Skip to content.

Secondary navigation

Get Your Demo

Why regulatory change is harder to manage today

Regulatory change is accelerating across sanctions, tariffs and global enforcement, making it harder for compliance teams to keep pace. This article explores how organizations can monitor regulatory developments, assign ownership and document decisions to maintain effective oversight. 

AI isn’t the only thing causing change for compliance teams. The once stodgy world of government regulations and enforcement has suddenly grown more dynamic than in any era most anyone could remember. 

The many changes include: 

  • A shift in emphasis in Foreign Corrupt Practices Act (FCPA) enforcement, with focus on individuals rather than corporations and the nexus with transnational crime 
  • Frequent changes to the sanctioned individuals and entities list 
  • A crackdown on fraud, especially in healthcare 
  • Surging tariffs and related enforcement efforts by a new DOJ task force 
  • Scrutiny of potential debanking for political reasons 
  • The rise of predictive markets and a newly announced crackdown by the Commodity Futures Trading Commission on insider trading in these markets
A modern building with a glass facade shows a brightly lit emergency staircase behind the windows on the right, contrasted by a cloudy sky on the left side of the image.

Regulatory change is accelerating across key risk areas

One particularly volatile area has been economic sanctions, which has seen nearly constant changes to the list of prohibited persons and entities. According to international trade attorney Matt Silverman, there have been over 30 separate actions and updates to U.S. sanctions since the start of the year. “That’s an average of two to three per week,” he noted. “And it doesn’t include sanctions relevant to other jurisdictions around the world.” 

To stay on top of these changing global sanctions regimes and respond accordingly, he recommends staying proactive, utilizing automated screening tools and maintaining a risk-based program that focuses on both the geographic location and ownership structures of parties involved in transactions. 

Doing so, he explains, requires proactive work on the part of trade compliance professionals in training functional groups such as Engineering, Sales, Human Resources and other stakeholders across the business that play a vital role in keeping their companies compliant. 

For tariff issues, coordination is also required, and there is great risk in leaving it to the supply or tax teams.

Modern building facade with vertical gardens. Numerous balconies adorned with lush green plants create a striking verdant pattern against the structured lines of the architecture. Glass railings and concrete elements contrast with the foliage.

Enforcement expectations are evolving

Looking more broadly, expectations for compliance programs have evolved considerably. Guidance out of the Department of Justice has elevated expectations for compliance teams to have robust data analytic capabilities, something few previously had. Compliance teams need to bring management tools to their programs to better assess their effectiveness. 

The focus out of Washington on voluntary self-disclosures also has the potential to significantly change the practice of compliance. While on the surface some may wrongly assume it means there is less to fear and less need for strong investment in compliance, the opposite is actually true. 

Daniel Wendt, partner at the law firm Honigman, notes that the enforcement environment is more stable than many expected in early 2025. Several executives have been convicted of FCPA violations in the last year, whistleblower programs continue to expand, and the Department of Justice continues to maintain compliance guidance and oversee enforcement activity across multiple legal regimes. 

“The environment is a lot more stable than many of us may have expected,” he said. 

He notes, however, that most companies are still not rushing to disclose issues under these changes due to the continued risk of investigation and prosecution. “For most companies, because disclosure is so burdensome and uncertain, the default is usually not to disclose,” he explained. 

At the same time, there are situations that may compel disclosure, particularly when legal or public reporting obligations are involved. Ultimately, the decision often comes down to whether leadership would be comfortable defending that choice if the issue became public later

Green and blue fiber optic cables glowing in the dark, creating a dynamic pattern of light streaks and dots against a blurred background.

Global complexity requires broader oversight

Given the amount of change and continued enforcement coming out of Washington, it is easy to focus on U.S. authorities. Yet, for global businesses that can be dangerously myopic. The EU, for example, tends to lead the U.S. in areas such as AI enforcement, data privacy and human trafficking. It, too, offers far from a static picture, recently rolling back some of its rules on reporting environmental sustainability. 

Compliance teams, as a result, need to take a more aggressive and broader-ranging approach to monitoring for legal and regulatory changes. Working with government affairs teams and in-house counsel, they need to ensure they are on top of changes from all governmental authorities. 

Once a change in regulations or law is identified, it’s critical to set up clear ownership of any activity required, whether that’s changing a policy, creating a new or different process, phasing out or quickly dropping certain customers and suppliers or providing training.

A modern building facade with alternating vertical green and translucent panels, and blue-tinted windows revealing office interiors. A green geometric shape is visible in the foreground on the right side.

