Last week we looked at the challenge of the tsunami of regulatory change that organizations are flooded with. This week we look at how internal processes and resources are insufficient to keep up with managing regulatory change in today’s dynamic, distributed, and disrupted business environment.
The typical organization does not have adequate processes or resources in place to monitor regulatory change. Organizations struggle to be intelligent about regulatory developments and fail to prioritize and revise policies and take actionable steps to be proactive. Instead, most financial services organizations end up firefighting, trying to keep the flames of regulatory change controlled. This handicaps an organization that operates in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions against other financial services organizations can have a significant impact. Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:
- Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulations is time-consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
- The frequency of change and the number of information sources overwhelm. The frequency of updates from the regulators is challenging, but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory intelligence that take time to go through and process in order to identify what is relevant.
- Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility to ongoing compliance — the organization has no idea of who is reviewing what and suffers from an inability to track what actions were taken, let alone which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions.
- Lack of an audit trail. The manual and document-centric approach to regulatory change lacks the defensible audit/accountability trails that regulators require. This leads to issues with regulators and auditors, who find there is no accountability and integrity in compliance records regarding who reviewed what change and what action was decided upon. The lack of an audit trail is prone to deception; individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
- Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus has no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
- Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources and creates excessive and unnecessary burdens across the organization.
- Misaligned business and regulatory agility. Regulatory change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates that it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
- No accountability and structure. Ultimately, this means there is no accountability for regulatory change that is strategically coordinated: the process fails to be agile, effective, and efficient in the use of resources. Accountability is critical in a regulatory change process — organizations need to know who the subject-matter experts (SMEs) are, what has changed, who changes are assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.
The current situation: The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis. The organization is in a resource-intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation resulting in an inability to adequately predict the readiness of the organization to meet new requirements. There is no overall strategy to gather and share regulatory change information and decide what to do about it.
The above blog is an excerpt from GRC 20/20’s latest research paper. There is much more detail on regulatory change management in the research paper, Regulatory Change Management: