This article elucidates 5 basic principles that could help your organization to develop a robust regulatory change management framework, track and analyze all too frequent regulatory updates and effectively implement the same.
Banking and Financial Services Institutions across the globe are struggling to keep pace with regulatory change, and, quite often, grappling with the sheer volume and the complexity of these updates can be a laborious, up-hill battle.
According to a survey by MetricStream which polled the responses of 123 compliance professionals across North America and Europe, 19% of the respondents reported taking up to a year to implement regulatory changes1. Considering the magnitude of change that financial institutions have to deal with, this may no longer be affordable.
It may have been possible to keep a track of regulatory updates using standard manual approaches during the pre-financial meltdown era, but as regulators continue to usher in more reforms in this age of rapidly evolving and disruptive financial technologies including Fintech, IoT, and Crypto currencies standard models are proving to be ineffective.
Yet, the survey shows that 48% of the organizations surveyed are still using office productivity software (Excel spreadsheets) to track regulatory changes2.
The need of the hour is to develop a robust and technologically reinforced regulatory change management framework to help manage the next wave of regulatory reforms. A “wait-and-watch” approach is no longer sustainable, and organizations would need to proactively address this business challenge before it gets too late.
Adopting the below model, which elucidates 5 basic principles to develop a robust regulatory change management framework, would equip organizations with the right set of tools to manage regulatory changes and stay ahead of the curve.
Organizations have to keep track of regulatory content from global as well as regional regulators from a multitude of sources including regulatory publications, industry associations, national and local media, and specialized content providers such as LexisNexis, Thomson Reuters, etc. With so many sources to keep track of and high volumes of relevant content to analyze, organizations may find this exercise time consuming and resource incentive.
The solution? A cloud based content platform which serves as a one-stop shop for regulatory content from various sources. Using this platform, compliance professionals can subscribe to curated content based on predefined rules and keywords, which can be streamed directly as RSS feeds, alerts, or email notifications. Such a tool would also allow organization to set pre-defined rules on a variety of regulatory attributes including industry, jurisdiction, topic, state, due-date, etc., thereby ensuring relevant information reaches subscribers in real time.
A global organization has to deal with inconsistencies in regulations across geographies and multiple business operations. Having a standard regulatory taxonomy in line with the organizational hierarchy and consistent in terms of language, terminology, and structure will improve communication among stakeholders, making it easier to setup a robust compliance framework. Additionally, it helps organizations to categorize, store, and deliver regulatory updates without having to frequently modify the rules and linkages that have been setup in the system.
One way to standardize the taxonomy is to setup a centralized GRC repository to store all regulatory updates from across the organization, index updates according to the organizational hierarchy, and map them to multiple GRC attributes such as risks, controls, policies, etc.
In order to ensure accountability, it is important to clarify the roles and responsibilities of the individuals who manage the compliance function. While a cloud-based content platform will ensure the right information reaches the right set of users, each user should be a seasoned compliance professional with the ability to scrutinize these regulatory updates to determine whether they are applicable to the organization. Relevant SMEs need to be identified within the organization who understand the laws/regulations and have sufficient knowledge to analyze these updates in detail.
How can organizations achieve this? Ensure that there is a first level of screening or assessment by a centralized regulatory coordinator to determine the applicability of the regulatory updates to the organization. He or she would then pass the mantle on to individual assessors within relevant departments for detailed impact analyses. Finally, collaboration with external stakeholders also becomes important when regulators, customers, business partners, and other parties need to be informed on any changes in the organization’s overall processes, policies, controls, or other factors.
it is important to clearly document these roles and responsibilities, establishing accountability in the complete information lifecycle from the time a new alert is delivered to the time it is successfully implemented. Additionally, it is recommended that the senior management be actively involved at each stage, and the board has clear visibility into the whole process.
Every regulatory update needs to be assessed in terms of the business impact it has on the organization. After the initial applicability assessment, each business unit can carry out a detailed impact analysis on an update to identify which risks, controls, policies, procedures, trainings, and reports are affected and need to be revised.
It is also important to group similar regulatory updates as it will help not only in eliminating duplicates but also in identifying similar trends and patterns in the risks, controls, policies, and other areas that are impacted. This analysis then needs to be rolled up as per the defined organizational hierarchy to provide a holistic view of the impact across the enterprise.
At any point of time, an organization should be able to gain a comprehensive view of the number of regulatory updates affecting them both holistically and by business unit or functional area.
The next step would be to formulate action plans, listing out tasks that need to be assigned to relevant users. Standard workflows need to be defined for the review and approval processes with escalation capabilities when the tasks become overdue. Additionally, to ensure nothing goes amiss, it would help if business users are notified of the tasks that have been assigned to them through standard email notifications and reminders.
At each stage of the implementation process, reports and dashboards should give stakeholders visibility into the real-time status of the changes taking place, accountability, and the overall impact on the organization. Furthermore, organizations should ensure that issues or findings are logged with defined remediation plans for quick and efficient issue resolution and closure.
To make these steps easier and achievable, organizations can opt for a robust and comprehensive regulatory change management solution which leverages a common foundation to facilitate multi-dimensional mappings with other GRC elements. Such a solution can help centralize disparate, siloed, and manual operations across business units and geographies, and align them with the organization’s overall business goals and objectives. This will not only help them track and analyze the all too frequent regulatory changes, but also ensure that these changes are effectively and efficiently implemented.