaders will end 2025 with deep-seated concerns about the risk landscape. Corporate director and the Diligent Institute point out that pressures across the economic, regulatory and political realms combine to create a volatile environment for business.
One respondent said, “These factors are directly related. When one risk increases, so do the others.”
“In 2025, risk levels have not just spiked, they have settled into an 'always on' baseline,” said Dottie Schindlinger, executive director of the Diligent Institute. “In a world where extremely high risk levels remain constant, the GC’s agenda is likely to become increasingly defined by exposure to AI and broader technology. Legal teams are already preparing, and we predict increased regulatory tracking, auditing and policy review in 2026.”

Technology and AI lead risk concerns
The most striking finding in this survey is the predominance of technology-related concerns. Currently, 60% of respondents cite technology as a risk, far ahead of other issues such as the economy (33%) and tariffs (23%). Legal, compliance, and audit leaders view increasingly sophisticated cyberattacks as a key threat vector.
“Cyber threats and supply chain instability continue to put pressure on technology and service companies, especially those that rely on stable and secure environments,” said Taras Litovchenko, chief legal and compliance officer at Trinitex.
“From an IT business perspective, regulatory uncertainty is the biggest factor, especially when it comes to data protection, AI governance, and cross-border compliance,” added another respondent. “On top of that, cyber threats and supply chain instability continue to create pressure.”
“Technology risk is now the connective tissue of the entire risk registry,” said Kira Ciccarelli, senior manager of research at the Diligent Institute. “We know that boards are also experimenting with new technologies, such as AI tools, to improve oversight, but relatively few organizations are using AI-powered dashboards to monitor risk. Closing the execution gap can separate the leaders from the laggards.”

AI risks are expected to continue
Those surveyed expect most risks to be reduced as companies gain greater clarity on issues such as trade, regulation and economics, with AI-related risks being a notable exception. A majority continues to cite it as the top risk to their organization in 2026, far ahead of the economy (23 percent) and regulation (19 percent).
When asked which key risk indicators (KRIs) they are closely monitoring in the new year, market conditions came first with 33% of votes, followed by cyber alerts (27%).

Budget constraints despite growing threats
The survey revealed a worrying disconnect. Despite reports of increased risk and weaknesses in cross-functional collaboration, one-third of respondents said their organizations will reduce or flatten their risk management operating budgets in 2026.
One respondent warned that “the focus on cost reduction is increasing risks around the world.”
“My concern is that there is a potential risk mitigation gap due to changes in roles and employees, as well as the recognition of a cultural shift where companies are accepting more risks if they are unscrupulous. Employee morale is also low, which can lead to apathy and a lack of focus needed to perform risk mitigation at a high level.”
For organizations looking to increase their budgets, the most common investments are regulatory tracking and monitoring technology (26 percent) or data privacy and cyber defense (23 percent).

Ask for better coordination
When asked what they would improve if given the chance, interdepartmental collaboration took the top spot with 44 percent of the votes.
One respondent stated, “We are a large company and there are many opportunities to be even better than we are now. My idea is to create less siloed systems and activities to see trends at a higher level and enable more detailed reviews for continuous improvement.”
“We would like to prioritize stronger and faster visibility into external regulatory changes, especially changes in trade policy, tariffs, and cross-border rules that affect IT outsourcing,” said another official. “We need smoother ways to detect these changes early, assess their impact, and adjust delivery models before clients feel pressured.”
“Cross-functional collaboration is key to operating in a world where top risks are interdependent and self-amplifying, where geopolitics, regulation and technology flows move together,” says Ciccarelli. “Yet, significant implementation gaps remain in the integration of governance, risk, and compliance.”
A recent study by the Diligent Institute found that only 4% of governance professionals say GRC systems and financial systems are fully integrated, meaning risk data can remain locked in silos. “In an ideal future state, GRC systems should flow in one stream so that one trigger automatically notifies others, such as a cyber alert, rate change, or AI policy change,” Schindlinger said.

