What happened
BCG surveyed over 100 senior risk and compliance executives across six industries and seven regions. The report identifies three interconnected exposure domains in 2026: geopolitical and regulatory divergence (nearly all respondents cite fast, unpredictable regulatory change as a top burden; an overwhelming majority report conflicting laws across jurisdictions); supply chain risks and compliance requirements (supply chain transparency remains among the lowest-maturity areas despite being a near-term priority); and technology, data, and cyber risks amplified by ecosystem complexity and third-party exposure (cybersecurity and data protection rank among the top enterprise risks, yet only a small minority describe their capabilities as fully mature). More than two-thirds of participating companies range from $0.5B to $5B in revenue; 50% employ over 10,000 people. The report frames generative and agentic AI as both a risk amplifier and a potential solution to scale risk and compliance management capabilities.
Why it matters
Risk and compliance leaders face a sustained volatility squeeze: geopolitical fragmentation, regulatory divergence, and AI-accelerated complexity are converging faster than organizations can scale traditional, human-centric controls. The low maturity in supply chain transparency—despite it being a stated priority—signals a structural gap that sanctions enforcement, ESG due diligence, and trade restrictions will exploit. For CROs and boards, this report quantifies the magnitude of the compliance capacity crisis.
Action needed
Risk committees: Institutionalize geopolitical foresight as a board-level input to capital allocation and market access decisions. CROs: Redesign supply chain compliance workflows with AI-first operating models to achieve traceability and dependency mapping at sub-tier scale. Do not treat this as a technology deployment—treat it as an enterprise architecture redesign.