
Global Directors’ and Officers’ Survey Report 2024/2025 – The top seven risks

By Mandip Sagoo and Eve Richards | March 20, 2025

Once again, the annual Global Directors’ and Officers’ Survey provides a valuable insight into the risks that are of concern to D&Os around the globe.

The headline point is that health and safety risks continue to be the top concern for D&Os, with 80% of respondents considering them a very or extremely important concern. The exact reason is not clear, though high-profile cases leading to significant criminal and regulatory actions (such as in the UK, where high fines have been imposed and the Health and Safety Executive's conviction rate is 92%[1]) have definitely had an impact. In Australia, industrial manslaughter has now been introduced in all States and Territories, and a number of workplace legislative reforms came into effect in 2024. There is also no doubt that the pandemic highlighted the importance of healthy employees. There is also a growing willingness by boards to accept that mental health is as important as physical health, and a recognition that considering and looking after employees’ wellbeing leads to greater productivity and improved financial performance.

Social risks - on the rise

Whilst the health and safety concern numbers have reduced slightly on last year (down 4%), social risks as a whole feature prominently in the list of concerns and, when looked at over a five-year period, the increase in concern is notable. For example, breach of human rights within or by business operations has risen from 23% of responders considering it a very or extremely important concern in 2021 to 62% in 2025 and, in several regions, has made it into the top seven risks. Similarly, concern about supplier business practices has risen from 27% in 2021 to 59% in 2025.

Why have social risks climbed in the rankings over this period? Our view is that it is now accepted that, by integrating social risk considerations, directors can ensure their companies are better positioned for sustainable growth and resilience in an evolving business landscape. This is coupled with some studies[2] that conclude that responsible social practices result in better financial performance. Failure to adequately embed social risks within company operations could lead to a range of exposures, including:

  • alienating consumers and investors, both of whom are increasingly socially conscious in many jurisdictions, making it harder to attract and retain investment;
  • increased exposure to regulatory actions;
  • reputational damage;
  • supply chain disruptions, leading to delays and increased costs;
  • decrease in productivity and morale – increased labour disputes, high turnover, failure to attract top talent etc.

There are potentially huge knock-on effects not only for the company and its workforce but also in the broader communities and economies in which companies operate. Boards will need to fully understand all this before acting or could bear the brunt of claims arising from the mishandling of their corporate and social responsibility policies.

Interestingly, despite the global focus on Corporate Social Responsibility and the E of ESG being such a hugely important topic, climate change has not featured in the top seven risks for any region or industry this year. It has dropped away completely from its number one spot in Great Britain in our 2023 Survey. For further consideration of the ESG-related results from the Survey, please see our article: Global Directors’ and Officers’ Survey Report 2025 – Where are we with ESG in 2025?

Data loss, a rising concern?

Concern about data loss comes in second place, having swapped positions since last year with concern about cyber risks (though it is worth noting that concern levels for both have remained fairly steady over the last five years). It is no surprise that these risks remain near the top, given the significant costs that can flow from data loss, which is often, but not always, linked to a cyber event (other causes include, for example, leaving confidential information on public transport, improper disposal of sensitive information such as failing to shred it, physical theft etc.).

Regulatory and legislative frameworks are constantly evolving in this area – for example, in the UK the Data (Use and Access) Bill, which seeks to make changes to the UK GDPR and DPA 2018, is currently progressing through the UK Parliament, with the Cyber Security and Resilience Bill also set to become law. Both will increase regulators’ enforcement powers and place a burden on D&Os to get data management and cybersecurity right. In Australia, long-awaited reforms to the Privacy Act introduced a statutory tort for serious invasion of privacy.

Rising tide of group actions and shareholder suits in data breach cases

In addition, the prospect of a company facing a group action has increased. For example, in the UK, claimants are testing the boundaries of the UK mechanisms to bring mass data loss claims.

Elsewhere, in the EU, the German Federal Court of Justice recently determined that a simple temporary loss of control over personal data resulting from a GDPR breach could be considered non-material damage, warranting a compensatory award, even in the absence of direct misuse of the data to the detriment of the individual or any other harmful effects. This could embolden group claims in the EU to be brought on this basis. Shareholder actions are also possible (already present in the US) – for example, in Australia a shareholder class action was brought in 2023 following a data breach that saw an 18% share price drop.

