As organisations plan for the year ahead, the risk landscape is becoming more complex and fast moving than ever before. Horizon scanning can no longer be considered an optional exercise. It is a practical and essential tool to help business leaders anticipate both risks and opportunities, and to make informed decisions.
This horizon scanning article sets out some of the key risks for 2026 already visible across many sectors.
Building a resilient business
Effective horizon scanning is crucial to building a resilient business. Our Disputes Group explored this topic at our recent conference, led by an expert panel of business leaders.
One of the key routes to building a resilient business is ensuring you identify and plan for as many risks as possible, working with all parts of the business to understand where vulnerabilities might exist. There are inevitably risks that cannot be foreseen. But a resilient business will strive to be equipped to deal with the consequences of an unforeseen adverse event. Those can be dealt with if the right culture and processes are in place, building resilience from the bottom up and engaging all parts of the organisation.
Our short paper summarising these and other learnings from the event is here.
Regulatory change
In a constantly evolving regulatory landscape, it is more important now than ever that businesses stay ahead of legal change and assess their own practices to minimise the risks of enforcement action. The UK has strengthened its enforcement landscape, meaning greater activity and scrutiny from agencies should be expected.
2025 saw the CMA announce the first of its investigations under its significantly strengthened fining powers, with a major focus on pricing and sales practices. This underlines the significant exposure for consumer-facing businesses under the Digital, Markets, Competition and Consumer Act 2024. The new enforcement regime represents a stark change and underlines the need for such businesses to proactively review their practices and assess compliance with the new rules to minimise the risk of enforcement action. Businesses also need to continue to monitor policy and legislative developments closely as there remains scope for additional new rules to be added.
Separately, the UK sanctions regime continues to evolve in response to geopolitical developments and enforcement priorities, with a focus on expanded sanctions targets destinations, refined regulatory frameworks and clarified compliance expectations. We recently provided a brief sanctions update on key changes, new guidance and recent enforcement. The fast pace of change for sanctions shows no sign of slowing, with the possibility of increased civil monetary penalties on the horizon.
Environment
Climate related litigation remains a key risk for businesses across a wide range of sectors. This risk has been heightened by the possible introduction of an ‘opt-out’ regime for civil claims in Scotland. Whether it’s an activist organisation or stakeholder group challenging a failure to meet climate commitments, including so-called ‘greenwashing’ claims, or communities that have been exposed to incidents relating to climate change, an ‘opt-out’ group action regime will make it easier to bring large-scale claims in Scotland. We discussed the possible regime and its impact on the risk landscape in our recent insight.
The environment and sustainability remain key drivers in procurement and tendering, making remaining compliant a priority for 2026. Keeping pace with regulatory changes is key to managing corporate risks associated with environmental issues.
2025 saw the next stage of the Extended Producer Responsibility scheme on packaging come into force, requiring relevant businesses to not only collect data and report on packaging waste but also to cover packaging waste costs. Businesses should understand if the regulations apply to them and what is required to ensure compliance and avoid enforcement action.
Scotland also saw the changes to controlled activities regulation (water, waste management, and industrial activities), coming under the Environmental Authorisation (Scotland) Regulations 2018 from 1 November 2025, introducing a more streamlined approach to regulation, and bringing together processes for authorising and enforcing activities that may impact the environment.
Environmental issues remain on the domestic political agenda too. The Scottish Parliament is hearing evidence on the Ecocide (Scotland) Bill, which creates the criminal offence of ecocide, defined as the intentional or reckless causing of severe environmental harm, and would enable both organisations and individuals to be convicted.
Data and cyber
We will continue to see lots of change in the data, AI and cyber sphere over 2026. The Data (Use and Access) Act 2025 will be fully brought into force this year, which in particular could result in organisations seeing an increase in data protection complaints, as well as higher penalties for direct marketing and cookies breaches.
The new Cyber Security and Resilience (Network and Information Systems) Bill introduced in Parliament at the end of last year will also be debated and likely passed. This will expand the scope of the existing Network and Information Systems Regulations 2018 and introduce stricter incident reporting obligations for those organisations in-scope (including key suppliers).
Sign up to our upcoming webinar on 27 January 2026 to hear more about these and other upcoming changes in 2026.
Artificial intelligence (AI)
The integration of AI into the delivery of professional services presents exciting opportunities for professional services firms to drive efficiencies for clients. But as with many exciting opportunities, AI has its limitations and associated risks for both clients and their professional advisers. We expect that its increasing use is likely to provide fertile ground for regulatory complaints and negligence claims against professionals in years to come.
We discussed the use of AI and its impact on professional duties in the first part of our series of insights on the topic. In the coming months, we will issue some further instalments in this series, looking at insurance issues and professional privilege issues arising from the use of AI. Watch this space!
Fraud
Geopolitical tensions, supply chain disruption, global conflict, and new and emerging tech coupled with enhanced regulation create a perfect storm for fraud and other economic crimes to remain a significant corporate risk in 2026.
Legally, fraud is considered as a “machination or contrivance to deceive”. At a practical level, it typically involves persuading someone to do something that they don’t want to do – usually in connection with the transfer of money or property. An obvious example is Authorised Push Payment (or APP) frauds, involving persuading someone to voluntarily instruct their bank or financial institution to transfer funds to the fraudster.
The routes taken by fraudsters to persuade victims to take such steps are becoming increasingly sophisticated (often now involving the use of tech and AI). Fraudsters seeking to persuade companies to make payment of invoices to “new” bank account details is nothing new and businesses are typically alert to sudden changes to payee details and often have protocols in place to verify them. However, it is now becoming increasingly common for fraudsters to seek to build longer term relationships (for instance posing as an account manager at a key supplier) over sometimes several months or years, during which time trust is established, allowing the fraud to subsequently be perpetrated at a later date.
Similarly, fraudsters are becoming increasingly adept at triggering plausible reasons for, for instance, a call from your bank (for example triggering a lockdown of accounts by repeatedly entering the wrong password) and even misrepresenting the telephone number from which they are calling. At the same time, they are using more sophisticated techniques for fishing for personal information, which they will then use to further support the impression that the call is genuine.
It is worth remembering, however, that, at its heart, fraud is often straightforward and, notwithstanding the increasingly sophisticated approach taken by fraudsters, can continue to be prevented by taking relatively simple, vigilant steps to ensure resilience: such as always seeking confirmation of the introduction of new relationships and ensuring that contact involving financial movements is always instigated by you.
Failure to prevent fraud offence
In the UK, the failure to prevent fraud offence is fully in force which raises expectations on compliance and controls to mitigate fraud risks. We expect to see the regulators use the enforcement tools at their disposal and for investigations to progress more quickly than they have in the past. With the SFO publicly expressing a keenness to prosecute the new failure to prevent fraud offence, enforcement activity is a real risk.
That risk may be lower for organisations committed to strong governance and who have taken steps to ensure having “reasonable procedures” in place to prevent fraud but still cannot be ignored. It is worth remembering that the senior manager attribution rule has been in force since 2023, making it easier to hold companies directly liable for actions of senior managers, including fraud. That rule has no defence of “reasonable procedures”. We expect organisations who have not already done so to complete any review of fraud risks and mitigation measures and expect to see more internal investigations to map risks and inform any engagement with authorities. With the UK’s new Anti-Corruption Strategy launched in December 2025 there is now an overarching framework for wider enforcement, and we expect activity generally to continue to increase.
People
The Employment Rights Bill finally received Royal Assent on 18 December 2025, formally becoming law as the Employment Rights Act 2025. It will usher in a wide-ranging programme of significant changes of critical importance to employers. These reforms will have far-reaching implications for workplace practices, compliance, and risk management, making it essential for employers to understand what lies ahead. We recently set out a clear practical breakdown of the key changes together with a detailed roadmap.
In addition to the wide-reaching changes introduced by the Employment Rights Act 2025, artificial intelligence is also an emerging risk area for employers, particularly where it is used in recruitment, workforce management and decision-making. Its use can raise significant employment law issues, including discrimination, transparency and data protection risks, making it an important issue for employers to have on their radar in the year ahead. We previously touched on some of these risks and trends, along with guidance on best practice.
Investigations
All of the areas of risk identified above can give rise to allegations of wrongdoing against a business and/or the individuals within it. When such allegations arise, an investigation can be an effective means of establishing the facts, determining next steps and demonstrating to internal and external stakeholders that the business has taken the matter seriously. The use of such investigations as a tool to manage risk has increased significantly in recent years, and we expect this trend to continue into 2026. There have been many recent examples of high profile investigations across all types of businesses and sectors, from politics, to sport, to financial services. Where these are handled well, they represent a very effective way of demonstrating that a matter has been dealt with appropriately, but if they are not designed and managed carefully from the outset they can also be counterproductive and have a detrimental impact on the company’s credibility and culture. Best practice in this area continues to evolve.
Conclusion
As we begin 2026, the pace of change across the risk landscape reinforces the need for organisations to proactively identify the risks posed to their businesses. Regulatory reform, environmental accountability, AI advancements and evolving people risks are just some of the risks which must be addressed now. In many cases, risks will not exist in isolation, further increasing the likelihood of disputes and enforcement action. Time spent now in identifying and understanding the risks relevant to your organisation, and embedding a strong risk aware internal culture will ensure it is in the best possible position to respond when risks do manifest, both those which can be planned for and those unforeseen. If you would like to discuss any of the issues raised above, do not hesitate to contact your usual Burness Paull contact or one of the contacts listed below.
Save the dates
Our spring risk conferences will take place in Edinburgh on 18 March and in Glasgow on 19 March, covering the key risks for businesses in 2026 including fraud, climate change litigation and class actions and the Employment Rights Act. Invitations will be issued shortly, and places will be limited – please keep an eye out for the email.
We will also shortly be opening registration for our property risk conference taking place in Aberdeen on 5 March and in Edinburgh on 23 April. This morning seminar will bring together legal and industry insight on the key risks and opportunities shaping the commercial property sector including business rates, EV charging and infrastructure, planning risk, green leases, greenwashing, and dilapidations.
Written by
Related News, Insights & Events
Error.
No results.
Supreme Court overturns Court of Appeal on termination for repeated default under JCT contract
22/01/2026
In this article, we consider the Supreme Court’s decision overturning the Court of Appeal on contractor termination rights under clause 8.9 of the JCT Design and Build Contract.
Professional negligence case law round up 2025
21/01/2026
This article looks back on a busy year in the professional negligence sphere, marked by a number of published judgments over the past 12 months, new legislation, and developments in the use of AI.
The risk landscape in 2026: A horizon scan of what lies ahead for business leaders
19/01/2026
This horizon scanning article sets out some of the key risks for 2026 already visible across many sectors.
{name}
{properties.pageSummary}
{properties.eventName}
{properties.pageDate|date:dd/MM/yyyy}{properties.shortDescription}
{properties.headline}
{properties.pageDate|date:dd/MM/yyyy}
{properties.shortDescription}
