CCI staff share recent surveys, reports and analysis on risk, compliance, governance, infosec and leadership issues.
70% of chief legal officers handle functions beyond legal duties
Chief legal officers are increasingly taking on responsibilities outside their traditional legal roles, with 70% now managing at least two additional areas such as risk, compliance, privacy and ethics, according to new research from the Association of Corporate Counsel.
The organization’s 2025 survey, conducted in partnership with FTI Consulting, reveals that 58% of CLOs are heavily involved in mergers and acquisitions and other corporate transactions. Additionally, 44% view advising the CEO and shaping business strategy as their greatest organizational impacts.
The global study of 772 CLOs across 48 countries highlights growing challenges in the legal landscape, with 44% reporting increased litigation volume and 60% facing rising litigation costs.
“CLOs are key strategic business partners, their responsibilities beyond legal roles are growing, and they are assuming greater leadership across organizations,” said Veta T. Richardson, ACC president and CEO. “This is happening amid numerous internal and external challenges, such as a complex regulatory landscape, geopolitical instability and mounting budget pressures.”
Other key findings:
- Legal technology adoption is planned by 44% of CLOs in the coming year, with contract management being the primary focus for 62% of respondents.
- Industry-specific enforcement tops regulatory concerns for more than 70% of CLOs, followed by labor and employment issues at 37%.
- Legal departments plan to grow, with 30% expecting to increase lawyer hiring this year, a figure rising to 50% among larger companies.
- Cost increases for internal and external investigations were reported by nearly 30% of respondents.
84% of US corporate retirement plans contain regulatory or fiduciary violations
A comprehensive analysis of retirement plans has revealed that 84% of US-based corporate retirement plans have at least one regulatory or fiduciary violation that could expose companies to fines and legal penalties, according to new research from Abernathy Daley 401k Consultants.
The study, which analyzed Form 5500 filings for more than 764,000 plans, found that 43% of companies have major red flag violations that could lead to governance and compliance issues, while 76% show signs of fiduciary failure from either the plan administrator or plan sponsor.
Abernathy-Daley’s findings come as regulatory scrutiny intensifies, with the Employee Benefits Security Administration’s legal proceedings restoring nearly $1.4 billion to employee benefit plans, participants and beneficiaries in 2024.
“Plan sponsors and employees are not only overpaying for their retirement plans on a widespread scale; they are also being underserved and exposed to unplanned and potentially damaging legal, compliance and financial risks,” said Steven Abernathy, CEO of Abernathy-Daley, a consultancy specializing in 401(k) plan administration and employee education.
Other key findings:
- Plan violations fall into two categories, regulatory infraction red flags and egregious plan mismanagement red flags, potentially affecting over 600,000 American companies.
- Common violations include insufficient fidelity bonds, lack of qualified default investment alternatives and failure to transmit payments on time.
- Criminal investigations in 2024 resulted in 68 indictments and 161 convictions or guilty pleas from plan officials and corporate officers.
IIA releases cybersecurity assessment requirements for internal auditors
The Institute of Internal Auditors has released new requirements establishing baseline standards for how internal audit functions should assess cybersecurity governance, risk management and control processes within organizations.
The cybersecurity topical requirement is the first in a series of requirements aimed at providing consistent approaches to evaluating major risk areas. While the requirements don’t mandate specific audits, they establish frameworks for addressing priority risks identified in audit plans.
Requirements cover areas like organizational roles and responsibilities for cybersecurity objectives, risk management approaches for recurring cyber risks, and evaluation of internal control environments.
“While internal audit priorities naturally evolve, some key risks will remain consistently critical to organizations and their internal audit plans well into the future,” said Anthony Pugliese, president and CEO of the IIA, which serves more than 260,000 members globally.
Additional requirements in development will address third-party risk, business culture, business resilience and anti-corruption/anti-bribery. The requirements are developed by subject matter experts and global internal audit leaders, drawing on risk surveys and external trend reports.