Defining a Regulatory Change Management Process

This is part 3 on the topic of regulatory change management. In the previous posts we explored the pressure organizations are under in the context of regulatory change and why their current processes fall short; in this post we look at what elements are needed in an efficient, effective, and agile regulatory change management process.


Organizations are struggling with regulatory change and seeking to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and the fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today's risk environment.

Elements of a Regulatory Change Management Process

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs for analysis, track accountability, and determine the potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process that delivers real-time accountability and transparency across regulatory areas, with a common system of record to monitor regulatory change, measure impact, and implement the appropriate risk, policy, training, and control updates. To achieve this, financial services organizations must develop a process for collaboration, accountability, and integration with regulatory intelligence content providers within a GRC information and technology architecture. A well-defined regulatory change management process includes:

  • Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of the regulatory areas that impact the organization. Regulations are broken into categories that logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), fraud). Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy; one regulation may link into the taxonomy at several different areas. The taxonomy and repository map to the following elements:
    • Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, trade bodies)
    • Document types (e.g., laws, regulations, rules, guidance, releases)
    • Sources (e.g., websites, RSS feeds, newsletters, etc.)
    • Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, consequences)
    • Rules & regulatory events
  • Regulatory roles and responsibilities. Success in regulatory change management requires accountability: making sure the right information gets to the right person, the one who knows the regulation and its impact on the organization. This requires identifying SMEs for each regulatory category defined in the taxonomy. These can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of the series of changes needed to address a requirement.
  • Regulatory content feeds. To support the regulatory change management process, the financial services organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from the regulators as well as from law firms, consultancies, newsletters, blogs by experts, and content aggregators. The best content includes the regulation itself, a summary of the change, the impact on typical financial services organizations, and a recommended response with suggested actions. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
  • Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, financial services organizations should have a standardized impact analysis process that measures the impact of a change on the organization, determines whether action is needed, and prioritizes action items and resources. This includes identifying the related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may conclude that the change has no impact and that existing controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
  • Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability that takes in regulatory changes from content feeds and routes them to the right subject matter expert for review and analysis. This extends to getting others involved in review and response, and requires standardized workflow and task management with escalation when items are past due. The process needs to track who is assigned which tasks, establish priorities, and determine the appropriate course of action.
  • Metrics, dashboarding & reporting. To govern and report on the regulatory change management process, the organization needs the ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should give the organization a quick view of which regulations have changed, who is responsible for triage and/or impact analysis, the state of each review, who is accountable, and the overall risk impact on the organization.
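The elements above describe a data flow: changes arrive from content feeds, are indexed into the taxonomy, filtered for relevance, routed to a named SME, escalated when overdue, and recorded so the process can be reported on. The following Python sketch is an added example written for this page, not code from GRC 20/20 or from any product; the taxonomy, SME names, jurisdictions, and ten-day review period are constructed assumptions. It goes one step beyond the list above by hash-chaining the audit records (SHA-256 over the previous hash plus the record), so that an altered or deleted record is detectable; that tamper evidence is what makes the accountability trail defensible rather than merely present.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Constructed taxonomy for the example: category -> jurisdictions in scope.
TAXONOMY = {
    "privacy": {"EU", "US"},
    "aml": {"EU", "US", "SG"},
    "anticorruption": {"US"},
}
# Constructed SME registry keyed by (category, jurisdiction); "*" is the
# category-level fallback when no jurisdiction specialist is registered.
SMES = {
    ("privacy", "EU"): "dpo.eu",
    ("privacy", "*"): "privacy.lead",
    ("aml", "*"): "aml.lead",
    ("anticorruption", "*"): "abc.lead",
}
ESCALATION_CONTACT = "compliance.head"   # assumed escalation owner


@dataclass
class ChangeEvent:
    """One item from a content feed, already indexed into the taxonomy."""
    event_id: str
    source: str            # regulator, law firm, aggregator, ...
    doc_type: str          # law, regulation, rule, guidance, ...
    categories: frozenset  # one change can link to several taxonomy nodes
    jurisdiction: str
    published: date


@dataclass
class Task:
    event_id: str
    category: str
    assignee: str
    due: date
    status: str = "open"
    escalated_to: str = ""


class AuditTrail:
    """Append-only log; each entry hashes the previous hash plus its own body,
    so editing or dropping an earlier record breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(fields, sort_keys=True, default=str)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class ChangeManager:
    def __init__(self, review_days=10):
        self.review_days = review_days
        self.tasks = {}          # (event_id, category) -> Task
        self.audit = AuditTrail()

    def intake(self, ev):
        """Weed out out-of-scope changes, then open one task per in-scope category."""
        relevant = [c for c in sorted(ev.categories)
                    if ev.jurisdiction in TAXONOMY.get(c, set())]
        if not relevant:
            self.audit.record(action="filtered", event=ev.event_id,
                              jurisdiction=ev.jurisdiction)
            return []
        opened = []
        for cat in relevant:
            who = SMES.get((cat, ev.jurisdiction)) or SMES[(cat, "*")]
            task = Task(ev.event_id, cat, who,
                        ev.published + timedelta(days=self.review_days))
            self.tasks[(ev.event_id, cat)] = task
            self.audit.record(action="assigned", event=ev.event_id, category=cat,
                              assignee=who, due=task.due, source=ev.source)
            opened.append(task)
        return opened

    def close(self, event_id, category, reviewer, impact):
        """Only the assigned SME may record the impact decision and close the task."""
        task = self.tasks[(event_id, category)]
        if reviewer != task.assignee:
            raise PermissionError("only the assigned SME may close the review")
        task.status = "closed"
        self.audit.record(action="closed", event=event_id, category=category,
                          reviewer=reviewer, impact=impact)

    def escalate_overdue(self, today):
        """Flag open tasks past their due date to the escalation contact, once."""
        hit = []
        for key, task in self.tasks.items():
            if task.status == "open" and task.due < today and not task.escalated_to:
                task.escalated_to = ESCALATION_CONTACT
                self.audit.record(action="escalated", event=task.event_id,
                                  category=task.category, to=ESCALATION_CONTACT)
                hit.append(key)
        return hit
```

Drive it by constructing `ChangeEvent` objects from a feed and passing each to `ChangeManager.intake()`; a change tagged `privacy` for a jurisdiction the taxonomy does not cover returns no tasks and is logged as filtered, while a change linked to two categories opens a separately assigned task for each. `escalate_overdue(date.today())` is what a daily job would call, and `audit.verify()` is the check a reviewer or auditor runs before trusting the trail: the dashboard metrics in the last bullet (open, overdue, escalated, closed per category) are simple counts over `tasks`, and every count is backed by a chained record.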

Figure: Types of Metrics & Examples

Value and Benefits of a Regulatory Change Process

When organizations develop a regulatory change process they expect it to be:

  • Effective. They seek a greater understanding of changing regulatory requirements and their impact on the organization, so that the organization can be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing, and monitoring regulatory change, and can demonstrate evidence of good compliance practices.
  • Efficient. They seek to optimize human and financial capital resources so that regulatory change is addressed consistently, and to manage those resources sustainably as the business and the regulatory landscape grow.
  • Agile. They seek to turn a dynamic and changing environment into an advantage over competitors handicapped by the same change. This requires the organization to understand how the regulatory environment affects the organization and its strategy, and to adapt quickly and respond to new developments before competitors do.

The full paper on this topic in the context of financial services can be found here.

Building an Integrated and Sustainable ERM Framework

Business operations are becoming increasingly complex. Multiple factors, including exponential growth and change in risks, regulations, globalization, distributed operations, processes, and technologies, are impacting organizations of all sizes. Managing this change and deriving meaningful information for decision making is a significant challenge for boards, executives, and GRC professionals. Many organizations continue to lag as risks are managed in disconnected silos without collaborating and sharing information. Without an integrated risk information architecture, organizations are challenged to build risk knowledge from scattered data points residing in silos.

Join this session, where experts will discuss how to address the challenge of herding the silos of risk and establish a structured and systemic approach to risk management, unified with clear visibility into the top risks affecting each business unit and the company overall.

Join this webinar with executives from GRC 20/20 Research as they discuss:

  • The challenges organizations face
  • The solution: How to establish a structured and systemic approach to risk management
  • How to enable a Risk Management Architecture for ERM and Beyond
  • Key components to consider and best practices to follow
  • Defining the technology infrastructure necessary to support a unified and sustainable ERM approach
  • Organizational benefits of implementing a holistic, integrated, and optimized risk framework

Greatest GRC Challenges: Regulatory Change Management, Part 2

This is the second post in a multi-part blog series on the greatest GRC challenges organizations face, and part 2 on the topic of regulatory change management. In the previous post we explored the pressure organizations are under in the context of regulatory change; in this post we look at how organizations' processes are broken and insufficient to manage regulatory change. Other topics in the series will be risk change management, business change management, and 3rd party management.

Broken Process and Insufficient Resources to Manage Regulatory Change

The typical organization does not have adequate processes or resources in place to monitor regulatory change. Organizations struggle to be intelligent about regulatory developments, fail to prioritize and revise policies, and fail to take actionable steps to be proactive. Instead, most organizations end up fire fighting, trying to keep the flames of regulatory change under control. This handicaps an organization that operates in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions against other organizations can have a significant impact. Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to process and resources:

  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes to laws and regulations is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Frequency of change and number of information sources overwhelm. The frequency of updates from the regulators themselves is challenging, and then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to multiple sources of regulatory intelligence that take time to go through and process to identify what is relevant.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It is not possible to verify who reviewed a change, what actions need to be taken, or whether a task was transferred to someone else. This environment produces a lack of visibility into ongoing compliance: the organization has no idea who is reviewing what, cannot track what actions were taken, and cannot say which items are "closed." Compliance documentation is scattered across documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks the defensible audit and accountability trails that regulators require. This leads to findings from regulators and auditors, who discover there is no accountability or integrity in the compliance records of who reviewed which change and what action was decided upon. The lack of an audit trail is also prone to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus has no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, or the courses of action decided. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to manage regulatory change efficiently and effectively, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that cannot produce consistent results wastes time and resources and creates excessive, unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change without a common process, supported by an information architecture that facilitates collaboration and accountability, lacks agility. Change is frequent in organizations and comes from all directions. When information is trapped in scattered documents and emails, the organization is crippled: it lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates that it struggles with inefficiency, and it cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no strategically coordinated accountability for regulatory change, and the process fails to be agile, effective, and efficient in its use of resources. Accountability is critical in a regulatory change process: organizations need to know who the subject-matter experts (SMEs) are, what has changed, who each change is assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

The current situation: The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing interested parties with little or no consistent follow-up, accountability, or business impact analysis. The organization is in a resource-intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation, and as a result cannot adequately predict its readiness to meet new requirements. There is no overall strategy to gather and share regulatory change information and decide what to do about it.


Greatest GRC Challenges: Regulatory Change Management, Part 1

This is the first post in a multi-part blog series on the greatest GRC challenges organizations face. The first topic is regulatory change management, on which there will be a few posts. This one describes the pressure organizations are under to manage regulatory change. Other topics in the series will be risk change management, business change management, and 3rd party management.

Tsunami of Change Overwhelms Organizations

Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and intricate nature of change and how it cascades in impact is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that is constant, dynamic, and disruptive. Consider the scope of change financial services organizations have to keep in sync:

  • External risk environments. External risks such as market, geo-political, societal, competitive, industry, and technological forces are constantly shifting in nature, impact, frequency, scope, and velocity.
  • Internal business environments. Internally, the organization has to stay on top of a changing business environment that introduces a range of operational risks from employees, 3rd party relationships, mergers & acquisitions, processes, strategy, and technology.
  • Regulatory environments. The regulatory environments governing organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule makings, and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone in how they impact each other. Change in economic or market risks bears down on the organization as it alters regulator oversight and requirements. Internal processes, people, and technology are impacted as well, and as internal processes, systems, and employees change, this in turn impacts regulatory compliance and risk posture. Change is an intricate machine of chaotic gears and movements that makes GRC challenging in financial services organizations (as well as organizations in several other industries). Keeping current with change and keeping the organization aligned with it is one of the greatest challenges to GRC strategies in organizations.

Regulatory Change Overwhelming the Organization

Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water; they are actively drowning in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year. Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years the number of regulatory changes has more than tripled, while the typical organization has not increased staff or changed processes to manage regulatory change. According to Thomson Reuters, in 2008 there were 8,704 changes to regulations impacting financial services organizations; in 2013 there were over 26,950. Those are just the ones they tracked. Global organizations often deal with more than 125 regulatory change alerts a day.
  • Global context. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change around the world. Regulations have a global impact in the market; in Asia, GRC 20/20 finds that there is often more concern over US regulation than over regulation from Asian countries. Inconsistency across regulations from jurisdiction to jurisdiction adds complexity to regulatory compliance.
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory change, exams, and reporting requirements becomes complicated when faced with international requirements. Regulatory jurisdictions take varying approaches: principle-based regulation (also called outcome-based regulation) is popular across Europe and other countries around the world, while the United States and several other countries take a prescriptive approach that is more akin to a checklist of requirements, telling the firm specifically what has to be done. The principle-based approach gives the organization flexibility, with the focus on achieving an outcome rather than on the specific process that got it there. Privacy regulations and other laws impacting financial services organizations present conflicting challenges across jurisdictions.
  • Expansion into new markets. It has become complex for organizations to remain in foreign markets as well as to enter new ones. The pressure to expand operations and services is significant as the organization seeks to grow revenue and stay competitive, while at the same time being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies, with a focus on delivering a specific assessment of compliance risks. For example, FINRA regulators in the US seek to ensure that compliance officers perform compliance risk assessments. The discipline of risk management is becoming a prerequisite skill for compliance officers and for ensuring that compliance has a seat at the enterprise risk management (ERM) table.
  • Hordes of regulatory information. Organizations are overwhelmed by information from legal and regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information adds to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of a regulatory change and the appropriate response. Organizations must search for the marrow of regulatory detail and transform it into actionable intelligence that can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries and jurisdictions are requiring that compliance is not just well documented but operationally effective. Case in point: Morgan Stanley is praised by regulators as a model compliance program and is the first company in 35 years of Foreign Corrupt Practices Act (FCPA) history not to be prosecuted despite bribery and corruption in its Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley's ability to keep compliance current in the midst of regulatory change: "Morgan Stanley's internal policies . . . were updated regularly to reflect regulatory developments and specific risks."

The amount of regulatory change coming at organizations is staggering. Consider an international bank headquartered in South America that embarked on a project to build a database of the regulatory requirements impacting the bank globally. The detail went down to the requirement level, so an individual regulation might have anywhere from a few requirements to more than a thousand, depending on the regulation. After eighteen months and cataloging over 81,000 requirements they abandoned the project. The reason was that the content was already obsolete: so much had changed during the process of documenting it that they did not have the resources to keep up with the volume of regulatory change. A Tier 1 Canadian bank has reported the demise of a similar regulatory requirement documentation project for the same reason.

In the next installment we will look at "Broken Process and Insufficient Resources to Manage Regulatory Change."

What are your thoughts on the increasing pressure of regulatory change management? Please comment and share below (no promotions or solicitations).


The Role of Internal Audit in Autogrill’s GRC Journey

Building a Compliance Risk Assessment Program at Société Générale