How exposed is your business to political violence risk?

2026 report

Allianz 2026 Political Violence & Civil Unrest Trends Report

What’s in this report from Allianz Commercial:

War has displaced civil unrest as the political violence exposure companies fear most, according to Allianz Commercial’s 2026 analysis of global political violence and civil unrest trends. The shift reflects a risk landscape that has grown considerably in scale and complexity: areas affected by armed conflict have expanded 89% in the past five years, an estimated 36,000 business assets now sit in conflict zones and a new conflict in the Middle East is already reshaping global trade routes, energy markets and insurance exposures.

Some key findings:

• Business interruption and supply chain disruption are the top concerns among companies facing political violence exposure, cited by 72% of respondents each.
• Civil unrest is no longer a risk confined to fragile states: Analysis shows that “mid-resilient” economies accounted for 70% of global strikes, riots and civil commotion events between 2020 and 2025, with countries like France, Germany and the US among those experiencing high protest frequencies.
• “Gray zone” activities — sabotage, cyber-attacks and disinformation campaigns — are increasingly being deployed by state and non-state actors against critical infrastructure and high-profile businesses, blurring the line between peace and open conflict.

The post Political Violence & Civil Unrest Trends appeared first on Corporate Compliance Insights.

Companies struggle to keep up with the use of AI tools

Nearly two in three audit, GRC and IT decision-makers (62%) say they are worried about employees inputting sensitive data into AI tools, and 59% are concerned about “shadow AI,” employees using unapproved tools, according to a survey by GRC software provider Optro, formerly AuditBoard

The survey of 822 leaders at companies with at least $100 million in annual revenue and 250 employees found that despite their worries about how AI is being used at their companies, only 18% are in organizations where unauthorized AI domains are actively blocked, only 34% have an AI model inventory, and just 31% have AI incident response procedures.

The concerns about AI tools don’t stop there.

“They’re daily behavior patterns happening right now, across every function, in tools often invisible to governance teams,” Optro said in the report on the survey. “And this is directly leading to a significant uptick in AI-enabled attacks.”

Of respondents, 82% reported an increase over the past year of AI-enabled attacks with 39% saying attacks have significantly increased. The kind of attack is changing, too. Social engineering is the top threat, and 61% said it has increased.

More work, same team in governance

Governance professionals are facing increased workloads with many having to shoulder that burden without a coordinating increase in team members, according to a recent survey by GRC software company Diligent.

Nearly three out of four (74%) governance professionals surveyed reported the scope of their work has expanded in the past two years, and almost half (46%) reported that workloads had increased without headcount going up.

Diligent surveyed 309 senior governance practitioners from North America, Latin America, Asia Pacific, the Middle East and Europe.

Technology gaps and regulatory complexity are compounding the workload, according to the survey, with about 47% citing those two issues as the biggest barrier.

Other key findings:

• 64% said AI governance was the most critical skill for the next three years, ranking it above every traditional legal capability.
• Asked if they would be comfortable with AI completing basic actions without approval, 38% said they would be and 36% said they wouldn’t be.
• 56% of governance professionals said they saw themselves as strategic advisers to the board, but only 17% believe their board sees them that way.
• 52% said boards underestimate the complexity of governance, often viewing it as administrative rather than strategic.

UK organizations: Ready or not for new AML rules?

More than half of UK compliance professionals don’t see their organizations being on solid footing when it comes to new national AML rules, according to a survey by VinciWorks, a compliance eLearning and software provider.

Of compliance professionals polled, 57% said their organizations have not started preparing or were unsure of their preparations for 2026 amendments to money laundering and terrorist financing regulations, which are expected to come into force in late June or early July. Only about 4% said they had new policies ready.

VinciWorks surveyed 334 compliance professionals across the UK’s legal, financial services and accounting sectors.

Despite unsure preparations for AML rule changes, organizations’ compliance leaders are confident that their current AML training could adapt to the 2026 amendments, the survey found. More than three quarters (77%) of respondents said they are fairly or very confident the changes can be addressed by today’s AML training.

“The confidence figures look reassuring until you set them alongside the readiness data,” Nick Henderson-Mayo, head of compliance at VinciWorks, said in the survey report. “That gap could be where firms get caught. Regulators do not accept good intentions as a defence.”

Chief legal officers getting that money

Chief legal officers (CLOs) among S&P 500 and Russell 3000 companies had double-digit percentage increases in pay from 2022 to 2025, according to a survey by The Conference Board, Major, Lindsey & Africa and ESGAUGE.

Median compensation for CLOs at S&P 500 companies rose from $3.3 million to $4.2 million, or 27%, and at Russell 3000 companies $1.9 million to $2.1 million, or 11%, in that time period, the survey said.

The study also found that these companies are increasingly hiring CLOs from the outside rather than the inside. External hires rose from 50% to nearly 60%.

The survey also looked at gender and found the share of women CLOs barely moved, staying around 40% for S&P 500 companies and modestly increased from 33% to 35% at Russell 3000 companies. Among S&P 500 companies, women CLOs made less than men (a median of $3.8 million compared to $4.2 million), while women and men earned the same at the median, $2.1 million, at Russell 3000 companies.

