I love compliance. That probably makes me unusual (weird), I know. I’ve always believed compliance isn’t about red tape, but about creating environments where people feel safe to do their best work. Somewhere along the way, that belief stuck with me, and now I can’t help but see the world through a compliance lens.
At its best, compliance creates clarity. It gives people confidence in their decisions, reassurance that they are operating within safe boundaries, and the ability to focus on delivering value rather than second-guessing risk. When it works well, it is almost invisible, quietly underpinning everything from client interactions to internal processes.
The Solicitors Regulation Authority’s (SRA) thematic review of Compliance Officers for Legal Practice (COLPs), published in December 2025, really caught my attention. The review offers a candid look at how compliance roles are operating across the profession and the findings are both revealing and concerning.
Many COLPs are experienced, senior professionals, with 72% legally qualified for more than 15 years and 75% also owners of their firms. Yet only 44% felt their role was valued or acknowledged internally.
I’ve been in their shoes myself, and I’ve spoken to enough compliance leads over the years to know the reality: these are people who care deeply about doing the right thing but are often working within structures that make that almost impossible. They’re not failing; the system is.
On average, COLPs were able to dedicate just 26% of their working time to compliance duties, largely because they juggle multiple roles. This lack of protected time leaves predictable gaps. Breach logs go unfinished, training slips, decision-making lacks evidence, and firm-wide oversight becomes reactive rather than routine.
What do we mean by ‘compliance duties’?
This isn’t just policy writing or ticking boxes. It includes maintaining and reviewing risk assessments, overseeing anti-money laundering controls, ensuring staff training is up to date, documenting decisions, managing breach registers, responding to incidents, and evidencing that systems and processes are operating as intended.
It also means staying on top of regulatory change, advising leadership, and ensuring that governance frameworks are actually followed in practice.
When that entire scope is compressed into a fraction of someone’s working week, it is inevitable that corners are cut, not through negligence, but through capacity. The role becomes reactive by necessity, focused on immediate issues rather than building long-term resilience.
Is this just a legal sector problem? Absolutely not! Similar themes can be found in other regulated environments, such as financial services, insurance, and banking. Regulators worldwide have highlighted increasing pressures on compliance roles, technological weaknesses, documentation failures, and operational fragility.
In financial services, for example, compliance teams are often balancing complex regulatory frameworks such as anti-money laundering (AML), Know Your Customer (KYC), and financial crime prevention, all while managing high transaction volumes and evolving threats.
In insurance, compliance extends to underwriting governance, claims handling standards, and data protection obligations. Banking organisations face constant scrutiny around transaction monitoring, sanctions screening, and fraud prevention, all of which require robust systems and real-time oversight.
Across each of these sectors, the expectation is the same: controls must not only exist but be demonstrably effective. Yet the pressure to deliver this often sits with individuals who are navigating legacy systems, fragmented data, and competing operational priorities. The result is a widening gap between what is required and what is realistically achievable within existing structures.
Canada’s federal regulator, OSFI, for example, has published findings on system-wide stresses that mirror many of the structural challenges seen in UK firms. Likewise, FCA enforcement action against major UK banks, over £107 million in penalties, demonstrates that even large, well-resourced organisations struggle when onboarding, Source of Funds checks and ongoing monitoring are not supported by reliable systems and clear governance.
What is particularly telling is that these failures rarely stem from a lack of awareness. The requirements are well understood. The policies are usually in place. The breakdown happens in execution, where processes are inconsistent, systems don’t integrate, and accountability becomes blurred.
Across sectors, the pattern is the same: compliance breaks down when organisations rely on individuals working within fragile systems, unclear processes, and inconsistent tools. Good people cannot succeed in bad structures.
With all risks within businesses and organisations, tone is always set from the top. Compliance officers cannot carry organisational risk alone. Every leadership meeting I’ve ever sat in has had a moment where someone says, “We’ll sort that later.” In compliance, ‘later’ is exactly when problems start.
That mindset is often unintentional, but it is deeply embedded. Compliance is frequently viewed as something that sits alongside the ‘real work’ of the business, rather than being integral to it. It becomes a task to complete rather than a discipline to live by.
Whether it’s a COLP in a five-partner firm or a compliance lead in a small or medium-sized business, the story remains about good people trying to do the right thing, working against structures and processes that make it harder than it should be.
From obligation to rhythm: rethinking how businesses approach compliance
If the sector, or the wider UK business community, takes one lesson from this review, it is that compliance needs to move from being a role to being part of the firm’s rhythm – an everyday behaviour, not an emergency response.
Too often, compliance is triggered by events: an audit, a regulatory update, or worse, an incident. It becomes something that is revisited periodically rather than embedded consistently. This stop-start approach creates spikes of activity followed by long periods of inactivity, which is exactly where risk begins to build.
In contrast, organisations that treat compliance as part of their operational rhythm build it into everyday processes. Decisions are documented as they happen. Risk assessments are living documents rather than static files. Training is continuous rather than annual. Systems are monitored routinely, not just before an audit.
This shift doesn’t necessarily require more effort, but it does require a different mindset. It means recognising that compliance is not separate from operations; it is what allows operations to function safely, consistently, and at scale.
As leaders, we have a choice. Either we treat compliance as a cost or we see it as the backbone of trust. The SRA review makes clear which mindset creates safer, stronger firms. Compliance rises or falls with leadership. Embed it and the firm strengthens. Dismiss it and everything else becomes fragile. The tone is yours to set, so choose wisely.
If that makes me the odd one out for loving compliance, I’ll happily take it. Because the organisations that embrace it, not fear it, are the ones that thrive.
Good people cannot succeed in bad structures. It’s not just a compliance problem; it is a leadership problem. Across operations, IT, finance, HR, client care, and governance, the same truth applies: capable people fail when systems, processes, and priorities aren’t designed to support them. Strengthening those foundations is a leadership responsibility, not an individual burden.
And when those foundations are strong, compliance stops being something organisations struggle with and starts becoming something they rely on.