A practical guide for transformation managers, procurement leaders, and senior leadership who need adoption - not just policy.
You've spent months designing a new compliance process. The policy is sound. The system is configured. Leadership has signed off. And then - quietly, steadily - line managers start going around it.
They hire contractors or engage service providers without raising a purchase order. They renew engagements on a handshake. They fill in worker classification assessments with whatever answers get them through fastest. They engage labour under service contracts, creating compliance risks and complicating cost control.
Not because they're malicious, but because they're busy, under pressure, and your new process feels like friction standing between them and getting the job done.
This is the single biggest risk to any compliance or governance transformation: not the policy, not the technology, but whether the people on the ground actually use it.
This guide draws on real patterns we've seen across large organisations implementing external workforce compliance - from logistics firms managing hundreds of contractor assignments globally, to universities navigating decentralised academic hiring, to manufacturers uncovering hidden tax exposure in their supply chains. The challenges are remarkably consistent, and so are the solutions that work.
The Real Reasons Managers Bypass Compliance
Before you can fix non-compliance, you need to understand it honestly. Managers don't bypass processes because they enjoy risk. They do it for a handful of predictable reasons.
The process adds time they don't have. A hiring manager with a project deadline and an approved budget doesn't want to spend two weeks navigating a new system before they can bring someone in. If the old way - an email to procurement, a phone call to an agency - was faster, that's what they'll default to.
They don't understand the risk. Most line managers have never heard of worker misclassification penalties (IR35 in the UK), or the concept of a Senior Accounting Officer's personal liability. The compliance risk is invisible to them. What's visible is the project that needs delivering.
The system feels like surveillance, not support. If the first experience a manager has with your new process is a long questionnaire that feels like a test they might fail, they'll resist it. Nobody wants to be policed. Everyone wants help getting their work done.
They've been burned by "systems" before. Many organisations have a graveyard of tools that were rolled out with fanfare and abandoned within six months. Managers are understandably sceptical when the next one arrives.
There's no consequence for non-compliance. If a manager can hire a contractor without using the new process and nothing happens, the process is optional - regardless of what the policy says.
What Doesn't Work
Before covering what does work, it's worth naming a few common approaches that consistently underperform.
Mandating compliance by email. Sending an all-staff communication saying "effective immediately, all contractor engagements must go through the new system" achieves very little on its own. Emails get archived. Policies get forgotten. Without structural enforcement, mandates are just suggestions.
Training as a one-off event. Running a training session during rollout week and assuming the job is done misses the reality that managers hire contractors sporadically. The manager who attends training in March may not need to hire anyone until September — by which point they've forgotten everything.
Making the process comprehensive at the expense of usability. There's a temptation to capture every possible data point at the point of engagement. The result is a 45-minute intake form that guarantees managers will find workarounds. Comprehensiveness and usability are in tension, and usability must win for the first interaction.
What Actually Works: A Framework for Driving Adoption
The organisations that successfully embed new compliance processes share a common pattern. They treat adoption as a design problem, not a communications problem. Here's the framework.
1. Make the Process Easier Than the Workaround
This is the single most important principle. If your compliance process is faster and simpler than the informal route, managers will use it voluntarily. If it isn't, no amount of policy enforcement will sustain adoption.
In practice, this means designing for the 80% case first. Most contractor engagements are straightforward - a known supplier, a defined piece of work, a reasonable budget. Your process should handle these in minutes, not days. Save the heavy-touch review for the high-risk, high-value engagements that genuinely need it.
One effective approach is risk-based triage. Rather than subjecting every engagement to the same process, let the system assess risk early and route accordingly. A £5,000 piece of consultancy work with a limited company doesn't need the same scrutiny as a £250,000 individual contractor embedded in your team for two years. When managers see that the process is proportionate, resistance drops significantly.
The goal is simple: make managers reach for the tool because it saves them time, not because policy forces them.
2. Create a Structural Gate That Can't Be Bypassed
Voluntary adoption is the goal. But you need a backstop. The most effective structural gate is tying compliance to something managers already have to do - typically the purchase order.
If a contractor engagement can't get a purchase order raised without a compliance reference number, the process becomes unavoidable without being adversarial. The gate isn't punitive. It simply makes compliance a prerequisite for the thing they already need to happen. This is the difference between a process that's "recommended" and one that's "embedded."
The key is keeping the gate lightweight. If generating a compliance reference takes five minutes, it's a minor step. If it takes five days, you've created a bottleneck that will generate executive pressure to create exceptions - and exceptions, once granted, become the norm.
3. Bring the Process to Where Managers Already Work
Every additional login, every separate portal, every new browser tab is friction. The most successful rollouts integrate compliance touchpoints into the tools managers already use - whether that's Teams, Slack, their ERP system, or email.
If a manager can initiate a compliance check from a Teams message, receive the outcome in the same channel, and never need to learn a new interface, you've removed the single biggest adoption barrier: remembering the process exists.
One final thing: single sign-on (SSO). Keep things easy so line managers don't need to remember separate passwords and credentials when they do need to undertake compliance checks.
4. Show the Risk in Terms They Understand
Line managers don't respond to abstract regulatory references. They respond to tangible consequences framed in terms relevant to their world.
Instead of: "Failure to comply with IR35 off-payroll rules may result in regulatory penalties."
Try: "If this contractor is found to be misclassified, HMRC can look back five years and recover the tax from us - not the contractor, not the agency. That's on our balance sheet. For a single long-term contractor on a day rate, that exposure can reach six figures."
Better still, use real examples. Most large organisations have had at least one close call, one HMRC enquiry, one expensive retrospective assessment. With appropriate anonymisation, these stories are far more persuasive than any policy document.
The most effective compliance training isn't a webinar about regulations. It's a 20-minute session with real financial penalties, real case examples, and a clear explanation of what this means for the specific managers in the room.
5. Design for Honest Answers, Not "Right" Answers
One of the most common failure modes in compliance assessments is managers (or contractors) giving the answers they think will produce the desired outcome rather than the truthful ones. If a manager knows that answering "yes" to the substitution question means their preferred contractor can keep working, they'll answer "yes" - whether or not genuine substitution rights exist.
The solution isn't to make the questions harder. It's to design the process so that honesty doesn't feel punishing. That means separating the assessment from the outcome, so managers feel safe providing accurate information without fear that it will immediately block their engagement. It means cross-referencing answers against contract terms and working practices rather than relying solely on self-reporting. And it means having a clear, supportive path for engagements that are flagged as high-risk - not just a hard stop.
Face-to-face conversations still matter for high-value or complex engagements. Systems handle volume; relationships handle nuance.
6. Make Compliance Continuous, Not Point-in-Time
A common mistake is treating compliance as a gate at the start of an engagement and then never revisiting it. Working practices change. Contracts get extended. Scope creeps. A contractor who was genuinely outside IR35 in year one may be clearly inside by year three - but if nobody reassesses, the organisation carries accumulating risk without knowing it.
Build periodic reassessment into the process. Trigger reviews at contract renewal points, at spend thresholds, or at fixed intervals. Make these lightweight - a five-minute check-in rather than a full re-assessment - but make them happen.
This also addresses one of the most dangerous patterns: the long-tenure contractor. Organisations routinely discover contractors who've been embedded for three, five, even seven years - often on day rates, using company equipment, with company email addresses, and with no realistic right of substitution. These are the engagements that generate the largest tax exposure, and they're invisible without continuous monitoring.
Tenure visibility is also one of the best tools for reducing friction with line managers. When you can see at a glance which engagements are long-standing and high-risk versus which are short-term and low-risk, you know exactly where to focus attention - and where to leave managers alone. Not every engagement needs the same level of oversight. Tenure data helps you be surgical rather than blanket, which builds trust with the business units that are doing things right.
7. Flag the Outliers - Not Every Assessment
Most organisations route every completed assessment to procurement, tax, or finance for manual review. This creates two problems: it overwhelms the reviewers, and it adds unnecessary delay for the majority of straightforward engagements - which is exactly the kind of friction that drives managers to bypass the process altogether.
A smarter approach is to build a baseline during mobilisation. Use your initial data to establish what "normal" looks like for your organisation: is this role typically assessed as an independent contractor (outside IR35) or as an employed worker (inside IR35), in your market and jurisdiction? What's the typical classification split across similar engagements?
Once you have that baseline, the interesting signals aren't the assessments that fall within the expected range - they're the anomalies. If 90% of software contractors across the business are assessed as inside IR35, why has one department consistently returned outside results? If a role is routinely classified one way across every other business unit, why has this particular assessment come back differently?
Equally telling: too many consistencies. If every single assessment from one area returns identical results with identical answers, that's a red flag that someone is copying responses rather than genuinely assessing each engagement.
Run monthly or quarterly reviews of the data rather than reviewing every individual assessment in real time. Where the data raises a flag - an outlier department, an unusual pattern, a suspicious level of uniformity - you can investigate, educate, and make targeted changes. The areas of the business with a strong compliance posture get less friction. The areas that need attention get it. Everyone's time is better spent.
8. Replace Static Forms with Conversational AI — Backed by Human Expertise
Compliance assessments have historically been carried out by forms. Tick boxes, dropdown menus, yes/no questions. The problem isn't just that they're tedious - it's that they lack context. A static form can't probe further when an answer doesn't quite make sense. It can't ask "what do you mean by that?" It can't spot the gap between what someone selected and what the contract actually says. And critically, when the questions are the same every time, in the same order, they're easy to game. Managers and contractors quickly learn which answers produce the "right" outcome.
Highly advanced, conversational, deterministic AI changes this dynamic. An AI-led assessment adapts in real time - following up on ambiguous answers, probing inconsistencies, and gathering richer contextual information than any static form can capture. Because the questions aren't fixed or predictable, it's significantly harder to reverse-engineer the "correct" responses.
The evidence supports this. Research published in Artificial Intelligence and Law found that fine-tuned AI models achieved 20x higher accuracy than forms in classifying worker status based on the characteristics of the working relationship - and critically, this accuracy held even across different jurisdictions. Separate research into conversational AI for data collection found that adaptive, dialogue-driven approaches consistently produce richer, more detailed responses than traditional forms, with higher completion rates and greater participant engagement.
But AI shouldn't work in isolation. The real power is in the combination: AI gathers deeper, more contextual information than a form ever could, then surfaces it with contractual analysis, alongside the anomaly data from your baseline reviews, for a human expert to quickly assess. Systems handle volume; humans handle nuance. The result is better data, faster decisions, less friction for managers, and a detailed audit trail that stands up to scrutiny.
9. Give Senior Leadership Visibility Without Asking Them to Do the Work
CFOs, SAOs, and Finance Directors need to know the organisation's compliance posture. They don't need to - and won't - log into a system to find out. The most effective approach is automated reporting that surfaces to leadership on a cadence they find useful: a monthly compliance dashboard, a quarterly risk summary, an alert when exposure exceeds a defined threshold.
This serves two purposes. It gives leadership the defensible evidence they need if a regulator comes calling. And it creates top-down pressure that reinforces adoption - because when the CFO can see which business units are and aren't using the process, accountability follows naturally.
A Realistic Timeline for Embedding Change
One of the mistakes organisations make is expecting full adoption on day one. A more realistic and effective approach is phased rollout.
Weeks 1–3: Foundation. Start with data. Understand your current contractor population, your spend, your existing documentation. You don't need perfect data - even 20 to 30 suppliers gives you enough to establish a baseline and identify the highest-risk engagements.
Weeks 4–6: Pilot. Run the new process with a small group - ideally one business unit or one category of engagement. Choose an area with visible risk and a willing champion. Use this phase to refine the process based on real feedback, not assumptions.
Months 2–3: Expand. Roll out to additional business units. By this point you'll have real examples of the process working, real data showing risk identified and managed, and real advocates who can speak peer-to-peer about the experience.
Months 3–6: Embed. Activate structural gates (PO integration, compliance reference requirements). At this point, the process should be well-understood and the tool well-tested. The gate moves you from "most people comply" to "everyone complies."
Ongoing: Monitor and improve. Track adoption rates, assessment completion times, risk trends. Use the data to continuously simplify the process and demonstrate value.
The Adoption Conversation You Need to Have
If you're a transformation manager or procurement leader preparing to roll out a new compliance process, the most important conversation isn't with your vendor or your project team. It's with the line managers who will use it daily.
That conversation needs to address three things honestly. First, why this matters - in concrete financial and personal terms, not regulatory abstractions. Second, how it will make their life easier - with a genuine commitment to usability, not just a promise. Third, what happens if they don't use it - not as a threat, but as a clear statement of organisational expectation.
The organisations that get this right don't just achieve compliance. They gain visibility into their external workforce that they've never had before - who's actually working for them, what they're paying, where the risks are, and whether their contracts reflect reality. That visibility transforms compliance from a cost centre into a strategic capability.