The post 59% of Audit, GRC & IT Leaders Concerned About Shadow AI appeared first on Corporate Compliance Insights.

Government money-laundering watchdogs have proposed an overhaul of rules that dictate how financial institutions avoid the crime and prevent terrorism financing. The proposal is years in the making, writes Abhishek Bhasin, financial crime expert at TCS, and financial institutions should start preparing now.

In April, FinCEN issued a notice of proposed rulemaking (NPRM) introducing reforms aiming at modernization of the existing anti-money laundering and countering the financing of terrorism (AML/CFT) framework under the Bank Secrecy Act (BSA).

The proposed rule aims to shift the focus of AML programs from procedural compliance to operational effectiveness, closely aligning with AML Act 2020 and AML national priorities.

While the NPRM is open to industry for consultation, with a deadline of June 9, it is important for institutions to view this rule in conjunction with a series of events and recent regulatory developments. This will help institutions prepare for changes.

Recent themes

The current proposed rule is a culmination of regulatory events and changes over the past few years, providing a clear perspective of FinCEN’s overarching objectives of modernizing, standardizing and simplifying AML/CFT programs across financial institutions.

Since 2020, FinCEN, Congress and the Treasury Department have set the stage for the critical changes proposed this year, including passing the 2020 AML Act, issuing, updating and aligning national AML priorities, modernizing BSA regulations and reporting requirements as well as streamlining banks’ customer due-diligence mandates.

The 2026 proposed rule aims to create uniform and simplified guidelines for establishing and maintaining AML programs across financial institutions focusing on relevance, efficiency and transparency aligned with institutions dynamics and risk factors.

Enhancing AML/CFT programs

The rule proposal would create the following:

• Distinct guidelines for establishing and maintaining AML/CFT programs through encouraging institutions to establish robust AML/CFT frameworks along with effective implementation and ongoing maintenance aligned with the institutions’ size, structure, risk profile and complexity.
• Outlines for minimum components of establishing compliant AML /CFT programs entailing risk integrated internal policies, procedures, relevant controls and employee training with independent program testing and a designated US-based AML officer.
• Comprehensively designed, implemented and maintained risk assessment processes evaluating institutions’ money-laundering and terrorism financing risks corresponding to their business activities, including products, services, distribution channels, customers, geographic locations and enforcement feedback. The proposed rule emphasizes moving from periodic review of risk assessment processes to ongoing review of processes triggered by material changes in institutions’ money laundering/terrorism financing risks.
• Alignment and focus on national security priorities and high-risk areas by directing more attention and resources toward higher-risk customers and activities consistent with the risk profile of the financial institution.
• Integration of risk assessment, enabling mitigation of the identified gaps with updated policies, procedures, training and controls.
• Reinforcement of independent program testing and customer due diligence (CDD) requirements and its integration with new risk assessment processes, outcomes and risk-based policies, procedures and controls.
• Continuous, effective employee training aligned with individual roles, responsibilities and risk exposures corresponding with institution’s risk assessment processes, AML/CFT regulatory requirements and other relevant factors.
• Qualified designated AML/CFT officers based in the US with required access and independence not overburdened with other responsibilities. There are no explicit restrictions on use of AML support outside the US with restricted access to suspicious activity report (SAR) details and data.
• Additional focus on AML/CFT program implementation, maintenance and testing that pertains to non-performance of internal policies, procedures, gaps in risk assessment process and  implementation failures.

Enhanced flexibility & discretion

FinCEN believes that financial institutions know their customer base, businesses and risks better than regulators. Thus, financial institutions are best positioned to identify and evaluate their money laundering/terrorism financing risks and are provided with flexibilities and discretion to:

• Make decisions and determinations related to risk identification and resource allocation.
• Serve more customers by avoiding “one size fits all approaches to customer risk.”
• Direct more resources to high-risk areas than low risk customers and activities to generate highly useful information for law enforcement and national security agencies in defined priority areas.
• Design governance and oversight mechanisms aligned with institutions’ risk acceptance and business dynamics including approval of AML/CFT programs by senior management.

Encourage innovation & adoption of new technologies

FinCEN recognizes that fostering the use of innovative technologies is vital to improve financial crime compliance and fight illicit finance and therefore strongly encourages financial institutions to:

• Evaluate innovative approaches like machine learning, generative AI, digital identity, blockchain monitoring and analytics and APIs, which are especially useful in countering illicit finance activity involving digital assets.
• Responsibly innovate and adopt technologies to strengthen AML/CFT framework and operations by detecting, optimizing and deriving valuable insights for law enforcement and national security agencies in fighting financial crimes.

Consistency & consultation

The proposed rule not only focuses on establishing and maintaining effective AML/CFT programs by financial institutions, it also enhances the supervisory and enforcement approach by FinCEN through:

• Ongoing coordination with examiner authorities, ideally ensuring uniform, consistent assessment and evaluation practices with a risk-driven approach and focus on material gaps with relaxation on immaterial implementation deficiencies.
• FinCEN supervision and consultation review and feedback mechanism with agencies aiming to promote consistent approaches to AML/ CFT supervision and better outcomes for banks, law enforcement and national security agencies.

