Issue 3 Q3 2025
FEATURING
Compliance to competitive advantage
Regulatory trends and navigation strategies for multinational companies
Issue 2 Q2 2025
Introduction
It is my pleasure to introduce the third edition of Risk Quarterly, a publication designed to provide clarity on today’s fast-evolving risk landscape and what it means for global business. This edition brings together insights from Clyde & Co lawyers around the world, alongside contributions from external voices, on the most pressing risks facing boards, general counsel, and senior business leaders today. Regulation remains a key challenge for multinational businesses navigating a complex and shifting global landscape. In our lead article, Lucille Dolor, a highly regarded ethics and compliance consultant, offers a compelling view on how strong governance, ethical leadership, and values-based decision-making can underpin sustainable growth, particularly in decentralised and high-risk environments. Building on this, she explores how organisations can manage increasingly divergent regulatory regimes while transforming compliance into a source of strategic advantage. From data and AI governance to economic crime, climate accountability, and operational resilience, she examines how embedding integrity at the core of business operations can drive success in a fragmented and demanding world. This edition also summarises the findings of our latest Corporate Risk Radar, based on insights from over 400 business leaders globally on the risks that are top of mind. We unpack a range of emerging threats, including the growing implications of water scarcity and the evolving liabilities linked to the use of lithium batteries. As AI continues to reshape business operations, we explore how it is transforming data centres, examine the risks posed by ‘silent AI’, and consider the legal implications of AI-washing. At Clyde & Co, we believe that risk—when handled strategically—can be a source of resilience and differentiation.
Drawing on deep experience across jurisdictions and industries, we’re proud to share practical insights to support our clients in turning challenge into opportunity. We hope you find this edition thought-provoking and valuable. Our thanks go to everyone who contributed their time and insights. If there are risk areas you’d like us to explore in future issues, we welcome your ideas at riskquarterly@clydeco.com.
Sam Tate Partner and Global Head of Regulatory and Investigations, London
Introduction
It is my pleasure to introduce the second edition of Risk Quarterly, a publication designed to provide insights on the ever-changing risk landscape and its implications for business. Risk Quarterly draws insights from our annual Corporate risk radar report, featuring perspectives from Clyde & Co lawyers globally on the key risk areas that are top priorities for C-suite executives, in-house legal teams, and claims departments. With 71% of businesses using genAI in at least one business function, this edition reframes the AI conversation by exploring a less discussed but critical perspective: the risks of not adopting AI, using it as a cornerstone of any future-proofed strategy. We also explore the transformation of HR through AI. Also in this issue, we look at the insurance risks of green technologies, the latest developments in cyber risk, the rise and cost of obesity drug use and the global impact of shifting tariffs. At Clyde & Co, we believe that nobody handles risk like we do, bringing to life the legal expertise we have managing emerging risk and handling new commercial complexities borne out of nearly a century operating at the heart of global commerce. We hope you find real value in this edition. If there are topics or themes you would like to see covered in future editions, please let us know at riskquarterly@clydeco.com.
By Lucille Dolor
Global Directors’ and Officers’ survey report 2024/2025
Is buying land in Africa a high-stakes gamble?
Green technology Risks for 2025
Adjusting to major global market shifts as tariffs hit home
5 key steps employers should take when using AI in the workplace
The year in virtual assets: 2024 recap, 2025 preview
Cyber risk rundown
The rise of obesity drugs
Analysing and planning for the unknown
Emerging risk
Corporate risk radar
Senior leaders’ perception and management of risk
In this issue...
Introduction Kevin Sutherland
The shifting power dynamic, conflicts, and uncertain economic outlook are influencing how governments and international bodies are designing and enforcing regulations. There are different views as to whether globalisation has ended but what is evident is that there is an increased imposition of trade tariffs, sanctions, and localisation mandates driven by the upsurge in protectionism. National interests are also shaping policy. India’s new personal data protection law mandates local data storage and processing in order to boost national security and domestic AI development [2]. Conversely, regions and countries keen to develop regional cooperation and growth and attract investment are seeking to streamline and harmonise regulation to provide a consistent and predictable environment. By way of example, the European Commission is aiming to simplify European Union (EU) rules on sustainability and investments which could deliver over EUR 6 billion in administrative relief [3] and the UK Government published its agenda to reform the regulatory landscape to support growth and innovation [4].
Geopolitical and economic landscape equals regulatory quagmire
What this results in is a global regulatory environment marked by divergence. Some regions are accelerating deregulation to fuel competitiveness, for example, data centre deregulation in Latin America or the US’s push to loosen AI oversight to retain technological dominance [1]. Elsewhere, rising concern over the societal costs of economic crime is prompting a tightening grip, though enforcement remains uneven across countries.
Compliance to competitive advantage
In some markets, we are seeing greater cohesion and harmonisation, while in others, increasing fragmentation and divergence. Since his re-election, Trump has delivered a seismic shift with a pro-business deregulatory agenda in areas such as food and drug administration, ESG and AI. But there is divergence between Federal, State, and local laws and between States, often shaped by political and social ideologies. These factors and varying approaches have converged to create a complex regulatory environment with overlapping and conflicting priorities, further complicated by the extra-jurisdictional reach of many laws.
The US, focused on national interests, is leaning towards deregulation, favouring market-driven progress over tight controls. The EU, by contrast, is charting a rights-first course: its AI Act puts human rights and privacy at the forefront, backed by strict enforcement — including fines of up to 7% of global turnover for serious breaches. The UK, still carving its post-Brexit identity, is considering a potential shift away from its 2024 AI Action Plan with the reintroduction of the AI Bill which, if passed in its current form, would impose AI-specific legal obligations, demonstrating the current policy debate in the balance of encouraging innovation and mitigating risk. Over in Asia, South Korea is blending light-touch rules with innovation incentives in its AI Framework Act, due to take effect in 2026. Japan, too, is prioritising research and growth, having passed its AI Bill in May. Meanwhile, several Latin American countries — including Brazil, Peru, and Chile — are aligning with the EU’s risk-based model, suggesting a global fault line is emerging between those who consider that risk management and innovation may work in tandem and those who view risk management as a stifler of innovation.
The big issues: AI, data protection, fraud, operational resilience
Data protection
We continue in a data-driven era and laws are rapidly expanding across the globe to manage data-related risks. Whilst the initial focus of the legislators was on the protection of personal data, we are now seeing an increase in regulation to address risks associated with both personal data and non-personal data. The EU’s data protection landscape, shaped by GDPR, continues to evolve through regulatory guidance and enforcement and more recent data and digital laws including the Digital Services Act, the Data Act and the Data Governance Act. The UK’s Data (Use and Access) Act (DUAA) received royal assent in June 2025. With phased implementation underway, it introduces updates to existing UK data legislation designed to modernise UK data protection law, balancing innovation with privacy safeguards. It will make it easier for organisations to reuse personal data in specific circumstances such as scientific research and introduces the concept of recognised legitimate interests (RLIs).
AI regulatory divergence
The lack of harmonisation and potential inoperability of national AI frameworks pose a challenge for MNCs. We will see the rise of “AI Havens,” with some businesses opting to operate in countries with less stringent regimes and lighter accountability.
AI governance committees
AI governance frameworks are becoming crucial for companies using AI to drive growth. Some are forming AI committees to provide oversight; one such company has established a cross-functional team including legal, ethics, compliance, security, IT, marketing, sales, and product development. This organisation is also using the stringent risk classification standards of the EU AI Act to assess risks. It chose to adopt standards from the strictest regulatory regime because it aligns with its principles and values and will engender stakeholder trust.
Fraud
The UK is taking a significant step forward in tackling “outward fraud” with the introduction of the new corporate offence of failure to prevent fraud effective from September. In short, this offence will hold companies criminally liable for failing to prevent fraud, unless they can demonstrate that they had reasonable fraud prevention measures in place. This law shifts focus from fraud committed against the organisation to fraudulent actions of its employees or agents that may benefit the company at the expense of shareholders, investors or customers. MNCs that fall within the scope of the legislation should already be conducting risk assessments and gap analysis to identify and gauge fraud risks and assessing existing fraud prevention procedures to leverage and/or adapt, as necessary. Conducting these and other compliance risk mitigations required by statutory guidance is the only defence to prosecution.
