Enforcement risk is expanding, not narrowing.
That is the headline message from Hogan Lovells’ Global Bribery, Investigations and Enforcement Outlook 2026, which deliberately broadens the frame beyond bribery into the wider set of risks now travelling together: sanctions and trade controls, fraud, data privacy, ESG, supply chain due diligence, and technology-driven investigations.
What used to be a more narrowly framed Global Bribery and Corruption Outlook has now been expanded into the Global Bribery, Investigations and Enforcement Outlook 2026, published on 13 January 2026. The change is more than cosmetic. It reflects how enforcement actually works in 2026: bribery risk is still central, but it increasingly overlaps with fraud, sanctions and export controls, data privacy, ESG, and supply chain due diligence. Investigations are also moving faster, becoming more cross-border, and relying more heavily on data and technology.
The Outlook’s core message is that multinationals should expect more pressure, from more directions, with less tolerance for compliance that only exists on paper. Regulators are widening their focus, sharpening incentives for cooperation, and placing more scrutiny on the real-world effectiveness of corporate controls. That includes tougher expectations on third parties and subcontracting chains, a clearer focus on personal accountability, and growing attention on how organisations use AI in both compliance monitoring and internal investigations.
Here are five trends from the Outlook, and what they mean in practice.
1. Compliance programmes have to be “fully implemented” and continuously updated
The Outlook’s first takeaway is blunt: compliance programmes are now “non-negotiable”, and they need to cover multiple risk areas, not sit in silos.
That reflects how investigations actually unfold today. A bribery issue rarely stays as bribery:
- Third-party due diligence gaps turn into supply chain and ESG questions
- Payments and hospitality reviews raise fraud and books-and-records issues
- Cross-border data collection triggers data privacy and retention constraints
- Sanctions and export control questions appear as soon as geography is involved
What to do now
- Treat your compliance programme as a living system: regular risk refreshes, targeted training updates, and documented changes based on incidents, audit findings, whistleblowing, or sector enforcement trends.
- Build a single view of “business partner risk” that can serve anti-bribery, fraud, sanctions, and ESG due diligence without duplicating effort.
2. “Carrots for cooperation” are real, but only if you can move fast and show your working
A central theme is incentives for self-disclosure and cooperation, including deferred prosecution agreements (DPAs) and declinations.
This is especially relevant in the United Kingdom, where the Outlook highlights a more active corporate enforcement environment, led by the Serious Fraud Office and a stated presumption in favour of DPAs for self-reporting corporates.
The catch is that “cooperation” has become more operational than rhetorical. It typically means speed, preservation, clear remediation, and credibility on root cause.
What to do now
Pre-build a triage playbook:
- Who makes the self-report decision
- What evidence must be preserved immediately
- What “first 72 hours” steps look like
Run a table-top exercise that tests your ability to:
- lock down documents and devices
- pause high-risk third-party activity
- produce a coherent timeline and control narrative
- demonstrate remediation that is already underway
3. Expanding corporate liability and personal exposure are raising the stakes
The Outlook flags expanding liability and increased focus on individual accountability, including strict liability-style offences and senior manager attribution trends.
In the UK, the Hogan Lovells analysis points to two changes that materially raise risk:
- The Failure to Prevent Fraud offence (in force from 1 September 2025) increases expectations on “reasonable procedures” and creates strict liability exposure for in-scope organisations if fraud is committed for the company’s benefit.
- A senior manager attribution change under the same reform package makes it easier to attach corporate liability to senior management conduct, without a “reasonable procedures” defence.
What to do now
Make senior management ownership auditable:
- named control owners
- board reporting cadence
- tracked actions and decisions (especially where profit, growth targets, or third parties are involved)
Ensure your “reasonable procedures” evidence is real and current:
- risk assessment is documented and regularly revisited
- training is maintained, targeted, and measured
- monitoring exists and is capable of detecting circumvention
4. AI is reshaping compliance and investigations, and regulators expect you to keep up
The Outlook’s AI chapter frames AI as both opportunity and risk:
- Regulators in several jurisdictions are voicing an expectation that companies integrate AI into compliance programmes
- AI increases capability (monitoring, detection, review), but also creates new threats (AI-enabled fraud, cyber risks, deepfakes, data leakage)
- Governance and human oversight become non-optional, not “nice to have”
It also notes that enforcement expectations are shifting towards technology-enabled compliance.
What to do now
Define what AI is allowed to do in your compliance function (and what it is not):
- data types permitted
- approval requirements
- retention and audit logs
Treat AI outputs as investigatory leads, not conclusions:
- keep a human sign-off process
- document how decisions are made
Update fraud risk scenarios to include AI-enabled methods:
- impersonation requests
- deepfake audio/video approvals
- synthetic identity red flags
5. Third-party and supply-chain scrutiny is intensifying as ESG and anti-corruption converge
The Outlook is clear that anti-bribery and supply chain due diligence are becoming inseparable.
It points to evolving approaches in Europe, including:
- A growing trend towards integrating governance, anti-corruption, and human rights risks into supply chain due diligence, driven by emerging EU directives (such as the CSDDD) and national laws (like Germany’s LkSG), as well as increasing pressure from regulators.
- continued enforcement activity under national frameworks, such as in Germany (including enforcement by BAFA under the LkSG)
- targeted enforcement action in Italy using existing legal powers to address exploitation and supply chain issues in high-risk sectors
The practical point is not “add another questionnaire”. It is to build a single operating model where governance, anti-corruption, and human rights risks are assessed together.
What to do now
Build one business partner framework that covers:
- bribery and corruption indicators
- labour exploitation and forced labour risk
- sanctions and export control exposure (where relevant)
- ownership and control transparency
Create escalation routes that work across teams (procurement, compliance, legal, ESG), so red flags do not get lost in handovers.
A practical 2026 checklist for compliance teams
If you do nothing else, prioritise these actions:
- Refresh your risk assessment using current enforcement trends and your real incident data.
- Map your third parties and identify where subcontracting obscures risk.
- Stress-test “reasonable procedures” with evidence: what can you produce in a week if asked?
- Run a self-reporting table-top exercise: decision-making, preservation, investigation steps, and remediation plan.
- Tighten controls around approvals, payments, and incentives in high-risk regions and functions.
- Review investigation protocols for legal privilege and cross-border data handling.
- Add AI-enabled fraud scenarios to your training and controls programme.
- Put AI governance in writing for compliance and investigations: permitted tools, data rules, oversight.
- Align anti-bribery and ESG due diligence so risks are assessed together, not sequentially.
- Make board oversight visible: documented decisions, follow-up actions, and measurable outcomes.
