Doctor Strange: Chief Risk Officer in the Multiverse of Uncertainty

Last week I looked at James Bond 007 and Risk Situational Awareness, where we explored how organizations need to be like James Bond and have full situational awareness of risk and uncertainty to objectives. This week we keep on the fictional hero theme with a look at Dr. Strange, who represents the ultimate CRO – Chief Risk Officer – managing a multiverse of uncertainty . . . 

Doctor Strange is one of the most intriguing characters in the Marvel pantheon of heroes. His powers are diverse. They include superior intelligence (as well as great martial arts skills), some control over time and outcomes through time loops, and the ability to see into possible futures, which gives him visibility into the multiverse of possible futures and realities.

This makes Doctor Strange the ultimate prototype of the Chief Risk Officer. Risk, as defined in ISO 31000, is the effect of uncertainty on objectives. It is the job of the risk professional to manage and monitor uncertainty to objectives. So, the ultimate Chief Risk Officer is the one that can provide insight into the future and the variety of scenarios that can play out from the actions, activities, external events/developments, and transactions of the organization as it moves forward to achieve its objectives. Those objectives can be high-level entity strategic objectives, or they can be division, department, process, project, or even asset-level objectives. 

The modern Chief Risk Officer sees into the multiverse of possible futures and realities of the organization and its objectives. Like Doctor Strange, the Chief Risk Officer understands possible futures to determine how they impact the achievement of the organization's objectives. That means understanding what leads to those possible futures and which route forward best optimizes value and achieves objectives.

This requires that the modern Chief Risk Officer have these Doctor Strange super abilities:

  • Superior intelligence. From my perspective this means that the risk professional needs to be able to enhance left-brain thinking (structured risk models) with right-brain thinking (being able to think creatively and intuitively about risk). Both together provide great risk insight into uncertainty and possible outcomes. 
  • Insight into possible futures. This involves strong scenario analysis to map and analyze how objectives and risks play out across future scenarios in the context of uncertainty, in order to determine the best path forward for the organization.

Of course, both abilities are enhanced through structured risk information, quantitative risk analysis, and data that is also supported by good risk visualization and perspectives. That is why I am a particular fan of both Monte Carlo risk analysis and bow-tie risk analysis. 
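To make the Monte Carlo half of that concrete, here is an added illustration (it is not code from the original post or from GRC 20/20) of how a quantitative risk function turns a small risk register into a distribution of possible annual losses. The register entries, their probabilities and loss ranges are constructed for the demonstration, and the names (`RiskScenario`, `simulate_annual_loss`, `summarize`) are my own choices rather than any standard tool's API. Each simulated year asks, for every scenario, whether the event occurs; when it does, a loss is drawn from a triangular distribution bounded by the optimistic, most likely, and pessimistic estimates. Many such years give the "multiverse" of outcomes as percentiles rather than a single point estimate.

```python
"""Monte Carlo estimate of annualized loss from a small risk register.

Added illustration, not from the original post. The scenario figures below
are constructed for demonstration and are not real loss data.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RiskScenario:
    """One entry in a hypothetical risk register."""
    name: str
    annual_probability: float  # P(event occurs in a given year), 0..1
    impact_low: float          # optimistic loss if it occurs
    impact_mode: float         # most likely loss
    impact_high: float         # pessimistic loss

    def expected_loss(self) -> float:
        """Analytic expected annual loss: P(event) * mean of a triangular impact."""
        mean_impact = (self.impact_low + self.impact_mode + self.impact_high) / 3.0
        return self.annual_probability * mean_impact


# Constructed sample register (hypothetical figures, USD).
SAMPLE_REGISTER: List[RiskScenario] = [
    RiskScenario("Ransomware outage", 0.15, 50_000, 250_000, 2_000_000),
    RiskScenario("Business email compromise", 0.60, 5_000, 30_000, 150_000),
    RiskScenario("Cloud storage misconfiguration", 0.30, 10_000, 80_000, 600_000),
]


def simulate_annual_loss(scenarios, trials: int = 10_000, seed: int = 1) -> List[float]:
    """Simulate `trials` years. In each year every scenario fires with its
    annual probability; when it fires, its loss is drawn from a triangular
    distribution over (low, mode, high). Returns the per-year total losses."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    yearly_losses: List[float] = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                # random.triangular takes (low, high, mode)
                total += rng.triangular(s.impact_low, s.impact_high, s.impact_mode)
        yearly_losses.append(total)
    return yearly_losses


def percentile(values, p: float) -> float:
    """Nearest-rank percentile of an unsorted list (p in 0..100)."""
    ordered = sorted(values)
    rank = math.ceil(p / 100.0 * len(ordered))
    return ordered[max(0, min(len(ordered) - 1, rank - 1))]


def summarize(losses) -> Dict[str, float]:
    """Figures a risk report would show: mean (expected annual loss) plus tail
    percentiles, the "how bad could a year be" view of the possible futures."""
    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "max": max(losses),
    }


def expected_annual_loss(scenarios) -> float:
    """Closed-form expected loss; a sanity check that the simulation converges."""
    return sum(s.expected_loss() for s in scenarios)


if __name__ == "__main__":
    losses = simulate_annual_loss(SAMPLE_REGISTER)
    print(f"analytic expected annual loss: {expected_annual_loss(SAMPLE_REGISTER):,.0f}")
    for label, value in summarize(losses).items():
        print(f"{label:>5}: {value:,.0f}")
```

The mean of the simulated years converges on the closed-form expected annual loss (221,000 for this constructed register), but the p90 and p99 figures are what a Chief Risk Officer actually needs: they show how far a bad year sits from the average, which a single "expected loss" number hides. Replacing the triangular draw with a lognormal or with data from incident history is a straightforward change to `simulate_annual_loss`.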

Unfortunately, the one ability that Doctor Strange has that the modern Chief Risk Officer does not have is the ability to use time loops to correct wrong decisions and errors in time. So, it is critical that the risk function has solid risk intelligence and scenario analysis. 

I will be exploring the role of risk management in the performance and objectives of the organization in this month’s episode of The GRC Red Flag Series, where we will discuss Aligning Risk and Performance/Objective Management.

James Bond 007 and Risk Situational Awareness

I am so excited about this evening! After a long wait, I am going to the new James Bond 007 movie, No Time to Die! I am making it a big deal. A group of 12 of us are going to the nice Silverspot Cinema that is amazing, with an incredible lounge area. I am dressing up in my black tuxedo, my wife is going to wear an evening gown and be a Bond girl (her choice for those that don’t like the stereotype). We are going to get a vodka martini in the lounge before the movie and enjoy the film. It is going to be a lot of fun, I wish each of you could be there with us.

James Bond is all about risk management: situational awareness of opportunity, uncertainty, and hazards. He understands and interprets everything around him and uses it to his advantage.

Today’s organizations need James Bond risk situational awareness. Risk situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the organization because of the complexity and intricacies of risk management.

Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk: Risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. What is James Bond’s objective? What can help him in achieving those objectives? What can hinder him from achieving those objectives? What is he confident in? What is he uncertain of?

The same questions and thought processes can be asked of the organization and its objectives. In the business world, we have all sorts of objectives. They can be strategic entity-level objectives for profit, growth, or expansion. They can be division- or department-level objectives. They can then drill down into process, project, or even asset-level objectives. We need to understand and manage risk (uncertainty) in achieving those objectives.

The business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect,’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately influence the development and path of a hurricane. A small event cascades and influences what ends up being a significant issue. Change in one area has cascading effects that impact the entire ecosystem. Dissociated risk information leaves the organization with fragments of truth that fail to show the big picture of performance, objectives, and risk/uncertainty across the enterprise. The organization has to have holistic visibility and 360° risk situational awareness.

Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential and sometimes chaotic relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause; in the non-linear world of business, risks compound exponentially. Business is chaos theory realized. The small flutter of a risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result ranges from exponential to unpredictable.

Situational risk awareness enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling. 

Organizations striving to improve their GRC management capability and maturity will find they are more:

  • Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • Aligned. They align performance, risk management, and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated risk capability to those of the entity and giving strategic consideration to information from the risk management capability to affect appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organization needs to know to make the right decisions.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.
  • Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to make the organization leaner overall with enhanced GRC capability and related decisions about the application of resources.

Stay tuned for next week as we look at Dr. Strange, the Chief Risk Officer in the Multiverse of Uncertainty . . .

The Foundation of ESG is in Policy Management

Martin Luther King Jr stated:

Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.

This statement is valid on a personal level, but it is also true at an organizational level. The actions and behavior of organizations impact and shape the world we live in today and into the future.

Organizations need to address environmental, social, and governance (ESG) practices and reporting. Stakeholders, customers, employees, and investors want to ensure that the companies they interact with and invest in share the same values and commitments that they do. Regulators are keenly interested in ESG practices as governments enforce sustainability, social justice, and corporate governance standards. 

The heart of ESG is about the integrity of the organization. ESG covers a broad spectrum of a company’s conduct:

  • E = Environmental: Measures and reports on the organization’s values and commitments regarding stewardship of the natural world and environment. It includes reporting and monitoring the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, etc.
  • S = Social: Measures and reports on the organization’s values and commitments regarding how it treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates and gives back to society and the communities it operates within.
  • G = Governance: Measures and reports on the culture and behaviors of the organization in the context of, and in alignment with, its values and commitments. This includes finance and tax strategies, whistleblower and issue reporting, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

In order for an organization to do ESG reporting, they have to have something to report against. This requires that an ESG program be built on the policies of the organization. 

The very foundation of an ESG strategy is an organization’s policies starting with a code of conduct and filtering down into the breadth of policies that support the many dimensions of the E, S, and G in ESG. It is in the policies that what is acceptable and not acceptable is defined. Policies define the behavior of individuals/roles, transactions, processes, and relationships of the organization.

You cannot have an ESG program without policies. Policies define the organization’s conduct, values, ethics, and controls to address risk and ensure that it reliably achieves objectives, including ESG related objectives. 

Any organization developing an ESG program should have the following in place:

  • Policy framework and index. An organization should have an overall policy management framework and an index of all of the organization’s policies. Unauthorized policies (rogue policies) can put a significant legal liability and duty of care on the organization. This index should tag the range of policies that apply to the ESG strategy and reporting of the organization, starting with the code of conduct and mapping across department policies.
  • Consistent template and style guide for policies. ESG-related policies should be written consistently, conforming to the organization’s ‘policy on writing policies’ and style guide. Policies need to be published in an approved template to ensure they are easily recognizable as an official policy of the organization. 
  • Singular portal for policies. All policies should be easily accessible through a singular portal by employees and other stakeholders. When policies are scattered on different department portals, they tend to be managed inconsistently and confuse employees. A strong ESG culture means good policy engagement and easy accessibility to policies. 
  • Training and education. For ESG policies to be effective, it requires that the individual roles in the organization are properly trained on the policies in their particular context of the organization.
  • Processes for monitoring and enforcement. Well-written ESG policies are not enough; they have to be enforced. This means regular audits/assurance activities to measure that policies are adhered to that then feed into ESG reporting.
  • Issue reporting. The organization also needs clearly defined pathways to report ESG policy non-compliance issues, complaints, and incidents. This can be through hotlines, management reports, and other vehicles such as surveys and feedback. 

Guidance on how to implement these elements can be found in the open-source (free) Policy Management Capability Model at www.PolicyManagementPro.com.

When the organization does ESG reporting, these reports are built on the organization’s policies and measure adherence/conformance to those policies. Without clearly defined, communicated, and enforced ESG-related policies, the organization has nothing to measure and report from. Policies are the foundation of an ESG program. 

Managing & Communicating Policies in the “NEW NORMAL”

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s values, boundaries, practices, and expectations. Policies are the vehicle to ensure culture is defined and does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strongly embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. 

Policy management has been one of the hottest topics in my GRC research for the past few years. When the pandemic hit and lockdowns started in March of 2020, I found my interactions increased. Organizations restructured their strategy, processes, and roles in the context of a work-from-home environment. In this process, they found policy management in complete disarray internally. Several organizations found that they had over 20 policy portals in their environment, and that policies looked different, were written in different styles, used terms inconsistently, and were out of date. Employees were scrambling to find policies in the work-from-home environment and were very confused.

During and coming out of the pandemic, organizations find policy management to be a critical element to communicate confidence, ease employees’ frustration and concern, reinforce a strong culture of ethics, and provide stability in the midst of uncertainty. Organizations have been working hard to address consistency in policy management, authoring, and engagement across departments and to deliver a singular portal for policies that engages employees in a hybrid, dynamic environment.

I see even more attention to policies and policy management as we come out of the pandemic. Many organizations are maintaining a remote workforce and see the need to have an intuitive and engaging policy portal for employees and consistency in policy management.

There is also heightened concern over rogue, unauthorized policies that open the door to legal liability and a duty of care. This is particularly a concern when managers at different levels think they are a little smarter than the rest of the organization and write what they think the COVID-19 related policies should be (e.g., personal protective equipment, vaccine policy). A lot of attention is being focused on structured policy management programs that provide a singular interface and process for all official and approved policies in the organization, to reduce exposure to rogue, unauthorized policies.

Policy Management by Design Workshops New Content . . .

I am so excited that my most popular GRC workshop, Policy Management by Design, is back in person for deep, interactive, and free training on policy management! These workshops are interactive and engaging: you learn from GRC 20/20 but also from each other. It is a great place to meet your peers in policy management and broader GRC and to share your challenges and experiences to learn from others.

What is really exciting . . . there is all new content for this workshop! The updated workshop includes a structured approach to policy management found in the official Policy Management Capability Model. This is a free and open-source tool that I authored with OCEG and is available at www.PolicyManagementPro.com. This comes from years of experience advising on policy management programs and teaching my Policy Management by Design Workshop around the world.

Policy Management is a critical enabling element of the organization’s culture, integrity, performance, governance, and risk management. This capability should be built on a solid foundation of principles with a defined capability model that provides consistent processes and engagement on policies in your organization . . .

Anatomy of the Policy Management Capability Model

COMPONENTS

The Policy Management Capability Model is organized into five Components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, once the capability is established, Components operate concurrently, interactively, and also symbiotically.

  • G – GOVERN — Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP — Establish standard methods for policy development to apply whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, or retiring out-of-date policies.
  • C – COMMUNICATE — Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE — Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE — Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

ELEMENTS and PRACTICES

Each Component contains Elements that outline key aspects of high-performing integrated policy management capabilities. Each Element includes Practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization’s approach.  

Join us for one of the following free Policy Management by Design workshops coming to these popular cities over the next few months . . .

GRC 20/20’s Regulatory Change Management Maturity Model

Last week we looked at Regulatory Change RFP/Solution Capabilities; this week we look at how to measure the maturity and trajectory of a regulatory change management program . . .

Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change.

GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes, as well as information and technology architecture. The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:

Level 1 – Ad Hoc

Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few, if any, resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:

  • Lack of a defined regulatory taxonomy
  • Ad hoc and reactive approaches to regulatory and business change
  • Document and email-centric approaches
  • Lack of accountability

Level 2 – Fragmented

In the Fragmented stage, departments are focused on regulatory change management within their respective functions, but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information, and technology architecture. Positively, there is some structure to regulatory change responsibilities, but the management of regulatory change lacks accountability, as it is done largely in documents and emails that lack structures of accountability and automation. Characteristics of this stage are:

  • Varied approaches to regulatory change 
  • Lack of consistent structure
  • Lack of integration or formal processes for sharing regulatory information
  • Reliance on fragmented technology with a focus on discrete documents

Level 3 – Managed

The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management, as well as an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. However, there is not yet integration of regulatory content feeds into the technology platform. Characteristics of this stage are:

  • Visibility into regulatory change across the business
  • Established processes for regulatory change
  • Good use of technology to manage accountability

Level 4 – Integrated

It is at the Integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has a consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency, and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated with regulatory and legal content feeds. Characteristics of this stage are:

  • Strategic approach to regulatory change across departments
  • Common process, technology and information architecture
  • Integration of legal/regulatory content feeds
  • Reporting across departments

Level 5 – Agile

At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization and is leveraging artificial intelligence to make it more efficient and effective. Horizon scanning is in place to not only monitor regulatory change in the here and now, but what is coming in the future. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally across the organization. The approach is characterized through a mature regulatory taxonomy with integrated and actionable regulatory content, automated by technology that integrates and leverages artificial intelligence. The organization has an enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks. Characteristics of this stage are:

  • Regulatory intelligence is achieved through the integration of artificial intelligence and cognitive technologies to read, map, and analyze regulatory content and its impact on the organization
  • Horizon scanning is in place to monitor trending issues
  • Consistent views of regulatory change and impact on operations and policies
  • Able to efficiently manage business change in regulatory context

GRC 20/20’s Final Perspective

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.

The above blog is an excerpt from GRC 20/20’s latest research paper; there is much more detail on regulatory change management in the research paper, Regulatory Change Management.

Regulatory Change RFP/Solution Capabilities

Last week we looked at GRC Architecture to Manage Regulatory Change; this week we get more into the specific capabilities that technology should deliver to automate and manage the regulatory change process and make it more efficient, effective, and agile . . .

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine the potential impact on the organization. This requires a common process to deliver real-time accountability and transparency across regulatory areas, with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates.

Strong technology for regulatory change management has enterprise content, workflow, and task management capabilities with integration to actionable regulatory content. It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements. This involves leveraging artificial intelligence, such as natural language processing, to read regulations. Organizations are finding that machines not only read regulations exponentially faster than individuals; one compliance leader also reported to GRC 20/20 that machines were 30% more accurate in cataloging and mapping regulations and changes. A strong architecture for regulatory change management will encompass horizon scanning to monitor where change is trending and developing, to be prepared for the future. Delivering a regulatory change management information and technology architecture involves the integration of artificial intelligence technologies to monitor and manage change and conduct horizon scanning.

Some solutions in the GRC space are delivering across these areas (content, workflow, and task management) and are being used to gather regulatory information, weed out irrelevant information, and route critical information to the SMEs responsible for making a decision on a particular topic. This, at a minimum, requires workflow and task management capabilities, but mature systems provide direct integration with regulatory content providers. These aggregators manage regulatory profiles and provide data about relevant new developments that can be routed to the individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process supported by artificial intelligence technologies that read and analyze changes and their impact on the organization’s processes, policies, and controls.

Specific capabilities to be evaluated in a GRC solution for regulatory change management include:

  • Regulatory intelligence content.  At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide integration and automation with artificial intelligence platforms built for regulatory change to conduct horizon scanning to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Cognitive GRC – artificial intelligence. Keeping up with regulatory content can be a challenge. Many organizations either hire a lot of compliance/legal experts to comb through mountains of regulatory data, or they subscribe to regulatory content subscriptions that do this. This is changing with the role of artificial intelligence applied in a GRC context, called Cognitive GRC. Natural language processing, predictive analytics, and robotic process automation make regulatory change management more efficient, effective, and agile for the organization. The U.K.’s FCA Rulebook stacks to six feet tall; this would take a human a year or more to read. A machine can read it, sort it, categorize it, and link it in under a minute. Not only is a machine faster at reading regulations, it can also be more accurate. One Chief Ethics and Compliance Officer (CECO) told GRC 20/20 that they found natural language processing 30% more accurate than humans in reading, sorting, categorizing, and linking/mapping regulations/requirements. A machine stays focused; there is no mind to wander and get distracted.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls, and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods and obsolescence rules that can be set for regulations.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. Built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Business impact analysis. The system needs to provide the functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed, or deactivated, the solution assesses the impact of the change and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for regulatory change management.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution has a full audit trail showing who was assigned a task, what they did, what was noted, when notes were updated, and what was changed. This enables the organization to provide full accountability and insight into who reviewed regulations, how, and when, to measure the impact on the organization, and to record what actions were recommended or taken.
  • Reporting capabilities. The solution should provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the various other aspects of the platform – including risks, policies, controls, and more – the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

The above blog is an excerpt from GRC 20/20’s latest research paper; there is much more detail on regulatory change management in the research paper, Regulatory Change Management.

GRC Architecture to Manage Regulatory Change

Last week we looked at How to Define a Regulatory Change Management Strategy and Process, this week we look at how to leverage technology to automate and manage regulatory change in a dynamic business and regulatory environment . . .

Effectively managing regulatory change is done with a GRC information and technology architecture to improve processes and transform manual document and email-centric processes with automation, integration, and cognitive technologies. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis. 

Regulatory Change Management Architecture Goals

A GRC information and technology architecture helps the organization to manage regulatory change to:

  • Ensure that ownership and accountability of regulatory change is clearly established and understood.
  • Manage ongoing business impact analysis and scoring.
  • Integrate regulatory intelligence feeds that kick-off workflows and tasks to the right SME when change occurs that impacts the organization.
  • Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
  • Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
  • Visualize the impact of a change on the organization’s processes and operations.

The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency, using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.

Regulatory Change Management Architecture Considerations

In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following key questions: 

  1. How adaptable is the regulatory taxonomy?  The regulatory taxonomy provides the backbone of regulatory change management as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies, and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment, evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
  2. How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feed that the solution offers and/or integrates with. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
  3. How strong is the technology? As stated, a lot of solutions can do workflow and task management for regulatory change, so the evaluation of the technology itself needs to go deeper into the system’s ability to integrate regulatory intelligence feeds, conduct business impact analysis, and connect and understand relationships of regulatory impact to policies, processes, and risks. The more advanced solutions will offer cognitive technologies with artificial intelligence to read and map regulations. Of particular importance is the user experience: SMEs across the enterprise may or may not be technical gurus, so the overall user experience should be intuitive and natural.
    • Deficient technology involves documents and spreadsheets with email used as a workflow and task management tool. The organization struggles with things getting missed and not having a structured system of accountability. Regulatory change is a manual entry system that is time-consuming and taxing on resources.
    • Moderate technology provides a system of accountability with basic workflow and task management and can integrate with regulatory content providers, providing libraries of regulations and alerts on changes.
    • Strong technology for regulatory change management has enterprise content, workflow, and task management capabilities with integration to actionable regulatory content. It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements. This involves leveraging artificial intelligence, such as natural language processing, to read regulations. Organizations are finding that machines not only read regulations exponentially faster than individuals, but they are also 30% more accurate in cataloging and mapping regulations and changes. A strong architecture for regulatory change management will encompass horizon scanning to monitor where change is trending and developing to be prepared for the future.

Delivering a regulatory change management information and technology architecture involves the integration of a GRC platform with artificial intelligence technologies to monitor and manage change and conduct horizon scanning.


Defining a Regulatory Change Management Strategy & Process

Last week we looked at the Broken Process and Insufficient Resources to Manage Regulatory Change; this week we look at how to fix this with a strategy and process to address regulatory change management . . .

Organizations are struggling with regulatory change and seeking to integrate a regulatory change strategy and process with an integrated information and technology architecture. The goal is to provide actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today’s risk environment. 

Elements of a Regulatory Change Management Process

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine the potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process to deliver real-time accountability and transparency across regulatory areas with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates. To achieve this, organizations must develop a process for collaboration, accountability, and integration of regulatory intelligence content within a GRC information and technology architecture. A well-defined regulatory change management process includes:

  • Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of regulatory areas that impact the organization. Regulations are broken into categories to logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), and fraud). Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy. One regulation may have multiple links into the taxonomy at different areas. The taxonomy and repository maps into the following elements:
    • Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, and trade bodies)
    • Document types (e.g., laws, regulations, rules, guidance, and releases)
    • Sources (e.g., websites, RSS feeds, newsletters, etc.)
    • Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, and consequences)
    • Rules & regulatory events
  • Regulatory roles and responsibilities. Success in regulatory change management requires accountability: making sure the right information gets to the right person that has the knowledge of the regulation and its impact on the organization. This requires the identification of SMEs for each regulatory category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of a series of changes to address change requirements.
  • Regulatory content feeds. To support the process of regulatory change management, the organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from the regulators as well as law firms, consultancies, newsletters, blogs by experts, and content aggregators. Cognitive technologies that deliver artificial intelligence with natural language processing are making regulatory change management more efficient and effective for organizations. The best content includes the regulation itself, a summary of the change, the impact on a typical organization, and recommendations with suggested actions for response. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
  • Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, organizations should have a standardized impact analysis process that measures the impact of the change on the organization to determine if action is needed and prioritize action items and resources. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
  • Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability to intake regulatory changes from content feeds and route them to the right subject matter expert for review and analysis. This is extended by getting others involved in review and response, and requires standardized workflow and task management with escalation capabilities when items are past due. The process needs to track accountability for who is assigned what tasks, establish priorities, and determine the appropriate course of action.
  • Metrics, dashboarding, & reporting. To govern and report on the regulatory change management process, the organization needs an ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should provide the organization a quick view into what regulations have changed, which individuals in the organization are responsible for triage and/or impact analysis, the state of review of change, who is accountable, and overall risk impact on the organization.

Value and Benefits of a Regulatory Change Process

When organizations develop a regulatory change process, they expect to be:

  • Effective. They seek to have a greater understanding of changing regulatory requirements and their impact on the organization. This enables the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing, and monitoring regulatory change, and allows it to demonstrate evidence of good compliance practices.
  • Efficient. They seek to optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business and regulatory landscape grows.
  • Agile. They seek to turn a dynamic and changing environment into an advantage over competitors that are handicapped by the same change. This requires the organization to understand how the regulatory environment affects the organization and its strategy, and how to adapt quickly and be responsive to new developments before competitors are.


Broken Process and Insufficient Resources to Manage Regulatory Change

Last week we looked at the challenge of the tsunami of regulatory change that organizations are flooded with, this week we look at how the internal processes and resources are insufficient to keep up with managing regulatory change in today’s dynamic, distributed, and disrupted business environment . . .

The typical organization does not have adequate processes or resources in place to monitor regulatory change. Organizations struggle to be intelligent about regulatory developments and fail to prioritize and revise policies and take actionable steps to be proactive. Instead, most financial service organizations end up firefighting, trying to keep the flames of regulatory change controlled. This handicaps the organization that operates in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions against other financial services organizations can have a significant impact. Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:

  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulations is time-consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • The frequency of change and the number of information sources overwhelms. The frequency of updates from the regulators is challenging but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory intelligence that take time to go through and process in order to identify what is relevant.  
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility to ongoing compliance — the organization has no idea of who is reviewing what and suffers from an inability to track what actions were taken, let alone which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions. 
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks the defensible audit/accountability trails that regulators require. This leads to issues with regulators and auditors, who find that there is no accountability or integrity in compliance records regarding who reviewed what change and what action was decided upon. The lack of an audit trail is prone to deception; individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus has no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates that it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no accountability for regulatory change that is strategically coordinated: the process fails to be agile, effective, and efficient in the use of resources. Accountability is critical in a regulatory change process — organizations need to know who the subject-matter experts (SMEs) are, what has changed, who changes are assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

The current situation: The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis. The organization is in a resource-intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation resulting in an inability to adequately predict the readiness of the organization to meet new requirements. There is no overall strategy to gather and share regulatory change information and decide what to do about it.  


A Tsunami of Regulatory Change Overwhelms Organizations

Managing and keeping up with change is one of the greatest challenges for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and interconnected nature of change and how it impacts the organization is driving strategies to mature and improve regulatory change management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated GRC strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that is continuous, dynamic, and disruptive. Consider the scope of change organizations have to keep in sync:

  • External risk environments. External risks – such as market, geopolitical, societal, competitive, industry, and technological forces – are constantly shifting in nature, impact, frequency, scope, and velocity. 
  • Internal business environments. The organization has to stay on top of changing business environments that introduce a range of operational risks, such as change in employees, processes, relationships, mergers & acquisitions, strategy, and technology.
  • Regulatory environments. Regulatory environments governing organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule making, and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone how they impact each other. Organizations can devote human and financial capital resources to keeping up with regulatory change, but that does not make them compliant if that change is not consistent and in sync with business and risk change. Change in economic or market risk bears down on the organization as it impacts regulator oversight and requirements. Internal processes, people, and technology change continuously, and regulatory requirements need to be understood in the context of business change. As these internal processes, systems, and employees change, this impacts regulatory compliance and risk posture.

Change is an intricate machine of chaotic gears and movements. Keeping current and aligned with change is one of the greatest challenges to compliance management strategies within organizations.

Regulatory Change Overwhelming the Organization

Regulatory change is overwhelming organizations. Many industries, like financial services, are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year.  Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years, the number of regulatory changes has more than doubled while the typical organization has not increased staff or updated processes to manage regulatory change. In financial services, according to the latest Thomson Reuters research, there was an average of 257 regulatory change events every business day in 2020, which is just in this one industry. In the past five years, the number of regulatory change updates impacting organizations has grown extensively across industries.
  • Global context. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change around the world. Regulations have a global impact on organizations and markets. In Asia, GRC 20/20 finds that there is often more concern over EU and US regulation than over regulation from Asian countries. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance.
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory changes, exams, and reporting requirements becomes complicated when faced with international requirements. Regulatory jurisdictions have varying approaches: principle-based regulation (also called outcome-based regulation) is popular across Europe and other countries around the world, while the United States and other countries take a prescriptive approach to regulation that is more akin to a checkbox list of requirements specifically telling the firm what has to be done. The principle-based approach gives the organization flexibility, with the focus on the achievement of an outcome and not the specific process that got them there. There are conflicting challenges in privacy regulations and other laws impacting organizations across jurisdictions.
  • Expansion into new markets.  It has become complex for organizations to remain in foreign markets as well as enter into new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive, while at the same time being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies with a focus on delivering a specific assessment of compliance risks. For example, regulators in the US seek to ensure that compliance officers do compliance risk assessments. This is also a theme picked up on by law enforcement agencies like the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC). The courts, with the United States Sentencing Commission, also evaluate the culpability of an organization on compliance based on compliance risk. The discipline of risk management is becoming a prerequisite for compliance officer skills to ensure that compliance has a seat at the enterprise risk management (ERM) / GRC table.
  • Hoards of regulatory information. Organizations are overwhelmed by information from legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information add to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries are requiring that compliance is not just well documented, but is operationally effective. This can be seen in the latest DoJ Evaluation of Compliance Program guidance. Case in point, Morgan Stanley is praised by regulators as a model compliance program and is the first company in 35 years of the Foreign Corrupt Practices Act’s (FCPA) history to not be prosecuted despite bribery and corruption in their Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley’s ability to keep compliance current in the midst of regulatory change: “Morgan Stanley’s internal policies . . . were updated regularly to reflect regulatory developments and specific risks.”

The amount of regulatory change coming at organizations is staggering. Consider an international bank headquartered in South America that embarked on a project to build a database of the regulatory requirements impacting the bank globally. The detail went down to the individual requirement level, so a single regulation might contribute anywhere from a few requirements to more than a thousand, depending on the regulation. After eighteen months of cataloging over 81,000 requirements, they abandoned the project. The reason was that the content was already obsolete: so much had changed during the process of documenting it that they did not have the resources to maintain the volume of regulatory change. A Tier 1 Canadian bank has reported the demise of a similar regulatory requirement documentation project for the same reason. If you print the United Kingdom’s Financial Conduct Authority rulebook, it comes to a stack of paper six feet tall. The U.S. Code of Federal Regulations (CFR) is over 174,000 pages. When printed and laid out end-to-end, that is a paper trail 25 miles long, nearly as long as a marathon.

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.

The above blog is an excerpt from GRC 20/20’s latest research paper. There is much more detail on regulatory change management in the research paper, Regulatory Change Management:
