Cognitive GRC: A.I. & Regulatory Change & Intelligence
One of the top inquiry areas for GRC 20/20’s market research is the role of Corporate Compliance and Ethics Management, managing the range of conduct, ethics, regulations/obligations, policies, and boundaries of the organization. Particularly now in the era of ESG. We regularly get inquiries from organizations looking for solutions for policy management, hotline/whistleblower, case management, forms/disclosures, third-party compliance/risk, compliance assessments, and more.
A growing area for solutions for corporate compliance is in regulatory change management and regulatory intelligence. This is an area where the traditional approach of armies of subject matter experts is now automated with artificial intelligence.
Managing and keeping up with regulatory change is one of the most significant challenges for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and interconnected nature of change and how it impacts the organization is driving strategies to mature and improve regulatory change management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated GRC strategy within the organization.
Regulatory change is overwhelming organizations. Many industries, like financial services, are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more worldwide. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year.
In the past five years, the number of regulatory changes has more than doubled, while the typical organization has not increased staff or updated processes to manage regulatory change. According to Thomson Reuters, financial services had an average of 257 regulatory change events every business day in 2020, just in this one industry. In the past five years, the number of regulatory change updates impacting organizations has grown extensively across industries.
GRC 20/20 Research is seeing a steady pace of regulatory change management inquiries and research interactions, focusing on artificial intelligence in this context. In our market research, we have reviewed/evaluated many solutions in this space. Some solutions deliver real value, and some solutions claim A.I. but are stretching the term (anyone with some logic in a workflow claims it as A.I.), or it is the Wizard of Oz with the man behind the curtain doing the work as the A.I. tech is not fully baked and delivering.
The best solutions deliver a lot of value in A.I. for regulatory change, with natural language processing, machine learning, deep learning, predictive analytics, generative A.I., and more.
I am told that if you print off the entire UK FCA rulebook, it is a stack of paper six feet tall. Printing off the U.S. Code of Federal Regulations and stack it end to end is longer than a marathon. Internal documents, like policies, are also a mess. One bank I built a business case for policy management had one policy that took six months to get updated because of a regulatory change and went through 75 reviewers in a linear document check-in and check-out fashion . . . that certainly is not agile. Another bank states that if every branch printed the policy manual, it would be a stack of paper as tall as the Elizabeth Tower (Big Ben) in London.
A machine with natural language processing can read the US CFR or UK FCA rulebook in minutes. It would take me a year or more. But a machine can read it in minutes and direct, map, and categorize it in minutes.
The Chief Ethics and Compliance Officer (CECO) I interacted with at a life sciences firm did some internal testing on A.I. for regulatory change management. They not only found that a machine was a ‘gazillion’ times faster at reading and mapping regulations, but they also found it was 30% more accurate/effective. Think about it, if we are going to read a lot of legal documents/regulations, and I mean a lot, looking for changes/updates . . . are minds are going to wander and think about the plans for dinner or the weekend, or how our favorite sports club is doing. We miss things where a machine stays on point.
There are a variety of use cases for A.I. in regulatory change management. Not one solution has all of this covered in detail, so it takes an architecture and often plugs into your favorite enterprise GRC platform for even broader value. These include:
- Horizon Scanning. Using A.I. to monitor and evaluate pending legislation, proposed rules, changes in enforcement, speeches, and comments made by regulators to determine what we need to pay attention to that will be tomorrow’s concerns.
- Regulatory Obligation Library. Using A.I. to monitor the current situation of regulations, changes in regulations, comparisons of change (side-by-side markups), and notifications, all to keep the organization current with regulatory changes impacting the hear and now.
- Policy Management. This is mapping regulations and changes to your current policy library and leveraging A.I. to inform you what policies should be reviewed because of changes and suggest language for the update to address the change (generative A.I.)
- Control Management. I worked on a large risk management RFP for a global organization a few years ago. Once they were done with that RFP, they looked to using A.I. to keep controls updated and current in their environment. They specifically leveraged Natural Language Processing to derive content-related information from local control descriptions. They then used Machine Learning to score quality and identify quality gaps in documentation. This enabled them to provide real-time feedback to control owners directly and indicate areas for improvement. They then did Scoring Reports & Dashboards to generate an overview of the documentation quality of ICS Principles in Business Units.
And this is just exploring the regulatory change management-related use cases of A.I. I also see a lot of interest in using A.I. for third-party risk management, from reading and comparing differences in policies/controls between an organization and a supplier/vendor to monitoring the range of third-party risk databases (e.g., ESG ratings, financial viability/corporate ratings, reputation and brand lists, watch lists, sanction lists, negative news, security ratings, politically exposed persons, geo-political risk, and more).
My job as an analyst is to research and understand the variety of GRC solutions (both very narrow and specific to broad platforms) and understand what differentiates one vendor from another and what is the best solution for an organization.
In that context, GRC 20/20 covers the range of Cognitive GRC solutions available in the market, around the world, and in which industries . . . and know which are real and provide value, and which are ’the Wizard of Oz.’