Agile Ideas

#182 | Capability and Regulation: Why Compliance Keeps Failing - Capability Unboxed Mini Series (powered by CIAB+) Part 6


Capability Unboxed Mini Series (powered by CIAB+) #6

Organisations invest heavily in compliance frameworks, policies, and controls. So why do regulatory failures keep happening?

In this episode of Capability Unboxed, Fatimah Abbouchi explores a critical but often overlooked truth: compliance doesn’t fail because of poor documentation — it fails because of weak underlying capability.

Across regulated industries, organisations build extensive control frameworks designed to demonstrate compliance. But these frameworks often assume the organisation already has the capability required to execute them consistently. When that assumption is wrong, controls exist on paper but fail in practice.

Fatimah unpacks why compliance is frequently treated as a process problem rather than a capability one, and what that means for execution. From AML and risk management to operational resilience, every regulatory obligation depends on a system of people, processes, tools, and governance working together reliably. When those elements are fragmented, compliance becomes inconsistent — regardless of how strong the policies appear.

She also explores why regulatory issues tend to repeat, even after remediation programs. Increasing oversight, adding committees, and strengthening controls may create the appearance of progress, but without addressing the underlying capability, the same failures often re-emerge over time.

This episode reframes compliance as an outcome of capability — not documentation. It introduces a more sustainable approach, where organisations identify the capabilities required to meet obligations, assess their strength, and deliberately design them to operate reliably.

Whether you’re working in regulated environments, governance, PMOs, or transformation, this episode offers a practical lens on why compliance breaks down — and what it takes to make it stick.

In this episode, I cover: 

1:04 Why Regulation Still Fails 

4:02 The Process-First Compliance Trap

7:55 AML CTF Capability Gaps

11:53 Remediation Programs That Do Not Stick

14:40 Building Capability-Led Compliance 

And more...

🎧 Tune in, take notes, and join us in May for our live webinar event where we take a deeper dive into


Thank you for listening to Agile Ideas! If you enjoyed this episode, please share it with someone who might benefit from our discussions. Remember to rate us on your preferred podcast platform and follow us on social media for updates and more insightful content.

Thank you for listening. If you enjoyed this episode, I'd really appreciate it if you could share it with your friends and rate us. Let's spread the #AgileIdeas together!
 
We'd like to hear any feedback. www.agilemanagementoffice.com/contact  

Don't miss out on exclusive access to special events, checklists, and blogs that are not available everywhere. Subscribe to our newsletter now at www.agilemanagementoffice.com/subscribe.  

You can also find us on most social media channels by searching 'Agile Ideas'. 

Follow me, your host, on LinkedIn - go to Fatimah Abbouchi - www.linkedin.com/in/fatimahabbouchi/  

For all things Agile Ideas and to stay connected, visit our website below. It's your one-stop destination for all our episodes, blogs, and more. We hope you found today's episode enlightening. Until next time, keep innovating and exploring new Agile Ideas!



Welcome And Support Note

Fatimah Abbouchi

You're listening to Agile Ideas the Podcast, hosted by Fatimah Abbouchi. For anyone listening out there not having a good day, please know there is help out there. Hi everyone and welcome back to another episode of Agile Ideas. I'm Fatimah, CEO at AMO, Mental Health Ambassador, and your host. Well, welcome back to the Capability Unboxed mini-series. Here in this series, we're exploring how organisational capability shapes strategy delivery and governance in many ways that organizations typically overlook. In the earlier episodes so far, episodes one to five, and if you haven't listened to them, please go back and either watch the video on YouTube or listen to the podcast episode. We defined capability, we separated it from capacity, which is something that people often get confused. We explored how projects and capabilities differ, and we looked at also why ownership becomes such a difficult leadership conversation. In this episode, we're going to be turning our focus to regulation. Basically, because many industries, and in effect, I think every industry invest heavily in compliance frameworks and policies and controls and processes and training and regulatory programs and all of those amazing things that we need to do to stay compliant with regulations and laws, and yet regulatory failures continue to appear. The reason isn't the framework itself normally, it's that the organization lacks the underlying capabilities required to make the compliance work reliably, not just whilst you have a transformation program running, but in effect long after a program is gone. This is a really relevant piece of conversation or piece of work that we're working on at the moment. So I thought it would be really useful to talk to because of several different lived experiences that are playing out right now across different organizations. 
And look, I'll be one of those first people to admit that thinking about regulatory compliance and regulations and programs that relate to that and anything that relates to that is quite boring. But I have to say I'm sorely mistaken. I avoided working in and around this space. But because regulation follows companies everywhere of every size and every nature, it just became more and more prominent. And so now that I'm in the thick of it doing work in and around the financial services regulation space, it is becoming a lot more prevalent how actually interesting it is to not only help to get organizations to a point where they can be compliant, but actually what happens after they have met the initial requirements, whether they're securing an AFSL license, whether they are registering to be an AML CTF registered business with AUSTRAC or whatever it might be. So today's podcast, talking all things related to this, the fact that capability and regulation are really important hand in hand to prevent compliance failures, is really about what happens in organizations that are trying to keep up and sustain their compliance. And I will just preface this by saying this is not about giving legal advice, this is not about giving advice on any particular regulation, this is more about delivery and the context of making sure that you have the right processes and the capabilities in a business to continue to be able to meet your compliance needs, whether they are regulatory compliance or even compliance internally within the organization itself. So on that note, let's talk a little bit about why it matters. In regulated industries, which I really haven't met an organization that isn't regulated, really, I mean, they come in different shapes and sizes, and there's different levels of regulation depending on the industry that you run in. 
But what I found, and typically spending half my time or three-quarters of my time in very large businesses, and then the other sort of quarter in small and medium, is that organizations, particularly those that are larger, invest heavily in compliance, and they spend a lot of time creating policies and controls and monitoring frameworks and reporting structures, all of the things necessary to help them to meet their compliance obligations. The problem is that they continue to have compliance failures appear. And so, as seen in an article recently where one of the regulators called out an organization that has effectively breached a number of regulations, what regulators repeatedly highlight appear to be very similar issues. And this raises a deeper question, and one of the things that I've been pondering a lot, especially working and spending a lot of time in this regulatory compliance space. And that is, if organizations already have these frameworks in place, then why does compliance still fail? Often the issue is not the framework as such. A lot of time and energy usually goes into developing them, but it's the underlying capabilities. And the underlying capabilities are what make it stick. So compliance requires capability, not just documentation. And remember what we talked about, it's the capability, the what an organization does, not just about the people capabilities, but the organizational capabilities as well. And that's why that's a really important insight to call out. Interestingly, as I'm seeing a lot of organizations working to meet new obligations in relation to the Financial Services Act, they are currently looking at how they either uplift their organization, or organizations that don't actually have anything in place to meet the requirements, whether it's AML CTF, whether it's SOCI, PCI DSS, AFSL, any of those things. 
And so a lot of the time, as I hear and see from those organizations, they usually start in one of two places. They, I mean, besides having a think about what strategic direction they're taking with things. But I'll either hear them talk about tools, thinking that they need to have tools and systems in place immediately, or they have to uplift their systems, which yes, it may be part of the bigger picture, or it's often treated as a process problem. So most organizations will approach regulation as a process exercise. They'll actually focus on those things that I mentioned around, you know, policies and control registers, obligations registers, documentation, auto evidence, audit trails, all those sorts of things. Yes, very important, but this is assuming that the organization has all of the capability required to perform the work consistently. As an example, a small or medium financial services organization may document their AML monitoring processes. They may actually make sure that they can put that in a framework that they can adhere to and show to the regulator should they ask. But the organization itself might actually, because maybe they're new or they're smaller or they don't have the maturity, they might lack the capability in actual transaction monitoring. They may actually lack the investigation processes needed to support that. They may not have the data quality, they may not have the right governance to not only notify the regulator but also escalate internally for resolution. So those documented processes will not be able to function reliably without having the supporting capabilities underneath them. Controls will describe the behavior that is required, whereas the capabilities will enable that behavior. And so this is why behind compliance, every organization relies and needs to rely on capability. And if you are going to meet your regulatory obligations, you need to have the right organizational capability to do so. 
And again, I'll use AML CTF because it's very prominent right now with the legislation passing here in Australia very, very soon. That's going to capture a lot more individuals and organizations under the AML CTF Act. And AML capability requires monitoring systems, investigation teams, governance structures, reporting processes, escalation authority, training. Again, not too dissimilar to AFSL and other sorts of regulation. But an organization that lacks existing risk management capability won't have the right risk identification processes in place. They won't have the right risk ownership, structures, reporting rhythms, cadences, decision forums. Those are things that typically should exist in an organization and be solid, because then that'll enable you to meet your regulatory obligations better because you have the underlying capabilities that are necessary. Compliance itself will emerge when these capabilities function reliably. Without them, the controls will exist on paper, but they'll actually fail in practice. And this is very evident in a number of cases that you're hearing in the media around where organizations have got it wrong and they've either breached or they've had fines or other issues as a result of not meeting or breaching a compliance requirement. So regulators will typically and frequently identify situations where policies exist but they're not followed operationally, and that's the capability gap. It's actually very timely because I came across an article yesterday about an organization that has allegedly outsourced their AML CTF capability completely, and they've neglected potentially to have the necessary means internally to show that they are still accountable. And so there are a number of fines and also additional consequences that have been brought down by the regulator. Now that's just one example. 
I see lots of articles and lots of news stories about these sorts of things, and as I said, they are very much similar in nature, and I think that a lot of them come down to the execution gap. And so this is why compliance itself is the outcome of the capabilities working correctly. And remember, your capability is the system, the processes, the tools, the people, it's all of that, all of the things that enable your organization to do what it does best. So thinking about regulatory failure and how this often repeats, one thing I can say is I've spent a lot of time in banking and financial services over the last two decades. And in a lot of these organizations, they spend hundreds of millions of dollars on remediation programs. Now, the remediation programs typically are to address a gap in compliance or in new regulation that's coming in. Ultimately, it means that they have something that they need to uplift, strengthen, change, increase monitoring for. What you don't want to happen is for it to be a remediation program because the regulators called you out on some things, and that typically happens a lot. So if you are running a remediation program worth millions of dollars, or even for smaller businesses, tens of thousands, if you continue to develop frameworks and processes and policies, and they're not supported by your underlying capabilities, and your underlying capabilities remain weak, you'll still continue to have the same issues later. So one remediation program done in isolation of business as usual operations teams will solve the problem temporarily, but the problem will persist long term. And that is something that I do see repeated, and this is why I think that there's an underlying issue that needs to be solved for, especially if you start to compare those programs side by side and look at what they're actually trying to solve for. Many remediation programs also increase oversight committees. 
So there are certain programs that I have been working with over the last few years that are just layering governance on top of governance on top of governance. There are more oversight committees, more governance forums, more, I guess it's oversight but at different levels. And so in this regard, it appears like we're heading in the right direction, but if the operational capability itself, i.e., in this example I was giving, operational risk, remains fragmented, then it will continue to not be effective long term. The governance structure will grow heavier, but the capability won't improve. And so we need to really balance that and think about that. The capabilities that you have within your organization should have the right structure around them already. And so you're leveraging that as opposed to creating from new. Remember, you can't govern a weak capability to make it stronger. That's not how it works. So now that we've spoken about capabilities and regulatory confidence and compliance, what we can do is think about what capability-led compliance can look like in an organization. Now I mentioned earlier that I'm working with a number of organizations and helping them answer this exact question. And one of the things that some organizations do is typically we'll start with what the obligation is or what the regulation is that they need to meet, all the controls and all those sorts of things. Sorry, I've got a bit of a dry throat. So capability-led compliance begins by asking what organizational abilities must exist for us to meet our obligations consistently. From there, organizations can then assess whether their capability exists (with many organizations at the moment, AML CTF, for example, is a new capability that they would need to make sure is bedded down in the organization and may not have existed earlier), whether it's strong enough and where improvement is required. 
So the controls that you have in your business will reinforce those capabilities rather than acting as a substitute for them. So when you think about the regulations and the capabilities and the obligations that you need to meet, it's really important to start to map those to the capability areas of your business. Whether it's your customer lifecycle management, which we touched on in an early episode, whether it's transaction monitoring pertaining to the AML side of things, whether it's complaints handling, customer service, operational resilience, all of those sorts of things. So to make compliance sustainable, having strong capabilities is necessary. And so one of the things that Capability in a Box or CIAB, that we've spent a lot of time on, helps organizations to do is to actually map their regulatory obligations to organizational capabilities. So some organizations that I speak to will not have a clear view on their organizational capabilities. They will have a clear view on what their regulatory obligations are. Now, if the two don't align, you're going to have capability gaps. You're also going to have execution gaps, which is probably going to increase your chances of being called out by the regulator or regulators. And so you want to be strengthening the capabilities to help you support your compliance better. This particular move will actually help compliance move from reactive remediation, which is so evident in so many places, to actually deliberate organizational design. A lot of the time compliance will become sustainable if we spend the time and the energy upfront designing intentionally around our capabilities. And the capabilities themselves are not something that you change every five minutes, but you strengthen over time. And as I said earlier, it's what the business does. So a business that doesn't do AML CTF might introduce that as a new capability. 
And then they make sure that they've got the necessary structure to support that capability being effective, meaning they can better align their compliance needs. So on that note, we are hosting a webinar in May. It's a live webinar event where we will take you on a deep dive into all things capability powered by the AMO Way. Keep an eye out on our socials to register. And remember, if you can't attend on the day, we will also send a copy of the recording out to anyone who's registered. I guess just a closing thought is, if there's anything that I have talked about today that you're wondering or you have questions about, by all means don't hesitate to send me a question via the comments or via LinkedIn or even on our website. Thank you for listening and I hope that this has been helpful. Thank you so much for listening to this podcast. Please share this with someone or rate it if you enjoyed it. Don't forget to follow us on social media and to stay up to date with all things Agile Ideas. Go to our website www.agilemanagementoffice.com. I hope you get to learn, feel or be inspired today. Until next time, what's your Agile Idea?