THE REGULATOR IS NOT YOUR EARLY WARNING SYSTEM
Welcome to the Compliance Hangover
Why Legal Risk Is Still Managed After the Party:
There’s a particular silence that settles over a boardroom when a compliance problem stops being theoretical. It usually arrives just after someone says, “How did we not see this coming?” and just before everyone starts searching inboxes for the policy that was apparently “final-final-approved” in 2021.
Welcome to the compliance hangover: that bleak corporate morning-after when the breach has happened, the regulator has arrived, the media statement is being drafted, and the business suddenly remembers that governance isn’t a decorative word for the annual report.
Most organisations don’t ignore compliance because they’re reckless villains in expensive suits. They ignore it because the business is busy. Sales needs approvals. Finance wants numbers. Operations wants speed. Legal is left holding a clipboard, politely pointing out that someone has parked a supplier contract on top of a data privacy landmine.
The problem isn’t that companies lack controls. Many have exquisite financial controls. A senior executive can see, almost in real time, whether a regional office bought two extra staplers. Yet the same organisation may have no live view of outdated contract clauses, missed statutory deadlines or risky vendor arrangements.
So, the uncomfortable question is this: why do sophisticated companies run world-class financial systems and underdeveloped legal early-warning systems? Why is cash monitored like a newborn in ICU, while legal risk is still managed with spreadsheets, calendar reminders and the collective hope that nothing catches fire before month-end?
The traditional compliance cycle is painfully familiar. A new rule appears. Legal circulates a note. The business replies, “Noted with thanks,” which too often means “we’ll get to this later”. Months pass. A complaint, breach, inspection or whistle-blower disclosure appears. Suddenly, policies are updated, training is scheduled and everyone remembers that the organisation “takes compliance seriously”.
Of course it does. It just tends to take it seriously after the invoice has arrived.
This is compliance as a confession booth. The organisation sins first, repents later and then pays penance in legal fees, remediation costs, management distraction and reputational bruising. It’s a terrible operating model, but a surprisingly popular one.
In South Africa, this approach is becoming more dangerous. POPIA requires responsible parties to process personal information lawfully, retain records only for as long as necessary, destroy or de-identify records they’re no longer authorised to keep, and notify the Information Regulator and affected data subjects where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person.
The financial sector is no gentler. The Financial Sector Regulation Act 9 of 2017 established South Africa’s Twin Peaks model, creating the Prudential Authority and the Financial Sector Conduct Authority, with supervisory, inspection, investigation and enforcement powers. In plain English: the regulator isn’t there to admire your values statement. It can ask difficult questions, arrive with statutory powers, and impose consequences.
Against that backdrop, waiting for a regulator to tell you where the problem is makes about as much sense as using a car crash as your navigation system.
Legal Tech Is Not Just Litigation With Shinier Buttons
Legal technology is often sold as a way to move faster once things have gone wrong: find documents quicker, manage matters better, track costs, brief counsel, build timelines and prepare for disputes with fewer grey hairs. That’s useful. But it isn’t the whole story.
The stronger case for legal tech is preventative. It can help reduce the number of disputes, breaches and avoidable failures before they become expensive. In other words, it helps legal teams move from post-event paperwork to pre-event intelligence.
A properly structured system isn’t just a digital filing cabinet with better manners. It can flag renewal dates, missed approvals, unusual billing patterns, trust accounting anomalies, outstanding FICA or KYC checks, dormant matters and files that have quietly slipped out of active oversight.
Then there’s workflow: the unglamorous hero. It routes approvals, triggers reminders, preserves audit trails and stops important tasks from living exclusively in the mind of Brenda from accounts, who is on leave and apparently the only person who knows where the compliance register is saved.
Legal tech doesn’t replace judgement. It replaces avoidable blindness. It gives legal and compliance teams the kind of visibility that finance has enjoyed for years: live information, consistent workflows, escalation triggers and evidence that something was actually done.
Why Legal Risk Still Lives in the Dark Ages
Step inside any modern enterprise and you’ll see the asymmetry. Finance is automated, monitored and dash boarded. Expenses are captured, approvals are routed and thresholds are watched by people who know exactly where the money is.
Then step across the hall to legal. Too often, brilliant professionals are still cross-referencing vendor contracts, searching email chains for signed clauses and tracking statutory deadlines in spreadsheets with more tabs than a nervous browser before an audit.
It’s a bizarre paradox. We use AI to predict consumer behaviour, but still use hope, memory and manually updated Word documents to manage the structural integrity of our organisations.
King IV has long pushed South African boards away from box-ticking and towards ethical, effective leadership, informed oversight and integrated governance. That’s the grown-up version of compliance: not a laminated policy, but a living system that helps the organisation anticipate risk and explain what it did when asked.
The difficulty is that living systems need live information. A board pack compiled once a quarter may be comforting, but comfort is not the same as visibility. By the time the report reaches the board, the risk may already have grown into something far less manageable.
