RiskMap 2025 | Mark Young | Tung Jung Tan

Our Top Risks for 2025 can help legal and compliance teams prepare for a range of challenges that will demand adaptability and evolution.

How should legal and compliance teams be preparing for the year ahead? Our Top Risks for next year are a good place to start. Ignoring these risks, including those not traditionally considered by legal and compliance teams, is no longer an option.

Compliance amid the decline of Pax Americana

The US remains extremely influential, but its diminishing global influence has given way to a more fragmented world order. Even if sanctions teams remain alert, overarching legal functions will need to turn some focus away from the US when tracking regulatory compliance risks. As the geopolitical power vacuum reinflates, pockets of new regulatory activity will create a mélange of new risks across jurisdictions.

Centralised legal teams will struggle to keep pace with vague requirements from regulators, potentially leading to panic and overreaction. China’s Personal Information Protection Law (PIPL) is one such example. Business functions will look to compliance teams for guidance, not just on achieving elusive PIPL compliance, but for expert advice on balancing regulatory risk with business interests.

A web of red lines

Corporates will need to know which red lines to watch in their space and be ready for rapid changes in regional and global stability.

Major red line zones in Asia include the South China Sea and Taiwan. In Europe, repeated transgressions and muted responses in Ukraine are increasing risk tolerance. In the Middle East, red line violations are driving the escalating conflict between Israel and Iran (and its regional proxies).

Geopolitical risks are becoming a key consideration for legal and compliance teams. A local manufacturer in Malaysia may need to closely assess its supply chain to know whether suppliers are using Russian materials for products that are being exported to the United States, or if the manufacturer’s finished products are being diverted to sanctioned countries.

For legal and compliance teams, the main risk is running afoul of sanctions or being exposed to secondary sanctions via a third party. With multiple, sometimes blurred, red lines in a globalised supply chain, corporates are being forced to unravel their supply chains with devastating cost implications. Digitising sanctions monitoring, employing data analytics and then applying this across a corporate’s entire supply chain is one way to mitigate sanctions risks.

Opportunities in a coming global trade war

As China reinvigorates its manufacturing sector by increasing exports, the trend towards protectionism in US trade policy will accelerate under the incoming Trump administration. All the while, concerns of conflict in Asia are on the rise. Multinationals will find themselves taking sides, with one option being to de-risk and divest onshore operations. Legal expertise will be leveraged in areas such as trade compliance, sanctions and supply chain security.

Decoupling from China is not the only option, particularly for non-US multinationals. Our experts have seen European manufacturers in particular doubling down by transferring research and development operations into growing China operations focused on increasing domestic presence.

Such a bold approach demands robust due diligence of prospective partnerships, careful crafting of technology transfer agreements and thorough research into any perceived benefits of localisation in China – such as tax relief and access to public procurement. Intellectual property protection is also critical, as the industries most likely to benefit from localisation in China are critical technologies that are by nature geopolitically sensitive.

Political violence: time to recalibrate

In 2025, political violence fuelled by online propaganda and disinformation will become more widespread and less predictable. Beyond the traditional focus on physical threats to supply chains, facilities and employees, corporates will need to be vigilant against non-traditional political threats: asset theft, data leaks or reputational attacks. These might be conducted by a lone employee sympathiser or external threat actor, either in the name of a political agenda or as retribution against a corporate’s perceived (or actual) political leanings. Violence perpetrated by lone actors, radicalised by geopolitical, economic, environmental and social crises – amplified if not wholly manufactured online – will continue to pose unique challenges for corporates.

Even when corporates are not the actual targets of political violence, they may suffer negative spillover effects in the form of deteriorating business stability and increased crime. Vigilance across the whole gamut of risks, from sanctions to security, is key.

For legal and compliance teams, digitised compliance monitoring represents the first line of defence. Data analytics can be leveraged to monitor large data volumes, both internally (to identify compliance red flags, like systematic theft or sabotage) and externally (to identify potential sources of external reputational threats by trawling seemingly random online chatter).

Digital concentration: deepening cyber risk

The trend of increasing centralisation of digital assets and ecosystems has deepened the risks of cyber attacks. The proliferation of new technologies, like artificial intelligence (AI), the internet of things (IoT) and autonomous devices, challenges traditional concepts of operational control over infrastructure and consumer products. Legal and compliance teams must upgrade their digital risk skillset to address new threats.

Legal teams can reduce risk and build resilience by diversifying technology suppliers where feasible and ensuring effective risk management where diversification is not possible. Existing due diligence processes must account for this growing concentration risk. 

Legal teams must also be prepared to support reactive efforts to manage high-stakes cyber attacks. The pervasive nature of technology is fundamentally changing the type of impact successful cyber attacks can have on companies. Consider the possible disruption to autonomous vehicles following an attack and the likely physical damage that would ensue. Resilience is no longer optional when cyber attacks have the potential to range from criminal extortion to physical harm.

Get comfortable being uncomfortable

2025 will challenge legal and compliance teams to step outside their comfort zone. They will need to monitor non-US-centric regulatory risks. They must be ready for the complexities of operating outside traditional markets as a global trade war looms. And geopolitical turmoil will add unprecedented intricacies to legal and compliance responsibilities, be it guarding against lone-wolf political attacks, secondary sanctions or cyber attacks. Teams that can stay ahead of these risks will position their organisations to seize opportunity in the year ahead.
