Why accelerating compliance transformation is critical in an era of disruption

Nearly three-quarters of businesses (71%) say the complexity and volatility of the current operating environment makes it harder than ever to keep pace with change, and this is shaping the way they perceive risk.

Our research shows that macroeconomic and trade volatility is the most disruptive force for today’s compliance teams, outpacing geopolitical shifts, tech disruption and regulatory complexity. The unpredictability of this challenge threatens the capabilities and response times of current operating models.

Now is the time to assess compliance practices and accelerate transformation. But while most organizations (67%) are making improvements to their compliance function, just 31% are seizing the opportunity to strategically rethink the role compliance plays within their business over the next two years. Meanwhile, 36% say they're making only focused improvements and one-third (33%) believe their current approach is effective in today’s environment.

The data suggests a lack of agility is inhibiting organizations’ ability to cope with threats. This is most apparent for complex challenges involving external partners: just one third of businesses say they are well-prepared to react quickly and effectively to third-party risk, and 62% claim their processes or systems limit the speed or coordination of their response.

These findings highlight how organizations often struggle to maintain oversight across extended networks. For example, a company might engage a third-party supplier that falsifies carbon credit certifications to inflate its environmental credentials (greenwashing), while also bribing local officials to secure those certifications and violating sanctions by operating in restricted regions.

These risks span multiple jurisdictions and regulatory domains, presenting a significant compliance challenge. As highlighted by the data, a lack of visibility, fragmented processes and resource constraints add further complexity, making it difficult for organizations to holistically manage risks without significant investment in technology, expertise and coordination.

“Too often, third-party risk management is focused on finding a needle in the haystack, rather than consistently managing the haystack itself. Today’s operating environment requires a more adaptable framework — one that integrates both structured and unstructured information and links directly to business activity. This will become increasingly critical as businesses look to capture opportunities in new and developing markets,” says Liban Jama, EY Americas Forensic & Integrity Services Leader.

What’s restricting flexibility? About half (49%) of businesses claim their compliance function is unable to pivot when it needs to without resistance or red tape. In addition, almost two-thirds (65%) say they are under pressure to deliver faster, more sophisticated compliance and risk management outcomes, but their budget is too low.

These findings reflect a tendency to undervalue the compliance function, with many organizations viewing it primarily as a safeguard against potentially adverse headlines.

But compliance can positively contribute to an organization’s overall success. Organizations recognized among the World's Most Ethical Companies by Ethisphere outperformed the market capitalization of a comparable global index by 7.8% over the past five years (as of 2025).¹

Compliance due diligence in M&A deals also helps uncover hidden risks, such as regulatory violations, environmental liabilities or anti-corruption issues, which can be quantified and leveraged to negotiate a lower purchase price, favorable indemnities or escrow arrangements — potentially saving millions and ensuring post-acquisition value preservation.

Organizations rethinking compliance are better prepared for disruption

Businesses transforming their compliance functions for the future are better positioned to react quickly and effectively to today’s most pressing challenges. When it comes to third-party risk, for example, 54% of transforming businesses say they are well-prepared, compared with just 18% of businesses maintaining their current approach.

The data also suggests that a wider mindset shift is taking place. Just 34% of transforming businesses say their compliance function’s responsiveness is restricted by red tape, compared with 58% of the businesses that are staying the course. Organizations that are more attuned to the need for adaptability in a fast-moving operating landscape appear to be placing greater trust in their compliance teams to act decisively in the face of risk.

Compliance teams must take the lead in driving this change in mindset. Jama explains, “For organizations to see compliance as a strategic business function, compliance teams need to demonstrate how they support decision-making and drive growth. This means linking compliance activities to bottom-line business outcomes and proactively bringing solutions to the table alongside challenges.” 

Investing in new technology and automation tools is compliance teams' top focus in the current regulatory landscape: 40% of businesses rank it in their top three priorities. Meanwhile, 38% are looking to revise their compliance operating models, signaling a broader push to overhaul the structures that underpin the function.

Strategic priorities at the organizational level reflect this shift. Half of businesses say adopting AI to enhance compliance is a top focus for investment, followed by compliance monitoring and internal auditing (49%) and compliance risk assessment and program reporting (47%).

Modernization is integral to transformation. But is it taking precedence over more immediate issues? Just a quarter of businesses are prioritizing the expansion of governance and oversight to include emerging risk areas.

There is also a clear gap in opinion across functions. Those working in non-compliance roles with regular exposure to compliance issues and initiatives — such as legal, audit or corporate governance — place an immediate focus on overhauling the compliance operating model. Compliance leads, however, recognize a more pressing need to enhance core capabilities, such as strengthening internal controls and expanding employee awareness.

“Compliance data fuels business intelligence, empowering informed decision-making through trend analysis and anomaly detection. For instance, behavioral analytics of employees, suppliers or customers can uncover efficiencies and actionable insights. Moreover, it can directly enhance profitability by identifying and mitigating losses, leakages and fraud perpetrated against an organization”, says Dilek Çilingir, EY Global Forensic & Integrity Services Leader.

A business that doesn't address this misalignment might underinvest in critical areas such as staffing, training and monitoring. Ultimately, this will lead to weak implementation of compliance controls and undermine the function’s ability to effectively manage risk.

Integrated compliance teams are in a position to react to disruption

More than three-quarters of businesses (78%) say their compliance team works closely and effectively with legal, audit and other key functions. Almost three-quarters of these more integrated organizations (74%) say they have strong visibility at board level and receive enough resources to effectively manage risk, compared with just 40% of the less integrated organizations.

Organizations with more integrated compliance teams are also 8 percentage points more likely to be transforming their compliance functions for the future, while less integrated teams tend to take a more piecemeal approach to change.

Technology repeatedly emerges as a strategic focus for compliance teams in today’s environment. But just 6% of businesses say they have "leading edge" capabilities — seamless, real-time systems that incorporate predictive tools and dashboards. Instead, the largest proportion (42%) describe their capabilities as "functional," meaning they have core systems integrated across compliance areas but lack more sophisticated, cross-functional capabilities such as data analytics and predictive insights.

Organizations that say they have advanced or leading-edge capabilities are more than twice as likely as organizations with limited or foundational systems to say they are well prepared to deal with accelerated, interconnected challenges such as cybersecurity and emerging tech risk, as well as third-party risk.

Mature companies are also more likely to be allocating resources strategically: 60% are transforming compliance for the future, compared with just 1% of organizations with only limited or foundational capabilities. In addition, these organizations are 45 percentage points more likely to say their organization allows them to quickly pivot without resistance.

The most resilient organizations are empowering their compliance teams by investing in tools that help them to navigate today’s complex, unpredictable challenges — reinforcing the link between organizational mindset and resilience.

Lack of vision could be undermining the value of advanced tech

Automating routine tasks is the number one area where businesses see the potential for AI or advanced analytics to add value for compliance and risk management: 44% rank it within their top three perceived benefits. More complex uses, meanwhile, are seen as less valuable: generating cross-domain insights from disparate sources, such as audit and risk, is the least popular response.

Businesses could be prioritizing AI for quick efficiency gains because of the accelerated pace of change. But underplaying more complex applications could be limiting its longer-term ability to create business value.

Sally Trivino, EY Global Forensic & Integrity Services Technology Co-Leader, adds: “There are two key factors influencing whether AI is currently being implemented within compliance. First, compliance professionals tend to be risk averse by nature, so their initial question around any new technology is always going to be: Can I trust it? AI is constantly evolving, so part of their job is assessing its risk. Second, compliance is a function that does not directly impact a company’s revenue streams, so the business case for investing in AI for compliance is not particularly strong when compared to other areas of the business that have a more direct impact. As a result, teams often have limited influence over how and where AI is implemented.”

Our data suggests uncertainty about implementing AI within compliance is the main cause for hesitation. AI bias, cyber threats and regulatory uncertainty are the top three most significant risks businesses identify.

There's a deeper readiness gap. Uncertainty about the effectiveness of AI use and a lack of investment in the resources required for effective implementation are identified within the top three organizational hurdles to implementation.

To unleash the true transformational power of AI, organizations will need to shift toward purpose-built tools that anticipate and navigate risk in a disruptive environment.

“Compliance should be a seatbelt, not a brake. Businesses that don’t invest in AI for compliance are forcing their compliance teams to rely on slow, outdated systems that can’t keep pace with today’s business demands. This not only puts them on a back foot against competitors but also leaves them exposed to failures that could ultimately result in later overinvestment under the scrutiny of a regulator-appointed monitor,” says Trivino.

1. Transform — or be left behind

Organizations must take a deliberate, strategic approach to transformation to create lasting value.

• Empower the experts: Compliance teams must be equipped with the right tools and entrusted with decision-making authority to enable decisive, agile responses to risk.
• Integrate risk and strategy: Compliance should be a proactive driver of resilience and growth — not just a safeguard.
• Invest in tech as a strategic enabler: To create maximum value, AI should be embedded within the operating model and regularly updated in line with business needs and industry advances.

2. Redesign for resilience

Businesses must prioritize the integration of their compliance function on both an operational and cultural level.

• Lay the foundations first: This means robust controls, clear monitoring frameworks and a workforce that's educated on what modern compliance means.
• Structure the organization around compliance: It’s no longer a parallel function — it's a non-negotiable element of business strategy. 
• Prioritize seamless communication and data flow: This will create alignment across functions and enable the compliance team to pivot at speed when it needs to. 

3. Lead with authority

• Elevate the leaders: In a disruptive operating environment, it's more important than ever for compliance leads to have a voice at senior level.
• Be decisive: Move beyond slow, measured decision-making processes to match the accelerated pace of change.
• Own decisions: As cross-functional integration blurs accountability, compliance professionals must assert their authority as recognized risk leaders.