This is part 4 on the topic of regulatory change management. In the previous posts we explored:
- Pressure organizations are under in context of regulatory change
- Broken processes they struggle with to manage regulatory change
- Defined a regulatory change management process
In this post I detail the information and technology architecture needed to support an efficient, effective, and agile regulatory change management process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change
Effectively managing regulatory change is done with a GRC information and technology architecture to improve processes and transform manual document and email-centric processes. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis.
Regulatory Change Management Architecture Goals
A GRC information and technology architecture helps the organization to manage regulatory change to:
- Ensure that ownership and accountability of regulatory change is clearly established and understood.
- Manage ongoing business impact analysis and scoring.
- Integrate regulatory intelligence feeds that kick-off workflows and tasks to the right SME when change occurs that impacts the organization.
- Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
- Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
- Visualize the impact of a change on the organization’s processes and operations.
The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.
Regulatory Change Management Architecture Considerations
In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following three questions:
- How adaptable is the regulatory taxonomy? The regulatory taxonomy provides the backbone of regulatory change management as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment, evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
- How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feeds that the solution offers. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
- How strong is the technology? As stated, a lot of solutions can do workflow and tasks management for regulatory change, so the evaluation of the technology itself needs to go deeper in the systems ability to integrate regulatory intelligence feeds, conduct business impact analysis, as well as connect and understand relationships of regulatory impact to policies, processes, and risks. Of particular importance is the user experience. SMEs across the enterprise may or may not be technical gurus; the overall user experience should be intuitive and natural.
- Deficient technology involves documents and spreadsheets with email used as a workflow and task management tools. The organization struggles with things getting missed and not having a structured system of accountability.
- Moderate technology provides a system of accountability with basic workflow and task management, but the integration of regulatory developments/updates is a manual entry system that is time-consuming and taxing on resources.
- Strong technology for regulatory change management has enterprise content, workflow and task management capabilities with integration to actionable regulatory content. It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements.
Regulatory Change Management Architecture Capabilities
All of these elements are critical and are why they come together in a GRC architecture or platform for regulatory change management. Some solutions in the GRC space are delivering across these three elements and are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This at a minimum requires workflow and task management capabilities, but in mature systems it provides direct integration with regulatory content aggregators. These aggregators manage regulatory profiles, and provide data about relevant new developments that can be routed to individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process.
Specific capabilities to be evaluated in a GRC solution for regulatory change management, include:
- Regulatory intelligence content. At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide the interface to content to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
- Content management. The solution should be able to catalog and version regulations, policies, risks, controls and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria, within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods, and obsolescence rules that can be set for regulations.
- Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to take review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
- Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact, and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed or deactivated, the solution assesses the impact of the change, and sets up the appropriate responsive actions.
- Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications.
- Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
- Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted and if notes were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when regulations were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
- Reporting capabilities. The solution is to provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are and more. Additionally, by linking regulatory requirements to the various other aspects of the platform including risks, policies, controls and more, the reporting should provide an aggregate view of a regulatory requirement across multiple organization units and business processes.
- Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.