Financial Services

Banks Are Joining the Race to Issue Stablecoins; Can Their Compliance Teams Keep Up With the Risks?

by David Soiles and Manish Chopra

March 13, 2026

Controls and infrastructure banks have built over decades were designed for a different speed of money

Read moreDetails

Preparing for changes

FinCEN has determined the proposed rule to be a ‘‘significant regulatory action’’ under section 3(f)(1) of E.O. 12866, as it may have an annual effect on the economy of $100 million or more, pointing to the need for changes in existing AML/CFT program and framework. 

Institutions, as part of their readiness planning, may consider:

• Reviewing their current risk assessment framework.
• Reviewing and aligning with national AML priorities. 
• Reviewing customer risk assessment framework and detection tools. 
• Testing technologies and responsible adoption. 
• Reviewing controls and training programs. 
• Planning and estimating resources. 

The proposed rule reinforces the shift from technical compliance to outcome-based program effectiveness supported by technology-enabled AML programs. As we near the end of the consultation period, it will be interesting to see the industry’s acceptance of the proposed changes and FinCEN’s eventual final rule. While FinCEN may append some proposed provisions, financial institutions can assess their current state to ascertain level of readiness considering the overarching objectives enlisted by FinCEN in historic and current NPRMs.

The post FinCEN’s Proposed New AML Rules: What You Need to Know appeared first on Corporate Compliance Insights.

Class settlements are designed for the average class member, and Fortune 500 companies are not average. Shinder Cantor Lerner’s Kellie Lerner examines the structural reasons large corporate buyers routinely recover less than their potential damages in antitrust class actions.

General counsels at Fortune 100 companies are paid to protect value. You negotiate contracts, manage risk and advise the board on decisions worth billions. So let me ask you something direct: When your company receives a class-action notice, what happens next?

If the answer is, “We file a claim and wait,” you may be systematically undervaluing one of your most significant legal assets quarter after quarter without ever realizing the cost. Antitrust class actions are not a back-office compliance exercise. For large corporate purchasers, they represent a genuine revenue-generation opportunity. 

The question is whether your legal department is positioned to capture it. Here are three reasons you should take a hard look at your current approach.

A staggering gap

Class settlements are designed for the average class member. Fortune 500 companies are not average.

See Settlement in Vitamin Case is Approved, N.Y. TIMEs, Mar. 31, 2000, at C5. See also In re Vitamins Antitrust litigation, No. 99-197 (TFH), 2000 U.S. Dist. LEXIS 8931, at *35 (S.D.N.Y. Mar. 30, 2000) (approving settlement agreement).

In In re Vitamins Antitrust Litigation, opt-out plaintiffs recovered $2 billion while the entire class settled for approximately $300 million. The University of California, as an opt-out plaintiff in In re AOL Time Warner, Inc. Securities & “ERISA” Litigation, recovered between 16 and 24 times more than it would have received had it remained a class member. In In re Linerboard Antitrust Litigation, each opt-out received $1.9 million from a single defendant while class members received $1,772. And in In re Methionine Antitrust Litigation, opt-out Quaker Oats recovered three times what class members received.

These are not outliers. They are the expected outcome when a sophisticated company with significant affected purchases decides to pursue its claims directly rather than accept whatever the class negotiated on its behalf.

The reason is structural. Class damages models are built on industry averages. They are designed to efficiently compensate thousands of class members across a wide range of purchase volumes and market positions. If your company was a major buyer in an affected market, those averages often understate your actual harm. When you stay in the class, you accept a pro-rata share of a settlement pool calibrated to the class as a whole, not to your company’s specific circumstances. Opt-out plaintiffs, by contrast, can build individualized damages models that reflect their actual purchasing data, business relationships and economic exposure. That difference in methodology translates directly into dollars recovered.

The gap between knowing and doing is striking. In a 2022 survey of 150 US general counsels and senior in-house litigation leaders, 60% reported that their companies mostly or always remain in the class, while 8% mostly or always opt out. The consequences are measurable: 56% of companies that stayed in their respective classes routinely recovered less than 25% of their potential monetary damages. Yet the barriers keeping companies in the class are largely structural, not strategic. 

Nearly two-thirds of those surveyed reported that the cost of opting out exceeds the available budget, not that opting out was the wrong legal call. Companies that typically opt out are also more than three times as likely to hold claims worth over $50 million than those that remain in the class. Among GCs whose companies do opt out, the two most compelling drivers are greater control over counsel, litigation strategy and settlement (54%) and the expectation of significantly higher monetary recovery than the class would yield (52%). 

In other words, the companies capturing the most value aren’t just chasing dollars; they’re treating litigation as a managed business function.

