Most leaders meet "compliance" as a folder of policies someone in legal asks them to sign once a year. That framing is the problem. Compliance is not a binder; it is the live discipline of knowing which laws bind you, deciding how you will meet them, and being able to prove, to a regulator, a court, or your own board, that the system works in practice and not just on paper.

The quick version

  • The regulatory landscape is the full set of laws, rules and regulator expectations that apply to your business, and it varies by industry, by activity, and by every jurisdiction you operate in.
  • You cannot comply with everything equally, so start by mapping your obligations to your real risks: list the rules that could cause the most harm if breached, and build controls there first.
  • Regulators do not reward a thick policy manual. They ask whether your compliance programme actually works: is it well designed, is it properly resourced, and does it catch problems in real life?
  • The recurring failure is "paper compliance": documents that look complete and a culture that ignores them. The fix is ownership, escalation routes, and testing whether the controls bite.

The idea in depth: map the rules to the risk

The first honest thing to say about the regulatory landscape is that no leader holds all of it in their head. A mid-sized company can sit under company law, employment law, data-protection law, tax rules, sector regulators, anti-bribery statutes, consumer law, health-and-safety duties and competition rules at once, and each jurisdiction it touches adds its own layer. Trying to "be compliant with everything" with equal effort is how teams end up compliant with nothing that matters.

The discipline that cuts through this is risk-based. The phrase has a precise pedigree: the US Department of Justice's Evaluation of Corporate Compliance Programs guidance (updated September 2024) tells prosecutors to ask whether a company's programme is built around its specific risk profile, and states that a well-designed programme begins by examining a company's key risk areas closely, then implementing policies and controls aimed squarely at those risks. The same logic underpins the FCPA Resource Guide (2nd edition, 2020), which the DOJ and SEC use to assess anti-bribery programmes: tailor the effort to where the exposure actually is.

So the move is to build a one-page obligations map before you write a single policy. List your major activities, then against each one note the laws and regulators that apply, the jurisdictions, and, crucially, what happens if you get it wrong (a fine, a licence revoked, a director personally liable, a front-page story). Sort by that consequence; the rules at the top are where your scarce attention, controls and budget go first. The map is the difference between a programme aimed at your real exposures and one that polishes the trivial while the dangerous goes unwatched.

Regulators do not grade the binder. They ask whether the programme is well designed, properly resourced, and whether it actually works in practice.

An honest limitation. A risk-based map is a judgement, not a guarantee. You are betting on which obligations matter most, and you can be wrong: a "minor" rule becomes a crisis when an incident lands on it, or a regulator's priorities shift faster than your map. Prioritisation is the right default precisely because resources are finite, but it has to be revisited, not framed once and hung on the wall. Review the map when the business, the law, or the regulator's mood changes, which, for the rules that matter, is often.

Why "having the policy" is not the test

The most expensive misunderstanding in compliance is believing that a written policy equals a met obligation. It does not, and the bodies that judge these things have said so for decades. The US Sentencing Guidelines (Chapter 8, the "Sentencing of Organizations" rules first introduced in 1991) set out what an effective compliance and ethics programme requires: not just standards on paper, but governance and oversight, training, monitoring, a reporting channel, consistent enforcement, and genuine response when something goes wrong. The reward for clearing that bar is concrete: courts can substantially reduce penalties for an organisation that had a real, effective programme in place.

The DOJ guidance sharpens this into three plain questions a prosecutor asks of any compliance programme: Is it well designed? Is it adequately resourced and empowered to function? Does it work in practice? Notice what is missing from that list: nobody asks how many policies you have. A programme can be beautifully documented and still fail every one of those three tests if no one owns it, no one funds it, and no one acts on what it surfaces.

The fix is to stop measuring compliance by document count and start measuring it by behaviour. For each top obligation on your map, ask: who owns it by name? How would a breach get reported, and would the person who spots it feel safe doing so? When the last issue surfaced, what actually happened? If the answers are vague, you have paper compliance, and a thick manual will not save you in the room where it counts.

flowchart TD
  L(["The full regulatory landscape<br/>company, employment, data, tax,<br/>sector, anti-bribery, consumer, safety"]) --> M(["Map obligations to YOUR activities<br/>+ jurisdictions"])
  M --> R{"Sort by consequence<br/>of getting it wrong"}
  R -->|"High harm:<br/>fines, licence, liability"| H(["Build real controls first<br/>owner · monitoring · escalation"])
  R -->|"Lower harm"| W(["Lighter-touch controls<br/>review periodically"])
  H --> T(["Test that it works in practice<br/>not just that the policy exists"])
Compliance done well: narrow the whole landscape down to the obligations that can actually hurt you, then prove the controls bite. Leaders Loop

Who owns it: the three lines

Once you know which obligations matter, the next question is who is responsible for them, and the answer is usually "more people than realise it." A useful structure here is the Three Lines Model, published by the Institute of Internal Auditors (a 2020 update of the older "three lines of defence"). It separates three jobs that are easy to blur. The first line is the business itself, the people doing the work, who own the risks they create. The second line is the compliance, legal and risk functions that set policy, advise and monitor. The third line is internal audit, independent of both, which checks that the first two are actually doing their jobs.

The point of the model is that compliance is not something a small second-line team does to the business; it is owned first by the people closest to the risk, supported by specialists, and independently assured. When the front line assumes "compliance handles it" and compliance assumes the front line is following the rules, obligations fall into the gap between them, and that gap is where most breaches live.

In practice, that means assigning every top obligation a named first-line owner, not just a second-line policy author. The compliance team's job is to make the right thing easy and the wrong thing visible; it is not to personally guarantee that ten thousand transactions a day each follow the rules. (For how this connects to board-level oversight of risk, see board roles, committees & responsibilities.)

An honest limitation. The three-lines model is a clarifying lens, not a law of nature. Pushed too literally it ossifies into silos: a first line that offloads thinking to the second, a second line that polices rather than enables. The IIA's own 2020 revision exists partly because the rigid "lines of defence" framing was being applied mechanically. Use it to allocate ownership clearly; do not let it become an excuse for anyone to stop thinking about risk because it is "someone else's line."

A worked example

Take a fast-growing software company, call it Northvale, selling to customers across the UK, the EU and the US. (Illustrative figures and details throughout; this is a teaching example, not a real company.) Compliance, until now, has meant a shared drive of policy PDFs that new hires click through on day one. The general counsel, stretched across contracts and fundraising, treats the regulatory landscape as a list of fires to put out as they ignite.

Then two things happen in the same quarter. A sales team in a new market starts paying "facilitation fees" to speed up a government client's procurement, a textbook anti-bribery exposure. And a product team ships a feature that processes customer personal data in a way the company's own privacy policy never contemplated. Both were "covered" by a policy on the shared drive. Neither policy did anything, because nobody owned the obligation at the point the risk was created, and an uneasy salesperson or engineer had no safe route to raise a hand.

flowchart TD
  P(["A risky decision is being made<br/>'pay a facilitation fee to win the deal'"]) --> D{"Is the obligation owned<br/>+ is there a safe way to raise it?"}
  D -->|"No: policy on a drive,<br/>no owner, no escalation"| F(["Breach proceeds quietly<br/>→ regulator finds it first"])
  D -->|"Yes: named owner,<br/>clear escalation, no blame"| G(["Raised before it happens<br/>→ stopped or corrected early"])
The same decision under two systems: the difference between a programme that exists on paper and one that actually catches the breach. Leaders Loop

Now run Northvale through a risk-based, owned programme. The general counsel spends a day building the obligations map and finds that, of dozens of applicable rules, anti-bribery and data protection sit at the top: high harm, high exposure in its markets. Each gets a named first-line owner, a regional sales lead for bribery risk and a product lead for data handling, each trained on the few rules that apply to their work. There is a simple, no-blame escalation route, and the compliance lead reviews a short risk dashboard monthly. When the facilitation-fee question arises, the sales lead recognises it, raises it, and it is stopped before a payment is made. Same company, same temptation, but the system was built to surface the problem early rather than discover it in an enforcement letter. That is the entire game.

Frequently asked questions

What is the difference between a law, a regulation, and a regulator's expectation?

A law is passed by a legislature; a regulation is detailed rule-making made under the authority of a law, usually by a government agency; and a regulator's expectation is the guidance, codes and supervisory practice that signal how a regulator will actually apply those rules. All three bind you in practice, even though only the first two are strictly "the law." Treating published guidance as optional is a common and costly mistake; it is the clearest signal you have of what enforcement will look like.

How do we keep up when the rules constantly change?

You cannot monitor everything, so monitor what matters: assign someone to track changes for your top handful of obligations and your primary regulators, and review the map on a set cadence and whenever you enter a new market or launch a materially new product. The goal is not omniscience; it is to never be surprised by a change in the rules at the top of your risk map.

Isn't a thorough policy manual proof we're compliant?

No, and the official frameworks say so explicitly. The US Sentencing Guidelines and the DOJ's evaluation guidance both judge whether a programme is effective in practice, not how comprehensive the documents are. A policy nobody owns, follows, or enforces is evidence of intent at best and a liability at worst, because it shows you knew the rule and still did not meet it. Documents are necessary; they are nowhere near sufficient.

Who is actually responsible for compliance: legal, or everyone?

Both, in defined roles. Under the three-lines model, the business owns the risks it creates (first line), compliance and legal advise, set policy and monitor (second line), and internal audit independently assures the whole thing (third line). Compliance failures usually happen when the front line assumes the specialists have it covered and the specialists assume the front line is following the rules. Naming a first-line owner for each major obligation closes that gap.

This is general; where do we get advice specific to us?

Everything here is a way of thinking, not legal advice. The specific obligations, thresholds and penalties that apply to your business depend entirely on your industry and the jurisdictions you operate in, and they change. Use the obligations map to find your high-risk areas, then get qualified legal or regulatory advice on those; that is where professional help earns its fee, and where getting it wrong is most expensive.

Related in the Toolkit

The regulatory landscape sits on top of the day-to-day legal building blocks, the agreements you sign (contract fundamentals) and the rules that govern your people (employment law basics), and connects directly to how a board oversees risk.
