2022 年全球 ESG 合规与风险报告波士顿咨询

2022GLOBALESG,RISKREPORTValuecreationamidrisingglobaluncertaintyTHEAUTHORSDR.BERNHARDGEHRALORENZOFANTINIHANJOSEIBERTMANAGINGDR.BERNHARDGEHRALORENZOFANTINIHANJOSEIBERTMANAGINGDIRECTORANDPARTNERMATTEOCOPPOLANICOLANICOLDR.KATHARINAHEFTERREITANAKAMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDSENIORPARTNERMANAGINGDIRECTORANDPARTNERFANTINI.LORENZO@BCG.COMGEHRA.BERNHARD@BCG.COMGEBHARDTFANTINI.LORENZO@BCG.COMGEHRA.BERNHARD@BCG.COMGEBHARDT.JULIA@BCG.COMCOPPOLA.MATTEO@BCG.COMSEIBERT.HANJO@BCG.COMTANAKA.REI@BCG.COMNICOL.NICOLA@BCG.COMPIERREROUSSELTADROSELUNDPAULO’ROURKEKENPIERREROUSSELTADROSELUNDPAULO’ROURKEKENCARLSTEDTJULIANEBUTTERSPROJECTLEADERJANNIKLEIENDECKERPARTNERANDASSOCIATEDIRECTORELISABETHBENAZIRLIPPERTMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDPARTNERMANAGINGDIRECTORANDSENIORPARTNERSENIORKNOWLEDGEANALYSTMANAGINGDIRECTORANDSENIORPARTNERGLOBALTRADE&INVESTMENTROUSSEL.PIERRE@BCG.COMROSELUND.TAD@BCG.COMOROUSSEL.PIERRE@BCG.COMROSELUND.TAD@BCG.COMO’ROURKE.PAUL@BCG.COMCARLSTEDT.KEN@BCG.COMLIPPERT.ELISABETH@BCG.COMBUTTERS.JULIANE@BCG.COMBICKFORD.JEANNE@BCG.COMINTRODUCTIONOuranalysisrevealedthefollowingsevencoretopicsandconclusionsINTRODUCTION1.COMPLIANCEMANDATETheclearerthemandateofthecompliancefunction,themoreitcancreatevalueforthecompany.2.1.COMPLIANCEMANDATETheclearerthemandateofthecompliancefunction,themoreitcancreatevalueforthecompany.2.GEOPOLITICSIfacompanyisequippedwithcrisisresponseplans,andwithproceduresforswiftactioninresponsetovolatiledevelopmentsinsupplychainsandsanctions,thecompanywillprovemoreresilientduringtimesofgeopoliticaltension.past.Compliancefunctionshavebeenheavilyaffectedasaconsequence.Theymustdealwithmultiplegrowingchallenges,suchassanctionsandtradecomplianceandsupplychainrisks,aswellasageneralriseinregulationandregulatoryenforcement,especiallyintheenvironmental,socialandgovernance(ESG)area.Tocompoundmattersfurther,thepaceofchangewillonlyaccelerateinahighlynetworkedanddigitizedworld.3.ESGCOMPLIANCETakingconcertedactiontomitigateriskofESGregulationenforcementonlyworksifthegapsbetweenESGexpectationsandtherealityare3.ESGCOMPLIANCETakingconcertedactiontomitigateriskofESGregulationenforcementonlyworksifthegapsbetweenESGexpectationsandtherealityaresignificantlynarrowed.thecompanyandforgeaheadofrivals.Asregulatorsraisethebarforallkindsofrisks,thecompliancefunctionissettoplayapivotalroleinmanagingtheseregulatorydevelopmentssuccessfullyandsteeringorganizationsthroughcrises.Forexample,theproliferationofsanctionsoverthepastyearhasshoneanewlightonthecrucialroleofcompliancedepartmentsinallindustries.Similarly,headlinesexposinggreenwashingclearlydemonstratehowimportantcompliancedepartmentsareinguidingimplementationoftherelevantrequirements.4.DIGITIZATIONAdequateoperatingmodelsenablecompaniestomeetfuturechallengesandseizetheopportunitytoreducethecostofcompliance.5.Adequateoperatingmodelsenablecompaniestomeetfuturechallengesandseizetheopportunitytoreducethecostofcompliance.5.CYBERSECURITYInsufficientinvestmentincybersecurity,resilienceandtesting,resultinginafailuretokeeppacewithdigitizationorrespondtoescalatingcyberthreats,couldhaveasignificantimpactonbusinessperformanceandleadtoanerosionofcustomertrust.determinetheroleoftheircompliancefunctionfortheserisks,andthenoptimizethefunctionsothatitlivesuptothemandate.Tocreatevalue,thecompliancefunctionneedstofulfilldifferentroles,accordingtotheparticulartopicandspecificrisk.Companiesthatsucceedinthisendeavorwillgainsustainablecompetitiveadvantage,boostcustomerloyaltyandtrust,attractandretaintalent,andenhancetheirreputationforactingresponsiblyinatestingbusinessenvironment.6.BUSINESSETHICSConsequentimplementationofadefinedethicalcultureisthecrucialsteptoestablishasustainablecomplianceawarenessacrossthe6.BUSINESSETHICSConsequentimplementationofadefinedethicalcultureisthecrucialsteptoestablishasustainablecomplianceawarenessacrosstheorganization.7.WORKFORCEAstrongworkforcestrategy,involvingcarefullyconsideredrecruitment,training,andretention,isessentialinunleashingthepotentialforcomplianceasacompetitiveadvantage.totheirTargetOperatingModel(TOM)?FollowingourfirstRISKANDCOMPLIANCESURVEYFROM2021,werepeatedtheexerciseinMayandJune2022,thistimewiththegoalofidentifyingandthenanalyzingthecoreissuesrelatingtoriskandcompliance.Weinterviewed250complianceprofessionalsfromcompaniesacrossvariousindustriesaroundtheworld,andaskedthemtonametheforemostissuesandchallengesfacedbycomplianceorganizations,andhowaretheyfulfillingtheircompliancemandates.Inaskingthesequestions,wewantedtobuildacompletepictureoftheriskandcompliancefunction,andhowcompaniesingeneralarecopingwithvarioustypesofriskandthemyriadgrowinguncertaintiesinthegloballandscape.Inamorecomplexworld,simplywritingpolicyguidelinesandinstructingemployeestofollowtheruleswillnotbeenoughtostayaheadofthegame.Everycompanyneedsastrategynotjusttomanagecurrentrisksbutalsotoadaptquicklyascircumstances,rules,regulations,andexpectationsdevelop.Thegoalofthisstudyistoprovidecompanieswiththeperspectiveandtoolstheyneedtodeveloptheircompliancestrategy,andthenimplementitsuccessfullyinthefaceofdiverseandevolvingcompliancerisks.COMPANYSIZE(#FTE)INDUSTRIESAUNDERINGTERRORISTFINANCINGCYBERSECURITYREGULATIONSOTHERCOMMERCIALCRIMINALLAWINTERNALTHEFTANDFRAUDPROTECTIONTRADELAW(IMPORT/EXPORT)HUMANRIGHTSSUSTAINABILITYCOMPANYSIZE(#FTE)INDUSTRIESAUNDERINGTERRORISTFINANCINGCYBERSECURITYREGULATIONSOTHERCOMMERCIALCRIMINALLAWINTERNALTHEFTANDFRAUDPROTECTIONTRADELAW(IMPORT/EXPORT)HUMANRIGHTSSUSTAINABILITY1ComplianceMandate/2Geopolitics/3ESGCompliance/4Digitization/5Cybersecurity/6BusinessEthics/7WorkforceSURVEYPARTICIPANTS1.COMPLIANCEMANDATE:EmphasizingvalueSURVEYPARTICIPANTSFIGURE1:OURFINDINGSAREBASEDONFEEDBACKFROM250COMPANIES…REGIONSAgainstabackgroundofdiverseandevolvingcompliancerisksandrisinguncertainties,settingoutthecompliancemandateandtheroleofthecompliancefunctionfordifferenttypesofriskiscritical.Thesurveyrevealsthatcomplianceorganizationsarealreadydealingwithawiderangeofriskcategories:fraudandfinancialcrimerisk,competitionrisk,informationsecurity/informationtechnologyrisk,corporateandcapitalmarketrisk,andemployeerisk.Interestingly,ouranalysisrevealsthatkeyESG-relatedtopics,suchassustainability,environmentallawandhumanrights,areonaverageonlyincludedinFIGURE1:OURFINDINGSAREBASEDONFEEDBACKFROM250COMPANIES…REGIONSFIGURE2:KEYRISKSUNDERCOMPLIANCEMANDATE(IN94%93%EXTERNALTHEFTANDFRAUDEXTERNALTHEFTANDFRAUDCORPORATEGOVERNANCERULESBRIBERY/CORRUPTIONANTITRUSTANTITRUSTEMBEZZLEMENTDIEMBEZZLEMENTSTANDARDSPARTICIPANTSCOMPANYREVENUEThispointhighlightsacrucialthemewhenitcomestothevaluecreationambitionsofacompliancefunction-theimportanceofagementThemanagementofriskisnotthesolepreserveofthecomplianceandriskfunctions.Individualdepartmentshaveinthepastoftenusedtheirownpiecemealriskmanagementmethodstokeepupwithregulations.Onefrequentexampleistheprocurementdepartment.Thissiloedresponsefailstoprotectthebusinessfromfinancialpenaltiesandnegativepublicopinion.Asmanyrisksaffectavarietyofdepartmentsandprocesseswithinanorganization,effectivePARTICIPANTSCOMPANYREVENUEThekeytocreatingtruevaluefromthesecross-functionalcollaborationsisacleardelineationofroles,settingoutwhichfunctionhasoverallownershipofaparticulararea,andwhichisresponsibleforeachpartoftheprocess.Theroleofthelworldexamplewouldinvolvecompliancedepartmentscollaboratingcloselywiththeircolleaguesinsoftwareandproductdevelopmentduringagiledevelopmentphases,makingsurethattheyareinvolvedearlyintheprocessandachievingspeedtooutput.1ComplianceMandate/2Geopolitics/3ESGCompliance/4Digitization/5Cybersecurity/6BusinessEthics/7Workforce2.GEOPOLITICS:RespondingtoglobaleventsMuchoftheeverydayworkofcompliancefunctionsiscurrentlytakenupwithrespondingtotherequirementsofeconomicandtradesanctionsduringgeopoliticaltensions,andwiththehandlingofglobalcrisessuchasthepandemic.Asthesanctionslandscapebecomesmorecomplexanddynamic,sanctionscompliancesystemsmustbecomemoresophisticatedinresponse,andmustinterfaceseamlesslywithbroadertradecompliancecapabilities.Resoluteconsensusamonggovernmentsisforcingcompaniestotakeapoliticalstance,willinglyornot.Thishasbecomeparticularlytruewitheconomicflowsbeingincreasinglyusedasastrategicweaponinforeignandsecuritypolicy.Companiesneedtobecarefulnottocircumventthegrowingnumberoffinancialandtradesanctions,includingtherecentwaveofexportcontrolsrelatedtohigh-endsemiconductors.Theyneedtodevelopacomprehensiveorganizationalstrategythatallowsthemtomonitorthedetailsofanavalancheofnewlyintroducedsanctionsandrespondaccordinglyinatimelymanner.Thelimitedambitionsimplytofollowruleswillnotbesufficientinaworldthatismovingsoquickly.Thisyear’ssurveyshowsthatsanctionsandtradecompliancehavebecomeevenmoreimportanttocomplianceorganizations,andnowranksamongthetopfivekeytopics.Thisisajumpof15placesfromourprevioussurveyin2021.Evenwithoutchangesinregulatoryorgovernmentalrequirements,anykindofupheavalcandestabilizetheenvironmentinwhichthecompaniesareoperating.Theglobalpandemicissuchanexample,anditshowshowdisruptionsinsupplychainscanposeamajorthreattomultinationalcompanies.Decisionshadtobetakeninashortertimespan,whilenewbusinesspartnershadtobeonboardedornewtraderoutesidentified.Regularprocesseshadtobeexpeditedanddifferentprocessesimplemented.Allthesechangesincreasedtheriskofinsufficientduediligenceorofoverlookingrequirements.ompanyspreviousworktoestablishtransparencyontheserisksaswellasitspreventivemeasureswerebothcrucialduringthesetimesandhavecertainlypaidoff.Thereisclearlyaneedforcrisisresponseplanswhichfacilitateswiftdecisionmakinginrelationtovolatiledevelopmentsinsupplychainsandgovernmentsanctions,asnumerousjurisdictionscontinuetoimplementandenforcelocalregulations.nsurprisinglygivendevelopmentsinEuropeoverrecentmonthssurveyparticipantsforthefirsttimerankgeopoliticaltensionsasakeytopicforcomplianceorganizations(itisrankedatnumber11).Thiscorrelatestotheupwardjumpinsanctionsandtradecompliance,asgeopoliticaltensionsleadtoexpandedtraderegulationsandretaliations.Arobustcomplianceoperatingmodelensuresresilienceagainstexternalshocksanduncertaintiesandstrengthenscrisismanagement.Themajorchallengeincrisismanagementissimultaneouslyhandlingamultitudeofissuesthatdemandabroadrangeofskillsandcapabilities.FIGURE3:KEYTOPICSFORCOMPLIANCEORGANIZATIONSCYBERSECURITY(incl.Datasecurity)BUSINESSETHICSDIGITIZATION&DATAANALYTICSESG(Environmental,socialandgovernance)SANCTIONS/TRADECOMPLIANCEDIVERSITY&RACIALEQUITYM&A(incl.duediligenceoftarget’sbusinesspartners)Globalharmonizationofstandards/regulationNewbusinessmodelsEUDirectiveonCorporateSustainabilityDueDiligence,GermanSupplyChainDueDiligenceActNeedforefficiencygainsGEOPOLITICALTENSIONSDigitalMarketsAct(DMA)EUWhistleblowerProtectionDirective(2019/1937)EUDigitalServicesAct(DSA)EUAMLActionPlanEUTaxonomyforsustainableactivities("Greentaxonomy")Adversemediacoverage(e.g.InfluencerMarketing)EUArtificialIntelligenceAct(Draft)52%2%0%17%16%15%14%14%13%12%10%001ComplianceMandate/2Geopolitics/3ESGCompliance/4Digitization/5Cybersecurity/6BusinessEthics/7Workforce3.ENVIRONMENTAL,SOCIALANDGOVERNANCE(ESG):MeetingstakeholderexpectationsEnvironmental,socialandgovernance(ESG)issueshavebecomeacriticalcomponentofmodernbusinesspractices.Thereasonsareclear–risingregulatoryexpectations,anincreasingawarenessofthethreatofglobalwarming,andmoreconcernabouttheimpactofcompanyoperationsontheworldaroundthem.Since2018,authoritiesworldwidehaveissuedmorethan170neworamendedESGregulations.GuidelinessuchastheEUCorporateSustainabilityReportingDirective(CSRD)aresettobefurthercodifiedbyclearstandardscurrentlybeingdevelopedbytheEuropeanFinancialReportingAdvisoryGroup(EFRAG)(seetherecentlypublishedBCGpaper“ESGCOMPLIANCEINANERAOFTIGHTERREGULATIONS”).CompaniesmusthandlechangingESGregulationsontopicssuchasclimatechange,humanrights,anddiversity.Giventhemajorgapbetweenexpectationsandcurrentreality,ESGcompliancehasplacedcompaniesunderconsiderablepressure.Whilecross-divisionalcollaborationcanhelptoaccelerateactionandmitigatetheriskofregulatoryenforcementorlosinginvestorsandclients,breachesofso-calledsocialcomplianceleadtosignificantreputationalrisks.DEEPDIVE:THENEEDFORANHOLISTICAPPROACHInFebruary2022,theEUCommissionadoptedaproposalforadirectiveoncorporatesustainabilityduediligence.Theaimofthisdirectiveistofostersustainableandresponsiblecorporatebehavior,andtoanchorhumanrightsandenvironmentalconsiderationsincompanies’operationsandcorporategovernance.ThedraftregulationrequireslargeEUcompanies,andsomenon-EuropeancompanieswithsignificantbusinessoperationsinEurope,toassesstheiractualandpotentialhumanrightsandenvironmentalimpactthroughouttheiroperationsandtheirsupplychains,andtotakeactiontoprevent,mitigate,andremedytheharmstohumanrightsandtheenvironmentthathavebeenidentified.Similarly,thesoon-to-be-implementedGermanSupplyChainDueDiligenceActisdesignedtoprotecthumanrightsandtheenvironmentinsupplychainoperations.Companiesneedtorespondwithaholisticratherthanasiloedapproach.Indeed,agovernancetriangleshouldbeformed:theprocurementfunctionshouldexaminevendorsindetail;thehumanresourcesfunctionshouldlookathowemployeesaretreatedinthesupplychain;andahumanrightsdepartmentcanbeintroducedtoconsolidatethecompany’soverallapproachandmanagereporting(seerecentlypublishedBCGpaper“MANAGINGSUPPLYCHAINRISK–ANUPDATEONLEGALANDSTRATEGICREQUIREMENTS”).Somejurisdictions,suchasAustralia,actuallyhavearegulatoryrequirementtonominateahumanrightsofficer.AholisticprocessisalsonecessaryforESGmeasurement,steeringandreporting,wheresimilarmethodologiesshouldbeusedthroughouttheorganization.TheincreasingimportanceofESGisclearlyreflectedinoursurveyresults,irrespectiveoftheparticularcompany’sregion,industryorsize.Asignificantproportion(43%)ofrespondentsselectedESGasoneofthetopfivetrendsortopicsthataremostrelevantfortheircomplianceorganization.Moreover,alargemajority(79%)reportedthattheircommitmenttoESGhasintensifiedoverthepasttwoyears.ThisisinpartbecausetheyseeanotableincreaseintheamountofESGregulation,andgreaterenforcementoftheseregulationsforcompanieswhichengageingreenwashingorhavenotimplementedtherequiredchangestotheirproducts,services,reportingmechanismsororganizationalstructure.Indeed,approximately60%ofrespondentssaythatregulatorsarehavingthegreatestimpactontheirESGefforts.Afterregulatorsintherankingcomecustomers(48%),andemployees(47%).Respondentsarefullyawarethatincreasingregulatorydemandsthreatenacompany’ssurvival.IfitspursuitofESGislessthancomprehensive,itwillbuckleundertheweightofsanctionsandaworseningreputation.FIGURE4:MAINDRIVERSFORESGEFFORTS600Thesurveyrevealsthattheroleofthecompliancefunctiondiffersfromcompanytocompany.ItcanrangefromoversightoverallESGtopicstoresponsibilityforcertainselectedareas.TheroleofthecompliancefunctionforESGineachcompanyshouldbeappropriatefortherelevantbusiness,operatingmodelandESGfactors.However,giventhatESGspansseveralexistingriskcategoriesthattypicallyfallwithinthecompliancemandate,thecompliancefunctionusuallyplaysanimportantroleinESGmanagement.Inparticular,itsexperienceofriskmanagementsystemsshouldbesoughtwhensettingupgovernance,standardsandreportinglinessothatthecompliancefunctioncancreatethegreatestpossiblevalueinagivenarea.1ComplianceMandate/2Geopolitics/3ESGCompliance/4Digitization/5Cybersecurity/6BusinessEthics/7Workforce4.DIGITIZATION:MakingupforlosttimeDealingwithburgeoningregulationcaneasilyleadtospiralingcosts.Sohowthendocompaniesandtheircompliancefunctionsmanagetoinjectefficiencyintothisprocesswhilestilloperatinginthemosteffectivewaypossible?Digitizationisthemostcommonanswertothisquestion.However,itisimportanttohaveacleardefinitionofwhatthisentails.Companiesneedtounderstandwhattheirproblemsare,whatneedstobedoneandhowdigitizationcanhelptoreachtheseobjectives.Upgradingthefrontendwhiletheback-endprocessesarestillmanualandinefficientdoesnotadduptogenuinedigitization.Cross-divisionalcollaborationforrethinkingtheend-toendclientjourneysisnecessary,focusingatalltimesonwhatbenefitstheclientexperience.Inthatregard,digitizationcancertainlycontributegreatlytoraisingefficiency,forexamplebystreamlininglabor-intensiveprocessessuchasKnowYourCustomer(KYC),transactionmonitoring,screeningandriskassessments,makingcontrolsmoreautomatedanddata-driven,andreporting.Automateddocumentcaptureandread-outofrelevantdatasuchas“useofgoods”canreducethecostofcomplianceanderrorrates(see,forexample,theBCGLinkedInarticle“FUTUREPROOFINGCOMPLIANCEWITHTECHNOLOGY&DIGITAL”).Despitedigitization’spotential,manycompaniesarenotproperlypreparingtheiroperatingmodeltomeetfuturechallenges,andaremissingtheopportunitytoreducethecostofcompliance.Indeed,aTOMandanintegratedarchitecture(processes,data,applications,andtools)areoftenlacking,despitethefactthatdigitizationrequiresanoverarchingstrategyandclearobjectives.Forexample,universalbankshaveofteninvestedintoolswhichcomefromvarioussourcesandaredisconnectedfromeachother.Asaresult,businessesoftenlacksupportwhenitcomestodata,artificialintelligence,anti-financialcrimeandfraudefforts,andgettingaheadinthewarfortalent.Respondentstooursurveycertainlyseetheimportanceofdigitization.Theyciteddigitizationanddataanalyticsasoneofthetopfivetrendsincompliance,andonethirdofrespondentspointedtoitasakeychallengefortheircomplianceorganization.Moreover,theintegrationofbusinessanddigitalgoalsisseenasamajorchallengeamongtheparticipants.Morethanhalf(54%)claimtheyarewellorverywellpositionedtoadapttothedigitizationtrend.However,moredetailedquestionsondigitizationmaturityshowthereismuchworkstilltobedone.Althoughthemajoritysaytheyarewellorverywellpositionedtoadapttothedigitizationtrend,morethanhalfofrespondents(52%)statethattheyhavenotadvancedveryfaralongthisroad.Theyareonlyjuststartingtoairideasandintroducepilotsforone-offdigitalinitiativeswithinselectedpartsoftheircomplianceorganization,butarenotfullyawareofthedigitalusecasesthatexist.CompanieswithamoreadvancedComplianceTOMappeartohavestartedthedigitizationjourneyearlier.Theyaremoreawareoftheroledigitalcanplay,andunderstanddatastrategy.ThosewhosaytheyhavemadeconsiderableprogressattributetheirsuccesstomakingdigitalcompliancetheirtoppriorityandanintegralpartoftheCEOagenda.ThisfindingreaffirmsthehypothesesreachedintheBCGESG,COMPLIANCEANDRISKREPORT2021.FIGURE5:DIGITIZATIONREADINESS6000Attheotherendofthescale,24%ofrespondentsadmittedtheyaredealingwiththedevelopmentofdigitalcompliancestrategyeitherpoorlyorverypoorly.Indeed,respondentsateverylevelofcompliancematuritysaidtheyarestillworkingonthedevelopmentofafullydigitizedcompliancefunction.FIGURE6:DIGITIZATIONREADINESS01ComplianceMandate/21ComplianceMandate/2Geopolitics/3ESGCompliance/4Digitization/5Cybersecurity/6BusinessEthics/7WorkforceTheeffectiveapplicationoftechnologyincompliancerequiresexcellentplanningandcarefulorchestrationofmanydifferentelements.Companiesneedtobeabletoanalyzethevendorlandscape,andensurethattheselectedcompliancetechnologyfitsneatlywithoperationalneeds.Thisinturnrequiresdeepknowledgeofdataprotectionregulationindifferentjurisdictions,andaninnovative,digitallyorientedmindset.Aswithcybersecurity,thecomplianceworkforcemustcompriseadiverserangeofsubjectmatterexpertsifitistoimplementasuccessfuldigitalcompliancestrategy.Thereisagrowingdemandforcyberriskprofessionals,whocanbringriskdomainexpertisetoaddresstheincreasingrisksofcyberattacksandcompromise.Indeed,theslowpaceofdigitizationwithinthecompliancefunctioncanbemainlyputdowntoalackofsufficientknow-howwiththerequiredexpertisetoexploitthepotentialofdigitalacrossthecomplianceunit.Agoodexampleofsuchupskillingeffortswouldinvolvebuildingupahubteam,staffedwithdatascientistsandengineers,aswellasaspoketeam,comprisingdatascientistsandengineerswhoonlyworkwithcompliance-relatedprojectsandhencebuildsubjectmatterexpertise.AscompaniesdeploytransformativeArtificialIntelligence(AI)tools,theymustensurethattheyintroducethesesolutionsinaresponsibleway,mitigatinganypotentialriskstotheirbusinessandprotectingconsumers.WiththeimminentarrivaloftheEuropeanUnion’sAIAct,oneofthefirstbroad-rangingregulatoryframeworksonAI,thefailuretoimplementResponsibleAIsuccessfullywillleadtoseriousimplications(seeBCGpaper“RESPONSIBLEAIFORANERAOFTIGHTERREGULATIONS”).TohavepeoplewhoarecarefullyanddiligentlyworkingonandlearningfromthesetechnologiesisofcriticalimportancefororganizationsandforthepeoplewhowillsuffertheconsequencesofAIsystemsthatarenotequippedwithethicalguardrails.5.CYBERSECURITY:AddressingcriticalgapsIncreasingimpactsfromcyberandprivacyattackscontinuetoescalateinprominenceandfrequency.Ascompaniesoperateinanincreasinglydigitizedway,themoretheywillneedtoassessandenhancetheircyber-resilience.Whenaskedwhichtopicwasmostrelevantfortheircomplianceorganizations,theclearwinnerwascybersecurity.Indeed,thetopicwascitedby62%ofrespondents,10percentagepointsmorethanbusinessethics,thenextmostcitedtopic.Thiscomesasnosurprise,giventheconsiderablerisks—tothebusiness,customers,andreputation—inneglectingcybersecurity.Cyberthreatactorsarebecomingmoreaggressive,moresophisticated,morepersistentandmoresuccessful.Companieshavethereforebeenstrengtheningtheircommitmenttocybersecurity,especiallyamidheightenedgeopoliticaltensions.Manycompaniesdonotyethaveadequatecybersecuritycapabilities,managementandgovernanceprocesses,withinsufficientinvestmentinsecurity,resilienceandtesting.Theycurrentlylacktherightmonitoring,controlsandwarningindicatorstobothprevent,respondtoandrecoverfromcyberthreats.Lackofsecurityinvestment,resultinginafailuretoke