This article elucidates the key guidelines that could help your organization to develop a robust regulatory change management framework, track and analyze regulatory changes and assess its impact on business processes.
The sheer volume, velocity, and complexity of regulatory change is likely to keep many a CCO awake at night. Why is it that organizations across the globe struggle to keep pace with the rapid onslaught of regulatory change? What is the approach organizations need to take to stay ahead in this race?
In the past, during the pre-financial meltdown era, it may have been possible to keep track of regulatory updates using standard manual approaches, but as regulators continue to introduce more reforms, and in this age of rapidly evolving and disruptive technologies -- Fintech, IoT, Blockchain and Cryptocurrencies – standard approaches are proving to be less effective.
It appears that organizations have some catching up to do with the rapidly evolving regulatory environment. In fact, a recent KPMG survey confirms that only 27% of CCOs state that their compliance function has a change management process in place to identify changes in laws and regulations, and to incorporate such changes into their policies and procedures.
The time has come to develop a robust technologically reinforced regulatory change management framework to help manage the rapidly increasing volume of regulatory reforms. A “wait-and-watch” approach is no longer sustainable, and organizations need to proactively address this business challenge before it is too late.
Here are some key guidelines to develop a robust regulatory change management framework that can equip organizations with the right set of tools to manage regulatory change, and be prepared for the next wave.
In the current business environment, organizations have to keep track of regulatory content from global as well as regional regulators, from a multitude of sources including regulatory publications, industry associations, national, and local media, and specialized content providers such as LexisNexis, Thomson Reuters, etc. With so many sources to keep track of, and high volumes of relevant content to analyze, it’s a time-consuming and resource-intensive exercise.
The solution? A cloud based content platform which serves as an aggregator for regulatory content from various sources. Using this platform, compliance professionals can subscribe to curated content based on predefined rules and keywords, which can be streamed directly as RSS feeds, alerts, or email notifications. Such a tool would also allow the organization to set predefined rules on a variety of regulatory attributes including industry, jurisdiction, topic, state, due date, etc., thereby ensuring that relevant information reaches subscribers in real time.
A global organization has to deal with inconsistencies in regulations across geographies, and multiple business operations. A standard regulatory taxonomy, in line with the organizational hierarchy, and consistent in terms of language, terminology, and structure will improve communication among stakeholders, making it easier to set up a robust compliance framework. Additionally, organizations will then be able to categorize, store, and deliver regulatory updates without having to frequently modify the rules and linkages that have already been set up in the system.
An efficient way to standardize the taxonomy is to set up a centralized GRC repository to store all regulatory updates from across the organization, index updates according to the organizational hierarchy, and map them to multiple GRC attributes such as risks, controls, policies, etc.
In order to ensure accountability, it is important to clarify the roles and responsibilities of the individuals who manage the compliance function. While a cloud-based content platform will ensure the right information reaches the right set of users, each user should be a trained compliance professional with the ability to scrutinize these regulatory updates, in order to determine whether they are applicable to the organization. Relevant SMEs need to be identified within the organization, who understand the laws or regulations, and have sufficient knowledge to analyze these updates in detail.
How can organizations achieve this? Ensure that there is a first level of screening or assessment by a centralized regulatory coordinator to determine the applicability of the regulatory updates to the organization. He or she would then pass the mantle on to individual assessors within relevant departments for detailed impact analyses. Finally, collaboration with external stakeholders also becomes important when regulators, customers, business partners, and other parties need to be informed on any changes in the organization’s overall processes, policies, controls, or other factors.
It is important to clearly document these roles and responsibilities, establishing accountability in the complete information lifecycle - from the time a new alert is delivered, to the time it is successfully implemented. Additionally, it is recommended that the senior management be actively involved at each stage, and the board has clear visibility into the whole process.
Every regulatory update needs to be assessed in terms of the business impact it has on the organization. After the initial applicability assessment, each business unit can carry out a detailed impact analysis on an update to identify which risks, controls, policies, procedures, trainings, and reports are affected and need to be revised.
It is also important to group similar regulatory updates, as it will help not only in eliminating duplicates but also in identifying similar trends and patterns in the risks, controls, policies, and other areas that are impacted. This analysis then needs to be rolled up as per the defined organizational hierarchy to provide a holistic view of the impact across the enterprise.
At any point of time, an organization should be able to gain a comprehensive view of the number of regulatory updates affecting them both holistically, and by business unit or functional area.
The next step would be to formulate action plans, listing out tasks that need to be assigned to relevant users. Standard workflows need to be defined for the review and approval processes, with escalation capabilities when the tasks become overdue. Additionally, to ensure nothing goes amiss, it would help if business users are notified of the tasks that have been assigned to them through standard email notifications and reminders.
At each stage of the implementation process, reports and dashboards should give stakeholders visibility into the real-time status of the changes taking place, accountability, and the overall impact on the organization. Furthermore, organizations should ensure that issues or findings are logged with defined remediation plans for quick and efficient issue resolution and closure.
Regulatory change is not going to abate. In a world confronted with geo political turmoil, cyber-attacks, business fraud, and social media influence, organizations need to buckle up and take measures to tackle regulatory change head-on. Technology can be a strong enabler in addressing this need. Organizations can opt for a robust and comprehensive regulatory change management solution which leverages a common foundation to facilitate multidimensional mappings with other GRC elements. Such a solution can help centralize disparate, siloed, and manual operations across business units and geographies, and align them with the organization’s overall business goals and objectives. This will not only help them track and analyze the all-too-frequent regulatory changes, but also ensure that these changes are effectively, and efficiently implemented. A proactive approach to regulatory change, backed by technology, is perhaps the most effective way in complying with the regulatory uncertainties of our times.