Regulatory or Legislative Changes

Top 10 Global Risks


This insight is part 05 of 10 in this Collection.

November 8, 2023 11 mins

Regulatory or Legislative Changes are the fifth biggest risk facing organizations globally today, and are predicted to remain the fifth most critical risk by 2026, according to our survey.

What Are Regulatory or Legislative Changes?

In response to concerns about public safety, market trends or emerging societal and environmental challenges, a government or regulatory body may introduce a set of new laws and rules or update an existing one, which, in turn, may substantially reshape the business environment, affecting anything from operational costs to market dynamics.

For example, to meet new regulatory obligations, a business may need to invest in new technologies or hire more staff, thereby increasing the costs of operations. Alternatively, a business may consider that the cost of compliance with new or updated regulation creates a barrier to entry or reduces incentives for growth. In this way, a government policy could significantly alter the competitive landscape.

Why Are Regulatory or Legislative Changes a Top Risk for Organizations Today?

The impact of new laws and regulations can be targeted toward individual sectors or apply more universally. In March 2023, for example, the U.S. Securities and Exchange Commission (SEC) proposed new cyber security requirements for market participants, such as broker-dealers. Other regulations can be more sweeping: the European Union’s Corporate Reporting Sustainability Directive, due to go into effect in 2025, will apply to 50,000 large EU companies as well as multinationals with annual revenues of more than €150 million ($160 million), requiring them to report on matters such as sustainability, diversity and anti-corruption.

Organizations must monitor and adhere to regulations set by governments to meet a wide variety of policy aims. These policies, rules and laws may vary dramatically across countries and industries.

Compliance and regulatory costs are not a new or unforeseen burden for business. However, uncertainty about upcoming regulatory changes may affect business confidence. Companies active in multiple jurisdictions must track and comply with a wide variety of complex laws and regulations. The following are some examples.

Cyber Regulation

Businesses already grapple with the direct costs of being targeted in cyber attacks. Now, some regulators are also initiating actions against businesses that, among other things, fail to notify those affected by a breach or fail to demonstrate that they made reasonable efforts to protect the data they hold.

Privacy Laws

More than five years on from the enactment of the General Data Protection Regulation (GDPR), compliance remains critical, and companies have further enhanced their processes to protect personal data. In the U.S., a patchwork of data protection legislation across states increases the complexity of compliance.

Pay Transparency

The EU is set to introduce new legislation that will require employers to disclose pay ranges in job listings and to current employees. Certain U.S. states have already enacted similar legislation. This could expose organizations to legal claims when there is pay inequality that could be perceived as discriminatory.

Climate and Sustainability

Regulations aiming to limit global warming and protect the environment continue to be introduced around the world.[1] However, companies face uncertainty regarding the level of detail and information required by disclosure rules, as well as the cost of compliance.

Artificial Intelligence

Proposed amendments to the EU’s Artificial Intelligence Act would impose penalties as high as 7 percent of annual revenues for violations, a level that exceeds even the penalties imposed under GDPR.

Biometrics Laws

The use of biometrics — the automated recognition of individuals based on unique physical characteristics — by companies, including social media firms, has led to new legislation. The Artificial Intelligence Act, for example, would prohibit biometric systems that categorize people, and an Illinois law could lead to significant damage awards against employers that record or transmit biometric employee data without consent.

Losses and preparedness

A quarter of respondents suffered a loss due to Regulatory or Legislative Changes, with half having plans in place to respond to the risk.

  • 26% of respondents indicated this risk contributed to a loss for their organization in the 12 months prior to the survey.

  • 50% of respondents stated their organizations had set up a plan to respond to risk.

    Source: Aon's 2023 Global Risk Management Survey

Why Are Regulatory or Legislative Changes a Top Risk for Organizations in the Future?

Regulatory change will continue to be a source of uncertainty and an organizational risk for companies in the coming years. Increased levels of political polarization across the globe mean changes in government could come with significant policy changes that affect the environment businesses operate in, causing heightened volatility.

In addition, with the greater integration of digitalization, artificial intelligence and data and analytics in business models, we expect the tech sector to come under heightened scrutiny to protect consumer privacy and strengthen copyright protection for content creators. The timing of changes and how each government or regulator chooses to tackle these issues are unclear, elevating risk for companies as they look to develop long-term strategies and make investment decisions.

How Can Organizations Mitigate the Impact of Regulatory or Legislative Changes?

To keep pace with the evolving regulatory environment, business leaders have several options. Organizations can set up in-house teams to track regulatory changes and implement new compliance measures. Investment in regulatory monitoring systems can back up these efforts. The pace and scope of change can be daunting, so companies could also engage internal and external counsel to identify trends in regulatory enforcement.

Companies can also focus on ways to influence the development, passage and implementation of new laws and regulations. Joining trade associations and engaging lobbying and advocacy groups on key topics of interest can ensure that decision makers consider the industry’s interests.

In addition, the workforce is often the first line of defense. When the regulatory environment changes, organizations should ensure any new rules are communicated clearly and quickly to all relevant employees. This action could help prevent possible regulatory breaches and mitigate financial and reputational effects.


[1] See, for example, the SEC’s proposed rule requiring public companies to disclose carbon emission details, the EU’s European Sustainability Reporting Standards requiring similar disclosures and the EU’s new tax on “carbon intensive” imports.

Regulatory or Legislative Changes have risen one rank compared to our previous survey.

Source: Aon's 2023 Global Risk Management Survey

