Managing Regulatory Relationships – Playing by the Regulator’s Rulebook

[button link=”https://www.nscp.org/webinar-form/”]Register[/button] [tabs style=”default”] [tab title=”Summary”] The National Society of Compliance Professionals is pleased to host this webinar on the “Managing Regulatory Relationships – Playing by the Regulator’s Rulebook. The rise in compliance violations, coupled with the onset of rigorous new laws, have prompted regulators to issue increasingly strict regulatory exams. Given that a single negative review can adversely affect a firm’s profitability and reputation, the onus is on banks and financial institutions to do their homework, and ensure that they are well-prepared to face these exams. For regulatory engagement managers, the biggest task is managing the extensive documentation created during different stages of the exam process. Without a centralized system to manage the required paperwork, it can be difficult to track, retrieve, and deliver timely information to regulators. Please join Michael Rasmussen, Chief GRC Pundit of GRC 20/20 Research, and other expert panelist(s) to find out more on:
  • Preparing for a regulatory exam – Challenges and ways to overcome them
  • Strengthening regulatory relationship with a robust regulatory exam management process
  • Core elements of an effective regulatory examination management program
  • Adopting technology to streamline the overall examination process and gain process visibility
[/tab] [tab title=”GRC 20/20 Presenter”] rasmussenMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc. [/tab] [tab title=”Webinar Sponsor”]
MetricStreamMetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Their enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance. Leading companies across industry verticals are benefiting from MetricStream’s approach to GRC that is transforming risk management in a business environment that is increasingly mobile, social, global, and virtual. [/tab][/tabs]

Leveraging Regulatory Content for Developing an Optimum Compliance Framework

[button link=”http://info.metricstream.com/regulatory-change.html?Channel=Webinar_MR”]Register[/button] [tabs style=”default”] [tab title=”Summary”]
Organizations are grappling with the siege of changing laws, regulations, and enforcement actions. When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, there is no possibility to be intelligent about compliance risk that impacts your business. For the typical organization, information itself is not enough – it needs a compliance framework supported by an information and technology architecture to keep abreast of regulatory and business change. A well-defined regulatory change management process helps to establish priorities for regulatory updates, assimilate the intake of applicable information, improve accountability by directing actions to appropriate stakeholders, and determine if the enterprise policies, procedures, and controls need to be adjusted to address the changes. This webinar enables the attendees to build a regulatory intelligence strategy and process that allows them to:
  • Develop a regulatory taxonomy/framework indexed to the enterprise risk taxonomy
  • Define and assign roles and responsibilities in line with the organizational structure
  • Conduct regular business impact analysis of regulatory updates
  • Map regulations to the organization’s risks, policies, controls etc. so that applicable GRC elements can be modified when regulations change
  • Revise communication and training programs to keep them current with regulatory change
  • Monitor and audit action plans to ensure that regulatory updates are driven into the controls of the business
[/tab] [tab title=”GRC 20/20 Presenter”]
rasmussenMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc. [/tab] [tab title=”Webinar Sponsor”]
MetricStreamMetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Their enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance. Leading companies across industry verticals are benefiting from MetricStream’s approach to GRC that is transforming risk management in a business environment that is increasingly mobile, social, global, and virtual. [/tab][/tabs]

Simplifying Regulatory Change Management by Leveraging Integrated Content and Technology

[button link=”http://info.metricstream.com/simplifying-regulatory-change-mgmt.html?Channel=ms-event-webinar”]Register[/button] [tabs style=”default”] [tab title=”Summary”] Banks and financial institutions continue to be challenged in managing the incessant volume of regulatory changes each year, and are now more than ever, realizing the need of an integrated and automated system that can simplify the end-end regulatory change management process across the enterprise. Join us on this webinar, hosted by The National Society of Compliance Professionals, with experts Michael Rasmussen, Chief GRC Pundit at GRC 20/20 Research and Susan Palm, Senior VP of Industry Solutions at MetricStream, where they elucidate on the importance of adopting a well-structured regulatory change management program that would enable companies to assess the scope and impact of changes, establish priorities, and initiate corrective action plans to adjust impacted policies, controls and procedures. [/tab] [tab title=”Objectives”] Attendees can learn how to:
  • Manage regulatory changes in a dynamic regulatory environment
  • Drive control and efficiency with a well-defined regulatory change management program
  • Leverage GRC technology platform for real time regulatory alerts and impact analysis
[/tab] [tab title=”GRC 20/20 Presenter”] rasmussenMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc. [/tab] [tab title=”Webinar Sponsor”] MetricStream
MetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Our market-leading enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance. [/tab][/tabs]
Posted on Leave a comment

The Agile Organization: GRC in Context of Regulatory Change

Managing this dynamic and intricate nature of change is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year. GRC Regulatory activity What further complicates this is the exponential effect of regulatory change on the business. Business operates in a world of chaos and in that context regulatory chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which a small event actually results, develops and influences what ends up being a significant event. The concept uses the analogy that the simple flutters of a butterfly’s wings create tiny changes in atmosphere that ultimately impacts the development and path of a hurricane. The typical organization does not have adequate processes or resources in place to monitor regulatory change. Instead . . . The rest of this post can be found a guest blog on MEGA’s Corporate Governance Blog . . .
[button link=”http://community.mega.com/t5/Blog/The-Agile-Organization-GRC-in-Context-of-Regulatory-Change/ba-p/11248″ color=”default”]READ MORE[/button]
Posted on 1 Comment

Demand & Market for GRC Content & Intelligence Offerings

Governance, Risk Management & Compliance (GRC) is something every organization does, but not necessarily does well. All have some approach to GRC whether it is ad hoc and broken, or mature and integrated. Every organization on the planet does GRC in some form or fashion. The official definition of GRC, as defined by OCEG in the GRC Capability Model, is that GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” Organizations do not buy GRC they do GRC. However, there is a market for GRC related solutions, services, and content/intelligence. These help organizations in their doing of GRC within their organization and bring organization efficiency, effectiveness, and agility to GRC strategy, processes, and architecture. A lot of attention has been given to the GRC technology solution market. I was the first to define and model this market back in February 2002 while at Forrester and have continued my nurturing and monitoring of this market. There are over 1,000 providers in the broad GRC market which is currently a $11.89 Billion market, but this does not count the professional services market which is significantly bigger than this. The Enterprise GRC market is about 10% of this figure. To date, not a lot of attention has been given to modeling and sizing the GRC content and intelligence market.  This market is significantly represented in the above market size figure but not completely. The reason is that there are a lot of GRC content and intelligence solutions that are tied and integrated into technology solutions.  While this is true, many of these same GRC content and intelligence solutions can also be integrated with other GRC technologies and many are agnostic to GRC technology. The role of content in GRC strategies, solutions, and architecture is becoming significant. Organizations find that they need access to risk and compliance intelligence updates, regulatory changes, risk libraries, audit templates, sanction and watch lists, sample policies, and more. GRC solutions are often differentiating themselves by their ability to provide and integrate a range of content offerings into their solution to provide complete situational awareness in a dynamic business environment. On Monday, July 13th, GRC 20/20 will be presenting our latest Research Briefing on 2015 Market Analysis: GRC Content & Intelligence Providers. In this research briefing we will discuss the latest drivers and trends for GRC content and intelligence as well as segmentation, size, and forecasting of the GRC content and intelligence market. GRC 20/20 has mapped 91 GRC Content & Intelligence providers with more than 350 content & intelligence offerings across the following categories (there is some overlap between these categories):
  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries
The role of GRC content and intelligence integrated with technology is a growing demand and need in the GRC market.  Organizations are more and more thinking along the lines of GRC architecture to support the range of their technology and content integration needs and not in siloed concepts of a single enterprise GRC technology platform.
Posted on 2 Comments

Considerations When Purchasing Policy Management Solutions

This is the second in a series of posts on buying considerations when purchasing GRC solutions.  The GRC Pundit first looked at overall considerations when purchasing GRC solutions, and in this post he turns his focus to Policy Management Solutions. policy-portalPolicy management is one of the hottest segments in the GRC market. This is apparent in the number of RFPs and inquiries GRC 20/20 is involved in from organizations looking for policy management platforms. Consider that policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:
  • Provide a framework of governance. Policy paints a picture of behavior, values and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk of has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.
Policies attach a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policies can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal and regulatory proceedings to place culpability. In this context, organizations are struggling with the following issues:
  • Policies haphazardly managed in documents, fileshares, and poorly implemented portals
  • Different departments going in different policy directions
  • Lack of centralized inventory of all organization policies
  • Need to have a defensible audit trail of all interactions with a policy and training
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style, template, format
  • Rogue policies that put liability and exposure on the organization
  • Out of date and inconsistent policies
  • No tracking of policy exceptions
Many organizations lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An organization must establish policy it is willing to enforce — but also must clearly train and communicate policy to make sure that individuals understand what is expected of them. With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the policies needed to reliably achieve objectives while addressing uncertainty and act with integrity. This is why organizations are aggressively looking at policy management platforms to address this challenge.

Basic, Common & Advanced Policy Management Solutions

GRC 20/20 has developed an extensive framework of RFP requirements for policy management platforms and advises organizations on RFP development and solutions the organization should be considering. GRC 20/20 covers 144 solutions in the Policy & Training Management Segment of the GRC market.  Eighty-eight of these solutions do policy management, and forty-four do training management (the overlap if you add these together are solutions that do both). Every organization has unique requirements and expectations for policy management. GRC 20/20 has detailed over 200 requirements specific to policy and training management solutions in the GRC market. Overall, policy management solutions can be mapped into the following areas:
  • Basic Policy Management Capabilities. These solutions tend to focus on the back-end of policy management, the development, approval, maintenance of policies. Policies are typically managed as documents and imported into the system as documents or PDFs. Solutions in this area are focused on managing workflow and tasks for managing and maintaining policies. They often have some basic employee portal capabilities aimed at completing tasks such as reading policies and attestation (e.g., certification, read and understood).
  • Common Policy Management Capabilities. These solutions are more built out in feature sets that offer a broader range of capabilities. This includes a stronger user portal and experience to navigate policies, the ability to build forms related to policies and manage workflow and tasks around forms, map policies to regulations and other obligations, and move beyond treating policies as documents to import into the system and have integrated word processing capabilities. These solutions also have capabilities to manage policy exemptions/exceptions, and measure policy compliance. While the employee experience is stronger than those offering basic capabilities, it is still the back-end management of policies that is central to these solutions.
  • Advanced Policy Management Capabilities. Advanced policy management solutions have all the common attributes, but take on more advanced capabilities (note, advanced capabilities extend common capabilities and not all policy management solutions support the range of advanced capabilities). Advanced capabilities tend to put a stronger focus on the employee experience – the front-end of policy management – and not just the back-end experience. Advanced capabilities include:
    • Employee portal experience is clearly stronger offering an intuitive, interactive, personal, and social policy experience for employees. Policies are most often treated as HTML and not PDFs or word processing documents, and the display of policies allows for hyperlink pop-ups for clarification and resources as well as embedding training and other policy tools.
    • Embedded training in which the solution has a full LMS capability to deliver training within the policy portal for employees and they do not have to bounce around through hyperlinks.
    • Social and gamification, as part of the employee portal the solution picks up on social aspects of employees being able to share policies with other employees, provide feedback and interaction on policies, and implement employee avatars with badges for policy and training tasks.
    • Mobility there are dedicated tablet and phone apps offering policies to employees. In fact, GRC 20/20 has been involved in several interactions with organization looking to use tablets as policy and training kiosks for employees in retail, food and beverage, manufacturing, and logistics/transportation.
    • Integration with HR management systems to push policy to new employees or those that have changed roles in the organization.
    • Integration with other GRC modules and solutions such as incident management to map incidents to violations of policy. Or risk management to map risks to policies.
    • Advanced policy authoring and editing capabilities in which policy authoring is done in a browser interface with full redlining, commenting, and editing capabilities.
    • Regulatory change management in which not just documents but chapter and verse of policies is mapped to chapter and verse of regulations and there are clearly defined processes to manage policies in the context of regulatory change.
    • Federated policy management that allows large distributed and diversified organizations to have layers of policy management committees and groups to govern complex policy lifecycles.
These summaries of basic, common, and advanced capabilities are some attributes these areas from GRC 20/20’s broader RFP requirements and analysis of policy management solutions. Organizations need to select what best fits there needs. More advanced capabilities often comes at a more significant cost of the policy management solution. The most significant trend GRC 20/20 has seen in policy management RFPs and organizational needs is the shift of focus to the front-end of policy management.  Historically, the requirements for policy management have been largely on the back-end management and maintenance of policies with only very basic requirements in the front-end communication and attestation of policies. Over the past three years there has been a growing trend to put equal or more importance on the front-end communication and access of policies. This is in response to organizations desiring to create a single portal for all organization policies, engage employees, and provide defensible audit trails and compliance records.  One organization even requested that the policy portal have a capability to have a green light in a corner if the policy subject matter expert is at their desk and pop-up a box to ask them a question (they used a direct analogy to online shopping with a ‘can we help you’). The overall trend is that organizations desire an engaging policy portal for employees as much as they do the back-end development of policies.OCEG.GRC Illustrated.Interactive Policy.2014 CASE IN POINT: I did the design and layout of the OCEG GRC Illustration: Engaging Employees With Interactive Policies. I have had several organizations specifically reference this illustration and state “this is what we want, who does this.”  

