A care provider operating twelve residential homes across the Midlands received a Fair Work Agency visit at their Coventry site in February 2026. The inspectors asked to see right to work records for all staff currently on shift. The site manager opened a filing cabinet, pulled out a folder, and began searching through loose-leaf plastic wallets containing photocopied passports and scribbled dates.
Three of the fifteen staff on shift had no records on site at all. The site manager explained that their paperwork was "at head office." Head office, when called, said the records were "probably with the regional manager." The regional manager was on leave.
The civil penalty notice — issued against the company, not the individual site — covered all three workers. At up to £45,000 per worker for a first offence, the total exposure was £135,000. The other eleven sites, which may have had identical gaps, were now on the enforcement radar.
This is not a story about one badly managed care home. It is a story about what happens when a multi-site business treats compliance as a local responsibility without providing centralised infrastructure.
The multi-site compliance problem
Any business operating across multiple locations faces a structural challenge that single-site businesses do not: the distance between where compliance is managed and where compliance is tested.
In a single-site business, the person responsible for right to work checks is usually in the same building as the records, the staff, and — when they arrive — the inspectors. They can walk to the filing cabinet, pull a file, and present the documentation.
In a multi-site business, the compliance landscape fractures along several axes.
Records are distributed. Some documents are at the site where the employee works. Some are at head office. Some are with the manager who conducted the onboarding. Some are in an email attachment that nobody saved to the shared drive. When an inspector asks for records at Site 7, the relevant documents may be at Sites 2, 4, and head office.
Processes vary by location. Head office may have a written compliance procedure. The site manager at Location A follows it meticulously. The manager at Location B has developed their own shorthand version. Location C has a new manager who was never trained on the process. Location D has no manager at the moment and the assistant manager is covering. Five sites, five different standards, one company liability.
Accountability is unclear. Is compliance the responsibility of the site manager, the regional manager, the HR team at head office, or the company directors? In many multi-site businesses, the answer is "all of the above," which in practice means "none of the above." When everyone is responsible, nobody is accountable.
Visibility is limited. Head office does not know the compliance status of individual sites in real time. They may conduct periodic audits — quarterly, annually, or when someone remembers to. Between audits, gaps develop silently. A new starter whose paperwork was never completed. A visa that expired three months ago. An agency worker whose identity was never verified. These gaps are invisible until an inspector makes them visible.
Sectors most affected
The multi-site compliance challenge is most acute in sectors that combine high staff volumes, high turnover, and regulatory intensity.
Care providers. A care company operating ten or more homes may have hundreds of staff across sites, many of them part-time, agency, or bank workers. Each home has its own manager, its own shift patterns, and its own filing system. The CQC inspects individual locations, but compliance failures at one site trigger scrutiny of the entire organisation. The Fair Work Agency operates on the same principle.
Hospitality groups. A restaurant chain with twenty locations faces similar challenges. Kitchen and front-of-house staff may move between sites. Managers at busy locations prioritise service over paperwork. The documents for a chef who works across three locations may be at any of them — or none.
Retail chains. A retailer with fifty stores has fifty sets of staff records, fifty store managers conducting checks, and fifty potential points of failure. When head office mandates a process, adoption at store level is inconsistent.
Construction firms with multiple sites. A contractor running three or four projects simultaneously has workers who move between sites, subcontractors who supply labour to different locations, and site managers who focus on build schedules rather than compliance records.
Recruitment agencies with multiple branches. An agency operating from several offices may register workers at one branch and deploy them from another. The registration records stay at the original branch. The deployment records are at the placing branch. The compliance gap sits between them.
The regulatory reality
The enforcement framework does not accommodate multi-site complexity. When the Fair Work Agency or Home Office inspects a site, they expect to find complete, accurate records at that site, for every person working at that site, at that moment.
The Home Office employer's guide to right to work checks does not distinguish between a business with one office and a business with a hundred locations. The obligation is the same: verify every worker's right to work before they start, maintain records, and produce them when asked.
The civil penalty scheme holds the employer — the legal entity — responsible for every site. A failure at one location is a failure by the company. The penalty is issued to the company, not to the site manager. And a pattern of failures across multiple sites can elevate a case from civil penalties to criminal prosecution, on the basis that non-compliance is systemic rather than isolated.
This means that the compliance risk of a multi-site business is not the sum of individual site risks. It is multiplicative. Each additional site creates another point of potential failure, and each failure compounds the others in the eyes of enforcement bodies.
What good multi-site compliance looks like
The businesses that manage multi-site compliance effectively share a common approach: they centralise the system while distributing the execution.
Centralised digital records
Every compliance record — right to work checks, DBS certificates, qualifications, training records — is stored in a single, centralised digital system accessible from any site. No paper filing cabinets. No documents stored on individual computers. No records that exist only in someone's email.
When an inspector arrives at any site, any authorised person at that site can access the complete compliance record for every worker on shift, in minutes. The records are not "at head office" or "with the regional manager." They are in the system, accessible now.
This is not just about convenience. It is about producing an audit trail that demonstrates systematic compliance. A centralised record shows that the organisation has a process, that the process is applied consistently, and that compliance is monitored in real time.
Standardised processes
Every site follows the same compliance process. Not "roughly the same" — exactly the same. The steps for conducting a right to work check, the documents required, the recording method, the escalation procedure for anomalies — all identical, all documented, all trained.
This requires investment in training. Every site manager, every person who conducts onboarding, every shift supervisor who accepts agency workers must be trained on the standard process. The training must be recorded (on the centralised system) and refreshed periodically.
Standardisation also means standardised exceptions. What happens when a new starter cannot produce documents on day one? What happens when a visa expiry date is approaching? What happens when an agency worker arrives without prior notification? Each scenario must have a defined, consistent response across all sites.
Real-time visibility for head office
The compliance team at head office must have a live view of compliance status across all sites. Not a quarterly report. Not an annual audit. A dashboard that shows, in real time:
- How many staff at each site have complete compliance records
- How many records are incomplete or pending
- How many visas or work permissions are expiring in the next 30, 60, and 90 days
- Which sites have conducted their checks on time and which are falling behind
- Where agency workers have been accepted without proper verification
This visibility serves two purposes. First, it enables early intervention — head office can identify and address gaps before an inspector does. Second, it demonstrates to regulators that the organisation has active, ongoing compliance oversight. The difference between "we audit annually" and "we monitor continuously" is the difference between reactive and proactive compliance.
Site-level accountability with head office oversight
Compliance execution must sit at site level. The site manager is the person who sees the staff, who meets the agency workers, who knows who is on shift. They must have the responsibility and the tools to conduct and record checks.
But accountability cannot rest solely at site level. Head office must set the standard, provide the tools, monitor performance, and intervene when sites fall short. This is not micromanagement — it is governance.
The most effective model assigns clear roles:
- Site manager: conducts and records checks for their site, ensures all staff have complete records, manages day-to-day compliance
- Regional manager: reviews compliance dashboards for their region, conducts spot-check audits, supports site managers with complex cases
- Head office compliance team: owns the system, sets the standard, monitors all sites in real time, reports to the board, manages inspector visits
- Board/directors: receive regular compliance reports, bear ultimate legal responsibility, ensure adequate resources
Regular cross-site audits
Even with centralised records and real-time dashboards, physical audits remain important. A compliance team member visiting a site can verify that:
- The people on shift match the records in the system
- Documents stored digitally match the originals
- The site manager understands and follows the process
- Agency workers are being verified at arrival, not just logged
- The physical environment matches what the records suggest
These audits should be unannounced — mirroring the approach the Fair Work Agency will take. If your own compliance team can arrive without warning and find everything in order, you are in a strong position when an external inspector does the same.
The cost of getting it wrong
Beyond the direct financial penalties, multi-site compliance failures create cascading consequences.
Enforcement escalation. A failure at one site prompts inspectors to visit other sites. If they find similar gaps, the case is no longer about one location — it is about systemic non-compliance. The penalty calculation changes. The likelihood of criminal prosecution increases.
CQC, Ofsted, and sector regulator involvement. In regulated sectors, a right to work failure at one site can trigger a wider regulatory review. A care provider that fails at one home may face enhanced inspection across all its locations. A school that fails its single central record faces immediate rating consequences.
Operational disruption. When enforcement action affects one site, the operational impact spreads. Management attention shifts from running the business to managing the crisis. Staff at other sites become anxious. Agency partners reassess the relationship. Clients or service users — patients, residents, students — may be affected.
Reputational damage. "Care provider fined for illegal workers at multiple sites" is a national news story, not a local one. Multi-site failures suggest organisational incompetence, not individual error. The reputational recovery is correspondingly harder.
The practical first step
For any multi-site business, the first step is an honest assessment of the current state. Pick five sites at random. For each site, attempt to access the complete compliance record for every person currently working there. Time how long it takes. Note what is missing. Observe the differences between sites.
If the answer is that all records are complete, accessible, and consistent across all five sites, your compliance infrastructure is working. If it is not — if records are scattered, processes vary, and gaps are invisible until someone looks — you now know the size of the problem.
The SME compliance mistakes guide covers many of the individual process failures that occur at site level. But for multi-site businesses, the root cause is not individual mistakes. It is the absence of a system that makes consistent compliance possible across every location, every shift, every day.
Certifyd's Right to Work Portal gives multi-site businesses a single compliance platform — centralised records, site-level dashboards, automated expiry tracking, and real-time visibility across every location. When the inspector arrives at any site, the answer is the same: everything is in the system, and you can see it now.