The Future of Regulatory Change Management
- May 26
- 4 min read
Where this is going. AI, real-time obligation tracking, and what it means to build a true compliance capability.
Most organisations have a regulatory change management process. Very few have a regulatory change management capability. The difference between the two is bigger than it sounds - and it's where the future of this discipline is being decided right now.
The process view treats regulatory change as a series of tasks: monitor for updates, assess relevance, update policies, communicate to the business. Done well, it keeps firms out of trouble. Done poorly, it becomes a compliance exercise that consumes effort without delivering assurance.
The capability view is different. It asks a harder question: can you demonstrate, at any point in time, that a regulatory change was identified, interpreted, mapped into policy, connected to controls, communicated into the business, and monitored in a way that gives confidence to leadership and credibility to regulators?
That chain - from regulation through to proof - is where most programmes begin to struggle. And it's where the next phase of regulatory change management is being built.
The gap nobody talks about
Firms have invested heavily in the front end of regulatory change management. Horizon scanning tools. Alert services. Regulatory feeds. The identification problem, while not solved, is better understood than it was a decade ago.
The gap is further downstream. It sits between policy and proof.
A firm might do a reasonable job spotting a regulatory change. It might update the relevant policy. But can it show that the updated policy is actually implemented, operating as intended, and producing the outcome the regulator expects? Can it trace a line from the original regulatory text through to a specific control, a specific process, a specific piece of evidence?
For most organisations, the honest answer is no. Not because they aren't trying, but because the systems and processes that handle each stage of that chain aren't connected to each other. Regulatory change lives in one place. Policy lives in another. Controls live somewhere else. The evidence that everything is working as it should is assembled manually, under pressure, when someone asks for it.
That is not a sustainable model. And regulators are increasingly aware of it.
Why AI changes the conversation - but not the fundamentals
Artificial intelligence is already reshaping parts of regulatory change management. The ability to process large volumes of regulatory content, identify relevant changes, and surface connections across jurisdictions and frameworks is genuinely valuable - and it's improving rapidly.
But AI accelerates the analysis. It does not replace the governance.
This is a point worth sitting with. The organisations that are getting the most from AI in compliance are not the ones that have automated their way out of judgment. They are the ones that have used AI to free up human capacity for the work that actually requires it: interpretation, ownership, accountability, and the exercise of professional judgment in ambiguous situations.
AI can tell you that a regulation has changed. It cannot tell you what that change means for your specific business model, your specific risk appetite, or your specific relationship with your regulator. That translation - from regulatory text to operational reality - still requires people. What changes is how much time those people spend on the mechanical work that precedes it.
Real-time obligation tracking: from snapshot to living system
The traditional model of regulatory obligation management is essentially a snapshot. At some point in time, a firm maps its obligations, documents its controls, and files the result. That snapshot then ages - quietly, invisibly - as regulations change, business activities evolve, and the gap between documented obligations and actual requirements widens.
The direction of travel is toward something fundamentally different: a living system where obligations are tracked in real time, connected to the regulatory sources that create them, and updated as those sources change.
This is not a distant aspiration. The technology to support it exists. What has lagged is the organisational architecture - the decisions about how obligations are structured, who owns them, how change is managed, and how the whole system connects to the controls and processes that make obligations operational.
Firms that are building that architecture now are not just solving a current problem. They are building the foundation for a compliance function that can absorb whatever comes next - more regulation, faster change, greater complexity - without proportionally scaling the effort required to manage it.
Connected change across venues
For firms operating in exchange-traded and venue-dependent markets, there is a further dimension to this that generic compliance frameworks often miss.
Regulatory change is only part of the picture. Exchange-driven change - rulebook updates, fee schedule changes, margin methodology revisions, product specification updates - moves on its own timeline, governed by its own processes, and landing on desks that may not have the compliance instinct to treat it with the same rigour as a regulatory circular.
The firms that are ahead of this understand that regulatory change management and exchange rulebook management are not separate problems. They are two parts of the same challenge: maintaining a current, accurate, and connected picture of every obligation the firm operates under, wherever that obligation originates.
What true capability looks like
The organisations that will manage regulatory change most effectively in the years ahead share a common characteristic: they have stopped treating compliance as a cost to be minimised and started treating it as a capability to be built.
That means regulatory change and policy management belong together - not in separate systems managed by separate teams. It means the chain from regulation to policy to controls to evidence has to be connected, not assembled on demand. And it means AI is a tool that amplifies that capability - not a substitute for building it in the first place.
The gap between regulation, policy, control, process, and proof is where the real work of modern compliance lives. The firms closing that gap are not just managing risk better. They are building something that will become a genuine competitive advantage as the regulatory environment continues to evolve.
In our next piece, we take an honest look at the risks of AI in regulatory change management - and why getting this right matters more than moving fast.
Comments