Why Compliance Programs Fail (And How to Fix Them)
What fitness resolution failure teaches about sustainable governance—and why good intentions aren't enough.
The Case of the January Gym Crowds
Case File Opening: The Predictable Pattern
Every January, gyms flood with new members. Packed classes, waiting lists for equipment, motivational energy everywhere. By March, the crowds have vanished. The same people who paid annual memberships in January are back to their old routines by spring.
This isn't a fitness problem—it's a systems design problem. And it's identical to why 67% of compliance initiatives fail within 18 months.
Research tracking 200 New Year's resolvers found only 19% maintained their resolutions two years later. Yale behavioral scientists put the success rate even lower: 9%. The failure isn't personal—it's systematic.
Last month, I watched a fintech startup launch an ambitious governance programme. Beautiful frameworks, comprehensive training, enthusiastic executive support. Six months later, it had quietly dissolved into "business as usual." The team was good, the intentions genuine, the need real.
But they'd designed their compliance programme exactly like a January gym membership: all motivation, no sustainable system.
Here's the thing: this isn't just about effectiveness anymore. The UK's 2024 Corporate Governance Code reforms have made systematic integration a legal requirement, not a best practice suggestion. Box-ticking compliance is now non-compliant.
Evidence File: The Resolution Failure Pattern
Exhibit A: The Motivation Trap
New Year's fitness resolutions fail because they rely on motivation rather than systems:
Dramatic goals: "I'll work out every day" (instead of realistic frequency)
All-or-nothing thinking: Missing one session becomes permission to quit entirely
Lifestyle incompatibility: Plans that ignore actual schedule and energy constraints
No support structure: Individual willpower against systematic obstacles
The science confirms this pattern. Habits actually take 59-66 days to form—with substantial individual variation from 4 to 335 days—not the mythical 21 days we've been told. We're setting people up for failure by promising quick fixes to changes that require systematic patience.
Exhibit B: The Compliance Mirror
Compliance programmes fail for identical reasons:
Dramatic goals: "Zero risk tolerance" or "perfect compliance" (instead of systematic improvement)
All-or-nothing thinking: One process failure becomes evidence the whole framework is unworkable
Operational incompatibility: Compliance requirements that ignore actual workflow and business constraints
No support structure: Compliance team expectations against systematic organizational pressures
Harvard research on compliance programme effectiveness reveals the challenge: distinguishing truly effective programmes from "window-dressing." Even firms with formal compliance management systems experience only "rather modest" effects in reducing violations—requiring appropriate organisational culture and technology beyond systematic processes alone.
The UK's academic research on public law compliance governance confirms this pattern: institutions face regulatory pressures but struggle with practical implementation barriers and organizational system constraints that undermine even well-intentioned programmes.
The pattern is identical: unsustainable design disguised as ambitious goal-setting.
Exhibit C: The Sequence Failure—When Good Processes Execute in Wrong Order
But here's what most analysis misses: sometimes compliance fails not because you lack the right components, but because you execute them in the wrong sequence.
Process sequencing isn't bureaucracy—it's the difference between a binding contract and a broken promise.
I watched a fintech company implement every fraud prevention procedure recommended by their advisors. Identity verification? Check. Transaction monitoring? Check. Personal guarantees from high-risk customers? Check.
They failed spectacularly.
Why? They accepted personal guarantees before completing identity verification. They onboarded high-risk customers before establishing monitoring protocols. They processed transactions before confirming the verification systems were operational.
Each step was compliant. The sequence made compliance worthless.
As Poirot would ask: "But why, mon ami, would you accept a personal guarantee from someone whose identity you have not verified? This is not compliance—this is the illusion of compliance."
Governance principle: Having proper procedures means nothing if you execute them in the wrong order.
Like starting a fitness programme with advanced workouts before building basic conditioning—you have all the right exercises, just in a sequence guaranteed to cause injury.
Exhibit D: The Legal Evolution—From Recommendation to Requirement
Here's what changed in 2024: the UK Corporate Governance Code reforms moved away from "comply or explain" box-ticking toward proving systematic effectiveness.
Provision 29 now requires boards to annually attest that material controls are not just documented but effective and embedded in ordinary business operations. PwC's analysis calls this the shift from "structure to culture"—from having compliance frameworks to demonstrating they actually work through behavioral integration.
This isn't governance philosophy. It's regulatory mandate backed by enforcement expectations.
The new failure-to-prevent-fraud offense under the Economic Crime and Corporate Transparency Act (effective 1 September 2025) operates on the same principle: you can't just have anti-fraud policies, you must demonstrate robust, embedded systems that prevent fraud through systematic integration—in the correct sequence.
Watch what happens this September. Companies will scramble to implement comprehensive fraud prevention procedures before the deadline. Law firm guidance from Cooley, Freshfields, and others recommends systematic checklists: top-level commitment, risk assessment, robust procedures, due diligence, communication, training, monitoring, and review.
It's a perfectly designed January gym membership scenario. Ambitious goals, comprehensive frameworks, September enthusiasm.
Let's predict the outcome: by early 2026, many of these programmes will have quietly dissolved into compliance theatre—impressive documentation with minimal operational impact.
Not because companies lack commitment. Because they're following the resolution playbook instead of the systems playbook. And because they're implementing the right steps in the wrong order.
And now, for the first time, regulators are explicitly rejecting that approach.
The Detective's Analysis: Why Systems Beat Intentions
The Cultural Bridge: Sustainable Fitness vs Sustainable Compliance
The people who successfully maintain fitness don't rely on January motivation—they build sustainable systems. Small, consistent actions that integrate with their actual life rather than requiring lifestyle transformation.
They understand that:
Consistency beats intensity: 20-minute walks daily outperform 2-hour weekend workouts
Habit formation beats willpower: Automatic behaviours survive motivation fluctuations
Integration beats addition: Exercise that fits existing routines lasts longer than separate gym sessions
Progress beats perfection: Continuous improvement outperforms perfect adherence
Sequence matters: You don't run a marathon before learning to walk consistently
The evidence supports this approach. British Journal of General Practice research found that habit-formation advice paired with 'small changes' led to sustained weight loss—participants lost 3.8 kg over 32 weeks compared to controls who lost only 0.4 kg. The behaviors became "second nature" and "automatic."
Sustainable compliance works exactly the same way.
And now, the UK Corporate Governance Code requires it.
The Literary Connection: Christie's Drawing Room vs Scotland Yard
Real governance isn't Scotland Yard interrogation rooms with harsh lights and aggressive questioning. It's Agatha Christie's drawing room with all the suspects gathered, all the evidence laid bare, letting truth emerge naturally through intelligent system design.
The best security feels like no security at all. That's not a bug—it's the feature.
Dorothy L. Sayers explored this brilliantly in Gaudy Night—her academic mystery about whether institutional systems should suppress human nature or work with it. The novel's central question applies perfectly to compliance design: do you build fortress walls that people constantly try to breach, or do you design environments where doing the right thing becomes the natural choice?
Sustainable governance chooses the drawing room over the interrogation room. Systems that reveal truth through thoughtful design rather than force it through aggressive enforcement.
The Musical Connection: Jazz vs Classical Training
Classical musicians train for perfection—every note precise, every performance flawless. Jazz musicians train for adaptation—responding to unexpected changes while maintaining musical coherence.
Most compliance programmes are designed like classical training: rigid adherence to perfect procedures. But business operates like jazz performance: constant improvisation around consistent principles.
The programmes that succeed train for jazz-style adaptation while maintaining classical-style quality standards.
But even jazz musicians know sequence matters: you learn scales before improvisation, rhythm before syncopation, the rules before you break them artfully.
The Regulatory Reality Check
The 2024 governance reforms essentially mandate Christie's drawing room approach: adaptive systems that reveal truth through behavioral integration, not rigid adherence to interrogation-style procedures.
AuditBoard's analysis of the new Code emphasizes this shift: boards must demonstrate that governance "actually works in practice, not just on paper." This requires embedded routines that become organizational habits, not separate compliance initiatives that require ongoing motivation.
The UK's new Data (Use and Access) Act 2025 reflects the same philosophy. It streamlines privacy compliance with easier cookie rules, updated automated decision-making requirements, and modernised KYC processes—but success depends on integration with existing data governance, not comprehensive programme overhauls.
Streamlined requirements should make compliance easier, right? But here's the trap: organizations are treating regulatory updates as opportunities for dramatic programme redesigns instead of incremental integration.
Same resolution pattern. Same predicted failure rate. And often, same sequence mistakes.
Pattern Recognition: The Sustainable Governance Design
Clue Analysis: What Actually Works
Small Consistent Actions vs Grand Declarations
Fitness: 15-minute morning walks vs 2-hour weekend gym sessions
Compliance: Daily risk check-ins vs quarterly compliance assessments
Result: Sustainable progress vs boom-bust cycles
Habit Integration vs Lifestyle Addition
Fitness: Exercise that fits existing schedule vs adding gym time to packed days
Compliance: Governance built into existing meetings vs separate compliance meetings
Result: Automatic execution vs willpower dependency
McKinsey research on organizational habits reveals why this matters: 45% of daily behaviour happens in consistent contexts. When you change the context, you change the behaviour. Integration leverages existing contexts instead of fighting them.
This is precisely what Provision 29 requires: demonstrating that controls are embedded in the contexts where decisions actually happen, not isolated in separate compliance processes.
Progress Measurement vs Perfection Expectation
Fitness: Track weekly improvement vs demand daily perfection
Compliance: Monitor systematic enhancement vs expect zero risk events
Result: Continuous adaptation vs all-or-nothing failure
Support Systems vs Individual Accountability
Fitness: Workout partners and routine structure vs solo motivation
Compliance: Team integration and systematic support vs individual compliance officer burden
Result: Collective sustainability vs individual burnout
Research on leadership's effect on habit formation shows that organizational systems significantly impact individual behaviors through the habit loops they create and reinforce. The environment you design determines the habits that form.
Freshfields' guidance on effective compliance management systems identifies this as a core pillar: compliance must be "owned" across the organization through distributed accountability and systematic support structures, not concentrated in a central compliance function.
Correct Sequence vs Random Implementation
Fitness: Progressive overload after establishing form vs jumping to advanced movements
Compliance: Verify identity before accepting guarantees vs having procedures without order
Result: Genuine protection vs illusion of compliance
Poirot understood this intuitively: the order of investigation matters as much as the investigation itself. You gather facts before forming theories, establish timeline before assigning motive, confirm identity before accepting testimony.
Compliance works identically. The sequence transforms procedures from checkbox theatre into genuine protection.
The Investigation: Why January Always Fails
The Gym Membership Deception
Gyms make most of their profit from people who pay but don't attend. Their business model depends on New Year's resolution failure. They oversell memberships knowing most people will quit by March. Industry data shows January revenue increases of 25-50% compared to other months—all from resolution-driven signups that rarely translate to sustained attendance.
This creates perverse incentives: gyms appear to want your success but financially benefit from your failure. The systems are designed for initial enthusiasm, not sustained engagement.
The Compliance Parallel
Many compliance frameworks operate like gym memberships:
Over-promise capacity: "This framework will solve all governance challenges"
Under-deliver sustainability: Complex systems that require unrealistic ongoing commitment
Profit from appearance: Look impressive in initial implementation but unsustainable in practice
Design for failure: Implicitly assume high abandonment rates and design accordingly
Ignore sequence: Implement components randomly rather than in logical order
The Serious Fraud Office's enforcement priorities, the Unexplained Wealth Order regime, and the incoming fraud prevention requirements all create similar dynamics: companies invest heavily in September compliance initiatives that fade by spring.
But here's what's different now: the 2024 governance reforms explicitly reject this pattern. The Code's shift from structure to culture, from documentation to demonstration, from compliance to effectiveness—these aren't suggestions. They're requirements backed by regulatory expectations and enforcement priorities.
The Law Society Gazette's risk and compliance coverage consistently emphasizes this evolution: regulators now expect firms to prove systematic integration, not just produce impressive frameworks. And increasingly, they're examining whether procedures execute in sequences that create genuine protection rather than compliance theatre.
Solution Framework: The Sustainable Compliance Architecture
Design Principles That Actually Work—And Now, That Regulators Require
1. Start Stupidly Small
Instead of: "Comprehensive risk assessment every quarter"
Try: "Two-minute risk check in existing Monday meeting"
Why it works: No additional time commitment, automatic integration, immediate value
Behavioral science research shows that radical changes in behavior come through simple changes to our environments, not through willpower alone. The smaller the change, the lower the activation energy required.
For the September 2025 fraud prevention deadline:
Instead of: Comprehensive fraud prevention programme rollout
Try: Add one fraud risk question to existing transaction approval workflows—before final approval, not after
Result: Immediate value, sustainable practice, genuine cultural impact—and regulatory compliance through demonstrated effectiveness
2. Stack on Existing Habits
Instead of: "New monthly compliance committee"
Try: "Five-minute governance update in existing leadership meeting"
Why it works: Uses established routines, reduces calendar complexity, natural adoption
Remember: 45% of daily behavior happens in consistent contexts. Stack new behaviors onto existing contexts instead of creating new ones.
This is exactly what Provision 29's "embedded in ordinary operations" language requires.
For the UK Data Act compliance:
Instead of: Separate data governance training programme
Try: Integrate data considerations into existing project approval processes—at the design stage, not post-implementation
Result: Natural adoption, operational efficiency, better outcomes—and Code compliance through genuine integration
3. Progress Over Perfection
Instead of: "Zero compliance violations tolerated"
Try: "10% improvement in early risk identification monthly"
Why it works: Encourages reporting, rewards improvement, builds systematic capability
4. Social Architecture
Instead of: "Compliance officer handles all governance"
Try: "Governance champion in each department"
Why it works: Distributes load, builds ownership, creates peer accountability
5. Sequential Logic
Instead of: "Implement all procedures simultaneously"
Try: "Build in logical order: verify, then approve; assess, then onboard; establish monitoring, then allow transactions"
Why it works: Each step creates foundation for the next, procedures reinforce rather than contradict
As Poirot would remind us: "Order and method, mon ami. Always order and method."
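The sequence principle can be made mechanical rather than left to good intentions. The following is an added illustration, not code from the article or from the fintech companies it describes; the step names, the precondition graph and the sample customer files are this example's own assumptions. It contrasts a box-ticking check (every procedure appears somewhere on file) with a sequence check (each procedure's prerequisites were already complete when it was taken), and shows an onboarding path that refuses an out-of-order step at the moment it is attempted.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Step(Enum):
    """Procedures the article lists; the names are this example's own."""
    IDENTITY_VERIFIED = auto()
    RISK_ASSESSED = auto()
    GUARANTEE_ACCEPTED = auto()
    MONITORING_ENABLED = auto()
    ONBOARDED = auto()
    TRANSACTION_ALLOWED = auto()


# Which steps must already be on file before a step may be recorded:
# verify, then approve; assess, then onboard; establish monitoring, then allow transactions.
PRECONDITIONS = {
    Step.IDENTITY_VERIFIED: set(),
    Step.RISK_ASSESSED: {Step.IDENTITY_VERIFIED},
    Step.GUARANTEE_ACCEPTED: {Step.IDENTITY_VERIFIED},
    Step.MONITORING_ENABLED: {Step.RISK_ASSESSED},
    Step.ONBOARDED: {Step.RISK_ASSESSED, Step.MONITORING_ENABLED},
    Step.TRANSACTION_ALLOWED: {Step.ONBOARDED},
}


class SequenceError(Exception):
    """Raised when a step is attempted before its preconditions are on file."""


@dataclass
class CustomerFile:
    customer_id: str
    completed: list = field(default_factory=list)  # ordered audit trail of steps taken

    def record(self, step: Step) -> "CustomerFile":
        """Record a step, refusing it if any prerequisite step is missing."""
        missing = PRECONDITIONS[step] - set(self.completed)
        if missing:
            names = ", ".join(sorted(m.name for m in missing))
            raise SequenceError(f"{step.name} attempted before {names}")
        self.completed.append(step)
        return self


def checklist_complete(cf: CustomerFile) -> bool:
    """Box-ticking view: every procedure appears somewhere on file; order is ignored."""
    return set(cf.completed) == set(Step)


def sequence_valid(cf: CustomerFile) -> bool:
    """Effectiveness view: replay the audit trail and confirm each step's
    prerequisites were already complete at the moment it was taken."""
    done = set()
    for step in cf.completed:
        if PRECONDITIONS[step] - done:
            return False
        done.add(step)
    return done == set(Step)


def build_correct_file() -> CustomerFile:
    """Onboarding run through record(), so the order is enforced as it happens."""
    cf = CustomerFile("cust-constructed-001")
    for step in (Step.IDENTITY_VERIFIED, Step.GUARANTEE_ACCEPTED, Step.RISK_ASSESSED,
                 Step.MONITORING_ENABLED, Step.ONBOARDED, Step.TRANSACTION_ALLOWED):
        cf.record(step)
    return cf


def build_wrong_order_file() -> CustomerFile:
    """The failure the article describes, as a constructed audit trail written
    directly (bypassing record): guarantee taken and account transacting before
    identity was verified or monitoring existed. Every box is still ticked."""
    return CustomerFile("cust-constructed-002", completed=[
        Step.GUARANTEE_ACCEPTED, Step.ONBOARDED, Step.TRANSACTION_ALLOWED,
        Step.IDENTITY_VERIFIED, Step.RISK_ASSESSED, Step.MONITORING_ENABLED,
    ])


def attempt_guarantee_first() -> str:
    """Show the enforcement path: the first out-of-order step is refused."""
    try:
        CustomerFile("cust-constructed-003").record(Step.GUARANTEE_ACCEPTED)
    except SequenceError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    for label, cf in (("correct order", build_correct_file()),
                      ("wrong order", build_wrong_order_file())):
        print(f"{label}: checklist={checklist_complete(cf)} sequence_valid={sequence_valid(cf)}")
    print("enforcement:", attempt_guarantee_first())
```

The wrong-order file passes the checklist but fails the sequence check, which is the distinction between documentation and demonstrated effectiveness the article draws. Keeping the audit trail ordered, rather than as a set of ticked boxes, is what makes the after-the-fact replay possible; the precondition graph is the part a real programme would tailor to its own procedures.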
The Implementation Evidence
Case Study: The Sustainable Transformation
One fintech company applied these principles after their "comprehensive governance programme" failed:
What they stopped doing:
Monthly all-hands compliance training (attendance dropped to 40% by month 3)
Separate quarterly risk assessments (became admin burden disconnected from operations)
Perfect process documentation (too complex for daily use)
Random implementation of compliance procedures without considering sequence
What they started doing:
Two-minute risk discussion in existing weekly team meetings
Simple risk tracking integrated with existing project management tools
One-page guidance that fit on screens people actually used
Clear sequence: risk identification → assessment → mitigation → monitoring (in that order, every time)
Results after 6 months:
Risk identification increased 340% (from quarterly reports to real-time discussion)
Compliance-related meetings decreased 60% (integrated vs separate)
Team satisfaction with governance increased 89% (helpful vs burdensome)
Actual risk management improved measurably (prevention vs detection)
Sequence failures dropped to zero (procedures built on proper foundations)
The regulatory validation: When their board conducted the first Provision 29 assessment, they could demonstrate genuine effectiveness through behavioral evidence, not just documentation. Controls were embedded in ordinary operations because operations had been designed with controls integrated from the start—in the correct sequence.
They'd built Christie's drawing room, not Scotland Yard's interrogation chamber. Truth emerged naturally because the system was designed to reveal it.
The Resolution That Actually Works
The Fitness Parallel Applied
People who successfully maintain fitness after January don't set dramatic goals—they build systems so simple they can't fail:
Morning walk before coffee (automated through routine stacking)
Stairs instead of lifts (decision-free environmental design)
Ten press-ups after bathroom breaks (micro-habits that accumulate)
Progressive sequence: consistency before intensity, form before weight, basics before advanced
The Compliance Translation
Sustainable governance programmes work the same way:
Risk mentions in existing check-ins (automated through meeting rhythm)
Governance questions in existing decision templates (decision-free process integration)
Micro-improvements tracked in existing dashboards (small wins that accumulate)
Logical sequence: identity verification before guarantees, risk assessment before onboarding, controls before transactions
The September 2025 Prediction
Here's what will separate successful fraud prevention implementations from failures:
Failures will:
Launch comprehensive programmes in September
Create separate fraud prevention committees
Develop extensive documentation that nobody reads
Celebrate impressive frameworks that don't change daily behaviour
Implement procedures randomly without considering sequence
Build interrogation rooms when they need drawing rooms
Struggle to demonstrate effectiveness under new governance requirements
Successes will:
Integrate fraud awareness into September's existing workflows
Add fraud considerations to current decision points—in the right order
Create simple tools that enhance rather than replace existing processes
Measure behavioural change, not documentation completeness
Build verification before acceptance, assessment before approval, monitoring before transactions
Design systems where truth emerges naturally through intelligent architecture
Easily demonstrate Provision 29 compliance through embedded effectiveness
By December, the difference will be obvious. By March 2026, the pattern will be complete.
And for the first time, regulators won't just notice the difference—they'll enforce it.
The Cultural Transformation
The goal isn't perfect compliance, it's systematic improvement that becomes organisational culture. Like fitness habits that become lifestyle, governance practices that become "how we work" rather than "extra work we do."
When compliance feels like going to the gym, it will fail like January resolutions. When compliance feels like taking the stairs instead of the lift, it becomes automatic behaviour that improves performance.
When governance feels like an interrogation room, people build defenses and hide information. When governance feels like Christie's drawing room, truth emerges naturally because the system is designed to reveal rather than force it.
The best governance, like the best fitness routines, disappears into daily life while dramatically improving outcomes. The best security feels like no security at all. That's not a bug—it's the feature.
The 2024 Corporate Governance Code doesn't just recommend this approach—it requires it. PwC calls it the shift from "tick-box compliance to genuine governance effectiveness." AuditBoard emphasizes that boards must demonstrate controls "actually work in practice, not just on paper."
And increasingly, "work in practice" means executing in sequences that create genuine protection rather than the illusion of compliance.
This isn't compliance philosophy. It's regulatory mandate.
The question isn't whether to build sustainable systems. It's whether you'll do it proactively through intelligent design, or reactively through enforcement pressure.
Dorothy L. Sayers understood this in Gaudy Night: institutions that work with human nature rather than against it create environments where excellence becomes natural. The same principle transforms compliance from burden to advantage.
🎵 Today's Track: "Everyday" by Buddy Holly. Because sustainable governance, like sustainable fitness, happens in the ordinary moments when nobody's watching—and consistency in small things creates extraordinary results over time. The new governance requirements understand this: effectiveness happens in daily routines, not annual reports. And it happens in the right order, not just with the right components.
🗂 Case Closed
Governance Principle: Systems beat intentions every time—sustainable compliance programmes start stupidly small, integrate with existing habits, and execute in logical sequences rather than requiring lifestyle transformation. The UK's 2024 governance reforms have made this approach not just best practice, but legal requirement.
Suggested Reading: Gaudy Night by Dorothy L. Sayers—an academic mystery exploring whether institutional systems should suppress human nature or work with it. The novel's insights about designing environments where doing the right thing becomes the natural choice apply perfectly to modern compliance challenges.
Research & Sources
Habit Formation & Behavioral Change:
Lally, P., et al. "Making health habitual: the psychology of 'habit-formation' and general practice." British Journal of General Practice, 2012.
Eldred, D., et al. "Time to Form a Habit: A Systematic Review and Meta-Analysis." PubMed, 2024.
Gardner, B., et al. "Developing habit-based health behaviour change interventions." Health Psychology Review, 2023.
Niv, Y., et al. "Habit formation viewed as structural change in the behavioral network." PLOS Computational Biology, 2023.
New Year's Resolution Research:
Oscarsson, M., et al. "A large-scale experiment on New Year's resolutions: Approach-oriented goals are more successful than avoidance-oriented goals." PLOS ONE, 2020.
Yale School of Management. "Now or Never: Why Do Many New Year's Resolutions Fail?" 2024.
Compliance Program Effectiveness:
Soltes, E. "Evaluating the Effectiveness of Corporate Compliance Programs." Harvard Business School, 2019.
Arlen, J., et al. "Compliance Management Systems: Do They Make a Difference?" The Cambridge Handbook of Compliance, 2021.
NAVEX. "The Top 10 Reasons Compliance Programs Fail." 2023.
ZenGRC. "Why do Compliance Programs Fail?" 2024.
UK Regulatory & Legal Sources:
Halliday, S. "The Governance of Compliance with Public Law." Public Law, 2013. Available via Westlaw UK.
AuditBoard. "Understanding the UK Corporate Governance Code: The Complete Guide." 2025.
Impero. "UK Corporate Governance Code 2024: Provision 29 Guide." 2024.
PwC UK. "UK Corporate Governance Code reform: From structure to culture." 2024.
Cooley LLP. "New UK Corporate Fraud Offence Takes Effect Soon: Prepare Your Business for Compliance." 2025.
Freshfields Bruckhaus Deringer. "Implementing an Effective Compliance Management System." 2024.
National Law Review. "UK Data Act 2025—Key Changes Seek to Streamline Privacy Compliance." 2025.
Compliance Week. "United Kingdom: Prepare Now with UK Failure to Prevent Fraud Offense." 2025.
The Law Society Gazette. "Risk and Compliance" coverage, 2024-2025.
LexisNexis UK. "Risk & Compliance News" updates, 2024-2025.
The Law Society. "News and Articles: Compliance and Regulatory Updates." 2024-2025.
Organizational Behavior & Systems:
McKinsey & Company. "How organizations can build healthy employee habits." 2023.
IOSR Journal of Business and Management. "Leadership Styles and Their Effect on Habit Formation in Employees." 2024.
Tamarack Institute. "Small Changes for Big Impacts - Behavioural Insights for Community Change." 2023.
Gym Industry Data:
FitBudd. "How do gyms make money?" 2024.
Exercise.com. "What month do gyms make the most money?" 2024.
Myprotein. "Americans' January Gym Habits, Revealed." 2024.
Smart Health Clubs. "100 Gym Membership + Retention Statistics You Need to Know." 2024.
Literary References:
Sayers, Dorothy L. Gaudy Night. Victor Gollancz, 1935. Academic mystery exploring institutional systems and human nature.
Next week: When 90 patient surveys vanish and accountability disappears. The case of the missing minutes.