Operational resilience
Recent events such as the pandemic, the 2023 collapse of Silicon Valley Bank, disruptions caused by the 2024 CrowdStrike IT outage, interruptions to UK banking services earlier this year, the closure of Heathrow Airport in March, and the Spain power outage underscore the urgent need for robust operational resilience.
In today’s world, cyberattacks are becoming increasingly common. Climate change and geopolitical events can also severely disrupt business operations and regulators are taking notice. There’s a growing wave of regulations aimed at ensuring businesses can withstand, respond to, and recover from operational disruptions, particularly in the financial and other critical sectors. The EU’s Digital Operational Resilience Act (DORA) is a key piece of legislation designed to ensure that financial entities and their critical third-party service providers can maintain operations during severe disruptions caused by cyberattacks and ICT issues. The UK’s operational resilience framework mandates that UK-regulated firms identify important business services, set impact tolerances, and conduct scenario testing. Meanwhile, regulators in the US, Canada, Mexico, South Africa, Hong Kong, and Saudi Arabia are all introducing their own frameworks. For firms operating across different jurisdictions, it’s crucial for them to analyse their ecosystems to identify and understand regulatory overlaps and gaps to achieve robust compliance.
Reference list
1. The White House. (2025, January 23). Removing barriers to American leadership in Artificial Intelligence.
2. Ahuja, K., Bhatt & Joshi Associates. (2024, August 6). The impact of data localization requirements on global trade: A case study of India’s data protection laws.
3. European Commission. (2025, February 26). European Commission simplifies rules on sustainability and EU investments.
4. UK Government. (2025, March 31). New approach to ensure regulators and regulation support growth.
5. OECD.AI. (n.d.). OECD AI Policy Observatory. https://oecd.ai/en/
6. California Lawyers Association. (n.d.). Privacy Law Guide. https://calawyers.org/section/privacy-law/privacy-law-guide/
7. U.S. Securities and Exchange Commission. (2025, June). Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. https://www.sec.gov/rules-regulations/2025/06/s7-17-22
8. Clyde & Co. (2025, June). Corporate Risk Radar: Operating in a web of complex risks. https://www.clydeco.com/en/reports/2025/06/crr-operating-in-a-web-of-complex-risks
9. Hartwell, C. A., & Devinney, T. M. (2024, April). The demands of populism on business and the creation of “corporate political obligations”. International Business Review. https://www.sciencedirect.com/science/article/pii/S0969593122001032#:~:text=We%20term%20these%20demands%20on,and%20overt%20displays%20of%20nationalism
10. Barlow, A. (2018). Profiting from Integrity: how to use the pro-integrity business model to deliver superior profitability.
11. Big Innovation Centre. (2016, June). The Purposeful Company Interim Report.
12. Byrne, E. S. (2025, March 13). The Five-Year Ethics Premium Shows How Integrity Pays Off. https://ethisphere.com/the-five-year-ethics-premium-shows-how-integrity-pays-off/#:~:text=Ethisphere%27s%20Five%2DYear%20Ethics%20Premium,January%202020%20to%20January%202025
13. Azmi, R. A. (2006, July). Business Ethics as Competitive Advantage for Companies In the Globalization Era.
14. Azmi, R. A. (2006, July). Business Ethics as Competitive Advantage for Companies In the Globalization Era. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1010073
15. Clyde & Co. (2025, June). Corporate Risk Radar: Operating in a web of complex risks. https://www.clydeco.com/en/reports/2025/06/crr-operating-in-a-web-of-complex-risks
Business Ethics & Compliance Consultant
From geopolitical fragmentation and economic volatility to breakthroughs in Artificial Intelligence (AI) and data innovation, a powerful confluence of forces is reshaping the global regulatory landscape. Governments are responding, placing AI, data privacy, climate risk, and systemic resilience at the top of their agendas. At the same time, public expectations are evolving, and regulators are being pulled in opposing directions: the drive for innovation and growth on one side, and the imperative to combat economic crime, protect the environment, and safeguard privacy on the other.
The question to ask is, how can multinational companies (MNCs) not only keep pace with this evolution and divergence, but transform regulatory compliance into a driver of competitive advantage?
Figure 1: Global regulatory landscape. Diverging factors create tension and complexity (labels: super governance, fragmentation, simplification, divergence, interventionist, deregulation, cohesion, harmonisation, self-regulation).
Meanwhile, the pace of change is accelerating in regions like the Middle East and Asia-Pacific, with laws such as Indonesia’s Data Protection Law and India’s Digital Personal Data Protection Act coming into force in the near future. In Latin America and the Middle East, countries are drafting new regulations inspired by the EU’s GDPR model, reflecting a broader global convergence toward more comprehensive data governance but with important differences which MNCs must address in their compliance models.
Data use and access - UK pivots away from EU context-based approach
RLIs are a statutory list of pre-approved lawful public interest bases for which personal data may be disclosed. The exemptions afforded by RLIs will introduce a new layer of complexity for MNCs operating in the UK and EU. They will need to reconcile the RLI exemptions with the GDPR’s requirement for a case-by-case contextual balancing test.
Regulatory complexity is driving increasing divergence
AI: Over 60 countries and the European and African Unions have AI policies and strategies. These range from super prescriptive governance such as the EU AI Act to light regulation in pro-innovation regimes. See: OECD AI Policy Observatory [5].
US environmental, social and governance (ESG): The US ESG regulatory landscape is changing rapidly. At the Federal level, differing priorities and anti-ESG sentiment have led to the withdrawal of the US SEC’s Enhanced Climate Disclosure rules. See: US SEC Final Rule on ESG Enhanced Disclosures [7].
At state level, California is implementing pro-ESG mandates, requiring large businesses to report on climate emissions and financial risk. Other states, such as Colorado, Maryland, Oregon, and Utah, are also implementing pro-ESG mandates. Conversely, some states are enacting anti-ESG investing laws, for example, targeting financial institutions that invest in state assets or contract with states.
Data privacy: The US has a patchwork of Federal, State, and local data privacy regulations. Sector-specific laws also exist at state and federal levels. California alone has in excess of 20 data privacy laws including the extensive Consumer Privacy Act. See: Privacy Law Guide - California Lawyers Association [6]. States have diverging consent standards. Definitions of what constitutes a “sale” of data also differ across states.
Data protection frameworks are being enacted in Asia ranging from heavy to moderate regulation. New privacy laws are also being passed in Latin America modelled around GDPR.
Corporate Risk Radar 2025 notes that an increasingly complex regulatory burden continues to challenge businesses, with rising regulatory and compliance obligations materially impacting their investment and growth plans [8]. Regulatory over-reach, speed of change and divergence plus the sheer scale of regulatory regimes have created a difficult environment for MNCs to navigate. These factors have the potential to stifle innovation and growth.
Challenges for MNCs
What’s on the horizon
In the medium term, we can expect geopolitical uncertainty, protectionism, supply chain threats, and the tough economic outlook to continue to drive regulatory complexity. Populist governments will push “Country-First” policies, imposing “Corporate Political Obligations” [9] on MNCs, including localisation mandates, and increased trade barriers. National security concerns will drive up state ownership in critical sectors. Technological advancements, data privacy concerns, climate change, and the notion of certain businesses being “too big or critical to fail” will influence regulatory developments in AI, data, operational resilience, cybersecurity, and climate change. However, the need to boost competitiveness and innovation will lead to some deregulation and simplification. We are already seeing this – for example, with the EU’s Omnibus Simplification Package on ESG.
Impact of populism - Localisation mandates
Given the geopolitical and regulatory challenges, it is likely that some businesses will scale back their global operations and new market entry. For others, entry into selected and high opportunity markets will be part of their growth strategies. For the latter, the development of dynamic playbooks looking at political, investment, sector, country, regulatory risk, etc., will help them navigate with agility. A refresh of existing operating procedures for entering into strategic partnerships and joint ventures should be conducted to reflect the new risk environment. MNCs should review the makeup of their investment committees to ensure the right people are considering the gamut of risks.
Regulatory compliance to competitive advantage
We can expect regulatory complexity to persist in the near to medium term. Businesses must navigate this proactively and position themselves to leverage the current landscape. Companies need to embrace strategies like operating with high integrity, leveraging technology, and improving their ability to anticipate future trends. The following explores several of these strategies and highlights how building an ethical culture can deliver a lasting competitive advantage.
The business case for high integrity – Tangible and quantifiable
Adopting an ethics strategy as a competitive advantage is often promoted, from driving innovation to attracting and retaining talent. Alan Barlow, in his book Profiting from Integrity, shows through case studies that when CEOs lead with heightened integrity, superior financial performance follows [10]. In 2016, the Big Innovation Centre called for UK companies to be more purposeful, demonstrating how purposeful companies align business success with purpose and outlined measurable benefits of operating with purpose as set out in Figure 2 [11]. The case study company in Barlow’s book delivered against all the metrics.
Figure 2: Measurable business benefits from being a Purposeful Company
Superior share price performance
Improved accounting and operational performance
Lower cost of capital
Improved recruitment, retention and motivation of employees
Less adversarial industrial relations
Larger firm size and decentralisation
Smaller regulatory fines
Greater resilience in the face of external shocks
Source: The Purposeful Company, Big Innovation Centre 2016
A purposeful company is one that exists not just to generate profit but to contribute positively to society. These businesses are better positioned to battle geopolitical and regulatory headwinds, crisis, and disruption. They are more resilient and sustainable. The Johnson & Johnson (J&J) Tylenol case powerfully demonstrated J&J’s commitment to purpose and values by prioritising public safety over profit, recalling Tylenol products from every outlet globally not just the state where the tampering occurred. Figure 3 highlights the impact of the Tylenol poisoning and the decisions taken by J&J leadership.
ETHICS PREMIUM
Earlier this year, Ethisphere published its annual list of the World’s Most Ethical Companies®. 2025 honourees outperformed comparable global companies by 7.8%, demonstrating the alignment between ethical practices and financial success. Ethisphere considers the 7.8% premium to be a respectable number given wider signs of economic headwinds and uncertainty [12]. This correlation has been evident since Ethisphere began the calculation 19 years ago. There is a strong business case for a high integrity culture. It’s not just a “nice to have” – it can deliver growth and profitability.
CREATING COMPETITIVE ADVANTAGE THROUGH AN ETHICAL CULTURE
To leverage integrity or ethics as a competitive advantage, firms need to pivot from the “Ethics of Scandal” to the “Ethics of Strategy” [13]. At the moment, enforcement trends and activity are causing much consternation within the in-house regulatory legal and compliance community. But a fundamental shift in thinking and approach is required to navigate the new geopolitical and regulatory landscape. “It is increasingly important for companies to deal with ethics as a corporate strategy that, if uniquely implemented, could achieve competitive advantage for the company” [14]. The key point here is “uniquely implemented.” Best practice abounds, but businesses need to develop and embed an ethics strategy tailored to their own business strategy, ambitions, operating model, go to market strategies, territories, and markets. That uniqueness will be the “secret sauce.” That said, we share some strategies for businesses to consider.
The power and shadow of leadership
The writer has long argued that building an ethical culture is not solely the responsibility of the General Counsel (GC) or legal or compliance function, but all business leaders including the CEO. Evidence shows that leaders who model a company’s values and ethical standards inspire and motivate employees and foster discretionary effort. Beyond this, an ethics strategy calibrated around purpose and competitive advantage should, with time, create a culture where ethics and compliance considerations form part of decision-making as it relates to matters such as strategy, the business model, objective setting, new product development - even if the General Counsel or Chief Integrity Officer is absent from the room.
Sales team integrity leadership
An “Ethics Decision Making Guide” app was developed by a multinational corporation operating and selling its products in over 80 countries following the launch of a new Code of Ethics. This new Code sought to embed ethical culture as a competitive advantage.
The sales leadership team in one of the Group’s business units decided to pre-load the app onto the mobile phones of all new sales staff. During their induction, alongside discussions on sales strategies, targets, markets, and the customer landscape, the sales leadership presented the new recruits with their phones, introduced them to the app, emphasised the Group’s values and the importance of conducting business ethically, and provided guidance on making high-integrity business decisions.
The decision guide itself was and is not unique – many companies have them. What was distinctive was a sales leadership team that had embraced driving an ethical culture and understood its value in helping it achieve its commercial objectives.
Innovative thinking
Business leaders, GCs and Chief Compliance Officers are encouraged to be innovative in their thinking in leveraging an ethical culture, navigating the regulatory landscape, and achieving positive compliance outcomes. Companies must also break down silos and make integrity a commitment across the entire organisation. There should also be a deliberate alignment between the ethics and business strategies.
Figure 3: Purpose before profit: Johnson & Johnson, the Tylenol case
“We believe our first responsibility is to the doctors, nurses, and patients, to mothers and fathers, and all others who use our products and services.” (The J&J Credo)
Impact of crisis
Tylenol accounted for 17% net income in 1981
Share of GBP 1.2 billion analgesics market plunged from 37% to 7%
USD 100 million spent on 1982 recall and product relaunch
Share price drop from 52 week high
Impact of response
Tough decisions created goodwill for J&J
Share price rebound within two months
Regained 30% share of market within a year
Case study
Leveraging business strategy to deliver positive business and compliance outcomes
In one MNC, leaders used a change in the business strategy to deliver a critical compliance objective. Its business strategy had been updated to have a customer-centric value proposition. This meant a move from selling products (predominantly through intermediaries) to developing customer intimacy. Leaders were able to calibrate the imperative to reduce and mitigate intermediary risk around the new business strategy. In one of the Group’s larger business units, this resulted in a reduction in order values via “one-off intermediaries” from a historic 72% to 1% and an increase in order values via direct sales from 4% to 62% in a high risk but critical market.
In this case study, the ability to leverage the business strategy in this way reduced margin attrition for the business and improved its regulatory risk posture.
Interplay of regulatory compliance and high integrity
Upholding integrity and strong ethical standards is essential for long-term success. To translate these values into effective action, businesses need the right tools, foresight, and capabilities to navigate today’s complex geopolitical and regulatory environment.
Implementing a zero-tolerance bribery policy in markets with endemic facilitation payments
An Industrial MNC faced significant challenges with facilitation payments in an overseas market, including issues with product flow through customs. Instead of simply imposing a strict zero-tolerance policy, group and regional leadership showed care for the local team. They acknowledged the challenges and worked closely with the country manager to develop resistance strategies that protected employees and achieved positive compliance and business outcomes.
Horizon scanning
The following are additional strategies and enablers that can help companies embed ethical commitments into everyday decision-making and strategic planning.
Companies that operate globally will need to get sophisticated in their horizon scanning. This is a strategic tool for business leaders and legal professionals to anticipate risks, trends and opportunities that will impact their businesses.
Outside counsel
Effective and close working relationships with outside counsel, who have deep understanding and knowledge of your business and industry sector, can deliver valuable advice and input in understanding the regulatory landscape, helping companies zero in on the interconnectedness of risks and spot opportunities.
Intelligent management of risk
Businesses have and will prioritise compliance with regulations that are enforced [15]. That said, a more nuanced approach to compliance would be to look beyond enforcement to regulations that have the most potential to impact growth strategies and operations.
AI can help - Leveraging technology
Companies should use regulatory intelligence tools for existing or new markets – using powerful technologies and AI for information and data analysis. AI can help businesses keep abreast of legal and regulatory changes across different operating territories. It can also deliver operational efficiency and aid monitoring, reporting, and risk mitigation. Organisations should ensure they understand the AI model they are using to ward against the risk of inaccurate reporting.
Capability
Organisations should invest in and develop robust multi-disciplinary capabilities, beyond just legal and regulatory compliance, to proactively navigate risks and seize opportunities.
The geopolitical and regulatory landscape will remain dynamic and complex. We will continue to see this complexity in the form of divergence and fragmentation versus harmonisation, simplification and de-regulation, new corporate political obligations and increasing interconnectedness of risks. Businesses that will win will be those that operate with purpose and high integrity, are agile and have strategic flexibility.
Figure 4: Five-Year Ethics Premium: 7.8%
The listed 2025 World's Most Ethical Companies® Honorees outperformed a comparable index of global companies by 7.8% from January 2020 to January 2025
*Selective GBS Global market all cap USD index TR
MEET THE AUTHOR
Lucille Dolor Business Ethics & Compliance Consultant
Lucille Dolor is a legally qualified Business Ethics & Compliance (E&C) Consultant who helps global businesses achieve ethical, sustainable growth while maintaining strong financial performance. Lucille works with boards and leadership teams to build integrity-led cultures and drive values-based decision-making, particularly across decentralised, cross-border environments. She is adept at aligning diverse teams around a common purpose and designing and developing robust governance and compliance frameworks that enable and protect the business. She positions ethics and regulatory compliance as a source of competitive advantage, integrated with strategy, culture, and commercial objectives. She has deep experience operating in high-risk, operationally complex markets and has led global compliance programmes across a number of regulatory areas. Prior to embarking on her consulting career, Lucille worked in a cross-sector of global businesses in senior governance, business ethics and compliance roles. A recognised voice in her field, Lucille champions business integrity and contributes to the wider E&C community through public speaking, thought leadership and cross-sector engagement.
AI
Governments and businesses are eager to harness AI’s growth potential. However, there’s a growing need to manage the legal, data privacy and usage, social, and environmental risks associated with it. Different countries are introducing frameworks based on their unique situations and interests.
The evolving risk landscape through the lens of leading decision-makers
Corporate Risk Radar
Taking decisive action as risks interlink
MEET THE AUTHORS
Ben Knowles Partner & Chair of the Global Arbitration Group, London
Jared Kangwana Managing Partner, Nairobi
Eva-Maria Barbosa Partner and Chair of the Global Corporate & Advisory Group, Munich
Business risks are diverse and constantly changing in the modern world, but in the past few years, they have become more interconnected, and the threat level has intensified. In 2025, the landscape has been rocked by sudden geopolitical shocks, alongside intense economic pressures, increasing regulatory complexity and radical technological change, all of which are having a major impact on how businesses operate, altering market dynamics and re-shaping legal frameworks. Businesses are having to take decisive action to adjust to these new realities.
For 8 years, we have charted the views of C-Suite decision-makers, board members, General Counsel and in-house legal teams around the nature of risks their organisations are facing and their readiness to meet those challenges in our Corporate Risk Radar report. This year’s edition reveals that operational risk, on which all other risks have a bearing, has jumped to the top of the risk rankings, up from 6th place last year. The findings also suggest that, although there is much uncertainty, particularly around how the geopolitical situation will play out, many business leaders around the world are clear-sighted about the critical challenges ahead, and for the most part, feel ready to tackle them.
Risk rankings (2025 vs 2024)
2025 RISK CATEGORIES BY HIGHEST IMPACT (% OF RESPONDENTS)
Facing up to global instability
Growing geopolitical turmoil is putting the brakes on globalisation and prompting a re-drawing of the map in terms of how international trade is conducted and supply chains are configured. Fast-moving trade wars, escalating military conflicts, sanctions and the threat of logistical disruption loom large. Three in five board-level respondents to our survey (59%) identified geopolitics as a key concern, while a similar proportion (58%) of businesses said geopolitical issues increased their exposure to supply chain risks and litigation. Companies are responding by being as agile as possible and strengthening their resilience: almost half (46%) of businesses said they are now reconsidering, or actively making changes to, where they operate, as a direct result of tariffs and policy decisions. However, corporate strategy is being affected in other ways too, notably in businesses’ appetite for mergers and acquisitions (M&A). Respondents told us that many deals are having to be restructured, or purchase prices adjusted due to geopolitical friction, while deal volumes have taken a hit in many sectors.
Grappling with regulatory complexity
At the same time, geopolitical upheaval is increasing the range and complexity of regulatory requirements with which companies must comply. They are expected to adhere to a patchwork of (sometimes contradictory) rules across different jurisdictions, while regulatory reach continues to extend into new markets and sectors. As companies grapple with simultaneously fragmented, overlapping and changing rules, the cost of doing business rises, and so too does the potential for breaches, investigations and litigation. Almost two thirds of respondents (64%) reported that mounting compliance obligations are materially impacting their business’ investment and growth plans. Technology, data and privacy regulations were seen as posing the greatest risk to organisations, closely followed by bribery and corruption legislation. Against this backdrop, organisations are rethinking their approach to compliance, focusing primarily on those regulations that are being enforced.
Environmental, social and governance (ESG) regulations are a particular area of concern, with 46% of respondents of the opinion that divergent rules in the US and Europe are negatively impacting their businesses. It’s also worth noting that, given the predominance of other risks, a significant minority (36%) said climate change is now a second order concern. That may not change until it has a significant, sustained and material impact on their operations, supply chains and customer bases.
Economic conditions are ripe for corporate conflict
Most business leaders (73%) said they feel well-prepared to deal with economic issues as they look ahead, such as rising labour costs, currency volatility, inflation and interest rates. However, in difficult economic times, the possibility of disputes arising is heightened, as counterparties may find it harder to perform their contractual obligations, and business performance comes under a harsher spotlight. Respondents are on their guard for an uptick in corporate conflicts.
Nearly half (48%) expect to see more contractual disputes arise as economic conditions lead to more renegotiation and termination of contracts. It’s often the case that, when parties have more at stake, they are prone to pore over issues like pricing, project scope and service delivery more closely. If they are unhappy, they tend to be less inclined to put up with delays or to try to compromise. Furthermore, 57% think investor scrutiny will increase this year, with shareholders more likely to seek assurance about how companies are being run, their financial stability and their returns prospects. Many respondents believe shareholder actions over perceived mismanagement or failure to meet expectations are already becoming more assertive.
Getting a grip on cybercrime
The threat of cyberattacks remains extremely high, with 67% of respondents calling cyber security breaches and data loss “high-impact” risks facing their organisations. Encouragingly though, more than three quarters (77%) said they feel more confident in their ability to defend against and respond to cyberattacks and breaches than they were five years ago. Business leaders are now acutely aware of the risks, as well as the regulatory obligations and reporting requirements expected, and have signed off heavy investments in cybersecurity measures, including staffing and training in addition to cyber defence technologies. Managing and monitoring online threats from bad actors has now become an integral part of businesses’ everyday operations, with many creating playbooks and undertaking simulations to ensure they are ready to prevent threats and deal effectively with attacks if they happen. However, the rapidly-evolving nature of cybercrime means companies cannot afford to let their guards down, and keeping up with the increasingly sophisticated tactics and techniques of cybercriminals remains a perpetual challenge.
Charting a path through interconnected risks
Today, a confluence of macro global developments is creating an intricate web of risks that reach into almost every facet of corporate operations. Unpredictability around the direction of trade policy, concerns over economic indicators like labour costs and currency volatility, and complexity over the plethora of rules imposed on companies look set to continue for some time. Meanwhile, businesses must watch out for the rising risk of corporate conflict and remain vigilant over the ever-present danger of cybercrime. While this year’s Corporate Risk Radar report highlights these issues in particular, the list of risks on business leaders’ minds is extensive and fast-changing, while new threats are emerging all the time.
Rebecca Kelly Partner & Chair of the Global Corporate & Advisory Group, Brisbane
Sam Tate Partner and Global Head of Regulatory & Investigations, London
Latest report out now
A spotlight on the newly released Corporate Risk Radar
Robbie Pilcher Associate, Sydney
William Page Special Counsel, Sydney
Hannah Chua Legal Director, Singapore
Celeste Koh Trainee Solicitor, Singapore
Leon Alexander Partner, Singapore
The economic impact of water scarcity is expected to increase in the years to come, with industries such as energy, agriculture, and manufacturing among the more likely to be affected, and the insurance market is no exception. Issues deriving from water scarcity could be of particular interest for the following insurers:
D&O: Certain industries are more prone to loss of investments due to water scarcity, which could lead to D&O liability. This is the case for the tech industry, which relies heavily on water supply for the production of semiconductors and the cooling of data centres.
