From reaction to readiness: How to stay ahead of the cycle of regulation


By Hol Thomas-Wrightson, 20 October 2025

The rate of regulatory change has never seemed so fast. Many organisations today find themselves scrambling to keep up with the pace, complexity or the sheer volume of change, let alone managing to stay one step ahead of it.

To help confront this uncertainty, in September 2025 ICA hosted a webinar on how compliance professionals can help their organisations prepare for regulatory change. Its purpose was to detail how compliance professionals can help shift the emphasis within their firms from reaction to preparation. Webinar host Roz Dixon-Burnett, Global Lead of GRC for ICA, was joined by panellists Paul Coady from ComplianceLnD and Ben Westwood from the Motor Insurers’ Bureau to discuss not only how to predict changes before they take place, but also the preparatory work needed to do so.

Keeping a weather eye

While we often talk about horizon scanning, Westwood started by establishing a clear definition to make sure everyone was on the same page.

He went on to explain the importance of having a repeatable, measurable methodology for rating incoming changes – for instance, completing a business impact analysis. This can be something as simple as a spreadsheet detailing the areas of the business that will be impacted and rating those impacts as high, medium or low. This also goes for those regulatory changes that are found, through this analysis, to be irrelevant. The very act of documenting that it’s been considered demonstrates to regulators that you’re proactively checking.

‘Regulators don’t want you to be guessing or lucky,’ said Coady. But it’s not just about a regulator’s specific requirements: pay attention to the context. Look at where those requirements are coming from and what’s driving them. Are they coming from jurisdictions that are outcome focused, or from ones that are specifically about meeting the letter of the law?

It’s important to remember that even if your organisation is not heavily regulated, it can still suffer the regulator’s ire. Many regulations have wide-scale application, such as the Data Use and Access Act and Economic Crime and Corporate Transparency Act. And even then, regulated and non-regulated firms often work alongside one another, and it’s not uncommon for regulated firms to expect a partner to have a similar level of regulatory maturity to their own.

Coady also warned of the risk of having too narrow a focus, especially if it hasn’t aligned with business changes. If your business has grown into new jurisdictions, markets and customer bases, you can’t expect your regulatory risk to have remained static, and failing to notice this can lead to a nasty surprise. 

Tips for embedding changes

Once a regulatory change has been recognised, Westwood and Coady had some key tips for ensuring the business responds properly and embeds that change into its processes.

Ownership and accountability of risk – a key message repeated by both panel members was clear: don’t blur the lines of defence. Compliance is on the second line. The first line of the business owns the risk, and it’s the compliance team’s responsibility to make them aware of those risks, not to take responsibility for dealing with them.  

‘If you can make the decisions and not face the consequences,’ Coady said, ‘we end up with a moral hazard.’ 

The balancing act – it’s important to remember that while meeting compliance regulations is an important part of doing business, it is not the business’ primary objective. Suddenly demanding budget be assigned and changes made by a set date is not going to win over stakeholders. Instead, make sure to look ahead, balance aims for the year against any changes, and build the compliance plan around the business plan to make sure they are working in tandem.

Build relationships – if the compliance team is only ever seen sporadically whenever something’s gone wrong, or when uncomfortable changes need to be made to ways of working, it’s unlikely to engender good will. By being visible, building relationships across teams and making sure members are known and recognised at all levels of the business, even an unpopular change has a much better chance of landing positively.

Personalise the message – part of this visibility is making sure that if a message needs to get out, it’s from someone that people know. This only becomes more important for larger organisations with multiple locations. Even if it’s the same core message that’s cascaded to local leads, an email from someone you’ve met or seen around the office is more likely to receive a warmer reception than if it comes from a distant stranger from head office.

Lost in translation – when you’re immersed in and surrounded by others who speak a particular language, it’s easy to forget that not everyone can speak it. Regurgitating a new act or regulation verbatim is useless if the person listening doesn’t know what it means. A huge part of the compliance professional’s job should be using their regulatory knowledge, combining it with their understanding of their stakeholders and how they do business, and then translating regulatory changes into real terms that mean something to them.

Tone from the top vs tone at the tills – we know the importance of tone from the top, but we can sometimes overlook the importance of making sure that people on the front line understand the changes, and know who to talk to for reporting issues.

Tailor the training – training needs to reach the right people, at the right time, in the right way. Do smaller changes require a meeting, a full training session or an e-learning course? Or can it just be conveyed in a clear, concise email? Does the whole business need detailed training, or does a change affect only a few key areas? Is your training actually teaching people what they need to know in a way that aids understanding, or is it an annoying box to tick as fast as possible that’s delaying someone’s day job?

It can sometimes feel like an uphill struggle to keep your footing in an ever-changing regulatory landscape. But by implementing ways of recognising the upstream changes ahead of time, analysing their potential impact, and communicating it clearly to the affected areas, businesses can start to move out of reaction and into readiness.

The full webinar From reaction to readiness: How to stay ahead of the cycle of regulation is available to ICA members via our Learning Hub.