Speed, coordination and ownership are critical

Surviving and thriving in this environment also requires embracing speed and a more fluid approach. That begins with risk assessment. Relying on an annual risk assessment process may no longer be sufficient for all industries. Those under increased scrutiny, such as healthcare and banking, will need to assess in close to real time how changing regulations affect their risk profile. It also requires working closely with the enterprise risk management team to ensure all parts of the enterprise are in alignment. 

From there, policies need to be harmonized with the overall risk profile, and the organization needs to embrace that policy changes are likely to occur with greater frequency. Compliance committees may need to either meet more frequently or adopt new mechanisms to manage changes.

A modern office with large windows showing a red brick building outside. Inside, a person sits at a desk with laptops, while another walks past. The room has a mix of industrial decor, white chairs, and a red rug.

Culture and guidance still matter

Simply relying on a robust process for change is still not enough since there will still, inevitably, be gaps and delays. To help manage this challenge, it’s essential that organizations continue to leverage their code of conduct. It should serve as a guide in turbulent times, helping employees better determine what they should or should not be doing, absent clear guidance on a specific issue. 

Achieving that objective requires continued reinforcement of the key messages in the code, as well as a commitment to making it a useful tool for employees, not simply a document buried somewhere on the corporate intranet. 

As longtime compliance officer Michael Sayne explains, a code of conduct is meant to be accessible and usable in real moments. “If we want it to be integral to the business, it has to be usable in real moments,” he said. “Clear, plain guidance that helps our teams understand what’s acceptable, what isn’t and when to stop and ask for help.” 

It should also reflect a visible commitment from leadership that doing the right thing is the priority in every decision.

Paramount, too, in this era is ensuring reports of wrongdoing are acted on properly. This begins with continuous monitoring of the helpline itself. Periodically test the helpline in all its forms, online, phone and email, to ensure responses are routed properly. 

Monitor for any changes in reporting, including spikes and dips. 

When an incident occurs, whether discovered by management or reported by an employee, time is increasingly of the essence. Ensure there are strong policies in place for promptly vetting any reports and how investigations should be conducted, and that the investigations team has the resources it needs. 

Deciding whether or when to self-report is a highly complex process involving multiple stakeholders, including the general counsel and leadership. 

“For most companies, because disclosure is so burdensome and uncertain, the default is usually not to disclose,” Wendt noted. 

At the same time, there are a variety of factors that may motivate or compel disclosure. In some cases, public companies may be required to disclose issues depending on the facts and regulatory implications involved. 

Ultimately, the decision often comes down to whether leadership would feel comfortable defending that choice if the issue became public later. If companies do not disclose, it is essential to ensure issues are fully addressed and remediated so that any decision is not perceived as a cover up. 

Throughout the process, be sure to document all the steps taken as well as what the decisions were and why the decision was made. People and memories change over time, and the documentation, done under privilege, can help ensure the organization can tell its side of the story as effectively as possible and prove its good faith efforts. 

Good faith is something that doesn’t change over time, nor should a commitment to the code of conduct. By combining these constants with a commitment to adjusting to change, an organization can move forward even while the ground under it may be shifting. 

About the author 

Adam Turteltaub is a recognized voice in ethics and compliance, with extensive experience helping organizations strengthen compliance programs and navigate evolving regulatory expectations. He serves as Chief Engagement and Strategy Officer at SCCE and HCCA. 

He also hosts the Compliance Perspectives podcast, where he speaks with compliance and risk leaders about real-world challenges, emerging trends and practical approaches to building more effective programs.

Frequently asked questions about regulatory change

  • What is regulatory change management?

    Regulatory change management is the process of identifying new regulatory requirements, assessing their impact, assigning ownership and documenting actions taken to maintain compliance.

  • Why is regulatory change difficult to manage?

    Because updates are frequent, span multiple jurisdictions and often require coordination across teams, making it difficult to assess relevance, assign responsibility and track follow-through.

  • What happens after a regulatory change is identified?

    Organizations must determine whether the change applies, assign ownership, update policies or processes and document decisions to ensure accountability and audit readiness.

  • Why is documentation important in regulatory change?

    Documentation provides a clear record of how decisions were made and helps organizations demonstrate good-faith efforts during audits, investigations or regulatory review.

Continue the conversation

To explore how compliance leaders are approaching regulatory change in practice, join our April 21, 2026 webinar, Managing Regulatory Change: From Monitoring to Defensible Oversight.

You may also like…

Ready for more? Check out our latest related articles.

See more on similar topics: