This is part 3 on the topic of regulatory change management. In the previous posts we explored the pressure organizations are under in the context of regulatory change. In this post we look at what elements are needed in an efficient, effective, and agile regulatory change management process.
Organizations are struggling with regulatory change and seeking to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today’s risk environment.
Elements of a Regulatory Change Management Process
Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process to deliver real-time accountability and transparency across regulatory areas with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates. To achieve this, financial services organizations must develop a process for collaboration, accountability, and integration between regulatory intelligence content providers within a GRC information and technology architecture. A well-defined regulatory change management process includes:
- Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of regulatory areas that impact the organization. Regulations are broken into categories to logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), fraud). Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy. One regulation may have multiple links into the taxonomy at different areas. The taxonomy and repository map into the following elements:
  - Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, trade bodies)
  - Document types (e.g., laws, regulations, rules, guidance, releases)
  - Sources (e.g., websites, RSS feeds, newsletters, etc.)
  - Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, consequences)
  - Rules & regulatory events
- Regulatory roles and responsibilities. Success in regulatory change management requires accountability—making sure the right information gets to the right person who has the knowledge of the regulation and its impact on the organization. This requires the identification of SMEs for each regulatory category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of a series of changes to address change requirements.
- Regulatory content feeds. To support the process of regulatory change management, the financial services organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from the regulators as well as law firms, consultancies, newsletters, blogs by experts, and content aggregators. The best content includes the regulation itself, a summary of the change, the impact on typical financial services organizations, and recommendations with suggested actions for response. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
- Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, financial services organizations should have a standardized impact analysis process that measures impact of the change on the organization to determine if action is needed and prioritize action items and resources. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
- Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability to intake regulatory changes from content feeds and route them to the right subject matter expert for review and analysis. This is extended by getting others involved in review and response and requires some standardized workflow and task management with escalation capabilities when items are past due. The process needs to track accountability on who is assigned what tasks; establish priorities; and determine appropriate course of action.
- Metrics, dashboarding & reporting. To govern and report on the regulatory change management process, the organization needs an ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should provide the organization a quick view into what regulations have changed, which individuals in the organization are responsible for triage and/or impact analysis, the state of review of change, who is accountable, and overall risk impact on the organization.
Value and Benefits of a Regulatory Change Process
When organizations develop a regulatory change process they expect to be:
- Effective. They seek to have a greater understanding of changing regulatory requirements and their impact on the organization. This enables the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing, and monitoring regulatory change, and allows the organization to demonstrate evidence of good compliance practices.
- Efficient. They seek to optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business and regulatory landscape grows.
- Agile. They seek to use a dynamic and changing environment as an advantage over competitors that are handicapped by the same change. This requires the organization to understand how the regulatory environment affects the organization and its strategy, and how to adapt quickly and be responsive to new developments before competitors are.
The full paper on this topic in the context of financial services can be found here.
Michael is spot on with this point:
This requires a common process to deliver real-time accountability and transparency across regulatory areas with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates.
I’d add the only way to deliver in ‘real-time’ is with use-case defined and ‘always on’ connection to external feeds, business application, IT infrastructure and security data that drives operationally efficient workflow to the right person at the right time. Financial Services regulators no longer accept inefficiency as an exception to findings.