The Regulatory Change Challenge: What Firms Keep Getting Wrong

Volume isn't the problem. It's the inability to know what's relevant, when, and to whom. And this is getting worse.

Ask most compliance leaders what keeps them up at night and they'll tell you: the pace of regulatory change. New rules, updated guidance, consultation papers, supervisory expectations - the flow is relentless.

But here's the thing. Volume isn't actually the problem.

Firms have always had to deal with a lot of regulatory content. The ones that manage it well aren't necessarily better resourced. They're better organised. The ones that struggle aren't drowning in regulation - they're drowning in noise, unable to quickly and confidently answer three simple questions: What's changed? Does it affect us? What do we need to do about it?

That inability is expensive. And it's getting more so.

What "Getting It Wrong" Actually Looks Like

Regulatory change failures rarely make headlines. They don't tend to look like a single catastrophic oversight. They look like this:

A regulatory update is published. It sits in someone's inbox, or in a monitored feed that nobody has time to review properly. By the time it's identified as relevant, the implementation window has narrowed. Teams are scrambling. Decisions are made under time pressure that should have been made carefully. Something gets missed - a control, a disclosure, an obligation that was technically in scope but didn't make it through the process.

Or worse: the update is spotted, assessed as not relevant, and filed away - but the assessment was wrong, because the person doing it didn't have full visibility of what the firm actually does across all its business lines.

Neither of these is a compliance team failure. They're process failures. They're the predictable result of managing regulatory change through a combination of manual monitoring, fragmented systems, and individual expertise that isn't consistently documented or shared.

The Relevance Problem

This is the crux of it. The hardest part of regulatory change management isn't finding the rules. It's knowing which ones matter to you.

A large financial institution might operate across dozens of markets, asset classes, and business lines. A single regulatory update from a single regulator might be relevant to three of those business lines, partly relevant to two more, and irrelevant to the rest. Getting that assessment right - quickly, consistently, and in a way that's auditable - is genuinely difficult.

Most firms approach it through a combination of regulatory horizon scanning (often manual, often lagging), subject matter experts who know their own area well but may not see across the organisation, and escalation processes that were designed for a slower-moving environment.

It worked, after a fashion, when the volume was lower and the pace was slower. It's increasingly inadequate now.

Why This Is Getting Worse

Three things are making the regulatory change challenge harder.

More regulators, more rules. The post-2008 expansion of the regulatory perimeter hasn't stopped. New frameworks, new supervisory expectations, and new reporting requirements continue to emerge across every major jurisdiction. The sheer number of sources firms need to monitor has grown significantly.

Faster timelines. Implementation windows are not keeping pace with the volume of change. Firms are being asked to absorb and operationalise more regulatory content in less time.

Greater complexity. Rules increasingly interact with each other. A change in one framework can have implications across several others. Understanding the second and third-order effects of a regulatory update requires a level of cross-framework visibility that most organisations simply don't have.

The result is a compliance function that is perpetually reactive - always catching up, rarely ahead.

The Cost of Getting It Wrong

The direct costs are visible: regulatory fines, remediation programmes, supervisory scrutiny. But the indirect costs are often larger.

Management time diverted to regulatory firefighting. Strategic decisions deferred because the compliance implications aren't clear. Talented compliance professionals spending the majority of their time on monitoring and triage rather than on analysis and advice. Opportunity costs that never appear in any risk register but compound quietly over time.

And then there's the reputational dimension. Regulators notice which firms are consistently ahead of change and which are consistently behind it. That perception shapes supervisory relationships in ways that are hard to quantify but very real.

What Better Looks Like

Firms that manage regulatory change well share a few characteristics. They have a clear, structured view of their regulatory obligations - not just at a point in time, but maintained and connected to the business activities they govern. They have defined processes for identifying relevant change, assessing impact, and routing it to the right people. And they have systems that support those processes rather than ones that the process has to work around.

None of this is simple. But it's also not mysterious. It's the result of treating regulatory change management as a core operational capability rather than a compliance overhead.

That shift in framing - from cost centre to capability - is where the conversation needs to start. The firms that have made it are measurably better placed to manage whatever comes next.

In our next piece, we walk through what a structured approach to this actually looks like in practice - and how SRB's platform is built around it.