What good regulatory change delivery actually looks like

Regulatory change is one of the most demanding things a financial institution can be asked to do. The obligation arrives from outside. The deadline is fixed. The consequences of getting it wrong are public and painful. And the organisation is expected to deliver it alongside everything else already in flight.
Most writing on this subject splits into two camps. Compliance professionals write about what the regulation requires. Programme managers write about how to run projects. Very few people write about what it actually takes to do both well at the same time.
I came to this subject from both directions. My Master of Laws, specialising in Fraud and Financial Crime, gave me a grounding in the legislative and regulatory frameworks that sit behind the obligations. My experience in the workforce, leading regulatory change programmes within large financial institutions over the last six years, has given me a practical understanding of what it actually takes to deliver against them.
That combination shapes how I think about this work. The law matters. So does delivery. And the gap between understanding an obligation and implementing it effectively is where most programmes either succeed or fail.
What follows is an honest account of what good regulatory change delivery looks like in practice, and why so many programmes fall short of it.

The regulatory pipeline is not slowing down.

Before getting into delivery, it is worth understanding the environment in which these programmes operate.

Global financial regulation shifted from fragmentation to localisation in 2025, as national regulators rewrote rules to match domestic growth and competitiveness goals. For financial institutions, this means managing a constantly changing, increasingly complex mix of obligations across multiple jurisdictions.

The UK's ninth Regulatory Initiatives Grid, published in December 2025, set out 124 live initiatives. That is an enormous volume of change for regulated firms to absorb and implement.

The organisations that manage this environment well are not the ones with the most resources. They are the ones that have figured out how to deliver regulatory change systematically, with a clear method, the right people, and a genuine understanding of what they are trying to achieve.

Why regulatory change programmes fail

In my experience, regulatory change programmes fail for a consistent set of reasons.

The first is that the problem is not understood properly before the solution is designed. Regulatory obligations are read, a project is stood up, and work begins. But the gap between what the regulation requires and what the organisation actually does is rarely mapped in sufficient depth before the scope is set. That leads to a scope that is too narrow, too broad, or misdirected.

The second is a rush to a solution. Pressure to show progress leads teams to jump to implementation before the requirements are genuinely clear. In regulatory change, this is particularly dangerous; the cost of rework is not just time and money, but also the risk of missing a regulatory deadline or delivering a control that does not meet the obligation.

The third is that decisions do not get made. In large organisations, the combination of risk aversion and unclear accountability means that difficult questions get escalated, workshopped, and deferred. Nobody wants to make a call that turns out to be wrong. The result is that programmes slow to a crawl exactly when they need to move fastest.

The fourth is that compliance and delivery operate in separate lanes. Legal and compliance teams understand the regulatory obligation but may not know how to translate it into operational change. Programme teams know how to run projects but may not fully understand the regulatory intent behind what they are building. When these two functions do not work closely together from the start, the programme delivers something that is either non-compliant or unworkable in practice. Sometimes both.

What good actually looks like

Good regulatory change delivery is not complicated in principle. It is difficult in practice because it requires discipline, clarity, and genuine collaboration across functions that do not always work well together.

Start with the obligation, not the solution. Before any work begins on design or delivery, the regulatory requirements need to be understood properly. What is the obligation? What does compliance actually look like in practice? What is the gap between the current state and the required state? This is not a compliance team exercise handed over to a project team. It is a joint exercise, done together, before the scope is fixed.

Fix the scope and hold it. Regulatory change programmes suffer more from scope instability than almost any other type of programme. New requirements surface mid-delivery. Stakeholders want to expand what is being built. A clear scope, agreed at the outset and governed carefully, is the single most important structural decision a programme makes. That does not mean the scope never changes. It means changes go through proper governance rather than accumulating quietly until the deadline becomes impossible.

Design with the end state in mind. The goal is not to pass an audit. It is to build a control environment that operates effectively and can be evidenced over time. Controls that are manual, inconsistent, or dependent on individual knowledge will degrade. Controls that are embedded in systems and workflows, with clear ownership and monitoring, will endure.

Build in a pathway for the next change. Regulation does not stand still. Designing with that in mind, building flexibility into systems, documenting decisions clearly, and maintaining a live view of regulatory requirements, is the difference between an organisation that adapts efficiently and one that has to rebuild from scratch every time.

Use the right delivery framework for the work. Some obligations are straightforward: a new disclosure requirement, a change to a policy. These can be delivered in a simple linear way. Others are complex, iterative, and uncertain — a new customer risk framework, a system-level change to transaction monitoring. These benefit from a more adaptive approach with shorter delivery cycles, frequent review points, and a willingness to adjust course as understanding develops.

The mistake organisations make is applying the same methodology to everything. Different types of regulatory change need different delivery pathways. The best programmes are explicit about which pathway they are on and why.

The role of the programme manager

In regulatory change, the programme manager's role is more demanding than in most other delivery types. They need to understand the regulatory environment well enough to have a credible conversation with compliance and legal colleagues. They need to understand the organisation's systems well enough to translate requirements into workable solutions. And they need to manage upwards effectively, keeping sponsors informed, escalating decisions that need to be made, and maintaining momentum when the programme hits the inevitable obstacles.

The best regulatory change programme managers I have worked with are genuinely curious about the subject matter. They read the regulation. They ask questions in the compliance workshops. They understand why a control is being built, not just that it needs to be built by a certain date. That engagement makes them more effective at scope management, stakeholder management, and problem-solving when things go wrong.

Compliance as an opportunity

Regulatory change programmes are almost always also process improvement programmes, whether or not the organisation treats them that way.

The requirement to implement a new customer due diligence process forces an organisation to look hard at how it currently onboards customers, manages risk ratings, handles exceptions, and documents decisions. In most large organisations, those processes have evolved over the years into something manual, inconsistent, and hard to audit. A regulatory change programme that uses the obligation as a catalyst to redesign those processes properly will come out the other side with something genuinely better.

That outcome does not happen automatically. It requires a programme team thinking about the end state, not just the deadline. It requires sponsors willing to invest in getting it right rather than just getting it done.

The FCA's five-year strategy, set out in March 2025, signals that firms that demonstrably do the right thing should expect a more proportionate, more predictable regulatory relationship. Regulators are not looking for organisations that tick boxes. They are looking for organisations that can show their controls work and that good practice is embedded in day-to-day operations. A well-delivered regulatory change programme is the most direct route to that outcome.

A final thought

Regulatory change is one of the few areas where compliance expertise and delivery expertise are equally important and genuinely interdependent. Organisations that treat them as separate functions will consistently underdeliver. Organisations that integrate them from the outset, with a shared understanding of the objective, a clear delivery framework, and genuine accountability for outcomes, will consistently outperform.

That is not a complicated idea. But it requires deliberate effort to make it happen in practice. And in my experience, it is where most of the value in regulatory change delivery is either captured or left on the table.