Most compliance frameworks start in the wrong place. They begin with the regulatory universe — the full body of legislation, rules, guidance, and codes that could conceivably apply — and then work inward, attempting to map everything against the firm's activities. The logic seems sound: if we start with everything, we cannot miss anything. But this approach carries a cost that is rarely acknowledged and almost never measured.
The cost is not just in time and resource, though those are substantial. The deeper cost is in signal-to-noise ratio. When you map everything, you bury the obligations that genuinely matter beneath a mass of requirements that are either inapplicable, immaterial, or already adequately addressed. The compliance team ends up maintaining a sprawling artefact that tells them very little about where their actual risk lies.
There is a better approach. We call it relevance-first compliance, and the core idea is simple: start with what applies to your firm, not with what exists in the regulatory universe.
The Everything-Applies Approach
The traditional compliance mapping exercise begins with a regulatory inventory. A firm operating in Jersey, for example, might start by listing every applicable piece of legislation: the Proceeds of Crime (Jersey) Law, the Money Laundering Order, the Codes of Practice for Regulated Businesses, the Companies (Jersey) Law, the Financial Services (Jersey) Law, and so on. Then it adds guidance notes, Dear CEO letters, thematic reviews, and sectoral standards. The list grows.
From this inventory, the compliance team extracts obligations — sometimes hundreds, sometimes thousands of individual requirements. Each obligation is then mapped to internal policies, controls, and evidence. The mapping is recorded in a spreadsheet, a GRC tool, or a combination of both.
The result is a mapping that is comprehensive in scope but often shallow in usefulness. It treats a high-risk obligation around beneficial ownership identification with the same weight and rigour as a low-risk administrative filing requirement. Everything is mapped, but nothing is prioritised. The compliance team knows what exists; they do not know what matters.
This approach also creates a maintenance burden that is almost impossible to sustain. When a regulatory change arrives, the team must assess its impact across the entire map. When an audit approaches, they must prepare evidence for every mapped obligation, regardless of materiality. When a new team member joins, they must navigate a mapping that is more encyclopaedia than operational tool.
What Relevance-First Looks Like
A relevance-first approach inverts the starting point. Instead of asking "what regulations exist?" it asks "what are our regulated activities, and which specific obligations arise from them?" The firm begins with its own profile — its jurisdictions, licence types, client base, product set, risk appetite, and operating model — and uses that profile to filter the regulatory universe down to the obligations that are genuinely applicable and material.
This is not about ignoring regulations. Every applicable requirement still gets mapped. But the filtering happens before the mapping, not after. The result is a regulatory scope that is manageable, focused, and defensible. When a regulator asks "how did you determine what applies to you?" the firm can explain the relevance criteria, the risk-based judgements, and the rationale for excluding requirements that do not apply.
The practical implications of this shift are significant:
- Mapping is smaller and richer. Instead of a thousand thinly mapped obligations, you have three hundred deeply mapped ones. Each mapping includes not just the link between regulation and policy, but the interpretation rationale, the risk assessment, the evidence chain, and the change propagation path.
- Maintenance is feasible. When a regulatory change arrives, the relevance filter tells you immediately whether it affects your scope. If it does, the impact radius tells you what downstream mappings to review. If it does not, you can log it and move on with confidence.
- Audit preparation is structural, not scrambled. Because every mapped obligation has a defined evidence chain, audit preparation is a matter of extracting and formatting — not hunting and assembling.
- Resource allocation reflects risk. The compliance team can spend its time on the obligations that carry the highest risk to the firm, rather than distributing effort evenly across a thousand-row spreadsheet.
The Relevance Decision
The critical question in a relevance-first model is: how do you determine what is relevant? This is where many firms hesitate, because the relevance decision involves judgement, and judgement creates risk. What if you exclude something that later turns out to apply?
This concern is legitimate, but it conflates two different things. The relevance decision is not about ignoring regulations; it is about documenting a risk-based assessment of applicability. A well-structured relevance framework captures:
- The regulatory requirement — what the provision says and which instrument it comes from.
- The applicability assessment — why it does or does not apply to the firm, based on specific criteria (jurisdiction, licence type, client type, activity type, risk rating).
- The materiality assessment — for applicable requirements, how material the obligation is, given the firm's risk profile and operating model.
- The approval record — who made the assessment, when, and under what authority.
- The review trigger — what events would cause the assessment to be revisited (regulatory change, new business line, jurisdictional expansion).
This is not guesswork. It is structured, documented, risk-based decision-making — exactly what regulators expect to see. A firm that can produce a relevance assessment with clear criteria and a transparent audit trail is in a stronger position than a firm that mapped everything but cannot explain why half of its mappings are incomplete or stale.
From Coverage to Defensibility
The shift from everything-applies to relevance-first is fundamentally a shift from coverage to defensibility. The old model optimises for breadth: how much of the regulatory universe have we touched? The new model optimises for depth: can we defend our compliance position for every obligation we have determined applies to us?
Defensibility means being able to show a regulator, an auditor, or a board the complete chain from regulatory requirement through interpretation, policy, control, and evidence — and to demonstrate that this chain is current, reviewed, and owned. It means having an answer not just for "do you comply?" but for "how do you know you comply, and how would you know if you stopped?"
This is a higher standard than mere coverage. It is also a more sustainable one. A firm that maps three hundred obligations defensibly will always outperform a firm that maps a thousand obligations superficially — in regulatory outcomes, in audit performance, and in the confidence of its board and senior management.
Getting Started
Transitioning to a relevance-first model does not require scrapping your existing mapping. It requires layering a relevance assessment over it. Take your current regulatory inventory and, for each obligation, document the applicability criteria and the materiality assessment. Identify the obligations that are genuinely high-priority and deepen their mappings — richer interpretations, clearer evidence chains, defined change propagation paths. For obligations that are low-materiality or borderline applicable, document the rationale and set a review cycle.
The result will be a mapping that is leaner, richer, and vastly more useful — both to the compliance team that maintains it and to the regulators and auditors who examine it. It will also be a mapping that can be maintained without heroic effort, because the scope is defined by relevance rather than by the ambition to capture everything.
Relevance-first is not about doing less. It is about doing the right things well — and being able to prove it.