Questions & Considerations to Ponder on Policy Management Solutions

Organizations considering policy management solutions should ask themselves the following questions to help guide them in developing requirements and engaging solution providers:
  • What are my back-end policy lifecycle management requirements?
  • What are my front-end policy portal and employee experience requirements?
  • Is the front-end portal as important as the back-end?
  • Do we want to develop policies in standard word processors and import them as documents/PDFs into the solution to manage?
  • Do we want to develop policies within the solution/browser interface?
  • Do we need to map policies to hotline reports, issues/incidents, controls, or risks?
  • What are our requirements for regulatory change management in context of keeping policies current?
  • What are our requirements for having a full audit and compliance trail of all interactions between policies and employees?
  • Do we desire an integrated LMS capability to manage policies and training as a collective whole in an integrated portal?
  • Do we need the capability to manage policy related forms and manage those forms through workflow and tasks for review and approval/disapproval (e.g., gifts and entertainment, conflict of interest, medical leave, political contributions)?
  • What are out mobility requirements for policy and training on tablets and smartphones?
  • Do we need to integrate with HR management systems to automate the communication of policies to new employees and those that have changed roles?
  • Do we need features of socialization and gamificaiton on the policy portal?
  • What are our internationalization and language requirements for both the back-end management of policies and the front-end policy portal?
  • What are our requirements to track and manage policy exceptions and exemptions?
  • Do we need a solution that can support federated policy management to address the need for multiple layers of policy committees and a complex policy lifecycle?
These are a subset of a broader set of questions that will be categorized and mapped in the forthcoming Buyers Guide: Policy Management Solutions, and are further detailed in GRC 20/20’s RFP requirements for policy management solutions. GRC 20/20 will be releasing the following research in the next several weeks:
  • Buyer’s Guide: Policy Management Solutions. The Buyer’s Guide goes into a detailed framework in how to approach purchasing policy management platforms.
  • Strategy Perspective: Policy Management by Design. The Strategy Perspective focuses on best practices in defining a policy governance committee, framework, lifecycle, and architecture (written from context of GRC 20/20’s Policy Management by Design Workshops).
  • Online directory of Policy & Training Management Solutions. The directory lists policy and training management solutions that GRC 20/20 covers in the market and is the first part of the broader GRC Directory being rolled out in stages.
  • Market Perspective: Policy & Training Management Solutions. This details the overall drivers, trends, market size, growth, and forecasting of the Policy & Training Management Market.
I have shared my thoughts on some buying considerations of policy management solutions. I would love to hear your thoughts and reaction to this as I work on publishing this series of GRC 20/20 research.
Posted on Leave a comment

Regulatory Change Management Maturity Model: From Ad Hoc to Agile

This is part 5 and final post in the series on regulatory change management, part of the broader series of posts on the Greatest GRC Challenges companies are facing today.  Next we will look at changing risk environments.  In the previous posts we explored: In this post I detail GRC 20/20’s maturity model to measure regulatory change management programs to support an efficient, effective, and agile process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change
Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change. GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes as well as information and technology architecture. The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:

Level 1 – Ad Hoc

Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few if any resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:
  • Lack of a defined regulatory taxonomy
  • Ad hoc and reactive approaches to regulatory and business change
  • Document and email-centric approaches
  • Lack of accountability

Level 2 – Fragmented

In the Fragmented stage, departments are focused on regulatory change management within respective functions—but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information and technology architecture. Positively, there is some structure to regulatory change responsibilities—but the management of regulatory change lacks accountability as it is done largely in documents and email that lack structures of accountability and automation. Characteristics of this stage are:
  • Varied approaches to regulatory change
  • Lack consistent structure
  • Lack integration or formal processes for sharing regulatory information
  • Reliance on fragmented technology with a focus on discrete documents

Level 3 – Managed

The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management, an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. Though there is no integration of regulatory content feeds into the technology platform. Characteristics of this stage are:
  • Visibility into regulatory change across the business
  • Established processes for regulatory change
  • Good use of technology to manage accountability