Opinion

Canaries in the Coal Mine: Law’s Crashout Over AI Is Coming for Everyone

by Brad Harmon

June 2, 2026

Shadow AI & lack of proper guardrails are problematic combination

Read moreDetails

Timing is a trap

The opt-out decision is not something you revisit when the clock is already running. Courts are unforgiving, and the procedural requirements are strictly enforced.

Consider what happened to two potential opt outs in the In re Turkey Antitrust Litigation. There, two companies missed an opt-out deadline by a single day, attributing the error to honest internal mistakes. The court was unmoved and denied a request to opt out. This is a recurring story, and it happens to sophisticated companies with capable legal teams who simply did not have the right system in place.

One more assumption worth dispelling: Don’t expect a second opt-out opportunity at settlement. Neither due process nor Rule 23 requires it, and courts rarely exercise their discretion to provide one. If you miss your window at class certification, you are in the class. Period.

The practical default recommendation is to wait until class certification before opting out to benefit from class counsel’s investigative work and your limitations period often stays protected. But that only works if your monitoring infrastructure is already in place before the certification order lands.

Many companies lack effective internal processes, but they’re not complex

This is the blunt reality for many legal departments. Class-action notices arrive, get routed somewhere and often don’t receive the rigorous financial analysis they warrant. The right people aren’t always in the room. Deadlines aren’t always communicated with the urgency they deserve. And critically, no one has analyzed the value of an individual opt-out recovery relative to the company’s pro-rata class share.

Companies that consistently capture opt-out value operate differently. They have built a deliberate system: centralized identification of relevant antitrust lawsuit notices routed directly to the legal department; a dedicated reviewer responsible for tracking the opt-out triggering events; automated deadline calendaring so that opt-out windows never quietly close; and a financial analysis protocol that calculates affected purchase volume, estimates individualized damages and compares that figure against the company’s projected pro-rata class share.

These companies also apply a clear threshold test: the stronger the underlying case — particularly where there are DOJ guilty pleas or FTC findings that de-risk the liability question — and the larger the company’s financial stake relative to the class, the stronger the case for opting out. Business relationship considerations, resource appetite for litigation and jurisdictional factors are also part of the calculus. But none of that analysis can happen if the notice of the class action has already been forwarded to accounts payable and the deadline has passed.

Opting out is not the right move in every case. It requires resources, carries litigation risk and demands clear-eyed assessment across multiple dimensions. But for large corporate buyers in significant antitrust matters, staying in the class by default — without ever seriously evaluating the alternative — is a passive decision with an active cost.

The post On Antitrust Class Actions, You May Be Leaving Value in the Mailroom appeared first on Corporate Compliance Insights.

New products & platforms

Diligent, the GRG software company, announced Diligent Cyber Risk Management, an AI-powered platform to more effectively analyze cybersecurity data and risk, following its release of Diligent Stewardship Intelligence in April.

DataBee, a cybersecurity company, announced a new user access reviews system to more quickly complete and track identification certification campaigns.

ThetaRay, the fincrime compliance software maker, launched Spot The Money Mule, a high-speed online game that challenges players to find a money mule hidden in plain sight across five everyday scenes.

Sovos, an invoicing and tax compliance solutions provider, released Sovos Compliance Network, a global e-invoice and continuous transaction controls platform promising to allow multinational businesses to manage e-invoicing compliance in multiple countries, formats and government platforms.

Veeam Software, a data and AI trust company, unveiled new agentic AI capabilities for Veeam DataAI Command Platform to help speed up and prove the effectiveness of governance policies.

Other news

Allegiance Search launched as a specialist executive search firm focused on the digital infrastructure and energy sectors.

The post GRC News Roundup: Diligent, Sovos, DataBee & More appeared first on Corporate Compliance Insights.

The roller coaster journey of the SEC’s rules on public company reporting of climate-related risk has reached another valley, though experts tell CCI’s Jennifer L. Gaskin that the ride isn’t over yet.

As many had expected since Donald Trump’s return to the White House and Paul Atkins’ return to the SEC, the commission formally announced May 29 that it had begun the process to rescind rules on certain climate-related reporting by public companies. A 60-day public comment period began June 3 and will end Aug. 3.

The climate rule, proposed in 2022 before a scaled-back version was formally adopted in 2024, would have required all SEC registrants to report certain material climate-related risks in annual reports and registration statements. It also required disclosure of greenhouse gas (GHG) emissions data by a smaller number of registrants. 

Immediate court challenges followed, and the commission stayed the effectiveness of the rule just a month after issuing it. In 2025, just before Atkins began his chairmanship, the Trump Administration stopped defending the rule in court, presumably rendering it moot for the remainder of Trump’s second stay in the White House before moving to formally rescind it.

The US Chamber of Commerce was among the first to challenge the rules in court, and it issued a quick statement praising the commission’s move: “The SEC’s climate disclosure rule would have far-reaching negative effects on the US economy and further disincentivize companies from going public in the United States.”

Indeed, the SEC’s move to rescind its climate rule seems to be of a piece with Atkins’ desire to return to the salad days of the 1990s when Atkins was a commissioner and more than 7,800 companies were listed on US exchanges. 

That the specter of SEC climate rule compliance is now gone is a positive development for many companies, Charles D. Riely, a partner at Jenner & Block, told CCI.

“The debate reflected both the SEC’s decision to mandate disclosure of specific subject matter and the significant compliance burdens involved,” Riely said. “Although companies will still have to grapple with how to handle ESG-related disclosure, the fact that no version of this rule will go into effect is welcome news at many public companies.”

But not being required to report risks or GHG metrics on certain SEC forms does not absolve all companies of similar requirements, said Lance C. Dial of K&L Gates. And the lack of a blanket rule in the US could make matters more complex rather than making things simpler.

“Across the globe, governments and regulators have adopted several versions of climate risk reporting requirements, and the state of California has its own regime,” Dial told CCI. “So, companies, especially larger ones, still have climate risk disclosure compliance obligations, even without the SEC rules. In fact, to the extent the SEC rules could have served as a standard for US issuers, their rescission may make this global reporting more inconsistent and complex.”

California’s climate reporting rules, while not applying to every single firm to which the SEC’s rules would have, in many ways are more expansive than the commission’s. They require public and private US companies in scope, a qualification based on size and doing business in California, to report climate risks and GHG emissions. Notably, they also require reporting of Scope 3 emissions, or indirect upstream and downstream emissions, which are estimated to account for as much as 95% of companies’ carbon impact. Those rules, too, are subject to court challenge, and some aspects are on hold pending the outcome of litigation. Other states are also considering their own climate reporting regimes.

Rules in the European Union also require much more extensive disclosure than the SEC’s rules, extending to ESG policies, energy consumption, emissions, labor practices, diversity and energy consumption. Those rules are expected to apply to about 3,000 non-EU entities, many of them in the US. In addition, EU rules also require companies not just to report certain metrics but to mitigate their negative effects on people and the planet.

The SEC’s rules could have been viewed as an attempt to shame companies into mitigating or reducing their climate impact, Dial said, but the rules also would have given investors a window into corporate decision-making that’s now voluntary rather than federally mandated.

“Climate risk reporting rules are generally focused on disclosure alone,” Dial said. “In fact, it would be clearly outside the jurisdiction of the SEC to impose specific climate risk or emissions requirements on issuers. That said, by requiring disclosure, these frameworks are also effectively requiring governance and allowing the investing public to understand who has effective climate risk management.”

The rules finalized in 2024 and up for rescission now were not the only disclosure obligation that could capture climate risk, Abbey Raish of BCLP told CCI: “Back in 2010, the SEC published guidance acknowledging that factors such as climate-related regulations, business trends and the physical effects of climate change could have a material effect on a registrant’s business and operations, and where that materiality threshold has been met, companies are required to make climate change disclosures under Regulation S-K — e.g., in the description of the business, discussion of legal proceedings, risk factors and/or management’s discussion and analysis.”

Compliance

The EPA’s Retreat on Emissions Threatens to Make ESG Reporting More Complicated — Not Less

by Jennifer L. Gaskin

February 12, 2026

Agency rescinds determination that serves as foundation for most federal emissions regulation

Read moreDetails

The latest turn but not the last one

Dial said he expects the SEC’s rescission move to be challenged in court by those who supported the original reporting requirement, and for companies that already were reporting some of this data — nearly 90% of the S&P 500 disclose Scope 1 and Scope 2 GHG emissions — there’s little reason for them to stop. Dial pointed out that the SEC used investor demand and companies’ voluntary reporting as a reason for rescinding the rule to begin with, suggesting the commission is letting the market decide.

And a future SEC could bring a version of the rules back, Dial said, and rescission itself is not yet a done deal.

“One important thing to consider is that the story here is not complete. The SEC made clear that it has concerns about the scope of its authority throughout the proposed rescission, but those comments are not binding law,” Dial said. “A later SEC could repropose the same or different climate risk disclosure rules. In other words, this proposal may withdraw the SEC climate rules for now, but it is unlikely to end the broader debate over climate disclosure.”

Companies also aren’t off the hook regarding climate and the SEC, Riely said. That’s because their climate-related statements could trigger anti-fraud investigations. And shareholders can have their say, too.

“The SEC — under this administration or the next — could still bring an enforcement action if it alleges that a company’s statement about climate issues was wrong or omitted material information,” Riely said. “So could shareholders. What matters is that there is no new obligation, and no new set of disclosures, that public companies are required to make.”

Absent regulatory mandates, the decision about whether to publicly disclose ESG-related metrics is a complicated one, said Riely, who agreed the removal of the SEC’s mandate doesn’t eliminate enforcement risk. 

“I’ve been watching this rule since the SEC first proposed it in 2022. The enforcement risk around climate and ESG disclosures was never purely about the rule itself,” Riely said. “Companies making voluntary ESG disclosures to satisfy investors or foreign regulators are still making statements the SEC can scrutinize.”

Potential reputation risk will be primary among the drivers keeping companies reporting their ESG-related metrics, Raish said. In other words, once they start, it’s hard to stop.

“[Halting] this disclosure altogether once you’ve set the market expectation can pose real reputational risk as it may raise questions about consistency, credibility and what may be changing behind the scenes,” she said. “Once disclosure becomes standard practice, silence stands out more than absence ever did.”

Further, the infrastructure many companies have built have embedded ESG reporting into corporate systems and culture, Raish said. 

“Governance and controls are now a baseline expectation for climate and ESG information. Audit committees, boards and management teams have already elevated oversight of climate and ESG disclosures,” she said. “Most are unlikely to unwind that, given ongoing scrutiny from investors and other stakeholders. [If] the SEC climate rule is rescinded, we haven’t seen the end of climate disclosure requirements, it’s just a pivot to a more fragmented and less predictable environment. For compliance and risk leaders, the focus should shift from ‘whether to comply’ to how to manage across multiple regimes while maintaining credible, decision-useful disclosure.”

The post The SEC Is Killing Its Climate Rule, but ESG Risk Remains appeared first on Corporate Compliance Insights.

Every queer person has a story. So does every compliance professional. Here, those two stories meet. Hosted by Jennifer Gaskin, editorial director of Corporate Compliance Insights, this podcast sits down with out LGBTQIA+ people working in compliance, ethics, risk, legal, governance and related fields to talk about the personal and professional journeys that brought them here — the challenges, the triumphs, the funny moments and the ones that still sting years or even decades later.

In a post-DEI world that would have queer people head back to the closet and stay there, there’s never been a more important time to tell these stories. The arts, education, even sports — queer voices and queer stories are commonplace. In the corporate world — well, not so much. Queering Compliance is here to change that. Because joy is medicine. And so is being seen.

Want to be on the show? Drop us an email.

Jennifer L. Gaskin is editorial director of Corporate Compliance Insights. A newsroom-forged journalist, she began her career in community newspapers. Her first assignment was covering a county council meeting where the main agenda item was whether the clerk’s office needed a new printer (it did). Starting with her early days at small local papers, Jennifer has worked as a reporter, photographer, copy editor, page designer, manager and more. She joined the staff of Corporate Compliance Insights in 2021 and became editorial director in 2023.

READ MORE

Featured

The SEC Is Killing Its Climate Rule, but ESG Risk Remains

by Jennifer L. Gaskin

June 3, 2026

Compliance

What the Enforcement Record Says About ‘Timely’ Disclosure

by Jennifer L. Gaskin

May 13, 2026

Compliance

SEC Formally Proposes Making Quarterly Reporting Optional for Public Companies

by Jennifer L. Gaskin

May 6, 2026

Featured

Layoff Two-Step Underscores AI’s Limitations

by Jennifer L. Gaskin

April 22, 2026

Load More

The post Queering Compliance appeared first on Corporate Compliance Insights.

How to stay resilient as regulatory, geopolitical and tech pressures rise

eBook

Third-Party Risk in an Age of Engineered Volatility and Fragmentation

What’s in this eBook from Ethixbase360:

Third-party risk management has grown considerably more complicated. Shifting trade policy, tightening sanctions, diverging regulatory frameworks across jurisdictions and the rapid spread of AI-driven threats have all changed the calculus — as have the ways third parties themselves respond to pressure. This guide from Ethixbase360 examines what organizations need to account for as those pressures intensify.

Download the guide to:

• See how tariff shifts, sanctions tightening and supply chain fragmentation can quietly reshape third-party compliance risk.
• Get an overview of the current regulatory landscape, including FCPA enforcement, the EU CSDDD and Forced Labor Regulation, the UFLPA and Modern Slavery Act reforms in the UK and Australia.
• Understand why beneficial ownership due diligence needs to be continuous and audit-ready, and how the OFAC 50% rule and export controls have raised the stakes.
• Learn how synthetic identities, automated fraud and vendor access risk are changing cyber due diligence requirements.
• See how import bans, product detentions and mandatory due diligence laws are turning human rights risk into a direct operational and legal concern.

About Ethixbase360

With Ethixbase360, organizations can operationalize ownership transparency by integrating UBO into third-party risk management and sanctions compliance within a single, defensible framework.

The post Third-Party Risk in an Age of Engineered Volatility & Fragmentation appeared first on Corporate Compliance Insights.

By now, AI’s public blunders are legion, and many of the most jaw-dropping have come from one field: law. But that’s not because lawyers are sloppier than other workers; it’s because a judge is the one looking at the work product. Brad Harmon of HunterMaclean offers a sobering angle: The types of headline-making AI hallucinations playing out in law are happening elsewhere, too, you just don’t know about it yet.

Here’s something most companies don’t want to talk about: their people are already using AI at work, and leadership has no idea how. No policy, little vetting, thin guardrails. Employees are uploading sensitive documents to public models, submitting AI-generated work without review and making decisions based on outputs that are often unverified. It’s happening in marketing departments, finance teams, consulting firms and HR offices. The only reason it hasn’t blown up yet is that the consequences are usually invisible. 

Nobody gets publicly sanctioned for a hallucinated slide deck during a lunch-and-learn. In my profession, they do.

I’ve been a trial lawyer for over 20 years, and I’ve managed a 60-attorney firm. Law has become, almost by accident, the first profession where unmanaged AI adoption has produced visible, documented and very public consequences. Attorneys have been sanctioned for submitting fabricated case law generated by AI. Cases have been thrown out. Careers have been irreparably damaged. And it’s all on the record.

That makes law a useful case study, not because lawyers are uniquely reckless, but because our mistakes happen in public. The same patterns playing out in every other profession just don’t have a judge waiting at the end to check the work.

The numbers should make any leader uncomfortable, regardless of industry. Microsoft says that 75% of knowledge workers now use AI at work, with usage nearly doubling in just six months. And 78% are bringing their own tools to work without employer guidance or clearance. More than half (57%) are reluctant to tell their manager they’re doing it, not out of embarrassment or fear of job loss, but because nobody has trained them.

Your people are already using these tools, without permission and without guardrails, and most of them aren’t saying a word. 

Ethics

AI: Reliable or Reliably Unsafe?

by Andrew Bloom

May 28, 2026

Recent lawsuits over AI applicant-screening tools highlight important differences

Read moreDetails

When AI goes wrong, it goes wrong in public

In law, we’ve all seen what unsupervised adoption can do. A California attorney was fined $10,000 after 21 of 23 case citations in his appellate brief turned out to be fabricated. He told the court he hadn’t read the AI-generated text before filing it. In Colorado, an attorney accepted a 90-day suspension after acknowledging in a text message that he hadn’t checked an AI-drafted motion for fabrications. A researcher who tracks AI sanctions across US courts has documented more than 1,000 cases since 2023.

The pattern in every case is the same: Someone used the tool, skipped the verification and nobody at the firm had written a policy saying they had to. Swap “brief” for “proposal,” “investor deck” or “compliance report” and the exposure is identical.

The irony is that AI, used well, has genuinely revolutionized the way I practice law. That’s something many veteran attorneys are hesitant to admit publicly. I can feed a 200-page deposition transcript into a language model and ask it to identify every statement a witness made about a specific topic, organized chronologically with page and line citations. That used to take an associate an entire afternoon. A well-structured prompt can produce a first draft of a legal motion that hits 70% to 80% of the arguments I’ve already identified, organized logically with the right legal standards. I spend my time on the remainder that requires judgment, strategy and knowledge that only comes from years of practice.

I also find AI is remarkably good at pressure-testing my thinking. I upload my work and ask it to identify the strongest counterarguments the other side is likely to raise. I ask it to find the weaknesses in my reasoning. That’s a workflow any strategist, analyst or executive could use tomorrow to improve their output.

But none of that value matters if people are using these tools without oversight. And right now, in most organizations, that’s exactly what’s happening.

AI still hallucinates. It fabricates citations, invents data points and presents nonsense with total confidence. In law, the verification failure is obvious — a fake case gets flagged by a judge. In other fields, a hallucinated statistic lands in a board presentation, a fabricated source makes it into a published report or a confidential dataset gets fed into a model that trains on user inputs. The damage is just as real but harder to trace.

Regulators are starting to respond, and the legal profession is being forced to figure out governance on an accelerated timeline. And when the nature of law firms is change-averse, that can be hard. Regardless of the outcome in law, every other industry should assume they’re next.

The fix is simpler than you think

You don’t need a six-figure technology budget. You don’t need a dedicated innovation team. You need written guidance, two or three vetted tools and employees who own the initiative to use them. You need to decide what can be uploaded to external models and what can’t. You need a verification standard for AI-generated work product. You need people trained not just on how to use these tools but when and how not to.

AI won’t replace professionals who do complex, judgment-intensive work. But it will push out the ones who don’t do it efficiently, and the organizations that sort out governance first will capture the value without absorbing the risk.

The competitive window has opened. But it won’t stay open forever. And right now, while leadership debates whether to even have the AI conversation, their people have already made the decision for them.

The post Canaries in the Coal Mine: Law’s Crashout Over AI Is Coming for Everyone appeared first on Corporate Compliance Insights.

ISO standards declare risk management as integral to all corporate activities and suggest it should be comprehensive and integrated. Indeed, more organizations are talking about risk in this way, but when it comes to hiring for risk-focused roles, the hard skills listed in job postings are anything but comprehensive: accounting, audit and finance remain the dominant disciplines. Risk management professional Adley John Fisher suggests that until the hiring market catches up, risk will remain siloed.

If risk management is to be integrated, as suggested by ISO standards, it cannot exist in isolation — organizationally, cognitively or professionally. This raises a fundamental question: Do current hiring practices reflect this principle, or have they continued to reinforce silos despite the language of enterprise risk management (ERM) and integrated governance?

Over the past two decades, risk management has clearly evolved beyond its original concentration on insurance and financial loss. Today it spans operational resilience, cybersecurity, third‑party dependencies, ESG, climate transition risk, supply chains, AI governance and strategic decision‑making. In theory, this evolution requires interdisciplinary expertise and deep operational understanding across domains. The core issue, however, is whether global hiring behavior has intellectually and operationally caught up with this reality.

The persistent financial lens on risk

There remains a largely unspoken but widespread assumption in corporate environments that risk management is fundamentally a financial or accounting discipline. While risk management certainly protects financial interests, ISO 31000 explicitly defines risk as the effect of uncertainty on objectives, not merely on financial statements. The COSO enterprise risk management framework similarly frames risk as a strategic, enterprise‑wide concept, rather than a narrow financial control exercise.

In practice, though, the hiring market tells a different story.

Across a range of global job postings I’ve observed for risk management roles (including enterprise risk, operational risk, risk and compliance and GRC), accounting, audit and finance backgrounds remain preferred with CPA, CIA, CFA or equivalent accounting credentials, commonly listed as qualifications even for enterprise‑wide operational risk roles. This applies even to roles explicitly framed as non‑financial or strategic. 

This preference reflects how many organizations operationalize risk governance rather than a formal exclusion of non‑financial expertise. ISO 31000 appears materially far less frequently in role requirements than accounting‑derived frameworks, such as SOX, IFRS, Basel or COSO, despite its explicit design as a cross‑sector, non‑financial risk standard and its widespread international recognition. This suggests that while language has changed, hiring cognition has not.

Audit and risk management: conceptually related, practically collapsed

Audit is undeniably part of the broader risk governance ecosystem. ISO 31000 acknowledges assurance activities as a supporting mechanism to risk management, not risk management itself. Audit, by design, is independent, retrospective and evidentiary, whereas risk management is embedded, forward‑looking, and decision‑facilitating.

Yet in hiring practice, this distinction is frequently lost.

Audit firms, particularly large and mid‑tier professional services firms, almost exclusively hire auditors with ACCA, ACA or equivalent accounting qualifications. This is understandable from a regulatory and liability perspective: Audit opinions are licensed products, and accounting bodies create legally defensible credentialing pipelines.

The problem arises when this audit hiring model is silently extended to risk management roles, a pattern repeatedly observed in enterprise risk recruitment and acknowledged by risk practitioners themselves.

Many organizations (including banks, insurers, listed companies and even technology firms) fill risk management positions primarily with: former auditors, finance controllers or accounting professionals transitioning laterally.

This pattern is consistently observed in risk recruitment analyses, which show that the dominant feeder pool for risk roles remains audit and accounting, even as risk portfolios expand into cyber, ESG and operational resilience.

Featured

The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue

by Allison Raley and Nikita Kulkarni

May 20, 2026

Read moreDetails

What is missing from the hiring market

If risk management were genuinely treated as integrated and enterprise‑wide, hiring requirements would routinely include:

• Engineers (for infrastructure, operational, safety and systems risk)
• IT and cybersecurity specialists
• Sustainability and climate professionals
• Supply chain and logistics experts
• Certified risk professionals trained explicitly in ISO 31000 or ERM frameworks

Such profiles are rare exceptions rather than the norm, particularly for senior risk roles. Even when domain specialists are hired, they are often subordinated to finance‑led risk teams rather than integrated as equal contributors to risk identification and treatment. This creates a paradox: Risk management is declared enterprise‑wide, but its professional gatekeeping remains finance‑centric.

This disconnect is not accidental.

First, risk management lacks a protected professional boundary. Unlike accounting or law, risk management has no universally mandated license, allowing organizations to default to familiar credentials.

Second, corporate governance structures frequently anchor risk to CFO functions or audit committees, reinforcing the perception that risk is primarily a financial control issue rather than a strategic capability.

Third, audit education (even for certifications, such as CIA) remains heavily aligned with accounting‑based standards and financial assurance methodologies, further entrenching the financial lens through which risk is viewed.

A more integrated but undeveloped alternative

This does not mean accounting and finance professionals should be excluded from risk management. On the contrary, they are essential contributors. The issue is exclusivity, not inclusion.

A more robust risk function would:

• Pair accounting and audit professionals with engineers, technologists, sustainability experts and domain specialists.
• Treat ISO 31000 and ERM competence as core, not supplementary.
• Distinguish clearly between assurance (audit) and risk facilitation (management) in both role design and hiring.

Such a model aligns far more closely with how modern risks materialize and how major failures consistently occur outside purely financial controls.

Conclusion

Risk management in principle has moved decisively beyond insurance and finance. In practice, its hiring market has not fully followed. Many organizations still operationally collapse risk management into accounting and audit thinking, resulting in functions that are technically compliant but strategically brittle.

This approach is not wrong per se, but it is incomplete. It prioritizes familiarity over fitness and assurance over understanding. Until hiring practices reflect the interdisciplinary, integrated nature promised by ISO 31000, risk management will remain structurally siloed, regardless of how often integration is proclaimed.

The post If Risk Management Is Truly Integrated, Why Aren’t We Hiring That Way Yet? appeared first on Corporate Compliance Insights.