2025年全球企业合规风险基准调查报告：人工智能、非授权通信、合规激励与自愿披露

Perspectives on AI, off-networkmessaging, incentivizing complianceand voluntary disclosure Contents Insights from the globalcompliance risk benchmarkingsurvey 2025 Page 1 Key takeawaysPage 2 Artificial intelligence in thecompliance functionPage 3 Off-network messagingand compliance Page 9 Incentivizing compliance anddisincentivizing non-compliance Page 14 Voluntary self-disclosurePage 17 Survey methodologyand demographicsPage 20 Insights from theglobal compliance riskbenchmarking survey 2025 In a world that moves at break-neck speed,corporate legal and compliance teams have neverfaced greater pressure to stay ahead of the game.The result is a function that is not just reactive to risk,but increasingly proactive in shaping corporate behaviorand decision-making. The conversation around compliance incentivizationshows promising signs of maturity. Many organizationsare now integrating compliance metrics intocompensation and performance frameworks. This findingsuggests a shift from relying solely on punitive measurestoward building a culture where ethical behavior isactively recognized and rewarded. Yet, the effectivenessof these programs depends not just on their existence,but on whether and, if so, how consistently they areimplemented and whether they are aligned with broaderbusiness goals. The survey sheds light on the growinguse of compliance-linked key performance indicators(KPIs) and how these are shaping both corporate cultureand accountability. This year’s Global Compliance Risk BenchmarkingSurvey offers a timely snapshot—based on insightsfrom 265 senior compliance, legal and risk professionalsworldwide—of how today’s legal and compliance leadersare adapting to new technologies, regulatory expectationsand cultural shifts in business conduct. The themes explored in this year’s survey reflectthe changing nature of legal and compliance riskmanagement. Artificial intelligence (AI) is becoming anoperational reality within legal and compliance teams.Our findings show that while a growing number oforganizations are deploying AI to drive efficiency andclarity in investigations and reporting, concerns aboutaccuracy, governance and data privacy remain significant.As adoption increases, so does the need for guardrailsto ensure that the use of AI enhances—rather thanundermines—operational integrity. In the final section, the report explores howcompanies are approaching voluntary self-disclosureto the United States Department of Justice (DOJ).While many companies now have formal processesto assess potential misconduct and to consider self-reporting, concerns about cost, reputational risk and theperceived benefits of disclosure continue to hold someorganizations back. These concerns should be consideredin the context of the global landscape. It remains tobe seen, for example, the extent to which updated UKguidance on corporate self-reporting will factor into theequation for multinational organizations. We explore not only whether organizations are usingAI, but also how long they have been doing so; theprimary motivations driving adoption; the specific usesbeing prioritized; and the perceived advantages gainedby users. Crucially, we also investigate the key concernssurrounding AI utilization; the prevalence of governancepolicies; the integration of AI risk into broader enterpriserisk management (ERM) frameworks; and controls beingimplemented to ensure the trustworthiness and reliabilityof these tools. Together, these findings offer a nuanced view of howlegal and compliance teams are navigating the demands ofa digital, distributed and demanding business environment.From emerging technologies to traditional risk domains,the survey provides practical benchmarks and insightsfor organizations aiming to build resilient, forward-lookingcompliance programs. We hope you find this year’s report both informativeand thought-provoking. Additionally, we examine the use of off-networkmessaging applications—tools that are convenientfor employees, but often challenging for legal andcompliance teams to monitor and access. The findingssuggest that while many companies are implementingwritten policies, only a minority actively collect or auditoff-network communications, raising questions aboutwhether they do and, if so, how well these policiesare being enforced and whether they are sufficientlycomprehensive in scope, as well as emphasizing theimportance of clear risk leadership and the right “tonefrom the top”. Regulators are watching this space closely,and companies must consider whether their currentapproaches are sufficient in both spirit and substance. Key takeaways traction and positively shapingbehavior. To be effective, however,these programs must apply acrossemployee levels and extend tothird parties. Selective or symbolicapplication risks underminingtheir impact. Given the far-reaching natureof the survey and thefindings within, as well asthe changing nature of the compliancefunction, below are five takeaw