Investigation Lifecycle Management

Investigation Lifecycle Management (ILM) enables organizations to manage the lifecycle of investigations, so that investigations are handled consistently, with collaboration across investigation roles and accountability for how each investigation is conducted and resolved.

Organizations benefit from consistent investigation documentation and process while maintaining data integrity and confidentiality. ILM is the process of managing and maintaining investigations throughout the organization for all categories of investigations (e.g. retaliation, abuse, fraud, privacy, theft, vandalism). The goal of the ILM approach is to document accountabilities, provide audit trails, coordinate with internal and external resources, specify monitoring activities, and provide a consistent process and investigation case review cycle.

The lifecycle is defined in five primary stages:

1 — Something Happened! Something has happened and the organization is faced with the question — should we investigate? The organization needs a clear guide to determine when an investigation should be conducted. An investigation should not be taken lightly, and should be clearly documented. Every organization requires the capability to identify, prioritize, investigate, and resolve issues. Structures (e.g., management, technology, process) should be embedded within the organization to help identify potential inappropriate activity. Drivers to conduct investigations include: employee reports or comments to management, risk indicator thresholds being exceeded, hotline reports, survey feedback results, recognition that controls have been circumvented, and others. An active monitoring process is implemented to identify when an investigation needs to be conducted; this includes:

  • Hotline: The ability to provide anonymous reporting of actual or perceived misconduct and issues (e.g., anonymous web or call center reporting).
  • Audits/assessments: Identifies issues to investigate through interviews, data or other testing, surveys, and assessment responses.
  • Exit interviews: Interviews at employee exit may expose issues that the soon-to-be former employee is aware of.
  • Corporate chatter: There is often some truth in rumor: what is the word on the street, around the coffee station, and in the lunch cafeteria?
  • Social media: Facebook, Twitter and other social media sites are increasingly being used for venting and disclosure of malfeasance.
  • Reporting to management: Written or verbal disclosures to management, direct reports or otherwise should not be overlooked or taken lightly; management needs to be held accountable to properly record what has been reported to them directly.

2 — Categorize and Assign. After the intake of a potential incident it is critical to understand what happened, who may have been involved, and the date of occurrence, and then to initiate the investigation. This involves:

  • Issue filtering: There may be duplicate reports, misguided reports, and just noise that need to be consolidated or set aside. The goal is to have a quick triage process to identify what is relevant to investigate.
  • Investigation categorization: The organization is to have established and predetermined categories of issues and response plans to engage appropriate resources and establish the security levels within the process. This categorization creates predetermined activity assignments and identification of information that must be gathered throughout the investigation.
  • Investigation assignment: Determining the responsible area, investigation lead, and subject matter expertise based on the categorization is the next part of the process. Here, the organization determines competence and independence (e.g., is attorney-client privilege needed, should an external party be engaged). Often these business decisions can be predetermined based upon the category or suspects associated with the investigation.
  • Policies and templates for response: Prepare and plan for what steps are to be taken before you have to respond. When the organization appears to be scrambling and going in different directions, investigations fall apart. The organization needs clearly defined policies and process templates defined ahead of time for the various investigation categories it has defined.

3 — Investigate. After classification and assignment the organization next moves into the formal investigation process. Investigation activities can be predetermined to a certain extent and by doing so, critical instructions, considerations and guidance should all be readily available and enforced. Critical components of managing the investigation include:

  • Evidence handling: Based on the classification of the investigation the organization needs the right capabilities to manage and handle the collection, preservation, and retention of evidence.
  • Subject matter experts: Specific subject matter experts need to be engaged for the twists and turns an investigation may take. This may include experts in interview/interrogation, documentation, written statements/depositions, physical and cyber forensics, as well as other areas.
  • Documentation: Success of an investigation hinges on the correct documentation of how the investigation was conducted, who was involved, and what steps/actions were taken.
  • Collaboration: A critical component of an investigation is the ability to collaborate between parties. This includes investigation personnel inside and outside the organization, parties involved in performing the investigation, those that reported it, as well as management responsible for overseeing the investigation. Communicating, securing and providing access to need-to-know information maintains the correct level of understanding on status, outcomes, unresolved questions, and actions regarding the matter.
  • Escalation procedures: During the course of an investigation, it may be necessary to escalate issues to another team and get involvement of higher levels of management or even law enforcement and regulators. Predetermining the criteria necessary to make this decision with the advance approval of company leadership will enable the investigation to continue the course approved by the company without jeopardizing the integrity of the investigation or increasing the risk to the resources involved.

4 — Resolve. The process of concluding an investigation is established to organize, preserve, and direct concluding activities according to established investigation procedures:

  • Final documentation: The final form of the investigation notes and documentation needs to be complete, addressing the who, what, when, where, why and how of the matter. This includes documentation of all investigation activities, involved parties, dates, time frames and other relevant information to complete the historical record of how the investigation was conducted and what was found.
  • Disclosure, restitution, and discipline: The organization needs to follow through with the proper resolution activities to wrap up the response. This includes what public or private disclosure, restitution to injured parties, disciplinary actions, or sanctions placed upon companies, groups or individuals have been taken. These actions are to be commensurate with the offense, company policy, and law. Handling these acts with consistency will protect the organization from claims of prejudice and favoritism.
  • Loss reporting: Losses resulting from incidents and issues that have been investigated are to be documented. This includes calculating the business impact of the issue, including tangible loss from: internal and external investigation cost, litigation costs, fines, penalties, judgments, impairment of assets, market cap reduction, workforce turnover, customer turnover, and business interruption. The organization should also estimate intangible losses such as reputation damage and negative media.
  • Incident metrics: The organization is to track metrics on each incident including incident type/category, loss, and time for the investigation. Other necessary metrics include date of incident, when it was detected, when it was reported, when and how long it was investigated, and when it was resolved. The goal is to understand the lag between incident and resolution and reduce the window of exposure and loss to the organization.
  • Lessons learned: A final lessons-learned document should be prepared for incorporation into future risk evaluations and business decision processes, providing historical information relevant to decision making today and in the future.

5 — GRC Integration. Investigations should not operate as an island disconnected from other GRC processes. The information gathered from investigations is critical to refining and improving other GRC related processes. Organizations are to develop and integrate a GRC information and process architecture that feeds investigation metrics into:

  • Policy & training: Incidents and issues are violations of policies. Violations that have been investigated are to be communicated and integrated into the policy life cycle management process to initiate policy review activities and drive continuous improvement.
  • Risk models and assessments: Use of loss information and details of what occurred from the investigation provides valuable information necessary to drive risk models and identify target risk areas. This enables the organization to identify and avert future incidents and loss to the organization.
  • Remediation of control weaknesses, vulnerability, and exposure: Establish action items to prevent and/or detect similar violations in the future. The critical component is the hand-off and monitoring of the remediation activities and the capture of relevant action information with the investigation closure.

In the previous articles we discussed Why Investigations Matter, Varied Approaches to Investigations Scattered Across the Organization, and Establishing Investigations Oversight. In the meantime, I would love to hear your thoughts on Investigation Lifecycle Management and corresponding GRC strategies.

Sincerely,

Michael Rasmussen, J.D., CCEP, OCEG Fellow
Business Ethics & Compliance Lecturer, Author, & Advisor

 

Establishing Investigations Oversight

In the previous posts we discussed Why Investigations Matter and Varied Approaches to Investigations Scattered Across the Organization. We now turn our attention to the issues of having proper oversight for investigation processes within the organization.

Organizations are developing strategies to consistently manage a growing body of GRC-related processes that have historically been scattered across the organization – the goal is to deepen transparency and collaboration across the organization. Internal investigations are a function of these processes that organizations strive to make more efficient, effective, and agile. GRC works by breaking down functional silos, connecting team members inside and outside the enterprise, and ensuring transparency and accountability for every action.

The goal is to bring the areas of governance, risk, and compliance into harmony. It enables different areas of the business to be accountable where they excel without dominating others: promoting collaboration and information-sharing to achieve a holistic view of GRC across the business. It provides collaboration as well as accountability across GRC-related processes scattered across the business to work together in harmony, delivering increased efficiency, effectiveness, and agility to the business.

A GRC approach to investigation management provides enterprise visibility across investigations processes. It enables investigation teams across the organization to work in harmony in their distributed functions. The goal of a GRC approach to investigations is to provide assurance that investigations will be handled appropriately, consistently, and in a timely manner while providing useful information to other GRC processes such as risk, policy, and audit.

A GRC approach to investigation allows the organization to achieve:

  • Agility: Business changes rapidly and requires investigation processes that are quick to react to incidents as they arise. Scattered investigation efforts slow down the business and handicap today’s dynamic business.
  • Consistency: Varying investigation teams in the organization need to work together in an integrated methodology and understand how their roles fit into the big picture. When silos are allowed to go their own way the organization loses visibility.
  • Efficiency: Leveraging common processes, technology, and information minimizes redundancy and wasted resources. Manual and document-centric processes are inefficient and burden the business.
  • Transparency: 360-degree visibility across key incident and loss indicators monitors the organization’s health and helps avert or mitigate disaster. Without full transparency across issues the organization is taken off guard.
  • Accountability: Increasing governance demands require a system of accountability where the status of issues is apparent, and individuals are accountable for resolution. A lack of accountability and ownership of specific issues is a warning sign for regulators or third parties to dig deeper.

GRC in investigation governance is made possible by three key functional capabilities:

  • An organized Internal Investigation Committee to govern the oversight and guidance of investigations and ensure investigations are managed consistently across the enterprise.
  • An individual assigned to the role of Internal Investigation Manager to assure accountability across the investigation lifecycle to the standards and processes defined by the Investigation Management Committee.
  • A well designed Investigation Lifecycle process that delivers efficiency, effectiveness, and agility to the business.

The Internal Investigation Committee (IIC) provides the structure and connective tissue to coordinate and drive consistency across distributed investigation teams and is comprised of team members that represent the best interest and expertise of the different parts of the organization. This committee is comprised of individuals from legal, compliance, audit, fraud, physical security, IT security, quality, health and safety, and other relevant areas of the business with investigative responsibilities.

The IIC carries out its investigation governance responsibilities by leveraging commonly developed and agreed-upon investigation policies, procedures, processes, and technologies that form the Investigation Lifecycle management. The role of the Internal Investigation Manager is to be the champion that sees that the lifecycle is followed.

In the next post we will look at the Investigations Lifecycle in more detail. In the meantime, I would love to hear your thoughts on Establishing Investigations Oversight and corresponding organizational strategies.

 

Varied Approaches to Investigations Scattered Across the Organization

 

In the previous newsletter/post we discussed Why Investigations Matter. We now turn our attention to the issues of having Varied Approaches to Investigations Scattered Across the Organization.

The problem is that organizations do not have a standardized methodology to consistently address investigations across the enterprise. Today’s typical organization struggles with manual, scattered, and ad hoc investigation processes.

Unfortunately, many organizations implementing GRC strategies have seen investigations as a disconnected component and not core to GRC. Organizations often lack consistency, collaboration, and accountability when it comes to managing investigations. They have multiple investigation processes that do not work together, introducing redundancy and inefficiency.

When investigations are scattered across the organization, the organization lacks 360-degree transparency into the negative events impacting the business. No one can see the breadth and depth of issues the organization has. As a result, investigations:

  • Suffer from a complete lack of universal insight: There is no single authoritative source where investigations are consolidated, maintained, monitored and managed consistently.
  • Are bound by disparate methodologies: With redundant investigation processes, the organization has not fully embraced a common methodology to consistently manage investigations while allowing for unique subject matter experts to be involved in areas of their specialty.
  • Lack enterprise accountability: There is no enterprise assurance into the consistency of investigations and resolution of issues, with limited structures of accountability for understanding who took what action, what is being done to prevent future issues, who is responsible for the impact and loss, whether there is a historical trend of similar incidents and issues, and whether the issue is documented correctly.
  • Have deficient lifecycle management: Organizations maintain an ad hoc approach to managing investigations with varied approaches that introduce redundancy and inefficiencies when there is no common system for managing workflow, tasks, documentation, approval, accountability, and escalation processes.
  • Fail to integrate with policy systems: Investigations concern violations of policy; when the organization has no integration into policy systems and lifecycle management it is handicapped in improving policies to prevent future violations.
  • Are disengaged from risk management: Investigation processes that are external to risk management processes are unable to provide the necessary historical loss information to adequately identify, measure, and manage risk.
  • Are encumbered by improper technology: Processes are burdened by technology such as spreadsheets and homegrown databases used to document and manage investigations. This approach lacks sufficient audit trails that identify who did what, took what action, and entered notes – and that provide assurance the records were not modified at a later time to structure a different story or get someone out of trouble.
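The audit-trail gap described in the last bullet (who did what, and assurance that notes were not rewritten later) and the incident timeline metrics listed under the Resolve stage of the Investigation Lifecycle Management post above can both be served by a hash-chained case record. The following is an added example, not code from the posts or from any product they mention; the case identifier, actors, dates and notes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # previous-hash value for the first entry in a case


@dataclass
class Entry:
    seq: int          # position in the chain
    actor: str        # who recorded the action: the accountability trail
    action: str       # lifecycle milestone ("incident", "detected", ...) or "note"
    note: str
    event_time: str   # when the thing described happened (ISO-8601, UTC)
    recorded_at: str  # when this entry was written to the log
    prev_hash: str    # hash of the previous entry (chains the record together)
    entry_hash: str = ""


def compute_hash(entry: Entry) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the hash."""
    body = asdict(entry)
    body.pop("entry_hash")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CaseLog:
    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.entries: list[Entry] = []

    def record(self, actor: str, action: str, note: str,
               event_time: datetime, recorded_at: Optional[datetime] = None) -> Entry:
        """Append an entry whose hash commits to the previous entry's hash."""
        now = recorded_at or datetime.now(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = Entry(len(self.entries), actor, action, note,
                      event_time.isoformat(), now.isoformat(), prev)
        entry.entry_hash = compute_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry.

        Edited, reordered or removed middle entries break the chain. A silently
        truncated tail is only detectable if the latest hash is also anchored
        somewhere the record keeper cannot rewrite (e.g. a periodic sign-off).
        """
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or compute_hash(e) != e.entry_hash:
                return i
            prev = e.entry_hash
        return -1

    def lag_hours(self, start: str, end: str) -> Optional[float]:
        """Hours between the first occurrence of two milestone actions."""
        times: dict[str, datetime] = {}
        for e in self.entries:
            times.setdefault(e.action, datetime.fromisoformat(e.event_time))
        if start not in times or end not in times:
            return None
        return (times[end] - times[start]).total_seconds() / 3600

    def incident_metrics(self) -> dict[str, Optional[float]]:
        """The lag metrics the Resolve stage asks for, derived from the record."""
        return {
            "incident_to_detection_h": self.lag_hours("incident", "detected"),
            "detection_to_report_h": self.lag_hours("detected", "reported"),
            "report_to_investigation_h": self.lag_hours("reported", "investigation_started"),
            "investigation_duration_h": self.lag_hours("investigation_started", "resolved"),
            "incident_to_resolution_h": self.lag_hours("incident", "resolved"),
        }


def build_sample_case() -> CaseLog:
    """Constructed sample case: identifier, actors, dates and notes are made up."""
    def at(day: int, hour: int) -> datetime:
        return datetime(2011, 1, day, hour, tzinfo=timezone.utc)

    log = CaseLog("CASE-PLACEHOLDER-0001")
    log.record("intake.clerk", "incident", "Duplicate expense claim (per report)", at(3, 9), at(5, 14))
    log.record("intake.clerk", "detected", "Flagged by duplicate-payment control", at(5, 10), at(5, 14))
    log.record("intake.clerk", "reported", "Hotline report received", at(5, 14), at(5, 14))
    log.record("investigation.lead", "investigation_started", "Category: fraud", at(6, 9), at(6, 9))
    log.record("investigation.lead", "note", "Interviewed approver; statement taken", at(7, 11), at(7, 11))
    log.record("investigation.lead", "resolved", "Restitution agreed; control gap fixed", at(10, 16), at(10, 16))
    return log


def tamper_demo() -> tuple[int, int]:
    """Rewrite a note after the fact and report verify() before and after."""
    log = build_sample_case()
    before = log.verify()
    log.entries[4].note = "No interview conducted"  # the after-the-fact edit
    return before, log.verify()
```

Reviewers re-run `verify()` before relying on the record; a non-negative result names the first entry whose content or ordering no longer matches what was committed.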

The organization suffers with ineffective investigation structures, content, coordination, lifecycle management, accessibility, accountability, and communication when this critical GRC process is trapped in silos. There is no 360-degree transparency into the status and impact of all investigations across the enterprise.

How can an organization manage and model risk and compliance without a clear understanding of where issues and events have been in the past? The issues of the past are a critical source of risk intelligence, providing a necessary indicator of where the organization’s future risks lie. Corporate governance, strategic decision-making, and the protection of stakeholder value require an organization to understand where its issues and losses have been.

When the organization is under a microscope, having a detailed document trail of investigations – how they were managed, who was involved, who was implicated, and what actions were taken – provides grounds for defending the organization. Organizations require collaboration and accountability across investigation teams for their ongoing involvement in investigations, the investigation process, evidence management, monitoring incidents, corrective actions, and loss reporting.

Why Investigations Matter

Investigations have many names; in parts of the organization they may be called issues, loss, matters, events, cases, and incidents. I now turn my attention to a series of posts/newsletters on the topic of effectively managing corporate investigations.

Investigations, done right, minimize or control loss, uncover systemic issues, identify risk areas, and provide information that drive continuous improvement initiatives. As a result, investigations are a critical cornerstone to governance, risk management, and compliance (GRC) efforts in the ability to find and resolve issues to reduce exposure and contain loss to the organization.

GRC activities require that an organization have a solid approach to manage investigations and feed information into other GRC related processes. Consider that. . .

  • Investigations are a GOVERNANCE activity: Most organizations do not connect investigations with how they maintain corporate culture and policy boundaries by holding parties accountable to policies and procedures. Without a consistent investigation process, culture morphs and takes unintended paths.
  • Investigations influence RISK models: Investigations inform risk management processes where the most significant risks have materialized in the past and drive evaluation and remediation priorities. Loss information gathered from investigations is a critical element of risk modeling.
  • Investigations are a critical component of COMPLIANCE: Investigations enforce compliance through identification of areas that need improvement and increased monitoring. This includes policy and procedure revision, improved communications, changes to training programs, and enhancements to monitoring activities. Further, investigations are considered a fundamental element of a corporate compliance program (e.g., USSC Organizational Sentencing Guidelines).

Through a consistent investigation process the organization identifies damages, involved parties, evidence of policy violations, impacts, remedies, and maintains boundaries for acceptable behavior of business processes, relationships, systems, and individuals.

The right investigation process is necessary to define and communicate that the organization is serious about its policies, culture, and control and to facilitate enhancements that prevent reoccurrence of similar issues.

Stay tuned – more will be coming on the critical topic of effectively managing investigations. In the meantime, I would love to hear your thoughts on Investigation Management and corresponding organizational strategies. Please feel free to comment below . . .

 

Is there a place to go for a list of all regulations we need to comply with?

This question was recently posted to the Corporate Integrity LinkedIN Group. The specifics are as follows:

We are looking for a list of all regulations that we need to comply with. I know that OCEG is putting together a database of this information for members, but I am wondering if there are other sources that people are aware of? It seems as though I’ve seen this built into some GRC software and I’d expect law firms and the “big 4” to have something. Have any of you encountered a list and if so can it be shared?

My response was:

Besides the mountains of information that a Lexis or a Thomson has – no. Just for example, there are over 3,000 employment/labor laws and regulations just within the United States (Federal, State, and Local jurisdiction levels). That is only one niche of GRC. Once you start looking at privacy, anti-corruption, environmental, health & safety, quality, and many other areas, this becomes a monstrous list.

There are some good sources for specific areas. The Unified Compliance Framework has a good listing of IT and Privacy related regulations.

I have been working on compiling some lists for clients – and a good list crossing a lot of areas easily grows into the 1,000s.

 

 

GRC 2011: Gripes & Directions

No matter if you use the term or not – GRC (Governance, Risk Management, & Compliance) is a reality.  We are in 2011 and it has been ten years now since I first started using the term GRC in research and interactions with organizations.

The truth of the matter is – GRC as an acronym is approximately 10 years old, but GRC as part of business is as old as business itself.  Organizations are governed and approach compliance and risk management in some form.  The question before them:

  • Are they doing it in a way that makes sense?
  • Are they doing it to achieve business agility, effectiveness, and efficiency?

Whether you use the acronym GRC or not does not matter to me – the truth is you are doing GRC in some form or fashion. As we enter 2011 it is time for me to put on the pundit hat and give you my gripes from 2010 and directions for GRC in 2011.

2010 Gripes

It is best to get gripes out of the way first – that way I can get them off my chest and not be weighed down as I discuss directions.  Interestingly, my gripes are mainly focused on technology vendors – I am sure I can find a burr or two under my saddle in other areas, but today I am focused on venting my frustration with GRC technology vendors:

  • Ignorance. Yes, vendors often frustrate me – some are great, others need a lot of help.  What frustrates me is when vendors ignorantly communicate GRC as being about technology – technology is the enabler for GRC to achieve agility, efficiency, and effectiveness. GRC itself is broader than technology and should align with process and strategy.
  • Generic messages. Ignorant vendors have a generic message.  I am tired of seeing vendors come into buyer situations telling them they have the best and most adaptable solution out there – it slices, it dices, it does your laundry.  Good night – GRC is about solving problems, generic answers do not cut it.  Most sales people from vendors completely miss the boat; they cannot put themselves in the shoes of the buyer.  I remember one situation in which a buyer was addressing a Corporate Integrity Agreement (CIA) – several vendors that came into the deal never even read the CIA, which was publicly available and referenced in the RFP.
  • Blowing Up Deals. My biggest issue is the fact that the primary GRC vendors are focused on large enterprise deals.  They are pressured to close the big deal – often looking for 7 figures. Vendors come into a situation and are trying to fix organizational political issues/silos that the organization is not ready to address.  I have seen more GRC opportunities trashed or postponed because vendors insist on making the deal bigger than what the organization is ready for today.

2011 Directions

2011 will be an interesting year for GRC strategies, processes, and technology.  I pull out my crystal ball and give you the following predictions:

  • Standardized GRC process and definitions. Much of the problem about GRC is a lack of standardized guidance.  As my friend Norman Marks has commented, you can go to a conference and hear a dozen or more definitions of GRC.  This is changing as the OCEG GRC Capability Model has grown in popularity and adoption.  Dell is one company to be among the first to seek process certification for their anti-corruption processes against the GRC Capability Model.
  • GRC professional certification. OCEG also is poised to roll out the GRC Professional Certification in the next month.  This is an encouraging process to get more individuals trained and supporting a common GRC framework.  The last two GRC Process, Strategy, and Technology Bootcamps delivered the early version of the test and enabled attendees to be among the first to get the certification.
  • Year of corporate compliance. A lot of attention has been given to SOX, audit, and IT risk and compliance.  2011 is the year that the most significant growth will be in the corporate compliance department.  This is a department that has been burdened by manual and ad hoc processes for years and is now becoming aware of how technology, particularly integrated with content, can streamline operations.  Issues such as the UK Bribery Act and other regulatory/enforcement actions continue to drive this role as well as compliance evolving into a champion of values and ethics and not just the corporate cop.
  • Performance and ERM. Back to a gripe that I forgot above – ERM.  I continue to be frustrated with many ERM programs that are nothing more than an expanded view of financial controls (an evolution of SOX initiatives).  I see growing interest in ERM being driven from the board down and focused on and integrated into strategy and performance.  BTW – many vendor offerings are inadequate for true ERM as they simply are a replacement for spreadsheets and have very basic models for representing risk.
  • Risk & compliance in the extended enterprise. Extended business relationships — those involving the supply chain, value chain, vendors, service providers, outsourcers, and contractors — require the same vigilance in mitigating risks and staying in compliance, as do internal enterprise activities.  Third-party risk management and compliance obligations have steadily increased over the past decade, coming either directly from statutes and regulations or indirectly.  Whether imposed by statute or from a business partner, managing such risk across the constellation of business relationships requires an approach that is effective, repeatable, and defensible.
  • Risk & regulatory intelligence. A sound GRC strategy is not just built on technology but also content.  More and more solutions are differentiating themselves by offering packaged content of policies, procedures, risk libraries, assessments and controls.  Leading solutions also integrate with knowledge/content services to keep the organization apprised of relevant risk and compliance developments around the world that impact their business.
  • Effective policy management. I am seeing increased interest in developing consistent policies and procedures within organizations and managing them within a well-defined life cycle.  Policies and procedures are a cornerstone of a solid GRC strategy that in the past has often been neglected.  Organizations are finding increased exposure to liability for ineffective policies that are out of date, confusing, and not understood.
  • Fixing problems. There are some organizations executing large enterprise-wide GRC strategies that focus on collaboration across GRC roles.  However, this represents only 10 to 20% of GRC deals.  Most GRC deals are focused on fixing specific problems that bear down on the organization.  Organizations want to leverage processes and technologies for other areas – but immediately they want to solve the problem before them.  This will continue over the next several years as organizations remain reactive and only a few focus on strategic proactive GRC initiatives.
  • Expansion and consolidation. The market for GRC technology will continue to expand as more vendors enter the market which will be complemented by further consolidation as larger vendors continue supplementing their GRC offerings through acquisition of smaller vendors.  We will also see smaller vendors pull together to broaden their offerings and compete against the larger vendors.
  • Mid-market focus. Much of the GRC focus has been on the Global 1000 – attention is now moving to encompass mid-market companies as well.  These companies, as I started this discussion, have GRC strategies whether they call them that or not – but are looking to improve their business efficiency, effectiveness, and agility for GRC.  This starts with solving immediate pressing problems and expanding to other areas with consistent processes and technology.
  • David and Goliath. The small vendor tends to be more agile, ready to adapt to customer needs, and quick to implement bleeding edge technologies.  While the Goliaths have taken up the challenge and have pulled in smaller vendors to bolster their offerings – it is the smaller vendors that tend to have the most intriguing cutting edge offerings that continue to expand how GRC can be managed within an organization.
  • Prices come down. Regarding vendors, it is time for prices to come down.  Many GRC technology opportunities are shut down because the primary vendors are looking for very large deals.  I might not be very popular with this – but prices have to come down for GRC technology to achieve broader adoption.  This will be done as a variety of new and existing vendors are poised to offer very feature rich solutions at lower price points – particularly to compete against the large IT companies in the space.

These are my collective thoughts – I could write volumes on this and more.  In 2010 I had personal interactions (e.g., engagements, interviews) with over 100 different organizations implementing GRC strategies to address various problems across industries.  This does not count the scores of interactions with vendors and professional service firms.  Those subscribing to my newsletter and blog have grown to over 7,000.  The Corporate Integrity LinkedIn Group has grown to over 2,300.  It has been a good year – and I expect it to be an even greater year in 2011!

Happy New Year!  May 2011 bring your organization commitment to sound values, ethics, and practices in light of Principled Performance supported by a sound GRC strategy, process, and technology architecture! Please feel free to comment and share your thoughts and experiences on the GRC market . . .

Regulatory Intelligence Enabled by a GRC Technology Platform

The core elements of a regulatory intelligence process can be delivered in a GRC software platform. The solution will allow the compliance and legal functions to profile regulations, link regulatory content aggregators, and have new developments or alerts pushed into the application and disseminated to the appropriate subject-matter expert for review and analysis.

Technology tailored to this process empowers legal and compliance personnel to manage and monitor regulatory change on a continuous basis. A flexible regulatory intelligence process-management system allows the organization to standardize and automate its regulatory requirements and monitor regulatory change. It also offers the ability to manage the collection, analysis, and action on information that flows within and across business units in an organization. Core capabilities in a GRC technology platform for regulatory intelligence include:

  • Content integration: At a basic level, the system should allow for simple manual entry of new changes and updates so they can be routed to the correct individual. In an advanced implementation, the software will be integrated with feeds from legal and regulatory content aggregators and pushed to the correct individual or group automatically. Additionally, organizations need the ability to search for laws, statutes, regulations, case rulings, analysis, news, and related information that could indicate regulatory risks that need to be monitored proactively.
  • Workflow and task management: The primary goal of regulatory intelligence is to provide accountability. This requires that regulatory change information is routed to the right person to take action. That individual should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The subject-matter expert must be able to re-route the task if it was improperly assigned or forward it to others for review for additional opinions. Individuals and group contributors must have visibility into their assignments and time frames.
  • Document management: The system should be able to catalog and version regulations, policies and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies and assessments for approval before implementation.
  • Ease of use: Legal and regulatory experts are not typically technical experts. The platform managing regulatory intelligence has to be easy to use and should support and enforce the business process. Tasks and relevant information presented to the user should be relevant to their specific role and assignments.
  • Audit trail: It is critical that the regulatory intelligence system have a full audit trail showing who was assigned what, what they did, what was noted and whether notes were updated, and that it be able to track what was changed. This enables the organization to provide full accountability and insight into who reviewed regulations, how and when they did so, measure the impact on the organization, and record what actions were recommended or taken.
  • Extensive reporting capabilities: The system must provide full reporting and dashboarding capabilities to see how many regulations are changed, who is assigned what tasks, which items are overdue, what the most significant regulatory changes impacting the organization are, and more.
  • Flexibility and configuration: No two organizations are identical in their processes, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s regulatory intelligence process.

Approaching Regulatory Change as a Consistent Process

The old paradigm of regulatory change management is clearly a recipe for disaster given the volume, pace of change and the broader operational impact of today’s laws and regulations. Just as the CFO needs a financial system or the sales department needs CRM, legal and compliance need regulatory intelligence.

Organizations should explore how technology and process combined with regulatory content can transform ad hoc regulatory change management. Organizations must make regulatory information actionable and accountable with regulatory intelligence. A critical part of meeting the demands of a dynamic business and regulatory environment is to gain control of regulatory risk and resource management, and to better control compliance and legal spending.

Layers of Regulatory Information

While the market seems to be eager to grasp onto the phrase “risk and regulatory intelligence,” it means nothing if corporations do not know what to do with the knowledge the process brings them. Information overload merely bears down on the organization. Organizations need the ability to get the right information to the right people at the right time. This must be supported by clear accountability, task management and workflow management capabilities.

There are three major layers of regulatory information that contribute to supplying sustained intelligence to the organization.

  1. Law: The specific law is the primary and authoritative source of regulatory information.
  2. Legal interpretation and analysis: Laws can often be unclear or downright confusing; expert analysis and interpretation about what it means can be provided. This layer may come as non-legal advice by an expert who understands the breadth of related issues and developments, or as specific legal advice to the corporation. This often includes monitoring which organizations are getting in trouble for lapses in compliance, and why and how it may impact them.
  3. Policies, controls, forms, and assessments: The third layer of regulatory information is the practical application of laws and regulations in the organization in the forms of policies, controls, forms and processes, and assessments.

There are content providers that supply regulatory information across all of these layers. More recently, these content providers deliver GRC technology platforms to automate the distribution and practical application of this information. Their solutions combine the collection of content with process management to provide regulatory intelligence.

The critical change organizations must make is to develop defined processes to route new legal and regulatory developments to the right subject-matter experts to make this information actionable in the organization’s specific context.

A Model Regulatory Intelligence Approach

Success in regulatory change management begins with a strategy to effectively manage regulatory changes in a dynamic environment. Ultimately, the organization must identify and prioritize regulatory changes resulting from new case law, new legislation, and new or amended rules and requirements, and must also maintain oversight and control over business processes to mitigate risk. This requires deploying a common process that delivers real-time accountability and transparency across the regulatory areas impacting the business, with a common system of record.

The goal is to deliver:

  • Efficiency: Optimize human and financial capital resources to consistently manage regulatory change and enable sustainable management of resources as the business and regulatory landscapes change over time.
  • Effectiveness: A greater understanding of changing legal requirements and their impact enables the business to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing and monitoring the legal and regulatory change process. The organization also needs the ability to demonstrate evidence of good business practices.
  • Agility: Regulatory intelligence enables a dynamic and changing organization to understand how the regulatory environment affects business change, and also how regulatory change impacts the organization.

Building a regulatory intelligence strategy requires the implementation of a process model that monitors regulatory change, measures impact on the business, and implements appropriate policy, training, and control updates. Regulatory intelligence processes also include the following core elements:

  • Regulatory taxonomy and catalog: This is a catalog of regulations the organization has to comply with across jurisdictions. Regulations are broken into categories to logically group related regulations (e.g., employment and labor, anticorruption, privacy, quality, health and safety, AML, and fraud).
  • Roles and responsibilities: The core of regulatory intelligence is accountability — making sure that the right information gets to the right person, and that they take appropriate action to address regulatory change. This requires the definition of subject-matter experts for each regulatory category defined in the taxonomy. This can be subdivided into subject-matter experts with particular expertise in subcategories or specific jurisdictions, or experts responsible for specific actions in the series of changes that addresses a new requirement.
  • Business impact analysis: The subject-matter expert must conduct a business impact analysis regarding the regulatory change. It may be as simple as acknowledging that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance monitoring program must be put in place.
  • Integration with policies: Regulations should be mapped to the policies that authorize how the organization will comply with them. Whenever a regulatory change is put into the system, corresponding policies related to the regulation should be flagged to be reviewed. This linkage should also extend to other areas of compliance, such as controls and assessments.
  • Update communication, training, and attestation plans: Along with policies, regulatory changes should be evaluated to see if compliance and policy training, communication, and attestation plans need to be updated or developed. This includes understanding the need to update the underlying communication mechanisms that exist between the business, experts, workforce and third parties.
  • Monitoring and auditing: The ultimate goal is to provide accountability and sustained performance. A clear system of accountability must be in place that includes monitoring of the process — who is assigned each task, and its status. This goes further into a detailed audit trail the organization can use to understand who made what decision and how the process was conducted.
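The core elements just listed, together with the platform capabilities described under "Regulatory Intelligence Enabled by a GRC Technology Platform" (intake of new developments, routing to the accountable subject-matter expert, deadlines by criticality, re-routing, business impact analysis, overdue reporting and an audit trail), can be modelled in a small amount of code. The following is an added example written for this page; it is not code from any GRC vendor or from the author of these posts. The taxonomy, owner names, deadline values and change items are constructed sample data. The audit trail is kept as an append-only hash chain, which is one way to make the trail tamper-evident: editing, deleting or reordering an entry breaks the chain on verification. It does not by itself give non-repudiation, which would additionally require each entry to be signed by its actor.

```python
"""Added example: minimal regulatory-change tracker with taxonomy routing,
criticality-based deadlines, re-routing, impact analysis, overdue reporting
and a hash-chained (tamper-evident) audit trail. All data is constructed."""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Regulatory taxonomy category -> accountable subject-matter expert (assumed)
TAXONOMY_OWNERS = {"privacy": "sme.privacy", "anticorruption": "sme.anticorruption",
                   "employment": "sme.hr"}
# Review deadline in days by initial criticality ranking (assumed values)
DEADLINE_DAYS = {"high": 5, "medium": 15, "low": 30}
GENESIS = "0" * 64  # prev-hash of the first audit entry


@dataclass
class ChangeItem:
    item_id: str
    category: str
    title: str
    criticality: str
    assignee: str
    due: date
    status: str = "open"          # open -> assessed
    impact: Optional[str] = None  # outcome of the business impact analysis


def _digest(entry: dict) -> str:
    # Canonical SHA-256 over every field except the entry's own hash
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


class RegulatoryTracker:
    def __init__(self, today: str):
        self.today = date.fromisoformat(today)
        self.items: Dict[str, ChangeItem] = {}
        self.audit: List[dict] = []  # append-only; each entry chains to the previous

    def _record(self, action: str, item_id: str, actor: str, **details) -> None:
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"seq": len(self.audit), "action": action, "item": item_id,
                 "actor": actor, "details": details, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def intake(self, item_id: str, category: str, title: str,
               criticality: str, actor: str = "intake") -> ChangeItem:
        """Route a new development to the SME who owns its taxonomy category."""
        assignee = TAXONOMY_OWNERS[category]  # KeyError: category not in the catalog
        due = self.today + timedelta(days=DEADLINE_DAYS[criticality])
        item = ChangeItem(item_id, category, title, criticality, assignee, due)
        self.items[item_id] = item
        self._record("assigned", item_id, actor, assignee=assignee, due=due)
        return item

    def _owned(self, item_id: str, actor: str) -> ChangeItem:
        item = self.items[item_id]
        if actor != item.assignee:  # only the accountable SME may act on the item
            raise PermissionError(f"{actor} is not the assignee of {item_id}")
        return item

    def reroute(self, item_id: str, new_assignee: str, actor: str) -> None:
        """Forward an improperly assigned task; the hand-off itself is logged."""
        item = self._owned(item_id, actor)
        self._record("rerouted", item_id, actor, frm=item.assignee, to=new_assignee)
        item.assignee = new_assignee

    def record_impact(self, item_id: str, actor: str, impact: str) -> None:
        """Close the business impact analysis with the SME's conclusion."""
        item = self._owned(item_id, actor)
        item.impact, item.status = impact, "assessed"
        self._record("impact_recorded", item_id, actor, impact=impact)

    def overdue(self, as_of: str) -> List[str]:
        """Reporting: open items past their deadline on the given date."""
        cutoff = date.fromisoformat(as_of)
        return sorted(i.item_id for i in self.items.values()
                      if i.status == "open" and i.due < cutoff)

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for seq, entry in enumerate(self.audit):
            if entry["seq"] != seq or entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_sample() -> RegulatoryTracker:
    """Walk two constructed change items through the process."""
    t = RegulatoryTracker(today="2011-01-03")
    t.intake("RC-1", "privacy", "Amended breach-notification rule", "high")
    t.intake("RC-2", "employment", "Revised overtime thresholds", "low")
    t.reroute("RC-1", "sme.privacy.eu", actor="sme.privacy")
    t.record_impact("RC-1", "sme.privacy.eu", "Policy POL-17 and training need updating")
    return t
```

Running `build_sample()` assigns RC-1 to the privacy SME with a five-day deadline and RC-2 to the HR SME with a thirty-day deadline, logs the hand-off of RC-1 to a second expert, and records that expert's impact conclusion; `overdue("2011-02-10")` then reports only RC-2, and `verify_audit()` returns `True` until any audit entry is altered. The assignee check in `_owned` is the accountability control: a change to an item is accepted only from the person the trail says is responsible for it.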

Manual and Ad Hoc Regulatory Change Processes

Over the years, many organizations have matured in their view of internal risk-intelligence issues. However, monitoring external regulatory environments remains a broken process. To date, regulatory risk is managed in a very sporadic and ad hoc fashion with little accountability and oversight — if at all. Most organizations rely on manual ad hoc processes to manage regulatory change, and many times they only address limited areas of coverage. In this model, it is not uncommon to have duplicated coverage areas further exacerbating the problems.

Within legal and compliance it is not uncommon to have a myriad of legal professionals doing ad hoc monitoring of legal and regulatory change and emailing parties of interest with little or no follow-up, accountability, or business impact analysis. The typical organization is in a very immature state of monitoring of case law, regulations, and pending legislation to predict the readiness of the organization to meet new requirements. The difficulty is how to share regulatory change information and what to do about it. The process must require a joint accountability and collaboration effort between legal, compliance, and the business.

These flawed processes — in most cases it is a stretch to call it a process — involve individuals that are overwhelmed with information who fire off an email to a subject-matter expert who may or may not get to it — leading to, in varying degrees:

  • Excessive emails, documents, and paper trails: Organizations rely on manual paper trails, email, and documents to monitor regulatory change with little or no accountability or follow-through. It’s not possible to verify who addressed a regulatory change, what actions need to be taken, or whether the task was transferred to someone else.
  • Lack of an audit trail: Ad hoc processes are prone to failure, as there is no accountability for who reviewed what and what action was decided upon. This approach lacks a clearly defined audit trail, and does not allow for non-repudiation. In fact, it is prone to deception, as individuals are able to fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting: Manual and ad hoc regulatory change processes do not deliver regulatory intelligence — there is no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. The organization has no report or dashboard about the number of items being tracked, who they are assigned to, and whether they are on or behind schedule for review. Trying to make sense of data collected in manual processes and electronic documents is a nightmare. How do you aggregate and provide meaningful reports from hundreds or thousands of disparate sources of information in emails and documents? The answer: a lot of labor and time.
  • Files and documents out of sync: Adding to this behemoth of labor is the effort to track and control versions of all of the emails and documents, which quickly become out of sync and lose relevance. The accuracy and relevance of the information soon comes into question. Where are key decisions documented and how? If an organization makes the decision that a regulatory change does not impact them, where and how are these efforts, actions and decisions documented?
  • Wasted resources and spending: Silos of ad hoc regulatory monitoring lead to wasted resources and hidden costs. Instead of determining how human and financial resources can be leveraged to meet an enterprise view of managing regulatory change, they are developed independently without measure — and are merely a stop-gap, not integrated into a defined business process with clear systems of accountability and transparency. The organization ends up with inefficient, ineffective and unmanageable processes and resources to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that fail to produce desired results wastes time and resources, and sustains and creates excessive and unnecessary burdens on business and operations.
  • Poor visibility across the enterprise: A reactive, siloed approach to regulatory change means the organization can’t see the big picture. The organization has islands of initiatives that are individually assessed and monitored — supported by scattered silos of documents and emails that are not integrated into a system to manage the process. This results in poor visibility across the organization and its control environment that inhibits planning, budget optimization, and process transparency.
  • Overwhelming complexity: Complexity is a result of multiple ad hoc and manual approaches to regulatory change and confuses the business. Varied approaches prevent predictable resource requirements and impact business goals due to uncertainty and confusion. Complexity further increases risk and frustration amongst employees, partners, management, investors, regulators, and other stakeholders.
  • Lack of business agility: A regulatory intelligence strategy without a common process architecture leads to a lack of agility caused by reactive approaches, and is exacerbated by manual approaches overly reliant on email and documents. When information is trapped in individual roles, documents, and emails, the organization is crippled. It lacks a full perspective of regulatory change and intelligence. The company is spinning so many compliance plates, it struggles with business change and inefficiency. The business is not able to adequately prioritize and tackle the most important and relevant issues or make informed decisions.
  • Greater exposure and vulnerability: Regulatory change complexity, exposure and vulnerability are the opposite of what GRC and regulatory intelligence are designed to achieve. There is excessive focus on immediate burdens, rather than a drive toward regulatory intelligence integrated within a common process. This creates duplication, gaps, and a business ill-equipped to align regulatory changes to the business.
  • No accountability: Ultimately, this means there is no true accountability for regulatory change. The organization lacks visibility into who is responsible for changes in a given regulatory area, and what the status is. Accountability is critical in a regulatory change process — organizations need to know who the subject-matter experts are, what has changed, who is assigned, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the result of the change process.

For regulatory intelligence and wise decisions, organizations require a process to assimilate the intake of relevant information, track accountability around who needs to perform what actions, model the potential impact on the organization, establish priorities and determine an appropriate course of action.

GRC technologies are beginning to be used to take in risk and regulatory information, weed through irrelevant information, and route critical information to subject-matter experts responsible for making a decision on a particular topic. This at a minimum requires workflow and task management capabilities, but in more mature systems provides direct integration with content and information aggregators. These aggregators contain an organization profile, and relevant new developments are routed to specific individuals responsible for evaluating specific business or subject matter content.

Regulatory Intelligence: Bombardment of Regulations upon Organizations

After a brief hiatus, I turn our attention back to the issues of policy management and compliance. We will now explore (over several posts) the issue of Regulatory Intelligence and Monitoring.

Hordes of regulation bear down on the organization

Business is under siege by a legion of laws and regulations. Compliance itself has become difficult as business is bombarded with thousands of new regulations, in addition to changes to existing regulations, each year.

At the U.S. Federal level alone (not U.S. State or local jurisdictions; not other countries) there were over 3,500 new regulations issued last year. This brings the total number of regulations issued since 1995 to nearly 60,000 (from the Competitive Enterprise Institute’s 10,000 Commandments). In addition to that, there are another 4,000 regulations pending – waiting for approval. Add in the breadth of State laws and the laws in other countries that business has to comply with, and the sheer volume is staggering.

The Open Compliance and Ethics Group, in compiling its guidance on common requirements across employment and labor laws at the U.S. Federal, State, and local jurisdiction level, sifted through more than 3,000 employment/labor laws and regulations across the U.S.

The problem is not just a U.S. problem. A leading Brazilian bank has catalogued over 80,000 regulatory requirements that impact its operations around the world.

Organizations are in a complex environment of regulatory risk. When the organization approaches regulatory risk management and compliance in scattered silos that do not collaborate with each other, there is no possibility of being intelligent, let alone wise, about risk decisions that could impact business execution or strategy.

Lack of regulatory intelligence

Organizations suffer from a lack of regulatory intelligence. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize and make changes to policies, procedures, and controls – particularly in an environment under siege by an ever changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, or even court proceedings all can have a significant impact on the organization.

Information itself is not enough – organizations are overwhelmed by data through legal and regulatory newsletters, websites, emails, journals, and content aggregators. In fact, the overwhelming amount of information and duplication of information is part of the problem. Organizations fail in regulatory monitoring itself, which is the first step towards regulatory intelligence. The organization needs regulatory intelligence – getting the right information to the right person, who can then decide how and when the organization needs to process the regulatory change. Organizations need to grasp the breadth of regulatory data and transform this information into intelligence, which then brings knowledge that can be acted upon in a measurable and consistent manner.

Regulatory intelligence is about enabling accountable and reliable handling of changes in the legal and regulatory environment that the business operates in. The primary directive is to alert the organization to regulatory and legal conditions that can impact its business. It is part of a broader risk intelligence strategy that monitors external and internal changes to the business environment and alerts the organization to risk conditions (e.g., geo-political, economic, natural disaster) that can impact its business.

The corporate compliance and legal roles struggle with monitoring a growing array of regulations, legislation, regulator findings/rulings, and case law. Regulatory intelligence systematically streamlines monitoring by using an automated process with workflow, task management and accountability documentation that results in meaningful information to consistently manage regulatory change. The challenge for organizations is to develop processes that harness internal and external information from so many sources, to be intelligent about their risk and regulatory environments across different parts of the business, and to be able to demonstrate their process and state of compliance.

The Bottom Line: Organizations need to move ad hoc monitoring and execution of regulatory changes to a regulatory intelligence process.

I would love to hear your thoughts on Regulatory Intelligence and corresponding organizational strategies. Please feel free to comment on this blog.