The success of any compliance program depends to a large extent on how effectively regulatory engagements are managed across federal, state, and international levels. However, regulations are constantly changing, even as supervisory activities continue to increase. Meanwhile, new rules and regulators are emerging across industries and sometimes even jurisdictional boundaries, particularly in areas like cybersecurity and data privacy.
All these trends confront regulatory engagement teams with multiple challenges as they seek to fulfil their core mission: to build credibility with regulators and to ensure that the organization is operating in line with compliance requirements. This objective can only be achieved through an agile and well-coordinated strategy of responding to regulatory requests on time, managing regulatory meetings efficiently, and ensuring that the business is well-prepared for regulatory examinations and other such interactions.
On September 12, a group of senior compliance and regulatory practitioners met in London to discuss and debate the core components of an effective regulatory engagement management program. Participants talked about the key challenges faced in their regulatory interactions, while also sharing insights and trends on how to strengthen regulatory relationships.
This report summarizes the key highlights from the discussion, particularly the best practices that organizations are adopting to optimize their regulatory engagements:
In most organizations operating in highly regulated industries, there are individuals who juggle multiple regulatory engagements as part of their roles. They either meet directly with regulators or help in preparing the materials that regulators review. The larger and more complex the organization, the greater in size and scope this group of individuals will be. Therefore, it’s important that they form an organized community, with the overall culture and strategy set by a senior executive who has direct access to the C-suite and board. It’s also crucial that the group is supported in its work with the right resources and talent.
The regulatory engagement team should be able to strategically align their policies and processes with the organization’s risk appetite and compliance culture through the governance, risk, and compliance (GRC) framework. The team should incorporate the risk appetite that exists both at a top-down organization level and within different business lines and geographies. At the same time, regulatory engagement data should contribute to GRC and risk appetite conversations, particularly focusing on compliance risk and regulatory risk. Specifically, regulatory engagement intelligence should contribute to the creation of, and response to, key risk indicators (KRIs) and key control indicators (KCIs).
Today, organizations are engaging with regulators more than ever before, in large part because of the significant number of regulatory changes that are taking place, coupled with the increase in supervisory and enforcement activity.
Boards and senior managers need to be able to quickly and easily understand the important regulatory engagement issues that the organization is facing. For that, they need well-structured reports based on good quality data. These reports should share intelligence such as statistics about interactions with regulators, as well as the organization’s progress towards addressing any issues that have emerged. They should also discuss each regulatory engagement in the context of the organization’s GRC data, such as KRIs and KCIs.
All this information can help the board and senior managers make informed decisions about how much to invest in technology and human resources within the business, as well as specific compliance projects.
A great deal of value can be provided to the business through regulatory engagement reporting. While reports for the board and senior management look at macro trends, reports for the business are meant to help them effectively navigate specific regulatory and compliance risks, as well as issues around operational risks and resilience. It’s important that business-level reports focus on intelligence and information that is genuinely useful to the business. A “fire hose” approach must be avoided at all costs.
While regulatory engagements may be about something that is fairly intangible – good relationships – the reality is that the whole organization produces significant volumes of tangible structured and unstructured data in this area. Unstructured data includes the letters, emails, regulatory reports, and other materials produced within the context of a regulatory relationship. Structured data includes specific details about regulatory activities (discussed further in the next section).
It’s vitally important for the regulatory engagement team to have a good understanding of how all this data is created, what it is about, and where it can be found. Ideally, the data should be stored in a single repository, so that it can be accessed and worked on by multiple teams.
All regulatory engagement team activities, including meetings, exams, investigations, and enforcement actions, produce structured data, such as:
• Regulator name and contact information
• Country or jurisdiction
• Engagement owners
• Start dates
• Meeting dates
• Meeting attendees
• Due dates for responses
• Action owners
There are also large volumes of unstructured data that need to be mapped to the above data types and stored in the same location in a way that is searchable. Having well-organized information enables teams to quickly find what they need to prepare for a regulatory meeting, create internal reports, or manage a regulatory exam.
All regulatory engagement information that is entered should be correct and complete. Automated data quality reminders can help in this effort by, for instance, reminding users to file a report after a meeting has been held. Regular data quality checks are also essential. Teams would do well to have samples of good quality data, so that they can replicate it in their own regulatory engagement activities.
Regulatory engagement intelligence is highly sensitive data. Therefore, while certain individuals need to have access to this information to perform their roles, strong security and access controls also need to be in place to ensure that the information is not obtained and shared in inappropriate ways.
In today’s world, spreadsheets and other documents stored on shared servers are not always secure. A better approach would be to have a dedicated system for regulatory engagement management – one with clearly defined access and authorization protocols.
Regulatory engagement managers often end up spending most of their time on cumbersome manual activities like tracking actions and sending reminders. By automating these processes, managers can be freed up to focus on the processes that truly add value to the compliance program. Automation also reduces the compliance risks associated with human error.
Critical activities that can benefit from automation include the process of preparing for an engagement, managing regulatory findings through investigations and remediation, and organizing tasks to meet regulatory expectations.
Some regulatory engagements occur every quarter, or twice a year, or annually. They often require the same set of activities to be performed – be it regulatory capital calculations or some form of conduct risk reporting. Despite being recurrent tasks, they are often undertaken in a “fire drill” fashion.
A more effective approach would be for regulatory engagement teams to create an automated set of action point reminders for process stakeholders, as well as a single system where important documentation and previous reports can be accessed by those who need to do so. This can help stakeholders adopt a regular reporting rhythm, and improve the overall quality of their regulatory engagement activities.
For individual engagements with regulators, it helps to bring together all related information in one central place. This “engagement hub” enables individuals to access related materials (based on their roles and responsibilities), stay updated on deadlines, and understand the role of their own deliverables. The hub can also help users connect related engagements together, and map them to GRC elements such as the organizational hierarchy, risks, controls, and regulations.
As regulatory environments grow more stringent, the pressure on compliance and regulatory engagement management teams will most likely increase. However, with sufficient planning and thought, organizations can rise to the challenge with regulatory engagement programs that are truly well-coordinated, streamlined, and efficient. The end result? Greater confidence with management teams and boards, as well as better trust with regulators.