Contract, Matter and Compliance Data Should Not Be a Treasure Hunt
Most organisations don’t actually know what’s inside their active legal universe. Agreements are signed, scanned, saved, renamed, duplicated and exiled to shared drives where they slowly become folklore. When a regulation changes, the response is often a frantic human document hunt, which is less a strategy than an expensive trust exercise.
A structured system changes that rhythm. It shows which matters are open, which tasks are overdue, which documents sit where, which approvals are outstanding and which compliance obligations need attention. That sounds basic until you’ve watched three senior people argue over whether the “real” version is called Signed_Final, Signed_Final2 or Signed_Final_UseThisOne.
POPIA Breaches Rarely Arrive Wearing a Cape
Executives often imagine a data breach as something cinematic: a hacker in a hoodie, dramatic music, the mainframe surrendering after a tense battle of wills. In practice, many privacy failures are painfully ordinary: an old database retained too long, a spreadsheet emailed to the wrong person, a vendor keeping access after a contract ends.
POPIA doesn’t care whether the failure was glamorous. Section 14 deals with retention and restriction of records. Section 22 deals with notification of security compromises. The question, when the dust settles, won’t be whether the policy looked respectable. It’ll be whether the organisation can show what personal information it held, why it held it, who accessed it, what safeguards applied, what happened, and what was done next.
That’s where legal tech becomes less “nice efficiency project” and more “we need to be able to explain this properly”. Automated reminders, access controls, audit trails, secure matter histories and workflow accountability help create proof of a system. Not perfection. Nobody sensible promises that. But proof that the organisation didn’t manage privacy with crossed fingers and a laminated poster near the printer.
Risk Avoidance Is a Performance Metric
Compliance is often framed as cost. That’s understandable. It rarely arrives wearing a party hat. It asks for budget, patience, implementation time and, most offensively, change management. But the cost conversation is incomplete if it only counts the price of prevention and ignores the price of failure.
The real cost of non-compliance isn’t only the fine. It’s the urgent forensic review, the interrupted board agenda, the clients asking nervous questions, the tender committee quietly moving on, and the communications team trying to make “we take this seriously” sound credible rather than rehearsed.
For legal practices, the point is even sharper. Clients expect their lawyers to be careful, organised and audit ready. They’re not especially comforted by the explanation that the firm’s internal process depends on institutional memory and a spreadsheet with a name only three people understand. In professional services, operational discipline is part of the product.
What Preventative Legal Tech Looks Like in Practice
Preventative legal tech doesn’t need to be dramatic. In fact, the best systems are often quietly boring, which is exactly what you want from compliance. Drama is for theatre, not trust accounting.
It looks like a centralised practice or matter management platform where documents, correspondence, billing, trust accounting, task workflows and compliance records aren’t scattered across disconnected systems. It looks like reminders that escalate before deadlines become excuses, and matter histories that don’t depend on someone’s personal folder of good intentions.
AJS positions its legal software around this operational reality: matter, billing, trust and compliance functions in a secure system for South African legal practices, with workflow and document generation tools designed to reduce administrative drag. The future of compliance isn’t more heroic last-minute effort. It’s fewer emergencies in the first place.
Curing the Compliance Hangover
No executive sets out to ignore the law. We slide into compliance hangovers because manual risk management feels fine until it doesn’t. The problem with “we’ll deal with it if it happens” is that, by the time “it” happens, the cheap options have usually left the building.
The better approach is less theatrical and far more useful: build systems that spot risk earlier, route responsibility clearly, preserve evidence automatically and give leadership a live view of where legal and compliance pressure is building. That’s not fear-based compliance. That’s intelligent governance.
Because the party is always easier to enjoy when someone responsible is watching the exits.
If this all feels a little familiar, it may be worth looking at the systems behind the scramble. AJS works with South African legal practices to bring matter management, billing, trust accounting and compliance into a more organised, auditable rhythm — not because technology makes lawyers magically calmer, but because fewer avoidable surprises is a perfectly respectable business strategy.
– Written by Alicia Koch on behalf of AJS
(Sources used and to whom we owe thanks – Protection of Personal Information Act 4 of 2013; SAFLII versions of POPIA, including the statutory framework for lawful processing, retention and security compromise notification; POPIA section 14: Retention and restriction of records; Moonstone summary of the prescribed notification form and reporting expectations under section 22 of POPIA; Financial Sector Regulation Act 9 of 2017: South African Government overview of the Act establishing the Prudential Authority and Financial Sector Conduct Authority; South African Reserve Bank: Prudential Regulation and the Twin Peaks model; Financial Sector Conduct Authority: Regulatory framework and conduct standards; King IV Report on Corporate Governance for South Africa: Institute of Directors in South Africa access page and supporting governance material and AJS article on comprehensive risk management: Context on risk management concerns for law firms).

Leave a Reply