GRC Architecture to Manage Regulatory Change
Last week we looked at How to Define a Regulatory Change Management Strategy and Process; this week we look at how to leverage technology to automate and manage regulatory change in a dynamic business and regulatory environment.
Effective regulatory change management relies on a GRC information and technology architecture that improves processes and transforms manual, document- and email-centric processes through automation, integration, and cognitive technologies. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis.
Regulatory Change Management Architecture Goals
A GRC information and technology architecture helps the organization to manage regulatory change to:
- Ensure that ownership and accountability of regulatory change is clearly established and understood.
- Manage ongoing business impact analysis and scoring.
- Integrate regulatory intelligence feeds that kick off workflows and tasks to the right SME when change occurs that impacts the organization.
- Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
- Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
- Visualize the impact of a change on the organization’s processes and operations.
The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency, using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.
Regulatory Change Management Architecture Considerations
In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following key questions:
- How adaptable is the regulatory taxonomy? The regulatory taxonomy provides the backbone of regulatory change management as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies, and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment, evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
- How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feed that the solution offers and/or integrates with. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
- How strong is the technology? As stated, a lot of solutions can do workflow and task management for regulatory change, so the evaluation of the technology itself needs to go deeper into the system's ability to integrate regulatory intelligence feeds, conduct business impact analysis, and connect and understand relationships of regulatory impact to policies, processes, and risks. The more advanced solutions will offer cognitive technologies with artificial intelligence to read and map regulations. Of particular importance is the user experience: SMEs across the enterprise may or may not be technical gurus, so the overall user experience should be intuitive and natural.
  - Deficient technology involves documents and spreadsheets with email used as a workflow and task management tool. The organization struggles with things getting missed and not having a structured system of accountability. Regulatory change is a manual entry system that is time-consuming and taxing on resources.
  - Moderate technology provides a system of accountability with basic workflow and task management and can integrate with regulatory content providers, providing libraries of regulations and alerts on changes.
  - Strong technology for regulatory change management has enterprise content, workflow, and task management capabilities with integration to actionable regulatory content. It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements. This involves leveraging artificial intelligence, such as natural language processing, to read regulations. Organizations are finding that machines not only read regulations exponentially faster than individuals, but they are also 30% more accurate in cataloging and mapping regulations and changes. A strong architecture for regulatory change management will encompass horizon scanning to monitor where change is trending and developing to be prepared for the future.
Delivering a regulatory change management information and technology architecture involves the integration of a GRC platform with artificial intelligence technologies to monitor and manage change and conduct horizon scanning.
The above blog is an excerpt from GRC 20/20’s latest research paper; there is much more detail on regulatory change management in the research paper, Regulatory Change Management: