
Five Compliance Challenges That Still Trip Up the Best-Run Programs

CLDigital


By Paul Gant, Head of Operations, EMEA

Even high-performing compliance teams feel the squeeze right now. Rules keep shifting across jurisdictions, third-party ecosystems grow more complex, and boards want proof, not promises, that controls work under stress. After spending the past year working with mature programs across financial services, healthcare, and critical infrastructure, I see the same five fault lines again and again. None of them signal “immaturity.” They’re simply where even the best programs struggle when regulation, technology, and business speed collide.

Below, I unpack those five challenges and the practices that consistently convert pressure into performance.

1) Regulatory change is outpacing operating models

The challenge. The volume and variety of change has moved from “busy” to “structural.” In Europe alone, the Digital Operational Resilience Act (DORA) entered into application in 2025 with concrete demands around ICT risk, incident reporting, advanced testing, and oversight of critical third-party providers. That’s not a one-off: it institutionalizes continuous capability.

Meanwhile, UK regulators (FCA/PRA) continue to embed their operational resilience regime: impact tolerances for important business services, mapping, and scenario testing, so that resilience moves from documents into daily operations.

Why good teams trip. Mature programs often have strong “policy drafting” muscles and good control libraries. Where they struggle is translation speed: getting from new expectation → mapped obligation → updated control → tested evidence across multiple jurisdictions and entities fast enough to satisfy supervisors and executives.

How to get unstuck.

  • Stand up a regulatory change cell (legal, compliance, risk, ops) with a 30/60/90 cadence that does three things: (1) prioritizes upcoming changes by business service; (2) maps each clause to control objectives; (3) assigns testing plans with owners and dates.
  • Treat mappings as products with version history, links to change notices, and retired/active flags; this creates the defensible audit trail supervisors expect under regimes like DORA.
  • Publish brief “what changed / so what / now what” memos to business service owners and the board after each triage cycle to keep leadership aligned to impact tolerances and deadlines.

2) Third-party and concentration risk: visibility isn’t the same as control

The challenge. Across sectors, disruptions now arrive from outside your four walls. DORA explicitly raises the bar on third-party oversight (including a framework for designating “critical” providers). US regulators took a similar step with the 2023 Interagency Guidance on Third-Party Relationships, which is now the baseline for banks’ end-to-end due diligence, ongoing monitoring, and exit plans.

It’s not just policy pressure. ENISA highlights how supply-chain attacks and provider-layer vulnerabilities escalate operational risk in ways ordinary questionnaires miss.

Why good teams trip. Even sophisticated programs collect robust questionnaires but don’t connect them to business service impact. They also under-invest in concentration risk (too many critical services riding on the same cloud/SaaS/vendor), and they rarely test realistic “supplier fails at the worst moment” scenarios.

How to get unstuck.

  • Build a live supplier–to–service map: for every important business service, list the material providers, the obligations you pass to them (contractual clauses, SLAs), and the fallback options. Tie each supplier to impact tolerances.
  • Operationalise the interagency life cycle: plan → due diligence → contract → ongoing monitoring → termination—and instrument each stage with evidence, not email.
  • Add continuous monitoring signals (breach/news feeds, financial health, performance telemetry) so tier-1/critical vendors get attention between annual reviews. Add concentration dashboards: “% of critical services with ≥2 viable providers.”
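The supplier-to-service map and the concentration figure described above lend themselves to a small, queryable data structure. The following is an added example, not code from this article or from CLDigital: it assumes a constructed map in which each important business service lists the capabilities it depends on and the material providers that can supply each one, and it derives single points of failure, the “% of critical services with ≥2 viable providers” dashboard figure, per-provider blast radius, and the “supplier fails at the worst moment” view for a named provider. All service, capability, and provider names are made up.

```python
from collections import defaultdict

# Constructed sample supplier-to-service map (illustrative, not real suppliers).
# service -> capability -> set of material providers able to supply that capability.
SERVICE_MAP = {
    "payments processing": {
        "cloud hosting": {"cloud-a"},
        "payment rails": {"rail-x", "rail-y"},
        "identity provider": {"idp-1"},
    },
    "market access": {
        "cloud hosting": {"cloud-a", "cloud-b"},
        "market data": {"feed-1", "feed-2"},
    },
    "clinical records": {
        "cloud hosting": {"cloud-b"},
        "identity provider": {"idp-1"},
    },
}

# Threshold behind the dashboard figure "% of critical services with >=2 viable providers".
MIN_VIABLE_PROVIDERS = 2


def single_points_of_failure(service_map):
    """Return {service: [capabilities with fewer than MIN_VIABLE_PROVIDERS providers]},
    omitting services that have no such capability."""
    spofs = {}
    for service, capabilities in sorted(service_map.items()):
        weak = sorted(cap for cap, providers in capabilities.items()
                      if len(providers) < MIN_VIABLE_PROVIDERS)
        if weak:
            spofs[service] = weak
    return spofs


def concentration_by_provider(service_map):
    """Return {provider: sorted services depending on it}: the blast radius of each supplier."""
    usage = defaultdict(set)
    for service, capabilities in service_map.items():
        for providers in capabilities.values():
            for provider in providers:
                usage[provider].add(service)
    return {p: sorted(s) for p, s in sorted(usage.items())}


def pct_services_with_alternatives(service_map):
    """Dashboard figure: share of services whose every capability has >=MIN_VIABLE_PROVIDERS."""
    if not service_map:
        return 0.0
    redundant = sum(1 for caps in service_map.values()
                    if all(len(p) >= MIN_VIABLE_PROVIDERS for p in caps.values()))
    return round(100.0 * redundant / len(service_map), 1)


def services_lost_if_provider_fails(service_map, provider):
    """'Supplier fails at the worst moment': services that lose a capability outright
    because the failed provider was their only option for it."""
    lost = []
    for service, capabilities in sorted(service_map.items()):
        if any(providers == {provider} for providers in capabilities.values()):
            lost.append(service)
    return lost


def concentration_dashboard(service_map):
    """One-shot summary suitable for a concentration dashboard or board pack."""
    by_provider = concentration_by_provider(service_map)
    return {
        "pct_services_fully_redundant": pct_services_with_alternatives(service_map),
        "single_points_of_failure": single_points_of_failure(service_map),
        "providers_by_blast_radius": sorted(by_provider.items(), key=lambda kv: -len(kv[1])),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(concentration_dashboard(SERVICE_MAP), indent=2))
    print("if cloud-a fails:", services_lost_if_provider_fails(SERVICE_MAP, "cloud-a"))
```

In practice the map would be loaded from the vendor register rather than hard-coded, and the provider-loss query is the natural seed for the scenario tests in challenge 5.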

3) “Sufficient and appropriate” evidence—every day, not just at audit time

The challenge. Auditors and regulators are aligned on a core idea: evidence must be reliable, relevant, and traceable to support conclusions about control effectiveness. PCAOB AS 1105 and ISA 500 remain the anchor texts here; both emphasise the nature and quality of audit evidence, not just volume.

Yet inspection reports in recent years (FRC, PCAOB, and global equivalents) continue to call out weak documentation and insufficient professional scepticism—particularly around going-concern judgments and management review controls. (Financial Times)

Why good teams trip. Many controls “work” operationally but leave shallow fingerprints: approvals in email, screenshots without system provenance, spreadsheets without lineage, or incomplete samples. The net effect is friction and findings—even when the control owner swears the control runs perfectly.

How to get unstuck.

  • Shift to anytime-audit posture: automatic logs of who changed what, when, and why; evidence stored with the control; and structured “test of design vs test of effectiveness” records.
  • Use computer-assisted audit techniques (full-population tests from systems of record) so you’re not defending sample choice when anomalies exist. (This aligns with the spirit of ISA 500’s relevance and reliability tests.)
  • Document judgment explicitly in management review controls: the criteria used, thresholds applied, exceptions raised, and follow-ups closed—this is where scepticism lives and where reviewers are most exposed. (Financial Times)
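One way to give a control the “who changed what, when, and why” trail and the immutable change log the bullets above call for is a hash-chained, append-only evidence log: each entry commits to the previous one, so an edited, deleted, or reordered entry is detected on verification. The following is an added example, not code from this article or from CLDigital. The control id, actors, evidence references, and timestamps are constructed, and the design/effectiveness and system/manual fields are assumptions about how a program would label its records; the integrity figure it computes corresponds to the “% of top controls with system-generated evidence” metric later in the article.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def _digest(record):
    """SHA-256 over the canonical JSON of a record, excluding its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ControlEvidenceLog:
    """Append-only, hash-chained log of control evidence. Each entry records who, what,
    when and why, whether it is a test of design or of operating effectiveness, and
    whether the evidence was system-generated or manually supplied."""

    def __init__(self):
        self.entries = []

    def append(self, control_id, actor, action, rationale, evidence_ref,
               evidence_source, test_type, timestamp):
        if evidence_source not in ("system", "manual"):
            raise ValueError("evidence_source must be 'system' or 'manual'")
        if test_type not in ("design", "effectiveness"):
            raise ValueError("test_type must be 'design' or 'effectiveness'")
        record = {
            "seq": len(self.entries),
            "control_id": control_id,
            "actor": actor,
            "action": action,
            "rationale": rationale,
            "evidence_ref": evidence_ref,
            "evidence_source": evidence_source,
            "test_type": test_type,
            "timestamp": timestamp,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        record["hash"] = _digest(record)
        self.entries.append(record)
        return record["hash"]

    def verify(self):
        """Return (True, None) if every entry's hash and chain link check out,
        otherwise (False, index_of_first_bad_entry)."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != _digest(rec):
                return False, i
            prev = rec["hash"]
        return True, None

    def evidence_integrity_pct(self):
        """Share of entries whose evidence is system-generated rather than manual."""
        if not self.entries:
            return 0.0
        system = sum(1 for r in self.entries if r["evidence_source"] == "system")
        return round(100.0 * system / len(self.entries), 1)


def build_sample_log():
    """Constructed entries for one management review control (illustrative only)."""
    log = ControlEvidenceLog()
    log.append("MRC-017", "a.reviewer", "approve",
               "Variance 1.8% within the 2% threshold; no exceptions raised",
               "gl://close/2025-Q3/variance-report", "system", "effectiveness",
               "2025-10-03T09:14:00Z")
    log.append("MRC-017", "b.owner", "update-threshold",
               "Threshold lowered from 2% to 1.5% after internal audit finding",
               "ticket://CHG-4412", "manual", "design", "2025-10-10T15:02:00Z")
    log.append("MRC-017", "a.reviewer", "approve",
               "Variance 1.1% within the revised 1.5% threshold; one exception closed",
               "gl://close/2025-Q4/variance-report", "system", "effectiveness",
               "2026-01-06T08:47:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify(), "system-generated:", log.evidence_integrity_pct(), "%")
```

The verification only detects tampering; it does not prevent it. Keeping the current head hash outside the log (exported to the assurance dashboard, or signed periodically) is what stops someone from rewriting the whole chain and recomputing every digest.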

4) Data lineage and reporting: great dashboards can mask weak plumbing

The challenge. Board, regulator, and public disclosures are only as good as the data pipelines under them. Banks learned this early through BCBS 239, which sets out principles for effective risk data aggregation and risk reporting—accuracy, completeness, timeliness, adaptability, and governance of data architecture. Many of those principles now apply well beyond banking. (Bank for International Settlements)

Why good teams trip. Reporting teams can build beautiful views; but without controlled lineage from system of record → transformation → report, you end up with recon breaks, “spreadsheet islands,” and manual adjustments that aren’t captured anywhere. When a supervisor asks, “How do you know this number is right?” the story can unravel fast.

How to get unstuck.

  • Treat risk data as a controlled asset: owners, dictionaries, quality rules, and known transformations. BCBS 239’s governance and architecture principles are an excellent checklist even if you’re not a bank.
  • Create evidence-aware reporting: every metric links back to its data sources and the controls that govern them (access, change management, reconciliations).
  • Measure data-quality SLAs (completeness, timeliness, reconciliation success rate). Escalate breaches the same way you’d escalate a failed SOX control, because the reporting is a control.
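The data-quality SLAs in the last bullet (completeness, timeliness, reconciliation success rate) and the lineage requirement from the bullet before it can be scored per reporting cycle and escalated when they dip below the 95% target the action plan sets later in the article. The following is an added example, not code from this article or from CLDigital: it assumes a constructed set of board-metric records, each carrying its owner, source systems, row counts, delivery time versus deadline, and the reported figure beside the figure recomputed from the system of record. The relative reconciliation tolerance and the record layout are assumptions; the metric names and values are made up.

```python
from datetime import datetime

SLA_THRESHOLD_PCT = 95.0   # the "95%+ timeliness/accuracy" target from the action plan
RECON_TOLERANCE = 0.001    # assumed relative tolerance before a reconciliation counts as a break

# Constructed sample reporting cycle (illustrative records, not real figures).
METRICS = [
    {"metric": "liquidity coverage ratio", "owner": "treasury-risk", "sources": ["ldw", "gl"],
     "rows_expected": 1000, "rows_received": 1000,
     "due": "2025-11-03T08:00:00Z", "delivered": "2025-11-03T07:40:00Z",
     "reported_value": 128.4, "reconciled_value": 128.4},
    {"metric": "open high-risk vendors", "owner": "third-party-risk", "sources": ["vrm"],
     "rows_expected": 250, "rows_received": 250,
     "due": "2025-11-03T08:00:00Z", "delivered": "2025-11-03T09:15:00Z",   # late
     "reported_value": 12, "reconciled_value": 12},
    {"metric": "incidents beyond impact tolerance", "owner": "", "sources": ["itsm"],  # no owner
     "rows_expected": 40, "rows_received": 37,                                  # incomplete
     "due": "2025-11-03T08:00:00Z", "delivered": "2025-11-03T07:55:00Z",
     "reported_value": 7, "reconciled_value": 9},                               # recon break
    {"metric": "control test pass rate", "owner": "controls-assurance", "sources": ["grc", "ci-logs"],
     "rows_expected": 500, "rows_received": 500,
     "due": "2025-11-03T08:00:00Z", "delivered": "2025-11-03T06:30:00Z",
     "reported_value": 97.2, "reconciled_value": 97.2},
]


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_metric(m):
    """Evaluate one metric against the four quality rules and list what it fails."""
    completeness = round(100.0 * m["rows_received"] / m["rows_expected"], 1)
    on_time = _ts(m["delivered"]) <= _ts(m["due"])
    tolerance = RECON_TOLERANCE * max(abs(m["reconciled_value"]), 1)
    reconciled = abs(m["reported_value"] - m["reconciled_value"]) <= tolerance
    lineage = bool(m["owner"]) and bool(m["sources"])
    failures = []
    if completeness < SLA_THRESHOLD_PCT:
        failures.append("completeness")
    if not lineage:
        failures.append("lineage")
    if not reconciled:
        failures.append("reconciliation")
    if not on_time:
        failures.append("timeliness")
    return {"completeness_pct": completeness, "on_time": on_time, "reconciled": reconciled,
            "lineage_documented": lineage, "failures": failures}


def cycle_scorecard(metrics):
    """Aggregate a reporting cycle into SLA figures, per-metric breaches, and the
    dimensions that must be escalated the way a failed control would be."""
    results = {m["metric"]: check_metric(m) for m in metrics}
    n = len(metrics)
    expected = sum(m["rows_expected"] for m in metrics)
    received = sum(m["rows_received"] for m in metrics)
    scorecard = {
        "completeness_pct": round(100.0 * received / expected, 1),
        "timeliness_pct": round(100.0 * sum(r["on_time"] for r in results.values()) / n, 1),
        "reconciliation_success_pct": round(
            100.0 * sum(r["reconciled"] for r in results.values()) / n, 1),
        "lineage_documented_pct": round(
            100.0 * sum(r["lineage_documented"] for r in results.values()) / n, 1),
    }
    scorecard["metric_breaches"] = {name: r["failures"]
                                    for name, r in results.items() if r["failures"]}
    scorecard["escalate"] = sorted(
        dim for dim, key in (("completeness", "completeness_pct"),
                             ("timeliness", "timeliness_pct"),
                             ("reconciliation", "reconciliation_success_pct"))
        if scorecard[key] < SLA_THRESHOLD_PCT)
    return scorecard


if __name__ == "__main__":
    import json
    print(json.dumps(cycle_scorecard(METRICS), indent=2))
```

The per-metric breach list is what goes to the metric owner; the `escalate` list is what goes up the same path as a failed SOX control, which is the point the bullet makes: the report is itself a control, so its quality failures need the same treatment.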

5) Operational resilience: designing tests that reflect how work really flows

The challenge. Across the UK regime and industry guidance, the direction of travel is clear: identify your important business services, set impact tolerances, map dependencies (including third parties), and run scenario tests that surface end-to-end weaknesses, not just IT failover steps.

Why good teams trip. Exercises are still too “tabletop,” too departmental, and too clean. Real incidents combine service overload, supplier failure, messy communications, and split decision-rights. Programs that test one dimension at a time miss systemic weaknesses.

How to get unstuck.

  • Build cross-functional scenarios anchored to a single important business service (payments processing, market access, critical clinical service). Include failure of the communications layer and the vendor you least want to lose.
  • Ensure every scenario yields control improvements and evidence (runbooks updated, contracts amended, telemetry added). Report deltas against impact tolerances to the board—shifting the narrative from compliance to capability.
  • Close the loop: after each test, log issues, owners, target dates, and link to a later re-test so the investigative work creates durable resilience.

Cross-cutting enablers that separate leaders from everyone else

  • Accountability frameworks that bite. The UK SM&CR regime remains a useful north star: clear responsibilities, conduct rules, and a documented “who owns what” map reduce ambiguity when controls fail and speed remediation when they do. Even outside the UK, the principle holds—make ownership explicit. (FCA)
  • A single control backbone. Unify control objectives, test scripts, evidence stores, and exceptions across risk, resilience, security, and compliance. If you’re mapping the same encryption or vendor-due-diligence control to five frameworks, do it once and reuse the evidence everywhere.
  • Continuous assurance. Blend control health, incident learnings, data-quality alerts, and supplier signals into rolling assurance dashboards. When supervisors ask for proof, you export; you don’t assemble.

Putting it together: a 90/180-day action plan

First 90 days

  1. Regulatory change cell. Catalogue the next three quarters of changes across your jurisdictions (DORA, NIS2, FCA/PRA resilience, ESG/CSRD, sector-specific rules). Prioritise by important business service and consumer harm potential.
  2. Third-party map. Produce a first-cut supplier–to–service dependency map with criticality tiers, single-points-of-failure, and exit options; align to interagency guidance steps.
  3. Evidence overhaul. Identify your top 20 management review controls and instrument them with structured approvals and source-linked evidence. Align to AS 1105/ISA 500 expectations.

Next 180 days

  1. Resilience scenarios. Run two end-to-end exercises per quarter that explicitly test a third-party failure against an impact tolerance. Log issues, retest to closure.
  2. Data lineage. Assign owners to your top 25 risk/board metrics. Document lineage and quality rules and set 95%+ timeliness/accuracy SLAs. Use BCBS 239 as your standard.
  3. Board reporting. Shift from narrative packs to decision dashboards with trend lines, thresholds, and the “what changed / action taken” summary for each domain (regulatory, controls, vendors, resilience).

Metrics that matter

  • Reg-change velocity: days from regulation issued → mapped obligations → updated control → test scheduled → evidence captured.
  • Vendor dependency risk: % of important business services with ≥2 viable suppliers; # of critical vendors under continuous monitoring.
  • Evidence integrity: % of top controls with system-generated evidence (vs. manual), % of controls with immutable change logs.
  • BCBS-style data quality: reconciliation success rate; % of board metrics with documented lineage. (Bank for International Settlements)
  • Resilience outcomes: # of scenarios run; # of issues closed vs. opened; delta to impact tolerances after corrective actions.

Compliance excellence in 2026 won’t be defined by who writes the best policy. It will be defined by who can prove, with clean evidence, dependable data, supplier realism, and end-to-end scenarios, that obligations are embedded in how work actually gets done. If these five challenges sound familiar, you’re not behind; you’re normal. The opportunity is to turn them into an advantage.

See how CLDigital 360 helps teams operationalize change, evidence, and resilience with a single control backbone, third-party mapping, and audit-ready trails designed for DORA, FCA/PRA resilience, and beyond.

Request a personalized walkthrough.
