The old paradigm of regulatory change management is clearly a recipe for disaster given the volume, pace of change and the broader operational impact of today’s laws and regulations. Just as the CFO needs a financial system or the sales department needs CRM, legal and compliance need regulatory intelligence.
Organizations should explore how technology and process combined with regulatory content can transform ad hoc regulatory change management. Organizations must make regulatory information actionable and accountable with regulatory intelligence. A critical part of meeting the demands of a dynamic business and regulatory environment is to gain control of regulatory risk and resource management, and to better control compliance and legal spending.
Layers of Regulatory Information
While the market seems to be eager to grasp onto the phrase “risk and regulatory intelligence,” it means nothing if corporations do not know what to do with the knowledge the process brings them. Information overload merely bears down on the organization. Organizations need the ability to get the right information to the right people at the right time. This must be supported by clear accountability, task management and workflow management capabilities.
There are three major layers of regulatory information that contribute to supplying sustained intelligence to the organization.
- Law: The specific law is the primary and authoritative source of regulatory information.
- Legal interpretation and analysis: Laws can often be unclear or downright confusing; expert analysis and interpretation of what they mean can be provided. This layer may come as non-legal advice by an expert who understands the breadth of related issues and developments, or as specific legal advice to the corporation. This often includes monitoring which organizations are getting in trouble for lapses in compliance, and why and how it may impact them.
- Policies, controls, forms, and assessments: The third layer of regulatory information is the practical application of laws and regulations in the organization in the form of policies, controls, forms and processes, and assessments.
There are content providers that provide the range of regulatory information across all of these layers. More recently, these content providers deliver GRC technology platforms to automate the distribution and practical application of this information. Their solutions combine collected content with process management to provide regulatory intelligence.
The critical change organizations must make is to develop defined processes to route new legal and regulatory developments to the right subject-matter experts to make this information actionable in the organization’s specific context.
A Model Regulatory Intelligence Approach
Success in regulatory change management begins with a strategy to effectively manage regulatory changes in a dynamic environment. Ultimately, the organization must identify and prioritize regulatory changes resulting from changes in case law, new legislation, regulatory changes, and new rules and requirements, and also must maintain oversight and control over business processes to mitigate risk. This requires deploying a common process that delivers real-time accountability and transparency across regulatory areas impacting the business with a common system of record.
The goal is to deliver:
- Efficiency: Optimize human and financial capital resources to consistently manage regulatory change and enable sustainable management of resources as the business and regulatory landscapes change over time.
- Effectiveness: Greater understanding of changing legal requirements and their impact enables the business to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing and monitoring the legal and regulatory change process. The organization also needs the ability to demonstrate evidence of good business practices.
- Agility: Regulatory intelligence enables a dynamic and changing organization to understand how the regulatory environment affects business change, and also how regulatory change impacts the organization.
Building a regulatory intelligence strategy requires the implementation of a process model that monitors regulatory change, measures impact on the business, and implements appropriate policy, training, and control updates. Regulatory intelligence processes also include the following core elements:
- Regulatory taxonomy and catalog: This is a catalog of regulations the organization has to comply with across jurisdictions. Regulations are broken into categories to logically group related regulations (e.g., employment and labor, anticorruption, privacy, quality, health and safety, AML, and fraud).
- Roles and responsibilities: The core of regulatory intelligence is accountability — making sure that the right information gets to the right person, and that they take appropriate action to address regulatory change. This requires the definition of subject-matter experts for each regulatory category defined in the taxonomy. This can be subdivided into subject-matter experts with particular expertise in subcategories or specific jurisdictions, or to perform specific actions as part of a series of changes to address change requirements.
- Business impact analysis: The subject-matter expert must conduct a business impact analysis regarding the regulatory change. It may be as simple as acknowledging that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance monitoring program must be put in place.
- Integration with policies: Regulations should be mapped to the policies that authorize how the organization will comply with them. Whenever a regulatory change is put into the system, corresponding policies related to the regulation should be flagged to be reviewed. This linkage should also extend to other areas of compliance, such as controls and assessments.
- Update communication, training, and attestation plans: Along with policies, regulatory changes should be evaluated to see if compliance and policy training, communication, and attestation plans need to be updated or developed. This includes understanding the need to update underlying communication mechanisms that exist between business, experts, workforce and third parties.
- Monitoring and auditing: The ultimate goal is to provide accountability and sustained performance. A clear system of accountability must be in place that includes monitoring of the process — who is assigned each task, and its status. This goes further into a detailed audit trail the organization can use to understand who made what decision and how the process was conducted.