GRC 20/20’s Regulatory Change Management Maturity Model
Last week we looked at Regulatory Change RFP/Solution Capabilities; this week we look at how to measure the maturity and trajectory of a regulatory change management program . . .
Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change.
GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes, as well as information and technology architecture. The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:
Level 1 – Ad Hoc
Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few, if any, resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:
- Lack of a defined regulatory taxonomy
- Ad hoc and reactive approaches to regulatory and business change
- Document and email-centric approaches
- Lack of accountability
Level 2 – Fragmented
In the Fragmented stage, departments are focused on regulatory change management within their respective functions, but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information, and technology architecture. Positively, there is some structure to regulatory change responsibilities, but the management of regulatory change lacks accountability, as it is done largely in documents and emails that lack structures of accountability and automation. Characteristics of this stage are:
- Varied approaches to regulatory change
- Lack of consistent structure
- Lack of integration or formal processes for sharing regulatory information
- Reliance on fragmented technology with a focus on discrete documents
Level 3 – Managed
The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management, as well as an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. However, there is no integration of regulatory content feeds into the technology platform. Characteristics of this stage are:
- Visibility into regulatory change across the business
- Established processes for regulatory change
- Good use of technology to manage accountability
Level 4 – Integrated
It is at the Integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency, and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated into regulatory and legal content feeds. Characteristics of this stage are:
- Strategic approach to regulatory change across departments
- Common process, technology and information architecture
- Integration of legal/regulatory content feeds
- Reporting across departments
Level 5 – Agile
At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization and is leveraging artificial intelligence to make it more efficient and effective. Horizon scanning is in place to monitor not only regulatory change in the here and now, but also what is coming in the future. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally across the organization. The approach is characterized by a mature regulatory taxonomy with integrated and actionable regulatory content, automated by technology that integrates and leverages artificial intelligence. The organization has an enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks. Characteristics of this stage are:
- Regulatory intelligence is achieved through the integration of artificial intelligence and cognitive technologies to read, map, and analyze regulatory content and impact on the organization
- Horizon scanning is in place to monitor trending issues
- Consistent views of regulatory change and impact on operations and policies
- Able to efficiently manage business change in regulatory context
GRC 20/20’s Final Perspective
The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.
The above blog is an excerpt from GRC 20/20’s latest research paper; there is much more detail on regulatory change management in the research paper, Regulatory Change Management: