Compliance & regulatory requirements: why “nearly compliant” still gets you binned

Clients tell me: “We’ve got most of the paperwork—can we bid?”
My answer never changes: in UK public procurement, almost compliant is non-compliant. Framework owners (CCS, YPO, NHS SBS, Everything ICT) and contracting authorities aren’t nit-picking; they’re managing risk. One expired Cyber Essentials Plus certificate, an unsigned safeguarding policy, a mismatch between your insurance certificate and your legal entity—and you’re out before anyone reads your method statement.

What follows is how I get clients from “we’ve got a folder of PDFs” to “we’re continuously tender-ready.” Use it as a checklist, or ask me to turn it into your live system.

What “compliance” actually means on frameworks (in plain English)

Different frameworks badge things differently, but the assurance pillars are consistent:

  • People safety & integrity
    Right-to-work, DBS/BPSS (and higher clearances where relevant), safeguarding governance, designated safeguarding lead, incident/near-miss reporting, whistleblowing.
  • Information security & data protection
    Cyber Essentials / CE+ (annual), access control, device and asset management, patching, backups, business continuity, breach response; UK GDPR (RoPA, DPIAs, SAR handling), data processing terms, sub-processor list.
  • Quality & Health & Safety
    ISO-style QMS (often aligned to ISO 9001), risk assessments, method statements, accident/incident logs, toolbox talks, training matrix, COSHH where applicable; H&S policy signed & dated.
  • Environment & social value
    Environmental policy (often ISO 14001 aligned), waste/carbon reporting, net-zero stance, local supply chain and employment plans, measurable social value interventions with reporting cadence.
  • Financial & insurance
    Stable financials, credit strength, and correct insurance levels with the right business description and territories (typical public-sector norms: EL £10m, PL £5m, PI where professional advice/IT is involved).
  • Corporate integrity
    Anti-bribery, modern slavery statement (publish where applicable), equality, conflicts of interest, complaints procedure.

A framework checks these at entry—and buyers check them again at call-off. If your evidence is stale or inconsistent when a mini-competition lands in Jaggaer/Atamis/Proactis/SAP Ariba, you’ll score poorly or be ruled non-compliant.

The small mistakes that quietly kill your bids

I win back time and margin for clients by removing these “paper cuts”:

  1. Expiry drift
    CE+ lapsed last week; insurance renewed but your pack still holds last year’s certificate; training matrix shows currency but the evidence folder hasn’t been updated.
  2. Name & scope mismatches
    Companies House says “ABC Limited”; your insurance says “ABC Ltd”; your bid says “ABC Group”. Or the policy excludes the exact activity you’re proposing (e.g., on-site services, personal data processing, lone working).
  3. Unsigned/undated policies
    Beautiful policy, no approval signature/date. That’s a draft, not a policy.
  4. Vetting gaps
    Mobilisation plan includes five new starters; your vetting log shows three with DBS/BPSS and two “in progress”. Buyers don’t assume—they exclude.
  5. Broken evidence links
    Cloud links requiring logins or expiring tokens. Evaluators won’t chase.
  6. “Equivalent” without mapping
    Claiming you’re “ISO-aligned” is meaningless unless you map controls to the standard and show evidence (policy → procedure → record).
  7. Financial surprises
    You passed the credit check at framework award, then filed accounts that dropped your score. No mitigations, no explanation.
  8. Portal hygiene
    Wrong lot tags, old catalogue entries, missing geographies, outdated contacts. If buyers can’t filter to you, they can’t invite you.

Any one of these drops you from compete to bin.

Build a compliance machine (not a document dump)

If you want consistent conversion at call-off, you need a living system that defaults to “compliant today”—not a scramble the night before.

1) Stand up a single source of truth (SSOT)

  • Structured folders with controlled filenames:
    02_Policy_Safeguarding_v8_2025-09-15_Signed.pdf
  • Every document has a front-sheet: owner, version, approval signature, review date, and the framework criteria it satisfies.
  • Keep a Short Pack (the 10–15 files buyers actually request most) and a Deep Pack (full evidence).

2) Map evidence to each framework

  • Two columns: Requirement → Evidence.
  • Where you claim “equivalent,” add a control-by-control mapping showing where each requirement lives in your system (policy, procedure, record).
  • Flag gaps, assign owners, set due dates.

3) Put named owners on the hook

  • RACI per pillar:
    InfoSec (IT lead), GDPR (Data Protection lead), Safeguarding (DSL), H&S (NEBOSH-qualified lead), Quality (Ops), ESG/Social Value (HR/ESG), Finance (FD), Legal (contracts/DPAs).
  • Owners have metrics: zero expired documents; 100% training currency for in-scope roles; audits completed on schedule.

4) Automate renewals and assurance

  • A renewal calendar with 60/30/7-day prompts for insurance, CE/CE+, policy reviews, statements, key training.
  • Quarterly internal audits: pick five staff files at random; inspect vetting, induction, and training; check incident/breach logs; test SAR/DPIA templates; verify asset register accuracy.
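An added example (my own illustration, not any framework's or portal's tooling) of how the controlled-filename convention from step 1 and the 60/30/7-day renewal prompts from step 4 can be scripted into a single expiry-drift check. It assumes every item is on an annual review cycle counted from the signed date in the filename; the sample pack and the "today" date are constructed.

```python
import re
from datetime import date, timedelta
# Controlled filename convention from the SSOT section: NN_Type_Name_vN_YYYY-MM-DD[_Signed].pdf
FILENAME_RE = re.compile(
    r"^(?P<seq>\d{2})_(?P<kind>[A-Za-z]+)_(?P<name>[A-Za-z0-9-]+)_v(?P<ver>\d+)_"
    r"(?P<signed>\d{4}-\d{2}-\d{2})(?P<sig>_Signed)?\.pdf$"
)

# Assumption: every item is on an annual review cycle measured from the signed date.
REVIEW_CYCLE = timedelta(days=365)
PROMPT_DAYS = (60, 30, 7)  # the 60/30/7-day prompts the renewal calendar sends

def classify(filename, today):
    """Return (item name, status); status starts with REJECT/DRAFT/EXPIRED/PROMPT-n/OK."""
    m = FILENAME_RE.match(filename)
    if not m:
        return filename, "REJECT: filename not in controlled format"
    name = m.group("name")
    if not m.group("sig"):
        return name, "DRAFT: no approval signature in filename"
    due = date.fromisoformat(m.group("signed")) + REVIEW_CYCLE
    remaining = (due - today).days
    if remaining < 0:
        return name, f"EXPIRED: review was due {due.isoformat()}"
    for window in sorted(PROMPT_DAYS):  # smallest window first so 7 wins over 30
        if remaining <= window:
            return name, f"PROMPT-{window}: review due {due.isoformat()}"
    return name, f"OK: review due {due.isoformat()}"

def dashboard(filenames, today):
    """Bucket the pack by status label, the way a monthly compliance dashboard would."""
    buckets = {}
    for fn in filenames:
        name, status = classify(fn, today)
        buckets.setdefault(status.split(":")[0], []).append(name)
    return buckets

# Constructed sample pack and "today" (not real client files or dates)
AS_OF = date(2025, 11, 1)
SAMPLE_PACK = [
    "02_Policy_Safeguarding_v8_2025-09-15_Signed.pdf",
    "03_Cert_CyberEssentialsPlus_v1_2024-10-20_Signed.pdf",
    "04_Policy_HealthSafety_v3_2025-01-10.pdf",
    "05_Policy_InfoSec_v5_2024-12-01_Signed.pdf",
    "insurance scan final FINAL.pdf",
]

if __name__ == "__main__":
    for bucket, names in sorted(dashboard(SAMPLE_PACK, AS_OF).items()):
        print(f"{bucket:10} {names}")
```

Point it at the Short Pack folder on a schedule and the EXPIRED, DRAFT and REJECT buckets are the paper cuts from the list above, caught before a buyer sees them.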

5) Standardise templates that win time at call-off

  • Signed policies, step-by-step procedures, blank and sample records (incident forms, breach logs, training matrix, vetting log).
  • Supplier DPA with sub-processor schedule and breach timelines.
  • Mobilisation Gantt (roles, dependencies, go-live gates, risk & contingency).
  • Case studies and CVs aligned by lot and by sector.

6) Make your portal storefront buyer-friendly

  • Correct legal entity, coverage map, catalogue SKUs, keywords, and decision-maker contacts.
  • Test findability: can a buyer filter the lot and actually land on you?

The 90-day sprint I run with clients

Days 0–14 — Baseline & triage

  • Gap-assess against the pillars; fix fast hygiene issues (signatures/dates, name consistency, missing insurance schedule pages, broken links).
  • Publish the Short Pack and replace stale files in live frameworks.

Days 15–45 — Structure & closeouts

  • Build the SSOT, evidence maps, and renewal calendar.
  • Close vetting gaps; refresh the training matrix; update RoPA/DPIA templates; rehearse breach response.
  • Refresh modern slavery, EDI, H&S, environmental policies; publish statements on your site where required.
  • If you’re claiming ISO “equivalency”, complete the control mapping and do an internal audit with actions.

Days 46–90 — Prove & embed

  • Run a mock buyer audit against one live framework’s criteria.
  • Train managers on incident escalation, safeguarding, and SAR handling.
  • Launch a monthly compliance dashboard (expired items, audits due, training currency, incidents closed).
  • Clean your portal entries; align catalogue SKUs and tags to how buyers search.

Red flags evaluators look for (so you can pre-empt them)

  • Policy says “annual review”; metadata shows two years since last sign-off.
  • Insurance excludes the core activity or geography.
  • Vetting “in progress” for staff due on site next week.
  • CE+ scope limited to “head office only” but service is delivered at client sites.
  • Data processing terms missing sub-processors or breach timelines.
  • Social value promises are vague (“we will explore apprenticeships”) without local metrics or reporting.
  • Cash-flow or gearing issues with no mitigations or parent guarantee.

Make compliance commercially useful

This isn’t admin; it’s pre-sales:

  • Pre-populated answers: lift from the SSOT into Jaggaer/Atamis in minutes.
  • Risk-priced bids: your incident history and mitigations justify pricing and exclusions.
  • Mobilisation credibility: real controls, real people, real logs—buyers trust what they can verify.

Minimal viable “always tender-ready” pack (keep live)

  • Certificates: CE/CE+, EL/PL/PI insurance, sector cards/accreditations.
  • Policies: InfoSec, Data Protection/Privacy, Safeguarding, H&S, Quality, Environmental, Modern Slavery, Anti-bribery, Whistleblowing, EDI — all signed & dated.
  • Procedures & records: Incident/Breach, SAR handling, Complaints, Vetting log, Training matrix, Asset register.
  • Corporate: Legal name/number, ownership, conflicts, headline financials/mitigations, bank details (redacted).
  • Social value: locality-specific plan template, metrics, monthly/quarterly reporting cadence.
  • People & proof: sector-relevant case studies, role-based CVs, mobilisation Gantt.
  • Portal data: catalogue SKUs, tags/keywords, geographies, contacts.

Bottom line

Frameworks create opportunity; compliance earns permission to compete. If your evidence isn’t current, consistent, and accessible, you’re volunteering to lose call-offs you could have won. Build the machine once—owners, versions, renewals, mapped evidence—and your team stops scrambling for certificates and starts winning work.
