The compliance gap businesses can’t afford to ignore

For many UK organisations, the practical question is clear: how do we turn changing regulatory expectations into clear actions, ownership and records before gaps are exposed by regulators, customers, insurers or internal reviews?

Several recent and upcoming changes show why this matters. In England, workplace recycling rules changed on 31 March 2025 for most organisations. Martyn’s Law received Royal Assent on 3 April 2025, with the Home Office stating that there will be an implementation period of at least 24 months before the substantive duties commence.

In fire risk assessment, BAFE SP205 Version 6 was published in November 2025, with existing registered organisations given a transition period to move across to the revised scheme.

These examples differ in scope, sector and timing, but the practical questions are similar: who owns the change, what needs to happen, what will it cost, how quickly can controls be improved, and what evidence will show progress?

“Readiness gaps often appear when scope is unclear, responsibilities are spread across several functions and upgrades are competing with other priorities." said David Reynolds, Head of Risk Engineering and Surveys at RiskSTOP, "What matters is the evidence trail: assessments, action plans, inspections, training, maintenance records, review dates and follow-up.”

Why readiness can slip

New requirements rarely arrive in isolation. The Home Office’s statutory guidance for Martyn’s Law makes clear that the Act does not supersede other legislation, and that organisations may also need to consider duties relating to health and safety, fire safety, licensing and equality law. That overlap is often why implementation feels more complex than the headline announcement first suggests.

When compliance sits with already stretched operational teams, it is easy for deadlines to slip or for activity to focus on documentation before practical implementation has caught up. A policy only helps when it is translated into site-level responsibilities, training, inspections, maintenance activity and records that can be found when needed.

Older premises, equipment and working methods can also make readiness more difficult, particularly where improvements need to be phased around day-to-day operations. A business may understand what good practice looks like, while still needing time to assess legacy systems, budget for upgrades, arrange inspections and train staff.

“Clear accountability is often what gets progress moving. Readiness improves when one accountable owner is named early, with input from operations, facilities, health and safety, legal, finance, insurers and brokers.” David adds, “Without that ownership, actions can become fragmented and evidence can be difficult to locate when it is needed.”

Where gaps can appear in business compliance

The current regulatory landscape shows why early review is worthwhile. England’s workplace recycling requirements now require most workplaces to separate dry recyclable materials, food waste and non-recyclable waste before collection. The rules apply to waste produced by employees, customers and visitors, with micro-firms having a later deadline of 31 March 2027.

Martyn’s Law provides another useful example. The Home Office gives the example of a clothing shop that usually has fewer than 200 people on site, but exceeds that level during major sales periods such as Black Friday or January sales. Because 200 or more people can reasonably be expected from time to time, the premises may fall within the standard tier.

This is where readiness gaps can appear. A business may understand its usual operating pattern, but not yet have tested busier periods, events or seasonal activity against the new duty. A site may look low risk on a typical trading day, but the picture can change when footfall increases, events are held, or seasonal activity changes how the premises are used.

BAFE SP205 Version 6 points to a different but related issue: competence and accountability in fire risk assessment. Even where a duty is not new in principle, expectations around how competence is demonstrated and assured can change. Businesses that rely on third-party assessments still need to understand whether the people and processes supporting those assessments remain suitable.

The common thread is evidence. Once duties apply, organisations need clear procedures and accessible records, because readiness is judged by what can be shown in practice, not only by what was intended. Beyond enforcement, gaps can also lead to business disruption, poor audit outcomes, delayed remedial work, weaker insurer confidence and missed opportunities to demonstrate that risk is being managed well.

From an insurance perspective, readiness gaps may also influence loss severity. Delays in implementing controls, maintaining critical systems or demonstrating compliance can contribute to larger losses, business interruption and more challenging claims investigations following an incident.

How insurers and brokers can help close the gap

Insurers, brokers, risk engineers and risk-management specialists cannot replace a business’s own legal responsibilities. They can, however, help organisations turn changing expectations into practical priorities, clear next steps and better evidence.

“Insurers, brokers and risk specialists cannot replace a business’s own legal responsibilities, but they can help turn changing expectations into practical priorities.” David says, “In practice, that means helping clients understand whether a duty applies, review current controls, translate technical requirements into operating actions and identify the records needed before an incident, inspection, audit or renewal meeting highlights a gap.”

Compliance-readiness is part of risk management. A business that can show ownership, assessment, action and outstanding priorities is in a stronger position than one relying on informal knowledge, scattered records or last-minute activity.

For brokers, this is a chance to take the conversation beyond policy placement and into practical risk improvement. For insurers, it can provide a clearer view of how well controls are understood, implemented and maintained. For the client, it helps turn regulatory change into a clear plan of action.

A practical readiness framework

A practical starting point is to work through six questions:

1. Scope the duty: Which sites, activities, people, assets or events are affected, and do any thresholds or exemptions apply?

2. Name the owner: Who is responsible for leading the response, and what support is needed from operations, facilities, health and safety, legal, finance, insurers and brokers?

3. Assess the gap: How do current controls, records and training compare with the requirement or expected standard?

4. Prioritise the work: Which actions need attention first, and which improvements may require capital investment, contractor input or phased upgrades?

5. Build the evidence trail: Where will risk assessments, action plans, inspection records, maintenance logs, training records and review dates be kept so they can be accessed and understood?

6. Review before the deadline: Has progress been tested before duties commence, before renewal discussions begin, or before an incident exposes whether controls were working in practice?

   
   

Bridging the gap before it widens

Closing the gap between regulation and readiness means starting early enough to name the duty, assign ownership, test the controls, plan the investment, train the people and keep the records.

The organisations best placed to respond are often those that treat readiness as an operational risk-management issue, rather than a purely legal or administrative task.

This is where insurers, brokers and risk specialists can add value: helping businesses translate change into action before a gap contributes to a claim, a failed inspection, a missed renewal opportunity or an enforcement issue.

Making readiness part of everyday risk management helps businesses keep people safe and secure, reduce disruption and show that risk is being managed with clarity, ownership and evidence.