The consequences of water scarcity are severe. Bodily injury and health risks arise from waterborne diseases and starvation due to food shortages. Environmental harm includes habitat loss, reduced biodiversity, and increased frequency of wildfires. Economic impacts are felt across agriculture, manufacturing, and energy sectors, with significant losses reported. For instance, the drought in 2012 in the United States impacted 80% of agricultural land and resulted in losses of nearly USD 14.5 billion.¹ Overall, it is forecasted that, due to high water stress, almost a third of global GDP (31%) could be exposed by 2050.²
Spain, on the other hand, faces an arid climate with decreasing rainfall and increasing temperatures, affecting water availability. The Pyrenees and Sierra Nevada snowpacks have reduced, impacting water supply during spring and summer. Climate change, overuse by agriculture, urban sprawl, and poor infrastructure are major contributors to water scarcity. Illegal wells and outdated irrigation systems exacerbate the problem.
Water scarcity impact on insurers
The energy renewables sector, particularly hydropower, is heavily reliant on water availability. Fluctuations in water levels affect the reliability and efficiency of power generation. The manufacturing sector, including semiconductors and textiles, faces challenges due to water scarcity. For example, Taiwan’s semiconductor sector, which accounts for 90% of the world’s production, experienced a 15% decrease in water consumption during 2021 due to dry conditions, nearly causing a supply chain collapse.⁴ The textile sector in China faced losses of around USD 7.6 billion due to drought conditions affecting the Poyang Lake.⁵ The impact of water scarcity in certain industries can lead to contractual or management-related insurance exposure.
The insurance market faces significant challenges due to water scarcity.
Insurance issues: Insurance gap and challenges
Water scarcity
Emerging risks and implications
The causes of water scarcity are multifaceted. Climate change is a significant driver, with global warming leading to the melting of glaciers, increased frequency of extreme weather events like El Niño, and rising sea levels, which impact freshwater availability. Agriculture is another major contributor, with inefficient irrigation systems, water-intensive crops, and over-extraction of groundwater exacerbating the problem. Population growth and increased demand for water in urban areas, as well as for industrial and energy needs, further strain water resources. Poor water management and pollution from nitrogen, pesticides, and industrial waste lead to water quality deterioration.
Impacts in specific sectors
Latest insurance news and opinions to help you navigate the unknown
Emerging Risk
Construction: Water scarcity could lead to the stoppage or delay in completion of infrastructure projects, which would result in claims over loss of profit.
Property: Water scarcity could cause severe damage to buildings and infrastructure.
Energy: Claims arising from the effects of water scarcity on the production of energy from renewables could potentially trigger coverage disputes over these policies.
Casualty: Water scarcity can result in bodily injury and property damage claims arising from drought and water pollution.
Environmental Impairment Liability: One of the causes of water scarcity is pollution that could result in environmental damage.
Water scarcity is a pressing global issue with far-reaching implications across various sectors, including pharmaceuticals, renewables, manufacturing, agriculture, and the insurance market. The increasing demand for water, coupled with the effects of climate change, has heightened the relevance of water scarcity risks for stakeholders. These sectors rely heavily on water for production, cooling, irrigation, and maintaining hygiene standards, making them particularly vulnerable to water shortages. The insurance market must adapt to these emerging risks, which include property damage, business interruption, and liability claims.
Causes, effects, and case studies
MEET THE AUTHORS
David Ktshozyan Senior Counsel, Los Angeles
Laura Ranz Senior Associate, Madrid
Miguel Lozano-Salazar Associate, London
Neil Beresford Partner, London
Miguel is a Colombian qualified lawyer in our IFPD department in London. He works on complex and cross-jurisdictional disputes, including domestic and international arbitration across Latin America.
David Ktshozyan advises and represents insurers in disputes across construction, energy, professional and products liability, and specialty insurance. He has extensive experience in insurance coverage litigation, including cyber, EPL, D&O, and E&O claims. He regularly appears in state and federal courts across California. David also volunteers with the Alliance for Children’s Rights, supporting adoption and guardianship cases through his pro bono practice.
Laura joined Clyde & Co’s Madrid office in 2020, bringing experience from leading national firms. She specialises in litigation and dispute resolution, handling domestic and international claims. Her focus includes construction, fire-related matters, insurance coverage disputes, tort law, and professional indemnity. Laura advises clients through pre-litigation stages and out-of-court settlements, and collaborates with lawyers and experts globally to monitor cross-border claims.
Risk of litigation
Human rights arguments have already been used in several cases concerning climate change, such as the 2024 KlimaSeniorinnen v. Switzerland European Court of Human Rights ruling. The court found that the Swiss government had violated Article 8 of the European Convention due to insufficient efforts to reduce carbon emissions. It’s possible that the same reasoning could be applied to other environmental risks such as water scarcity. Climate change allegations are also being brought against companies, and corporate duty of care arguments like those used in Milieudefensie v. Shell could similarly translate across to water scarcity issues.
Evolving regulation
Several new EU laws could impact insurance exposure, including:
The Representative Actions Directive, which enables non-governmental organisations (NGOs) and consumer bodies to file collective environmental claims;
The Corporate Sustainability Reporting Directive, which requires large companies to disclose sustainability risks, including water stress and water governance; and
The Corporate Sustainability Due Diligence Directive, which requires businesses to identify and mitigate environmental risks throughout their supply chains.
Therefore, companies would be well-advised to embrace sustainability and incorporate water availability and usage considerations into their risk assessments and policies. For insurers, the combination of litigation and regulatory risks means demand could well increase for coverage for environmental liability, including cover for legal costs, and D&O insurance for those involved in water management decisions.
Water scarcity is a critical issue that demands immediate attention from all stakeholders. The implications for property claims, business interruption, and potential legal liabilities are significant. Insurers must stay vigilant and adapt to these emerging risks to mitigate their impact effectively. The case studies of California and Spain highlight the urgent need for comprehensive strategies to address water scarcity and ensure sustainable water management for the future.
1. Reidmiller, D. R., Avery, C. W., Easterling, D. R., Kunkel, K. E., Lewis, K. L. M., Maycock, T. K., & Stewart, B. C. (Eds.). (2018). Impacts, risks, and adaptation in the United States: Fourth National Climate Assessment, Volume II. U.S. Global Change Research Program (USGCRP).
2. Kuzma, S., Saccoccia, L., & Chertock, M. (2023). 25 countries, housing one-quarter of the population, face extremely high water stress. World Resources Institute. https://www.wri.org/insights/highest-water-stressed-countries
3. Biswas, A., et al. (2025). Water scarcity: A global hindrance to sustainable development and agricultural production – A critical review of the impacts and adaptation strategies. Cambridge Prisms: Water, 1, 1–22.
4. Li, L. (2023, March 29). Taiwan braced for further water shortages in its chipmaking hubs. Financial Times. Zhang, K. (2024, September 19). How water scarcity threatens Taiwan’s semiconductor industry. The Diplomat. https://thediplomat.com/2024/09/how-water-scarcity-threatens-taiwans-semiconductor-industry/
5. BBC Visual Journalism Team. (2022, August 24). What China’s worst drought on record looks like. BBC News. https://www.bbc.co.uk/news/world-asia-china-62644870 and Gora, A. (2024, March 22). Is fashion’s impact on water being overlooked? Global Fashion Agenda. https://globalfashionagenda.org/news-article/is-fashions-impact-on-water-being-overlooked/
Agriculture, which consumes 80% of water, is significantly affected, and economic losses due to droughts have been substantial.³ Spain has implemented emergency measures during droughts and long-term strategies like the River Basin Management Plan, which includes modernising irrigation, increasing desalination capacity, and promoting water reuse.
Two significant case studies could be mentioned: California and Spain. In California, the semi-arid climate and uneven water distribution exacerbate water scarcity. The state experiences periodic droughts, with most rainfall occurring in the northern regions while the south remains dry. Key factors contributing to water scarcity include climate change, over-extraction of groundwater, and mismanagement of water resources. Severe droughts have led to significant economic losses and groundwater depletion. Agriculture, which uses 80% of the state’s developed water, is heavily impacted, and the energy sector faces challenges due to reduced hydropower capacity. In response, California has implemented infrastructure improvements, water conservation measures, groundwater management laws, and is developing desalination and wastewater recycling systems.
Insurance gap
There is a notable disparity in insurance coverage between the Global North and Global South. In Latin America, for example, the economic loss due to water scarcity is much higher than the insured loss, highlighting the need for better insurance solutions. Parametric policies, which provide payouts based on predefined triggers, can help bridge the insurance gap. These policies are particularly useful for sectors like renewables that are vulnerable to water scarcity.
Additionally, water scarcity can lead to increased litigation with potential claims against both public authorities and private companies. Recent legal developments in Europe and the US highlight the growing importance of addressing water risks in corporate policies.
Meredith White Associate, London
Steven Crocchi Senior Associate, Phoenix
Dave Dhillon Senior Counsel, Toronto
Dr Frake is an engineering physicist with extensive experience in technical consulting across product development, failure analysis, safety, and regulatory compliance. He has worked on technologies including batteries, medical devices, sensors, and metrology systems, and across sectors from healthcare to energy and consumer goods. His PhD focused on quantum semiconductor devices, developing expertise in precision measurement, cryogenics, and RF electronics. Before joining Exponent, Dr. Frake worked as a consultant at Sagentia Ltd., a science, technology and product development consultancy in Cambridge, UK.
There is evidence in some cases of a differential between claimed and real-world battery performance. Regulatory standards in respect of lithium batteries tend to focus only on safety. A battery’s performance specifications are defined by agreement between the vehicle manufacturer and its technology supplier. James Frake, Managing Consultant Scientist at Exponent, said: “OEMs [Original Equipment Manufacturers] need to come to an arrangement with their supplier to provide a battery that meets their needs for the end product while also meeting safety standards”.
The marketing of sustainable or environmentally conscious products is fraught with hazards. Although EVs are marketed as an environmentally friendly alternative to conventional vehicles, the calculation of their carbon footprint and total environmental impact is complex. Bold sustainability statements are often best avoided, and it is essential that any sustainability claims are supported by data. Generic words such as ‘clean’ are subjective and susceptible to interpretation: the eventual substantiation of those claims will depend upon factors such as how and where the vehicle is manufactured, the source of the energy used to charge the vehicle and the recycling technology available at the end of the vehicle’s life. EVs are also significantly heavier than petrol and diesel vehicles, and their weight has environmental consequences. An overall sustainability assessment is likely to include the carbon start-up cost of a battery, the sourcing of raw materials, the transparency of the supply chain, the processes required to manufacture the cells, the consequences of day-to-day use and eventual recycling.
Lithium batteries contain a variety of materials: heavy metals such as cobalt and nickel, organic solvents and other chemicals, which can be dangerous to human health and the environment. Risks may materialise at various stages of the product cycle, including toxic exposures during manufacturing and the escape of chemicals while the product is in use. There are reported examples of dangerous fumes being released, toxic chemicals persisting after lithium battery fires and harmful residues leaching into the soil or watercourses where batteries have not been properly disposed of.
“There is a risk of claims activity from exposure to the toxic chemicals contained in lithium batteries,” said Steven Crocchi, Associate at Clyde & Co in the US. “We could see allegations related to toxic exposure from assembly workers, consumers and potentially those who are concerned by environmental damage.”
Material toxicity
One source of risk is through “off-gassing”, where lithium batteries swell or combust and release toxic fumes. There have been several instances in the US requiring evacuations of battery plants and the adjacent areas. Natural disasters may exacerbate the risk. During the 2025 California wildfires, firefighters contended with toxic fumes released by the batteries of an estimated 400,000 EVs in the area, which were carried over a large area by the wind. Battery fires are comparatively difficult to extinguish, requiring up to 40 times more water than a conventional fire. Escaping extinguishment waters can in turn lead to soil and watercourse contamination.
The recent trend of greenwashing claims is highly relevant in this context. Companies should be aware of the importance of regulatory and environmental compliance, as rules and penalties become increasingly stringent.
Lithium batteries and sources of emerging risks
Electric vehicles [EVs] are a progressive alternative to fossil-fuelled vehicles, but there is still
A battery’s real-world performance – and hence its ability to deliver on the manufacturer’s specifications – depends upon several factors. Climate is highly relevant: in cold weather, for instance, electric vehicles may lose around 40% of their range. Age is another, as batteries can lose 2-3% of their capacity per year. As Meredith White, Associate at Clyde & Co in London, pointed out, “Manufacturer performance claims are a source of risk and should be carefully reviewed to ensure that they cannot be criticised as being misleading.” Claims activity has already begun, and claimant lawyers could conceivably look to build upon the ‘Dieselgate’ cases, which centre upon real-world compliance with manufacturer emissions claims.
ESG implications
Increasing demand for EVs could create pressures in the supply chain, causing consequences such as:
Sam Lawton, Senior Consultant Scientist at Exponent, made the point that meeting ambitious targets for electrification – not just of vehicles but of the entire energy grid – is likely to result in a significant increase in demand for critical materials. “The lack of access to these materials is one side of the problem. The other side is getting the expertise in the right places to ensure a consistent supply of the materials”, he said.
Performance issues
Marketing a sustainable solution
Adverse environmental impacts of extracting raw materials on ecosystems, water availability and effective, responsible recycling.
The protection of human rights in the supply chain.
Corporate transparency and accountability, adherence to local laws and compliance with disclosure requirements.
“Complex questions are starting to arise around the expanding use of lithium battery technology,” concluded Dave Dhillon, Senior Counsel at Clyde & Co in Toronto. “In a changing landscape, it’s essential that companies stay up to date with new developments and regulations in this area”.
Parodi, A. (2025, January 14). Global electric vehicle sales up 25% to record in 2024. Reuters. https://www.reuters.com/business/autos-transportation/global-electric-vehicle-sales-up-25-record-2024-2025-01-14/
James Frake Ph.D., CPhys, MSaRS - Managing Scientist - Materials Science and Electrochemistry, Exponent
GUEST SPEAKERS
Sam Lawton Ph.D., CSci - Managing Scientist - Materials Science and Electrochemistry, Exponent
Dr Samuel Lawton specialises in energy storage devices, with expertise in lithium-ion and lithium-metal battery design, testing, and failure analysis. He has a strong background in polymer synthesis and materials characterisation for commercial and research applications. His PhD focused on semiconducting polymers for next-generation photovoltaics, with experience in thin film formation and surface analysis. Prior to joining Exponent, he researched Li-metal anode protection and solid-state battery materials.
a great deal to be learned about the technology that powers them. In the second of our 2025 Emerging Risk webinar series, we look at performance, safety and sustainability issues surrounding lithium batteries and evaluate them as a source of risk. The review is timely as a record 17 million EVs were sold last year.¹
John Whittaker Partner, London
Judith Pastrana Knowledge Lawyer, London
Chris Hill Partner, London
Osama Al Jayousi Consultant, London
Anousheh Bromfield Partner, London
Osama is a consultant in Clyde & Co’s white collar and sanctions group. He is a compliance subject matter expert with significant experience in regulatory investigations, risk management, ESG, and governance. Osama was previously the Head of Compliance for a FTSE 100 company in the support services and construction sector and is regularly invited to speak at industry conferences for professionals.
Judith is a highly experienced knowledge lawyer specialising in regulatory and investigations, and marine and international trade. With a strong background in legal analysis and knowledge management, she supports legal teams by delivering strategic insights, maintaining up-to-date legal resources, and ensuring close monitoring of evolving regulatory frameworks. Judith plays a key role in shaping client-focused content and initiatives.
The UK’s fraud crackdown
What British businesses and multinationals need to know
Fraud is on the increase: last year in the UK, the number of cases reported to the National Fraud Database hit record levels.¹ Not only is it a serious problem in itself, with major adverse impacts on consumers, businesses, and the public sector, but the fact that the proceeds are often used to fund further criminal activities amplifies the risks involved.
Importantly, securing a corporate conviction does not require evidence that directors or senior managers knew about the fraud, which means the bar for prosecution has been lowered considerably. Even if the fraudster’s primary motive was personal (e.g. to earn more commission), corporate liability may still apply if the organisation indirectly benefits. However, even if the company has not actually received any gain from the fraud, it can still be held accountable.
Multinationals with operations or personnel in the UK should take note. Government guidance states that, ‘If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based. If an employee or associated person of an overseas-based organisation commits fraud in the UK, or targets victims in the UK, the organisation could be prosecuted.’ Multinationals should therefore consider implementing fraud prevention measures across their entire corporate structure.
The only defence to an FTPF prosecution is for a company to demonstrate that it had reasonable prevention measures in place at the time the fraud was committed. The government has published guidance on what these measures should look like, focusing on six high-level principles.
A one-size-fits-all or box-ticking approach will not be sufficient here. Detailed, comprehensive risk assessments should be undertaken to identify and evaluate fraud threats, controls must be tailored to individual company dynamics and the specific risks they face, and regular monitoring and updating of procedures is vital.
Companies should ensure their anti-fraud efforts have top-level commitment and appoint a senior person to oversee fraud risk management. Staff must be educated and trained on fraud risks, motivations to commit fraud need to be well understood, and a culture of integrity embedded internally.
What should fraud prevention measures look like?
crimes listed under ECCTA, such as fraud, money laundering and tax evasion. If the Bill is passed, it will be easier to prosecute organisations for an even greater range of offences committed by a potentially large range of employees.
The Act has widened the scope of the ‘identification principle’, which applies to small and medium-sized companies as well as large corporates (both UK and non-UK-based), in respect of economic crime offences, and proposals have already been put forward to broaden the scope of its application.
The identification principle is a legal test designed to determine whether the actions and intentions of an individual can be attributed to an organisation, to make it easier to hold that organisation criminally liable for acts committed by certain individuals within it.
Cifas. (2025, April 3). Fraudscape 2025: Reported fraud hits record levels. Cifas. https://www.cifas.org.uk/newsroom/fraudscape-2025-record-fraud-levels
To crack down on fraud within organisations, important new measures are now being implemented under the Economic Crime and Corporate Transparency Act (ECCTA). The Act has implications for companies of all sizes, and even those from overseas could be impacted. Its reforms are extensive, but here we focus on two key aspects: the new failure to prevent offence and the amendments to the identification principle.
The ECCTA has created a new corporate criminal offence, known as the ‘Failure to Prevent Fraud’ (FTPF) offence, which will apply from 1st September 2025. This affects large organisations only (as defined under the Act), who could face charges for failing to proactively implement measures to prevent fraud from being perpetrated.
The new FTPF offence: lowering the bar for corporate prosecution
The FTPF offence is not concerned with fraud committed against the corporate itself, such as theft from the company or embezzlement. Instead, it relates to fraud perpetrated with the intent to benefit the company, its clients or customers, to the detriment of external parties such as other customers, clients, shareholders, competitors or regulators.
Large organisations could be found guilty if an ‘associated person’ (such as an employee, agent, subsidiary or partner) commits a specified fraud and reasonable fraud prevention procedures were not in place. Activities that may be deemed fraudulent under the FTPF offence include:
Misrepresenting the organisation’s products or services, such as making false claims about levels of expertise, mispricing or mislabelling products or exaggerating their ‘green’ credentials (i.e. greenwashing)
Deliberately selling customers products or services they don’t need
Defrauding suppliers, or misstating or withholding information in the procurement process
Misreporting information, such as misstating the organisation’s solvency position, or misleading regulators
Misstating timesheets on which fees are charged or expenses claims submitted to clients
Organisations should also be in a position to prove they have conducted thorough due diligence on third parties and associated persons. Consider also whether contractual provisions are required to support fraud prevention efforts.
The widening scope of the ‘identification principle’
In effect, an expanded pool of people may now be caught under this principle and so create criminal liability for their organisations. Since December 2023, it has included senior managers that commit a specified offence while acting within the scope of their authority – not just those deemed to be in charge of the company, such as company directors or the top layer of leadership. Fines for the most serious crimes are potentially unlimited.
A new approach
ECCTA represents a new approach to fraud, aimed at improving proactive prevention on the part of organisations, and making crimes easier to prosecute, in an area where securing criminal convictions has historically proved challenging. If they haven’t already done so, British and multinational businesses that could be affected should be getting ready for the new FTPF offence by developing and implementing adequate fraud prevention procedures to guard against fraudulent activity, and by taking the time to identify who their senior managers are, in order to seek to avoid criminal corporate sanctions stemming from the actions of individuals.
Plans are now afoot under the Crime and Policing Bill to make any offence committed by a senior manager fall under this principle – not just the specified economic
Osama is a consultant in Clyde & Co’s white-collar and sanctions group. He is a compliance subject matter expert with significant experience in regulatory investigations, risk management, ESG, and governance. Osama was previously the Head of Compliance for a FTSE 100 company in the support services and construction sector and is regularly invited to speak at industry conferences for professionals.
Celest holds an LL.B from the National University of Singapore and a Diploma in Maritime Business (with Merit). Driven by a strong interest in international trade and shipping, she supports the EMNR team across a wide range of matters, spanning both contentious and non-contentious issues in the trade and maritime sectors.
The sanctions imposed on Russia highlight the challenging landscape that multinationals must navigate. Several states and groups including the US, UK and EU all levy their own autonomous sanctions regimes which are subject to sudden change. For example, the EU is currently pushing through its 18th package of sanctions and is additionally targeting ‘third countries’ outside the EU that trade with Russia. The UK recently announced 100 new sanctions designations.1 Meanwhile, Australia2 and Canada3 (which historically have tended not to impose autonomous sanctions regimes) have both just revealed that they will impose additional restrictions.
And that’s just one targeted jurisdiction. When the plethora of prohibitions affecting other states, including Iran, North Korea and Myanmar, are taken into account, the extent to which multinational businesses are subject to multiple changeable and sometimes opaque sanctions regimes comes into sharp relief. All this affects how they do business with customers and suppliers around the world and impacts their staff in various locations.
New sanctions, as with any new law that comes into force, are quickly open to interpretation, and grey areas will inevitably arise. Case law is being developed in some areas; however, it’s worth noting that while courts are likely to take a strict legal interpretation, regulators are typically inclined to take a more ‘purpose-driven’ approach, which assesses whether companies are complying with the aims behind the regulations. Businesses will need to bear both outlooks in mind.
All this conflict and complexity may prompt some multinationals to take the decision to stay well away from doing business in regions where sanctions might be imposed or could (even tangentially) apply, given how hard it is for big businesses to be nimble in their response to events. Even when sanctions are finally lifted, they may not have the risk appetite to return to those markets, as was the case for many when sanctions against Iran were eased in 2016.
However, there are several steps companies can take to mitigate risk and build resilience into their operations, so that they can continue to conduct business and seize opportunities in at-risk regions.
Geopolitical shocks
sanction individuals and entities under that regime, many of whom may not necessarily be from Iran or Russia. Sanctions also affect different goods and services in different ways: for instance, plastics made in China with Russian oil may not attract trade sanctions, but products containing Russian steel will. Nor do they relate solely to goods: they also apply to many services provided to support trade in those goods, including banking, insurance and transportation. As such, they can affect a wide range of sectors involved in the supply chain. The role of financial services in facilitating conflicts as well as directly funding war efforts is under intense scrutiny.
Foreign, Commonwealth and Development Office. (2025, May 20). UK announces major sanctions in support of Ukraine. UK Government. https://www.gov.uk/government/news/uk-announces-major-sanctions-in-support-of-ukraine
Minister for Foreign Affairs. (2025, June 18). Australia imposes sanctions on Russian shadow fleet vessels. Government of Australia. https://www.foreignminister.gov.au/minister/penny-wong/media-release/australia-imposes-sanctions-russian-shadow-fleet-vessels
Global Affairs Canada. (2025, June 17). Minister Anand announces major additional sanctions in relation to Russia’s war of aggression against Ukraine. Government of Canada. https://www.canada.ca/en/global-affairs/news/2025/06/minister-anand-announces-major-additional-sanctions-in-relation-to-russias-war-of-aggression-against-ukraine.html
Responding rapidly to sudden sanctions
In a divided world, where geopolitical tensions are rising and military conflicts proliferating across many regions, the use of economic sanctions as a lever to apply pressure and achieve foreign policy goals could ramp up at any time. As well as the potential for new sanctions regimes to target new state actors, existing regimes and their prohibitions may be extended and the number of countries imposing sanctions is increasing.
As this happens, businesses with global footprints face a heightened degree of risk and complexity around compliance. Knowing what will happen next and reacting quickly is not always easy but it’s essential to be as prepared as possible.
Complexity on the rise
Mitigating risk and building resilience
It’s important to understand and monitor where risk exists in customer bases, supply chains and strategic partnerships. By carrying out thorough due diligence, problems can be spotted ahead of time, e.g., if suppliers are controlled by sanctioned businesses or designated people, or if a counterparty subcontracts services to organisations that are sanctioned. Moreover, if someone you do business with is subsequently placed on a sanctions list, you will have a good understanding of your risk exposure.
Having the correct policies and procedures in place to protect against the risk of sanctions breaches is a must. If they are to be truly effective, they should not be generic but be tailored to the specifics of your organisation and dovetail with the risk management systems you use.
Including contractual protections, such as sanctions clauses, in agreements should ensure you can suspend your relationship with customers or suppliers or even void the contract, if doing so becomes necessary to comply with sanctions rules. Remember, though, that the effect and protections of such clauses may differ depending on which sanctions rules apply, and which country issued them. Be aware too that whilst sanctions clauses might afford a contractual right to suspend performance or exit a relationship, they will not necessarily protect you from financial loss if you are owed money when the clauses are triggered.
Beyond legal obligations: the impact of banking and insurance terms and conditions (T&Cs)
Government-imposed legal sanctions are not the only consideration, though. Just as critical for businesses are the restrictions that other parties, particularly banks and other financial institutions, may impose on their activities. Banks’ terms and conditions frequently prohibit borrowers (even in countries where no sanctions obligations exist) from doing business with sanctioned countries or using the proceeds of trade with sanctioned entities to repay loans.
Finding that contractual conditions in financing arrangements prevent a business from taking a particular course of action can come as a shock, potentially derailing strategic plans or operations. Worse, breaching these terms could have serious consequences: doing so could be an event of default, and cause the lender to pull their funding lines altogether. Insurance policies may also be voided if certain sanctions-related activities forbidden in their T&Cs are undertaken.
Sanctions are highly charged and fast-moving, fraught with legal, reputational and contractual risks, and they can cause businesses to have to rapidly rethink their operations and adapt to new scenarios almost overnight. Trying to stay ahead of what’s coming next can be challenging, but taking steps to ensure compliance and bolster resilience is not impossible even amid the uncertainty.
MEET THE AUTHORS
Patrick Murphy Partner, London
In addition, the way in which sanctions prohibitions work is nuanced. A sanctions regime may target a particular jurisdiction, such as Iran or Russia, but will
Lucy Nash Legal Director, Dubai
Vyasna Mahadevey Associate, Dubai
from healthcare and education to utilities, transport and governments themselves. Moves to stand up to ransomware demands are gaining traction. For example, the international Counter Ransomware Initiative (CRI), which comprises 68 countries, recently agreed that institutions that are government-authorised should not pay ransomware extortion demands,4 while Australia and the EU are now making incident reporting mandatory for certain entities.5
The UK government has put forward three key legislative proposals to increase visibility as well as control over the ransomware situation:
A ban on ransomware payments for all public sector bodies, including local government and operators of
What is the UK proposing and what could it mean?
Views are also being sought as to whether essential suppliers to these sectors should be included as well. If so, a very broad range of organisations are likely to fall within the scope of new rules, and there could be some grey areas around which suppliers are subject to a ban. Questions will need to be answered, such as whether cryptocurrency platforms would be included under the finance banner, whether digital service providers will fall into the communications bracket, and whether food suppliers could even come within this regime.
Adequate resourcing will therefore be vital to ensure that the entity that is to be responsible for reviewing these potential ransomware payments can meet demand.
Ransomware attacks are a significant threat to organisations everywhere. Last year, recorded incidents were up 11% worldwide compared to the year before.1 The tactics and techniques used by criminal gangs are constantly evolving, with many offering their services for sale, and even as law enforcement activity shuts down groups such as LockBit and ALPHV/BlackCat, others emerge in their place.2 No wonder: with ransom payouts in 2024 averaging USD 2 million – five times higher than 12 months before – it’s a lucrative enterprise.3
The UK is proposing to go further, and the government has recently consulted on its plan for tackling ransomware attacks. What this involves and its potential implications were the focus of the third and fourth episodes of our Cyber Risk podcast series.
This goes beyond the existing prohibition on central government departments paying ransomware demands. 13 national infrastructure sectors are listed as being part of the UK’s CNI, including defence, energy, health, communications and finance. It remains to be seen whether the final draft of any legislation will contain room for manoeuvre in high-stakes situations, for instance if a public sector body or CNI provider finds its vital services are completely paralysed unless a payment is made.
“A lot of thought is going to have to go into the limits of the relevant definitions, and then it will be important to ensure that organisations are aware if they are affected by the proposals,” said Seaton Gordon, Partner in the cyber team.
In practice, this could create a significant administrative burden for the government if many organisations embark on this process. When a ransomware attack happens, time is often of the essence to minimise the operational downtime. Concerns over how long the approval or rejection process might take may prompt organisations to submit a notice of intention to make a payment sooner rather than later, even if they are not sure whether they will ultimately choose to pay up.
Cracking down on ransomware: plotting the way forward
As well as posing a major financial and business interruption risk for companies of all sizes, criminal gangs also use ransomware to disrupt the operation of critical national infrastructure,
1
critical national infrastructure (CNI).
This would require victims of ransomware attacks who are not covered by a ban to engage with the government before making a ransom payment. Officials will consider the position and confirm whether there is a reason to block a payment from being made, such as if doing so would breach sanctions or fall foul of terrorism finance
2. Ransomware payment prevention rules
Criminals are always looking for loopholes and workarounds that they can exploit. If (as it has indicated) the government defines ransomware as a type of malicious software, then there’s a possibility that attacks that don’t rely on software may not fall under these rules. For example, gangs may see growing advantage in deploying tactics such as phishing instead (where people are tricked into giving criminals access to systems or data), if it means their victims will not be subject to restrictions on making payments.
3. A mandatory reporting regime for ransomware incidents
“It will be interesting to know more about the rationale for the definition of ransomware as currently drafted, and to see if it changes in due course,” said Gordon. “The reality is that attackers will do what they can to try and work around any law in order to maintain their profitable business models.”
This sets out a two-stage ransomware attack reporting regime, whereby affected organisations will be required to submit an initial report within 72 hours of an incident, including information such as whether a ransom demand has been made and if a threat actor is identifiable. Then a full report must be submitted within 28 days, including further details about the attack such as whether resilience measures have been implemented. The duty to report would apply regardless of the victim’s intention to pay the ransom, but policy-makers are exploring whether this requirement should be universal or only apply to certain organisations.
Given that businesses are already expected to report cyberattacks and data breaches to other regulators, notably the Information Commissioner’s Office (ICO), this would add another layer to their existing compliance obligations. As the consultation document notes, government departments will need to work together to avoid creating conflicting reporting requirements during the development of any legislation.
A way around the rules?
Whatever form the final rules take, and whether existing laws will be updated or fresh legislation brought in, the UK government has made it clear that the nature and scale of the ransomware threat requires the development of new and targeted interventions. Will other countries follow suit?
legislation. In a sign of how seriously it is taking this issue, civil or even criminal penalties for non-compliance are being considered.
To find out more, tune into our podcast series.
MEET THE HOST
Seaton Gordon Partner, London
Bleih, A. (2025, January 13). Ransomware Annual Report 2024. Cyberint. https://cyberint.com/blog/research/ransomware-annual-report-2024
Poireault, K. (2024, December 27). The top 10 most active ransomware groups of 2024. Infosecurity Magazine. https://www.infosecurity-magazine.com/news-features/top-10-most-active-ransomware/
Sophos. (2024, April 30). Sophos ransomware payments increase 500% in the last year, Finds Sophos State of Ransomware Report. https://www.sophos.com/en-us/press/press-releases/2024/04/ransomware-payments-increase-500-last-year-finds-sophos-state
CRI. (2024, January 30). International counter ransomware initiative members come together to strongly discourage ransomware payments. https://counter-ransomware.org/briefingroom/8ed7d1de-1a74-4a36-a2df-d5950624ebd8
Growley, K., Sinha, A., & Weeks, C. (2025, February 28). Targeted policy action against ransomware attacks emerging as a key global cybersecurity trend. Mondaq. https://www.mondaq.com/unitedstates/security/1591072/targeted-policy-action-against-ransomware-attacks-emerging-as-a-key-global-cybersecurity-trend
Chris Holme Partner, London