In 2026, risk and compliance leaders are navigating expanded export controls, tighter sanctions enforcement, widening regulatory divergence, and growing data-localization requirements. At the same time, generative and agentic AI systems are creating new opportunities to strengthen foresight, enhance coordination, and scale risk and compliance management capabilities.
BCG’s Risk and Compliance 2026 provides insights into how leading organizations are adapting in this new landscape. It draws on proprietary data from more than 100 senior risk and compliance executives across six industries and seven regions. With more than two-thirds of participating companies ranging from $0.5 to $5 billion in annual revenue and 50% employing over 10,000 people, the findings reflect the realities of global organizations operating at scale.
Exposure is concentrated in three interconnected domains:
- Geopolitical and regulatory divergence, which increasingly forces trade-offs between compliance certainty, cost, and market access. Nearly all respondents cite fast and unpredictable regulatory change as a top external burden, and an overwhelming majority report struggling with conflicting laws across jurisdictions.
- Supply chain risks and compliance requirements, where due-diligence needs, trade restrictions, and technology controls demand defensible evidence deep into sub-tier networks. Supply chain transparency remains among the lowest-maturity areas for companies, even as respondents identify it as a near-term priority.
- Technology, data, and cyber risks, which have evolved into enterprise-resilience challenges amplified by ecosystem complexity and third-party exposure. Cybersecurity and data protection consistently rank among the top enterprise risks, yet only a small minority of organizations describe their capabilities as fully mature.
The progression of forces is clear. Rising geopolitical volatility and regulatory divergence drive operational complexity—most visibly in supply chains and digital ecosystems—where traditional, human-centric models struggle to keep pace. These shifts converge in an intensifying risk and compliance squeeze, where leaders must address budget, talent, and capacity constraints. As complexity accelerates, advanced analytics, GenAI, and agentic systems become part of the solution—not only as levers for scale but as necessities to enhance both effectiveness and efficiency. (See the exhibit.)
Global players cannot manage the sustained volatility resulting from these forces through incremental controls, additional headcount, or isolated technology deployments. Success requires companies to:
- Institutionalize geopolitical foresight to enable proactive decisions on market access, footprint, and capital allocation.
- Redesign supply chains for defensibility and resilience by enhancing traceability, dependency mapping, and trade compliance.
- Elevate tech, data, and cyber resilience into enterprise governance through board-level oversight of digital interdependence and third-party exposure.
- Adopt AI-first operating models with end-to-end redesigned workflows.
- Ease the risk and compliance squeeze by prioritizing investments and reallocating scarce talent toward the highest-impact activities.
Taken together, these shifts define a new risk and compliance mandate: proactive, integrated, AI-empowered, and deliberately designed for a world where volatility is persistent and trade-offs are unavoidable.
The authors thank Ramón Bravo and Eva Kalteier for their contributions to the writing of this report.