Over the years, many organizations have matured in their view of internal risk-intelligence issues. However, monitoring external regulatory environments remains a broken process. To date, regulatory risk is managed in a very sporadic and ad hoc fashion with little accountability and oversight — if at all. Most organizations rely on manual ad hoc processes to manage regulatory change, and many times they only address limited areas of coverage. In this model, it is not uncommon to have duplicated coverage areas further exacerbating the problems.
Within legal and compliance it is not uncommon to have a myriad of legal professionals doing ad hoc monitoring of legal and regulatory change and emailing parties of interest with little or no follow-up, accountability, or business impact analysis. The typical organization is in a very immature state of monitoring case law, regulations, and pending legislation to predict the readiness of the organization to meet new requirements. The difficulty is how to share regulatory change information and what to do about it. The process must require a joint accountability and collaboration effort between legal, compliance, and the business.
These flawed processes — in most cases it is a stretch to call them processes — involve individuals who are overwhelmed with information and who fire off an email to a subject-matter expert who may or may not get to it — leading to, in varying degrees:
- Excessive emails, documents, and paper trails: Organizations rely on manual paper trails, email, and documents to monitor regulatory change with little or no accountability or follow-through. It’s not possible to verify who addressed a regulatory change, what actions need to be taken, or whether the task was transferred to someone else.
- Lack of an audit trail: Ad hoc processes are prone to failure, as there is no accountability for who reviewed what and what action was decided upon. This approach lacks a clearly defined audit trail, and does not allow for non-repudiation. In fact, it is prone to deception, as individuals are able to fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
- Limited reporting: Manual and ad hoc regulatory change processes do not deliver regulatory intelligence — there is no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. The organization has no report or dashboard showing the number of items being tracked, who they are assigned to, and whether they are on or behind schedule for review. Trying to make sense of data collected in manual processes and electronic documents is a nightmare. How do you aggregate and provide meaningful reports from hundreds or thousands of disparate sources of information in emails and documents? The answer: a lot of labor and time.
- Files and documents out of sync: Adding to this behemoth of labor is the effort to track and control versions of all the emails and documents, which quickly fall out of sync and lose relevance. The accuracy and relevance of the information soon comes into question. Where are key decisions documented, and how? If an organization decides that a regulatory change does not impact it, where and how are these efforts, actions, and decisions documented?
- Wasted resources and spending: Silos of ad hoc regulatory monitoring lead to wasted resources and hidden costs. Instead of determining how human and financial resources can be leveraged to meet an enterprise view of managing regulatory change, they are developed independently without measure — and are merely a stop-gap, not integrated into a defined business process with clear systems of accountability and transparency. The organization ends up with inefficient, ineffective and unmanageable processes and resources to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that fail to produce desired results wastes time and resources, and sustains and creates excessive and unnecessary burdens on business and operations.
- Poor visibility across the enterprise: A reactive, siloed approach to regulatory change means the organization can’t see the big picture. The organization has islands of initiatives that are individually assessed and monitored — supported by scattered silos of documents and emails that are not integrated into a system to manage the process. This results in poor visibility across the organization and its control environment that inhibits planning, budget optimization, and process transparency.
- Overwhelming complexity: Complexity is a result of multiple ad hoc and manual approaches to regulatory change and confuses the business. Varied approaches prevent predictable resource requirements and impact business goals due to uncertainty and confusion. Complexity further increases risk and frustration amongst employees, partners, management, investors, regulators, and other stakeholders.
- Lack of business agility: A regulatory intelligence strategy without a common process architecture leads to a lack of agility caused by reactive approaches, and is exacerbated by manual approaches overly reliant on email and documents. When information is trapped in individual roles, documents, and emails, the organization is crippled. It lacks a full perspective of regulatory change and intelligence. The company is spinning so many compliance plates, it struggles with business change and inefficiency. The business is not able to adequately prioritize and tackle the most important and relevant issues or make informed decisions.
- Greater exposure and vulnerability: Regulatory change complexity, exposure, and vulnerability are the opposite of what GRC and regulatory intelligence are designed to achieve. There is excessive focus on immediate burdens, rather than a drive toward regulatory intelligence integrated within a common process. This creates duplication, gaps, and a business ill-equipped to align regulatory changes to the business.
- No accountability: Ultimately, this means there is no true accountability for regulatory change. The organization lacks visibility into who is responsible for changes in a given regulatory area, and what the status is. Accountability is critical in a regulatory change process — organizations need to know who the subject-matter experts are, what has changed, who is assigned, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the result of the change process.
For regulatory intelligence and wise decisions, organizations require a process to assimilate the intake of relevant information, track accountability around who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine an appropriate course of action.
GRC technologies are beginning to be used to take in risk and regulatory information, weed out irrelevant information, and route critical information to the subject-matter experts responsible for making a decision on a particular topic. At a minimum this requires workflow and task management capabilities; more mature systems provide direct integration with content and information aggregators. These aggregators hold an organization profile, and relevant new developments are routed to the specific individuals responsible for evaluating particular business or subject-matter content.