This is the first in a multi-part blog series on the greatest GRC challenges organizations face. The first topic is regulatory change management in which there will a few posts. This one describes the pressure the organizations are under to manage regulatory change. Other topics in the series will be risk change management, business change management, and 3rd party management.
Tsunami of Change Overwhelms Organizations
Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and intricate nature of change and how it cascades in impact is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization.
The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that is constant, dynamic, and disruptive. Consider the scope of change financial services organizations have to keep in sync:
- External risk environments. External risks such as market, geo-political, societal, competitive, industry, and technological forces are constantly shifting in nature, impact, frequency, scope, and velocity.
- Internal business environments. Within, the organization has to stay on top of changing business environments that introduce a range of operational risks such as employees, 3rd party relationships, mergers & acquisitions, processes, strategy, and technology.
- Regulatory environments. Regulatory environments governing organizations are a constant shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule making and more has organizations struggling to stay afloat.
Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone how they impact each other. Change in economic or market risks bear down on the organization as it impacts regulator oversight and requirements. Internal processes, people, and technology are impacted as well. As internal processes, systems, and employees change this impacts regulatory compliance and risk posture. Change is an intricate machine of chaotic gears and movements that make the aspects of GRC challenging in organizations (as well as organizations in several other industries). Keeping current with change and keeping the organization aligned with it is one of the greatest challenges to GRC stratgies in organizations.
Regulatory Change Overwhelming the Organization
Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water as it actively drowns in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year. Regulatory change impacts the organization as it reacts to:
- Frequency of change. In the past five years the number of regulatory changes has more than tripled while the typical organization has not increased staff or changed processes to manage regulatory change. According to Thompson Reuters, in 2008 there 8,704 changes to regulations impacting financial services organizations, in 2013 there were over 26,950 changes. Those are just the ones they tracked. Global organizations are often dealing with more than one-hundred and twenty-five notifications of regulatory change alerts a day.
- Global context. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change around the world. Regulations have a global impact in the market. In Asia, GRC 20/20 finds that there is often more concern over US regulation than over regulation from Asian countries. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance.
- Inconsistency in regulations. Managing compliance and keeping up with regulatory change, exams, and reporting requirements becomes complicated when faced with International requirements. Regulatory jurisdictions have varying approaches such as principle-based regulation (also called outcome-based regulation) popular across Europe and other countries around the world, while the United States and several other countries approach a prescriptive approach to regulation that is more akin to a checkbox list of requirements in specifically telling the firm what has to be done. The principle-based approach gives the organization flexibility with the focus on the achievement of an outcome and not the specific process that got them there. There are conflicting challenges in privacy regulations and other laws impacting financial services organizations across jurisdictions.
- Expansion into new markets. It has become complex for organizations to remain in foreign markets as well as enter into new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive while at the same time being constrained by the turbulent sea of changing regulations and requirements.
- Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies with a focus on delivering specific assessment of compliance risks. For example, FINRA regulators in the US seek to ensure that compliance officers do compliance risk assessments. The discipline of risk management is becoming a pre-requisite for compliance officer skills and ensuring that compliance has a seat at the enterprise risk management (ERM) table.
- Hoards of regulatory information. Organizations are overwhelmed by information from legal, and regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information adds to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.
- Defensible compliance. Regulators across industries and jurisdictions are requiring that compliance is not just well documented, but is operationally effective. Case in point, Morgan Stanley is praised by regulators as a model compliance program and is the first company in 35 years of Foreign Corrupt Practices Act (FCPA) history to not be prosecuted despite bribery and corruption in their Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley’s ability to keep compliance current in the midst of regulatory change: “Morgan Stanley’s internal policies . . .were updated regularly to reflect regulatory developments and specific risks.”
The amount of regulatory change coming at organizations is staggering. Consider an international bank headquartered in South America who embarked on a project to build a database of regulatory requirements impacting the bank globally. The detail went down to the requirement level so an individual regulation may have a few requirements to more than a thousand, d epending on the regulation. After eighteen months and cataloging over 81,000 requirements they abandoned the project. The reason was that the content was already obsolete—so much had changed during the process of documenting they did not have the resources to maintain the volume of regulatory change. A Tier 1 Canadian bank has expressed a similar regulatory requirement documentation project demise for the same reason.
In the next installment we will look at “Broken Process and Insufficient Resources to Manage Regulatory Change”
What are your thoughts on the increasing pressure of regulatory change management? Please comment and share below (no promotions or solicitations).