Managing and keeping up with change is one of the greatest challenges for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and interconnected nature of change and how it impacts the organization is driving strategies to mature and improve regulatory change management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated GRC strategy within the organization.
The challenge is the compounding effect of change. Change bears down on organizations from all directions, and it is continuous, dynamic, and disruptive. Consider the scope of change organizations have to keep in sync:
- External risk environments. External risks – such as market, geopolitical, societal, competitive, industry, and technological forces – are constantly shifting in nature, impact, frequency, scope, and velocity.
- Internal business environments. The organization has to stay on top of changes in its own business that introduce a range of operational risks: changes in employees, processes, relationships, strategy, and technology, as well as mergers & acquisitions.
- Regulatory environments. The regulatory environments governing organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rulemakings, and more leaves organizations struggling to stay afloat.
Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage on its own, let alone in terms of how they affect one another. An organization can devote human and financial capital to keeping up with regulatory change, but that alone does not make it compliant if the effort is not kept consistent and in sync with business and risk change. Shifts in economic or market risk bear down on the organization as they drive changes in regulatory oversight and requirements. Internal processes, people, and technology change continuously, and regulatory requirements need to be understood in the context of that business change: as processes, systems, and employees change, so do the organization's regulatory compliance and risk posture.
Change is an intricate machine of chaotic gears and movements. Keeping current and aligned with change is one of the greatest challenges to compliance management strategies within organizations.
Regulatory Change Overwhelming the Organization
Regulatory change is overwhelming organizations. Many industries, such as financial services, are past the point of treading water; they are actively drowning in the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting are a moving target, as organizations are bombarded each year with thousands of new regulations, changes to existing regulations, enforcement actions, and more. Regulatory change impacts the organization as it reacts to:
- Frequency of change. In the past five years, the number of regulatory changes impacting organizations has more than doubled across industries, while the typical organization has not increased staff or updated its processes to manage regulatory change. In financial services alone, according to the latest Thomson Reuters research, there was an average of 257 regulatory change events every business day in 2020.
- Global context. Regulatory change is not limited to one jurisdiction; it is a turbulent sea of change around the world, and regulations have a global impact on organizations and markets. In Asia, GRC 20/20 finds that there is often more concern over EU and US regulation than over regulation from Asian countries. Inconsistency across regulations from jurisdiction to jurisdiction adds complexity to regulatory compliance.
- Inconsistency in regulations. Managing compliance and keeping up with regulatory changes, exams, and reporting requirements becomes complicated when faced with international requirements. Jurisdictions take varying approaches. Principle-based regulation (also called outcome-based regulation) is popular across Europe and in other countries around the world; it gives the organization flexibility by focusing on the achievement of an outcome rather than the specific process that got it there. The United States and other countries take a prescriptive approach that is more akin to a checkbox list of requirements, specifically telling the firm what has to be done. Privacy regulations and other laws can also impose conflicting requirements on organizations operating across jurisdictions.
- Expansion into new markets. It has become complex for organizations to remain in foreign markets, let alone enter new ones. The pressure to expand operations and services is significant as the organization seeks to grow revenue and stay competitive, while at the same time it is constrained by the turbulent sea of changing regulations and requirements.
- Focus on risk assessment. Regulatory compliance is increasingly being pushed to integrate with broader enterprise and operational risk strategies, with a focus on delivering a specific assessment of compliance risks. For example, regulators in the US seek to ensure that compliance officers perform compliance risk assessments. The same theme has been picked up by enforcement agencies such as the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC), and the courts, through the United States Sentencing Commission's guidelines, evaluate an organization's culpability in part on how it assessed and managed compliance risk. The discipline of risk management is becoming a prerequisite skill for compliance officers, so that compliance has a seat at the enterprise risk management (ERM) / GRC table.
- Hordes of regulatory information. Organizations are overwhelmed by information from legal and regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings and rulings, and enforcement actions. The volume and redundancy of this information add to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of a regulatory change and the appropriate response. Organizations must extract the marrow of regulatory detail and transform it into actionable intelligence that can be acted upon in a measurable and consistent manner.
- Defensible compliance. Regulators across industries are requiring that compliance is not just well documented but operationally effective. This can be seen in the latest DoJ Evaluation of Corporate Compliance Programs guidance. Case in point: Morgan Stanley has been praised by regulators as having a model compliance program, and it became the first company in the 35-year history of the Foreign Corrupt Practices Act (FCPA) to be spared prosecution despite bribery and corruption in its Asian real estate business. One of the points the SEC and DoJ referenced was Morgan Stanley's ability to keep compliance current in the midst of regulatory change: "Morgan Stanley's internal policies . . . were updated regularly to reflect regulatory developments and specific risks."
The amount of regulatory change coming at organizations is staggering. Consider an international bank headquartered in South America that embarked on a project to build a database of the regulatory requirements impacting the bank globally. The catalog went down to the individual requirement level, so a single regulation might contribute anywhere from a few requirements to more than a thousand. After eighteen months and over 81,000 cataloged requirements, the bank abandoned the project: the content was already obsolete, because so much had changed during the documentation effort that the bank did not have the resources to keep up with the volume of regulatory change. A Tier 1 Canadian bank has described a similar regulatory requirement documentation project that died for the same reason. Printed, the United Kingdom's Financial Conduct Authority rulebook comes to a stack of paper six feet tall. The U.S. Code of Federal Regulations (CFR) runs to over 174,000 pages; printed and laid end to end, that is a paper trail 25 miles long, nearly the length of a marathon.
The constant changes in today's regulatory environments translate into a growing burden on organizations, in both the number of regulations they face and the scope of those regulations. Many organizations do not possess the regulatory change management infrastructure and processes needed to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can benefit greatly from moving away from manual and ad hoc handling of change toward a system specifically designed to manage regulatory change comprehensively and consistently: one that gathers and sorts relevant information, routes critical information to subject matter experts, models and measures the potential impact on the organization, and establishes personal accountability for action or inaction.
This post is an excerpt from GRC 20/20's latest research paper; much more detail on regulatory change management can be found in the research paper, Regulatory Change Management: