Getting your compliance in order
Let's be honest. This is the least exciting part of bid readiness. No one gets fired up about insurance certificates and policy documents. But get this wrong and none of the exciting stuff matters, because you won't make it past the first check.
Before a buyer looks at a single word of your quality responses, they check whether you're eligible to bid at all. Compliance is the entry requirement, not the winning formula. But without it, nothing else matters.
Exclusion grounds
Every tender will ask you to declare whether any exclusion grounds apply to your business. These fall into two categories.
Mandatory exclusion grounds are absolute. If they apply, you cannot bid. These cover things like serious criminal convictions, terrorism offences, fraud, and corruption. If any of these apply to your business, a director, or someone with significant control, you will be excluded.
Discretionary exclusion grounds are different. These are things a buyer can choose to exclude you for, but doesn't have to. They include things like insolvency, significant past performance failures, misrepresentation, and certain financial irregularities. If any of these apply, you need to declare them, but you also have the opportunity to demonstrate what you've done about it. This is called self cleansing.
Self cleansing is genuinely important and not enough businesses know about it. If a discretionary ground applies, you can set out the steps you've taken to address the issue, changes to personnel, new processes, remediation measures, evidence that it won't happen again. A well prepared self cleansing statement can allow a business to remain in a procurement process that it might otherwise have been excluded from. The key is to think about this in advance, not when you're halfway through filling in a selection questionnaire with a deadline looming.
I'll give you a real example of why this matters. When I was on the procurement side, a bidder submitted a response and declared that they had never had a contract terminated with a public sector body. During the evaluation process it came to light that this wasn't accurate. A contract had been terminated previously due to equipment failure and quality issues. They were excluded from the process.
Had they declared the termination at the outset, they would have had the opportunity to explain what happened and set out the self cleansing measures they had taken since, the changes they had made, the improvements to their processes, the evidence that the same thing wouldn't happen again. Whether those measures would have been deemed acceptable is impossible to say, that decision sits with the contracting authority and it would have depended entirely on what they said and how compelling their case was.
But by not declaring it, they took that option completely off the table. They eliminated themselves.
If you're not sure whether something needs to be declared, take advice. Declaring something you don't need to declare is far better than failing to declare something you should have.
Subcontractors, consortiums and relied upon entities
If you're bidding as part of a consortium, or if you're relying on another business to meet the selection criteria, their compliance position matters too. You'll typically need to provide the same declarations and information for any entity you're relying upon. This catches people out regularly. Have that conversation with any partners or subcontractors before you start, not when you're pulling the submission together the night before.
The common compliance areas
Beyond exclusion grounds, here are the areas that come up most often.
Quality, environmental and health and safety management systems. ISO 9001, ISO 14001 and ISO 45001 are the most commonly referenced certifications. Many buyers will accept equivalence, a documented system that demonstrates the same standard of rigour without the formal certification. Whether you need the certification itself, equivalence, or neither depends on your market and the specific contracts you're targeting. In construction, health and safety accreditation is far more likely to be required than in consultancy or professional services. The research you've done on your target market will tell you what's expected in your space, so do that first before investing in anything.
Cyber Essentials. This is becoming an increasingly standard requirement, particularly for contracts involving data handling, digital services, or anything above £5 million in value. Since April 2025 it has been mandatory for suppliers bidding on central government contracts above that threshold. It's UK Government backed, relatively affordable to achieve, and something that genuinely protects your business as well as satisfying a compliance requirement. If you're targeting contracts where data or technology is involved, getting this in place sooner rather than later is a sensible move. Again, worth knowing if its needed before going ahead and spending time and resource but worth considering.
Industry specific accreditations. Beyond the ISO family there are sector specific accreditations that are recognised as a standard of excellence in certain industries and commonly expected by buyers. Know what's standard in your space.
Insurance levels. Businesses sometimes assume they need certain levels of cover in place before they can bid. In most cases, if you're successful you'll be given the opportunity to put the required cover in place before the contract starts. You do need to know what's likely to be required though, because it affects your cost assessment and your decision about whether bidding makes commercial sense.
Policies. Health and safety, equalities and diversity, environmental, data protection and GDPR, Modern Slavery Act compliance, Fair Work. These need to exist, be current, be properly signed off, and actually reflect how your business operates. A policy that was written three years ago and hasn't been looked at since is a liability, not an asset. On data protection, if you handle any personal data, and most businesses do, make sure your approach to GDPR is documented and up to date. Buyers want confidence that their data and the data of the people they serve will be handled responsibly.
There is no single compliance checklist
This is worth saying because I hear it a lot. There is no universal list of things you must have in place before you can bid. What you need depends on who your buyers are, what they're procuring, and what sector you're operating in.
That's why the market intelligence work we covered in the last article comes first. Understanding your buyers and what they typically ask for tells you what you actually need to have in place. A picture specific to your business and your market, not a generic checklist that may or may not be relevant to what you're going after.
And having the compliance in place is the foundation, not the finish line. It gets you to the scoring stage. Once you're through the door, everything comes down to how well you can demonstrate that you're the right supplier for this contract.
Understanding exactly how your response is going to be evaluated is where we go next.
Everything I share in this series is based on my own experience on both the buyer and the bidder side. I'd love to hear your views too. If something resonates, or if you see it differently, tell me in the comments.
I'm Mandy, founder of Millar Tender Solutions. I help growth-focussed businesses win public sector contracts, drawing on 20+ years of experience on the buyer side. I'm also an associate trainer with Supplier Development Programme Scotland and deliver bid readiness support through a number of Business Gateway Expert Help frameworks. If you want to talk about where your business is on its bid readiness journey, drop me a message.