Level 4 – Integrated

It is at the integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated into regulatory and legal content feeds. Characteristics of this stage are:
  • Strategic approach to regulatory change across departments
  • Common process, technology and information architecture
  • Integration of legal/regulatory content feeds
  • Reporting across departments

Level 5 – Agile

At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally. The approach is characterized through a mature regulatory taxonomy with integrated and actionable regulatory content automated by technology. The organization has enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts and tasks. Characteristics of this stage are:
  • Regulatory intelligence achieved through integration of analyzed content and enterprise technology
  • Consistent views of regulatory change and impact on operations and policies
  • Able to efficiently manage business change in regulatory context

GRC 20/20’s Final Perspective

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.  
Posted on 1 Comment

GRC Architecture to Manage Regulatory Change

This is part 4 on the topic of regulatory change management.  In the previous posts we explored: In this post I detail the information and technology architecture needed to support an efficient, effective, and agile regulatory change management process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change
Effectively managing regulatory change is done with a GRC information and technology architecture to improve processes and transform manual document and email-centric processes. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis.  

Regulatory Change Management Architecture Goals

A GRC information and technology architecture helps the organization to manage regulatory change to:
  • Ensure that ownership and accountability of regulatory change is clearly established and understood.
  • Manage ongoing business impact analysis and scoring.
  • Integrate regulatory intelligence feeds that kick-off workflows and tasks to the right SME when change occurs that impacts the organization.
  • Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
  • Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
  • Visualize the impact of a change on the organization’s processes and operations.
The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.

Regulatory Change Management Architecture Considerations

In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following three questions:
  1. How adaptable is the regulatory taxonomy?  The regulatory taxonomy provides the backbone of regulatory change management as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment, evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
  2. How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feeds that the solution offers. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
  3. How strong is the technology? As stated, a lot of solutions can do workflow and tasks management for regulatory change, so the evaluation of the technology itself needs to go deeper in the systems ability to integrate regulatory intelligence feeds, conduct business impact analysis, as well as connect and understand relationships of regulatory impact to policies, processes, and risks. Of particular importance is the user experience.  SMEs across the enterprise may or may not be technical gurus; the overall user experience should be intuitive and natural.
    • Deficient technology involves documents and spreadsheets with email used as a workflow and task management tools. The organization struggles with things getting missed and not having a structured system of accountability.
    • Moderate technology provides a system of accountability with basic workflow and task management, but the integration of regulatory developments/updates is a manual entry system that is time-consuming and taxing on resources.
    • Strong technology for regulatory change management has enterprise content, workflow and task management capabilities with integration to actionable regulatory content.  It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements.

Regulatory Change Management Architecture Capabilities

All of these elements are critical and are why they come together in a GRC architecture or platform for regulatory change management. Some solutions in the GRC space are delivering across these three elements and are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This at a minimum requires workflow and task management capabilities, but in mature systems it provides direct integration with regulatory content aggregators. These aggregators manage regulatory profiles, and provide data about relevant new developments that can be routed to individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process. Specific capabilities to be evaluated in a GRC solution for regulatory change management, include:
  • Regulatory intelligence content.  At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide the interface to content to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria, within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods, and obsolescence rules that can be set for regulations.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to take review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact, and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed or deactivated, the solution assesses the impact of the change, and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted and if notes were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when regulations were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
  • Reporting capabilities. The solution is to provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are and more. Additionally, by linking regulatory requirements to the various other aspects of the platform including risks, policies, controls and more, the reporting should provide an aggregate view of a regulatory requirement across multiple organization units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.
Posted on 3 Comments

Defining a Regulatory Change Management Process

This is part 3 on the topic of regulatory change management.  In the previous posts we explored the pressure organizations are under in context of regulatory change, in this post we look at what elements are needed in an efficient, effective, and agile regulatory change management process.
processOrganizations are struggling with regulatory change and seeking to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today’s risk environment.

