Inevitability of Failure
Ineffective Processes to Manage Regulatory Change and Compliance
Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year, making change the single greatest challenge for organizations in the context of compliance. Each vortex of change is hard to monitor and manage individually, let alone to gain an understanding of how they impact each other.
Keeping current with regulatory change and keeping the organization’s policies and procedures up to date and linked to compliance requirements is not easy. Regulators across industries and jurisdictions are requiring that compliance is not just operationally effective, but is well documented. However, organizations often do not have adequate processes or resources in place to monitor regulatory change and maintain compliance. Organizations struggle to be proactive and intelligent about regulatory developments, failing to prioritize and revise impacted policies as needed. Instead, most organizations end up firefighting trying to keep the flames of regulatory change controlled.
Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:
- Frequency of change and number of information sources overwhelms. The frequency of updates is challenging from the regulators themselves but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory content that require time-intensive analysis in order to properly understand the potential impact on the business and determine the actions required to comply.
- Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
- Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions were taken as a result, or if the task was transferred to someone else. This environment produces a lack of visibility into the status of compliance obligations—there is uncertainty regarding ownership of initial review and an inability to sufficiently track what actions were taken as a result, let alone obtain reliable information on which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions.
- Lack of an audit trail. The manual and document-centric approach to regulatory change lacks defensible audit trails, which regulators require. This leads to gaps in accountability and a lack of integrity in compliance records regarding who reviewed which change and what action was taken as a result. The lack of an audit trail can be conducive to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
- Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus is inadequate to effectively report on the number of changes, ownership of the review process, the status of business impact analysis, and courses of action. An inability to make sense of data collected in manual processes and thousands of documents exposes the organization to significant risks.
- Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
- Misaligned business and regulatory agility. Regulatory change management without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization lacks a full perspective of regulatory change and business intelligence. As a result, the organization struggles with inefficiency and cannot adequately prioritize the most important and relevant issues in order to make informed decisions.
- No accountability and structure. Ultimately, there is insufficient accountability for regulatory change management, and the process fails to be agile, effective, and efficient in its use of resources. The regulatory change process must install strict accountability for subject matter expert review and analysis, compliance obligation task ownership and the ongoing monitoring of outstanding tasks to ensure that compliance deadlines are met.
The bottom line: Processes for managing regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad-hoc basis and rely on email to communicate compliance tasks to stakeholders. Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management.