ConnectedGRC

Drive a Connected GRC Program for Improved Agility, Performance, and Resilience

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Learn More

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn More

Explore What Makes MetricStream the Right Choice for Our Customers

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Learn More

Discover How Our Collaborative Partnerships Drive Innovation and Success

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Learn More

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Download this report to explore why cyber risk is rising in significance as a business risk.

Download this report to explore why cyber risk is rising in significance as a business risk.

Learn More

Learn about our mission, vision, and core values

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Learn More
+1-650-620-2955
+1-650-620-2955 Contact Us Request Demo
×
Hit enter to search or ESC to close
Overview

The success of any compliance program depends to a large extent on how effectively regulatory engagements are managed across federal, state, and international levels. However, regulations are constantly changing, even as supervisory activities continue to increase. Meanwhile, new rules and regulators are emerging across industries and sometimes even jurisdictional boundaries, particularly in areas like cybersecurity and data privacy.

All these trends confront regulatory engagement teams with multiple challenges as they seek to fulfil their core mission i.e. to build credibility with regulators, and to ensure that the organization is operating in line with compliance requirements. This objective can only be achieved through an agile and well-coordinated strategy of responding to regulatory requests on time, managing regulatory meetings efficiently, and ensuring that the business is well-prepared for regulatory examinations and other such interactions.

On September 12, a group of senior compliance and regulatory practitioners met in London to discuss and debate the core components of an effective regulatory engagement management program. Participants talked about the key challenges faced in their regulatory interactions, while also sharing insights and trends on how to strengthen regulatory relationships.

Resource

This report summarizes the key highlights from the discussion, particularly the best practices that organizations are adopting to optimize their regulatory engagements:

 

10 Best Practices for Regulatory Engagement Teams

 

  • Create an Internal Regulatory Engagement Community

In most organizations operating in highly regulated industries, there are individuals who juggle multiple regulatory engagements as part of their roles. They either meet directly with regulators or help in preparing the materials that regulators review. The larger and more complex the organization, the greater in size and scope this group of individuals will be. Therefore, it’s important that they form an organized community, with the overall culture and strategy set by a senior executive who has direct access to the C-suite and board. It’s also crucial that the group is supported in its work with the right resources and talent.

 

  • Map Regulatory Engagement Policies and Actions to the Organization’s Risk Appetite and Compliance Culture

The regulatory engagement team should be able to strategically align their policies and processes with the organization’s risk appetite and compliance culture through the governance, risk, and compliance (GRC) framework. The team should incorporate the risk appetite that exists both at a top-down organization level and within different business lines and geographies. At the same time, regulatory engagement data should contribute to GRC and risk appetite conversations, particularly focusing on compliance risk and regulatory risk. Specifically, regulatory engagement intelligence should contribute to the creation of, and response to, key risk indicators (KRIs) and key control indicators (KCIs).

 

  • Report Regularly on Engagements to Senior Management and the Board

Today, organizations are engaging with regulators more than ever before, in large part because of the significant amount of regulatory changes that are taking place, coupled with the increase in supervisory and enforcement activity.

Boards and senior managers need to be able to quickly and easily understand the important regulatory engagement issues that the organization is facing. For that, they need well-structured reports based on good quality data. These reports should share intelligence such as statistics about interactions with regulators, as well as the organization’s progress towards addressing any issues that have emerged. They should also discuss each regulatory engagement in the context of the organization’s GRC data, such as KRIs and KCIs.

All this information can help the board and senior managers make informed decisions about how much to invest in technology and human resources within the business, as well as specific compliance projects.

 

  • Deliver Insights on Regulatory Engagement to the Business as Well

A great deal of value can be provided to the business through regulatory engagement reporting. While reports for the board and senior management look at macro trends, reports for the business are meant to help them effectively navigate specific regulatory and compliance risks, as well as issues around operational risks and resilience. It’s important that business-level reports focus on intelligence and information that is genuinely useful to the business. A “fire hose” approach must be avoided at all costs.

 

  • Understand the Data that the Organization Produces through Its Regulatory Engagements

While regulatory engagements may be about something that is fairly intangible – good relationships – the reality is that the whole organization produces significant volumes of tangible structured and unstructured data in this area. Unstructured data includes the letters, emails, regulatory reports, and other materials produced within the context of a regulatory relationship. Structured data includes specific details about regulatory activities (discussed further in the next section).

It’s vitally important for the regulatory engagement team to have a good understanding of how all this data is created, what it is about, and where it can be found. Ideally, the data should be stored in a single repository, so that it can be accessed and worked on by multiple teams.

 

  • Ensure That All Stakeholders Understand the Importance of Good Quality Regulatory Engagement Data

All regulatory engagement team activities, including meetings, exams, investigations and enforcement actions produce structured data, such as:

           • Regulator name and contact information

           • Country or jurisdiction

           • Engagement owners

           • Start dates

           • Meeting dates

           • Meeting attendees

           • Due dates for responses

           • Action owners

There are also large volumes of unstructured data that need to be mapped to the above data types and stored in the same location in a way that is searchable. Having well-organized information enables teams to quickly find what they need to prepare for a regulatory meeting, create internal reports, or manage a regulatory exam.

All regulatory engagement information that is entered should be correct and complete. Automated data quality reminders can help in this effort by, for instance, reminding users to file a report after a meeting has been held. Regular data quality checks are also essential. Teams would do well to have samples of good quality data, so that they can replicate it in their own regulatory engagement activities.

 

  • Enable Secure Access to Regulatory Engagement Information

Regulatory engagement intelligence is highly sensitive data. Therefore, while certain individuals need to have access to this information to perform their roles, strong security and access controls also need to be in place to ensure that the information is not obtained and shared in inappropriate ways.

In today’s world, spreadsheets and other documents stored on shared servers are not always secure. A better approach would be to have a dedicated system for regulatory engagement management – one with clearly defined access and authorization protocols.

 

  • Automate Certain Activities

Regulatory engagement managers often end up spending most of their time on cumbersome manual activities like tracking actions and sending reminders. By automating these processes, managers can be freed up to focus on the processes that truly add value to the compliance program. Automation also reduces the compliance risks associated with human error.

Critical activities that can benefit from automation include the process of preparing for an engagement, managing regulatory findings through investigations and remediation, and organizing tasks to meet regulatory expectations.

 

  • Create Repeatable Processes

Some regulatory engagements occur every quarter, or twice a year, or annually. They often require the same set of activities to be performed – be it regulatory capital calculations or some form of conduct risk reporting. Despite being recurrent tasks, they are many times undertaken in a “fire drill” fashion.

A more effective approach would be for regulatory engagement teams to create an automated set of action point reminders for process stakeholders, as well as a single system where important documentation and previous reports can be accessed by those who need to do so. This can help stakeholders adopt a regular reporting rhythm, and improve the overall quality of their regulatory engagement activities.

 

  • Be More Strategic

For individual engagements with regulators, it helps to bring together all related information in one central place. This “engagement hub” enables individuals to access related materials (based on their roles and responsibilities), stay updated on deadlines, and understand the role of their own deliverables. The hub can also help users connect related engagements together, and map them to GRC elements such as the organizational hierarchy, risks, controls, and regulations

 

Key Takeaways
  • Regulatory engagements are ultimately about data management i.e. ensuring that information is accurate, complete, secure, centrally stored, easy to access, and of a high quality
  • Frequent reports and updates on regulatory engagements can help executives, boards, and business teams make better risk-informed decisions
  • Regulatory engagement management is not a siloed activity – it must be mapped to the business and to the GRC program for optimal benefit
  • There is plenty of scope for automation that will enable regulatory engagement managers to spend less time on cumbersome repetitive tasks, and more on value-added activities
 
Summary

As regulatory environments grow more stringent, the pressure on compliance and regulatory engagement management teams will most likely increase. However, with sufficient planning and thought, organizations can rise to the challenge with regulatory engagement programs that are truly well-coordinated, streamlined, and efficient. The end result? Greater confidence with management teams and boards, as well as better trust with regulators.

To learn how MetricStream helps organizations strengthen regulatory engagement, click here.

 

lets-talk-img

Ready to get started?

Speak to our experts Let’s talk