Elements of a Regulatory Change Management Process

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process to deliver real-time accountability and transparency across regulatory areas with a common system of record to monitor regulatory change, measure impact, and implements appropriate risk, policy, training, and control updates. To achieve this financial services organizations must develop a process for collaboration, accountability, and integration between regulatory intelligence content providers within a GRC information and technology architecture. A well defined regulatory change management processes includes:
  • Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of regulatory areas that impact the organization. Regulations are broken into categories to logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), fraud).  Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy. One regulation may have multiple links into the taxonomy at different areas. The taxonomy and repository maps into the following elements:
    • Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, trade bodies)
    • Document types (e.g., laws, regulations, rules, guidance, releases)
    • Sources (e.g., websites, RSS feeds, newsletters, etc.)
    • Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, consequences)
    • Rules & regulatory events
  • Regulatory roles and responsibilities. Success in regulatory change management requires accountability—making sure the right information gets to the right person that has the knowledge of the regulation and its impact on the organization. This requires the identification of SMEs for each regulatory category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of a series of changes to address change requirements.
  • Regulatory content feeds. To support the process of regulatory change management, the financial services organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from the regulators as well as law firms, consultancies, newsletters, blogs by experts, and content aggregators. The best content includes the regulation itself, summary of the change, impact on typical financial services organizations, and recommendations on response with suggested actions for response. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
  • Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, financial services organizations should have a standardized impact analysis process that measures impact of the change on the organization to determine if action is needed and prioritize action items and resources. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
  • Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability to intake regulatory changes from content feeds and route them to the right subject matter expert for review and analysis. This is extended by getting others involved in review and response and requires some standardized workflow and task management with escalation capabilities when items are past due. The process needs to track accountability on who is assigned what tasks; establish priorities; and determine appropriate course of action.
  • Metrics, dashboarding & reporting. To govern and report on the regulatory change management process the organization needs an ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should provide the organization a quick view into what regulations have changed, which individuals in the organization are responsible for triage and/or impact analysis, the state of review of change, who is accountable, and overall risk impact on the organization.
Types-of-Metrics-&-Examples

Value and Benefits of a Regulatory Change Process

When organizations develop a regulatory change process they expect to be:
  • Effective. They seek to have a greater understanding of changing regulatory requirements and their impact on the organization. To enable the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing and monitoring the regulatory change. This allows the organization to demonstrate evidence of good compliance practices.
  • Efficient. To allow the organization to optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business and regulatory landscape grows.
  • Agile. Competitively enable a dynamic and changing environment as an advantage over competitors that are handicapped by the same change.  This requires the organization to understand how the regulatory environment effects the organization and its strategy and how to adapt quickly and be responsive to new developments before competitors are.
The full paper on this topic in the context of financial services can be found here.
Posted on 5 Comments

2014 GRC Technology Innovation Award: 360factors Empowers Organizations to Stay Current in the Midst of Change

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award. 360factors Empowers Organizations to Stay Current in the Midst of Change. 360factors’ innovation is in regulatory change management with an elegant and intuitive user interface for mapping GRC. This mapping solution seamlessly maps policies & procedures, permits and their requirements, controls, risks, legislation, regulations, and more. While there are many GRC solutions that allow tagging and mapping of content the innovation by 360factors is the elegance and intuitiveness in their interface.  They simplify a process that in other solutions requires going through multiple screens and drop-down menus.  This is core to GRC that needs a complete information architecture that maps risks, policies, controls, assessments, training, and more to the underlying requirements that drive them at the site/location and asset level. Requirements can be a regulation, risk, company objective, internal requirement, or a standard. The organization can simply connect and map policies and procedures, evidence, risk frameworks, risk assessments, training to the requirement. Further, the solution is configurable where it allows the organization to configure the regulatory matrix to add additional items that they would like to map. The settings module allows the organizations to create training plans and map them to requirements, add assets and apply the requirements/regulations that apply to those assets and structure compliance. This allows individuals to only view compliance tasks and issues at the site, geo-location, or assets they represent. Policies are mapped and appear in the requirements knowledge base and can be viewed as you pull up each requirement. The mapping of policies and procedures allows individuals to view which and how many policies get impacted in the event a requirement (standards or regulations) changes. This simplifies the task of regulatory change and policy management for a compliance officer within the organization. Organizations often have multiple locations with onshore presence in various countries, multiple sites with different types of assets, and multiple functions that are subject to regulatory compliance through multiple jurisdictions, all bearing down on the organization and providing a daunting compliance. 360Factors applicability feature automates this complex process of managing and demonstrating compliance across a variety of jurisdictional regulatory requirements.  The mapping technology allows organizations to predict risks and issues. They have architected their mapping technology in such an intuitive and user friendly way it enables the organization to pull reports and dashboards that can help predict how change in each requirement can impact risks, compliance, controls, sites and assets. This unprecedented mapping and applicability feature creates a compliance matrix that enables organizations to manage complex regulatory, business and standards while providing visibility and control over management of change.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients