Are these statistics free to cite?

Yes. These figures are compiled from public reports by the original research organizations. Each statistic on this page links to its primary source so you can cite the original. When you reference a number, attribute it to the source listed, not to RiskWatch.

How current are these numbers?

This page was last updated in June 2026 and draws on the most recent published editions available, including the IBM Cost of a Data Breach Report 2025, the Verizon 2025 Data Breach Investigations Report, the 2024 AICPA and NC State State of Risk Oversight, and the 2026 Regology State of Regulatory Compliance Survey. We refresh figures as new editions publish.

Why does the page note sample sizes and survey sources?

Because provenance matters. Some figures come from large analyst datasets, others from practitioner surveys with stated sample sizes. We label each so you can judge the weight of the number. The cost-of-non-compliance multiplier, for example, is from a 2017 study and is marked accordingly.

What is the single most important number here?

For most teams it is the spreadsheet figure: more than 80% of compliance teams still run their program primarily on manual workflows and spreadsheets. The risk-oversight data tells the same story, that formal programs have not kept pace with rising risk. The gap between manual tracking and a managed program is where most of the cost and exposure on this page lives.

Free resource

14 risk and compliance statistics for 2026

A curated, fully-sourced set of risk, compliance, cybersecurity, and physical-security statistics for 2026. Every figure carries a primary source and year.

See the platform Try the ROI calculator

The short version

What the data says about risk and compliance in 2026

Risk and compliance statistics are the published numbers that describe how organizations manage regulatory obligations, enterprise risk, cybersecurity exposure, and physical security. The throughline across the most recent reports is simple: the majority of teams still run these programs in spreadsheets, formal programs have plateaued, and third-party exposure is climbing. Every figure below links to its primary source.

Last updated June 2026. 14 statistics, every one sourced. Free to cite with attribution to the original source.

Compliance management

Most compliance programs still run on the tool they started with: a spreadsheet.

80.9%

of compliance teams still rely primarily on manual workflows and spreadsheets to manage their regulatory obligations.

Source: Regology, 2026 State of Regulatory Compliance Survey (n=204), 2026

57.8%

of compliance teams operate with five or fewer compliance professionals.

Source: Regology, 2026 State of Regulatory Compliance Survey (n=204), 2026

2.71x

is how much more non-compliance costs organizations than maintaining compliance ($14.82M vs $5.47M average).

Source: Ponemon Institute & GlobalScape, The True Cost of Compliance (n=53), 2017

Enterprise risk management

Risk complexity keeps rising, but formal risk programs have plateaued.

37%

of organizations report having a complete, formal enterprise risk management process in place.

Source: AICPA & NC State ERM Initiative, 2024 State of Risk Oversight, 15th ed. (n=377), 2024

30%

rate their organization's overall risk-management oversight as mature or robust.

Source: AICPA & NC State ERM Initiative, 2024 State of Risk Oversight, 15th ed. (n=377), 2024

net change: complete and formal ERM processes are about as common today as they were five years ago, despite a decade of rising interest.

Source: AICPA & NC State ERM Initiative, 2024 State of Risk Oversight, 15th ed., 2024

Cybersecurity and third-party risk

Breach costs eased as containment improved, but third-party exposure is climbing fast.

$4.44M

is the global average cost of a data breach, down 9% from $4.88M the prior year as AI-assisted defense sped up containment.

Source: IBM, Cost of a Data Breach Report 2025, 2025

30%

of breaches involved a third party, double the share from the prior year.

Source: Verizon, 2025 Data Breach Investigations Report, 2025

44%

of breaches involved ransomware, up 37% year over year.

Source: Verizon, 2025 Data Breach Investigations Report, 2025

34%

increase in exploitation of vulnerabilities as an initial access vector for breaches.

Source: Verizon, 2025 Data Breach Investigations Report, 2025

12,195

confirmed data breaches were analyzed in the 2025 DBIR, drawn from more than 22,000 security incidents.

Source: Verizon, 2025 Data Breach Investigations Report, 2025

Physical security

Threats to people and critical infrastructure remain a board-level concern.

458

U.S. workplace homicides in 2023, part of 740 fatal work injuries caused by violence by persons or animals.

Source: U.S. Bureau of Labor Statistics, Census of Fatal Occupational Injuries, 2023

~1,700

physical-security incidents against the electric grid were reported to the E-ISAC in 2022, up 10.5% from 2021.

Source: NERC Electricity Information Sharing and Analysis Center (E-ISAC), 2022

175+

physical attacks or threats against U.S. grid infrastructure were reported in 2023.

Source: U.S. Department of Energy, 2023

A note on sourcing: figures on this page are drawn from the publishing organizations named above. Some are large analyst datasets (IBM, Verizon), others are practitioner surveys with stated sample sizes (Regology, AICPA and NC State). We label provenance and year so you can weigh each number, and we flag older studies. If you spot a figure that has been superseded by a newer edition, tell us and we will update it.

FAQ

Frequently asked questions

Move off the spreadsheet

Turn these numbers into a managed program

RiskWatch runs risk, compliance, and physical-security assessments across 40+ frameworks in one platform. Start a free trial or request a quote.

Start free trial Book a demo

No credit card required · 30-day free trial · Cancel anytime