These proceedings claim that the company in question did not have adequate systems and processes in place to deal with a data breach and that this, in and of itself, was material information not provided to the market. These proceedings are the first of their kind in Australia and are separate to the additional privacy litigation brought by the customers who were affected by the breach.

This last point leads us to the fifth concern on the top seven list – risks deriving from systems and controls failures, which was a new entry on the top seven last year. Failures in this regard provide the foundation and launchpad for an array of exposures for companies in a multitude of different areas. Examples include criminal proceedings due to inadequate financial crime controls, civil actions (such as the shareholder class action mentioned above) and significant regulatory fines for breaches which could have been prevented by the implementation of robust controls. It is vital that D&Os adequately address internal controls, or they risk severe consequences.

Regulatory landscape: A growing concern for companies and directors

Regulatory risk, more generally, continues to be of concern (here, the number four concern), and with good reason. The regulatory landscape is complex, with a range of new rules and regulations continually being introduced (especially in the financial services sector), thus increasing the chances of non-compliance, leading to significant penalties for companies and, potentially, personal liability for directors. Additionally, as we explain in more detail in our Regulatory article, the political environment has a profound impact on the regulatory agenda, making it difficult, especially for global enterprises, to understand what is expected of them.

A new entry…

A new entry, at number six on the top seven list, is the risk of civil litigation, creeping one spot above ‘bribery and corruption’ and knocking ‘breach of sanctions’ out of the top seven. It is worth noting that concern regarding breaching sanctions is still high overall, but when one looks at the split by company size and region, this concern is largely felt by D&Os in the largest companies in Europe, which is to be expected. It is also worth noting that the percentage of D&Os considering civil litigation a very or extremely important concern in 2025 has not changed since 2024 (63% of responders), but both years saw a significant jump from the 38% of responders in 2023 who considered it a very or extremely important concern. We explore why civil litigation has risen up the ranks in our separate Civil Litigation article, including the impact of social inflation and the key drivers behind litigation.

Bribery and corruption: A top concern for larger companies

Rounding off the top seven list is concern about bribery and corruption. Whilst it has made the list, concern is felt more in the largest of companies – 81% of respondents in companies with a revenue over $5bn ranked bribery and corruption as a very or extremely important concern, compared with 51% of responders in companies with revenue below $50m (there was no notable difference when viewed by sector). There are many reasons for this, including that large companies typically operate in many jurisdictions, meaning they need to navigate different regulatory landscapes, and that the complexity of operations in large companies makes it harder to detect and prevent corrupt practices (linking back to the need for robust internal systems and controls). Large companies also come under greater regulatory and public scrutiny, and scandals can lead to significant penalties and large civil actions, such as shareholder group actions. Indeed, some of the UK’s current large group actions follow findings of bribery and, in Australia, an action by the corporate regulator against the entire board of directors of a gambling company, for failing to give sufficient focus to the risk of money laundering and criminal associations for high spending international customers, continues to be monitored closely.

The importance of robust risk management

Overall, the list of the top seven risks reveals the various difficulties and challenges that D&Os encounter, which could have serious implications for them. To avoid and reduce these risks, it is essential to have effective risk management strategies and appropriate systems and controls in place. A failure to ensure the robustness of these may not only have a material impact on business operations and financials, from large fines and penalties, but also create the potential for shareholder litigation following stock drops brought about by the reputational damage to companies caused by such failure.

Footnotes

  1. Health and Safety Executive Annual Report and Accounts 2023/24.
  2. See, for example, Corporate Social Responsibility and Financial Performance: A Meta-Analysis The Journal of Academic Science, Social Responsibility and Financial Performance: The Case of STOXX Europe Index | IntechOpen and Business Sustainability and Its Effect on Performance Measures: A Comprehensive Analysis.

Authors


Clyde & Co
Partner, London

GB Head of Global FINEX D&O


Technical Director – FINEX Australasia