Enabling Closed-Loop Regulatory Compliance

The GRC PunditWritten by
Published onUpdated onDiscussionLeave a Comment on Enabling Closed-Loop Regulatory Compliance
Paperwork

Tsunami of Change Overwhelms Compliance

Managing and keeping up with change is one of the greatest challenges for financial services organizations in the context of compliance management. The dynamic and interconnected nature of regulatory change and how it impacts the organization are driving strategies to mature and improve regulatory change and compliance management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated compliance management strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions. It is continuous, dynamic, and disruptive. Consider the scope of change financial services organizations have to keep in sync:

  • External risk environments. External risks – such as market, geopolitical, societal, competitive, industry, and technological forces – are constantly shifting in nature, impact, frequency, scope, and velocity. 
  • Internal business environments. The financial services organization must stay on top of changing business environments that introduce a range of operational risks, such as changes in employees, processes, relationships, mergers & acquisitions, strategy, and technology. Any of these changes can take an organization from a state of compliance to non-compliance in its processes, controls, and people.
  • Regulatory environments. Regulatory environments governing financial services organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rulemakingactivities, and more has organizations struggling to stay afloat. 

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone managing how they impact each other. Organizations can devote human and financial capital resources to keeping up with regulatory change, but that does not make them compliant if that change is not consistent and in sync with business and risk change. Change in economic or market risk bears down on the organization as it impacts regulatory oversight and requirements. Internal processes, people, and technology      continuously change and regulatory requirements need to be understood in context of business change. As these internal processes, systems, and employees change, this impacts regulatory compliance and risk posture. 

Change is an intricate machine of chaotic gears and movements. Keeping current and aligned with change is one of the greatest challenges to compliance management strategies within organizations.

Compliance Overwhelming the Organization

Compliance management, and in this context regulatory change management, is overwhelming organizations. Financial services firms are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting are a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year. Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years, the number of regulatory changes has tripled while the typical organization has not increased staff or updated processes to manage regulatory change.
  • Regulatory contexts. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change across the country and around the world. Regulations have a global impact on organizations and markets. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance. 
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory change, exams, and incident/complaint reporting requirements becomes complicated when faced with requirements. Regulatory jurisdictions have varying approaches and requirements. There are often conflicting challenges in regulations and other laws impacting organizations across jurisdictions.
  • Expansion into new markets. It has become complex for organizations to remain in different markets as well as enter new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive, but     at the same time they are being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies with a focus on delivering specific assessment of compliance risks. For example, regulators in the US seek to ensure that compliance officers do compliance risk assessments. This is also a theme picked up on by law enforcement agencies like the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC). The courts, with the United States Sentencing Commission, also evaluate the culpability of an organization on compliance based on compliance risk.
  • Hoard of regulatory information. Organizations are overwhelmed by information from legal alerts, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information adds to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries are requiring that compliance is not just well documented but is operationally effective. This can be seen in the latest DoJ Evaluation of Compliance Program guidance.[1] Case in point, Morgan Stanley was praised by regulators as a model compliance program and was the first company in 35 years of the Foreign Corrupt Practices Acts (FCPA) history to not be prosecuted despite bribery and corruption in their Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley’s ability to keep compliance current amid regulatory change: “Morgan Stanley’s internal policies . . .were updated regularly to reflect regulatory developments and specific risks.”[2]

Broken Process and Insufficient Resources to Manage Compliance

The typical financial services organization does not have adequate processes or resources in place to monitor regulatory change and manage compliance in a dynamic environment. Organizations struggle to be intelligent about regulatory developments and fail to prioritize and revise policies and take actionable steps to be proactive. Instead, most financial services organizations end up firefighting, trying to keep the flames of regulatory change controlled. This handicaps the organization that operates in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions involving other financial services organizations can have a significant impact. 

Organizations that GRC 20/20 has interviewed in the context of compliance management reference the following challenges to processes and resources:

  • Insufficient head count and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Frequency of change and number of information sources overwhelms. The frequency of updatesfrom the regulators themselves is challenging but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory intelligence[3]. Going through each source to identify what is relevant takes time and effort.       
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility into ongoing compliance — the organization has no idea of who is reviewing what and suffers from an inability to track what actions were taken, let alone which items are “closed.” Compliance documentation is scattered across      documents, spreadsheets, and emails in different versions. 
  • Lack of an audit trail/system of record. The manual and document-centric approach to regulatory change lacks defensible audit/accountability trails that regulators require. These leads to issues with regulators and auditors when they find there is no accountability and integrity in compliance records interms of who reviewed what change and what action was decided upon. The lack of an audit trail is prone to deception; individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble. 
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus provides no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring led to wasted resources and hidden costs. Instead of determining how resources can be leveraged to manage regulatory change efficiently and effectively, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates that it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no accountability for regulatory change that is strategically coordinated: the process fails to be agile, effective, and efficient in the use of resources. Accountability is critical in a regulatory change process — organizations need to know who the subject matter experts (SMEs) are, what has changed, who changes are assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

The bottom line: Processes for managing compliance and regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad-hoc basis and rely on email to communicate compliance tasks to stakeholders. Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed, and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management. 

[1]       https://www.justice.gov/criminal-fraud/page/file/937501/download

[2]       Source of this statement is at: http://www.justice.gov/opa/pr/2012/April/12-crm-534.html

[3]       Such as legal databases, regulator feeds and news, trade associations, enforcement actions, court rulings, administrative decisions

Leave a Reply

Your email address will not be published. Required fields are marked *