In the time it takes you to read this article your business has changed. The economic environment has changed, your employees have changed, and there are constant changes to technology, competition, and processes. Business drifts in a sea of change. One particular area of change that bears down on the organization is the siege of changing laws, regulations, and enforcement actions.
When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, there is no possibility to be intelligent about regulatory risk that impacts your business. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize, and make changes to policies. Information itself is not enough—organizations are overwhelmed by data through legal and regulatory newsletters, Websites, e-mails, and content aggregators. In fact, the vast amount of information is part of the problem. It is not uncommon to have a myriad of subject matter experts doing ad hoc monitoring of legal and regulatory change and sending e-mails with little or no follow-up, accountability, or impact analysis.
The organization needs a defined regulatory change management process—to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organization's policies, procedures, and controls need to be adjusted to address the change. The process must require joint accountability and collaboration among legal, compliance, and the business.
Building a regulatory intelligence strategy requires the implementation of a process model that monitors regulatory change, measures its impact on the business, and implements the appropriate policy, training, and control updates.
Regulatory change management processes include the following components:
1. Regulatory taxonomy and catalog: This is a catalog of legal and regulatory categories the organization has to comply with. Regulations are broken into categories to logically group related regulations (e.g., employment and labor, anti-corruption, privacy, quality, health and safety, AML, and fraud).
2. Roles and responsibilities: The core of regulatory intelligence is accountability—making sure that the right information gets to the right person to take appropriate action. This requires the identification of subject matter experts for each regulatory category defined in the taxonomy.
3. Business impact analysis: The subject matter expert, together with the business, must conduct a business impact analysis regarding the change. It may be as simple as acknowledging that it has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance program must be put in place.
4. Integration with policies: Regulations should be mapped to the policies that authorize how the organization will comply with them. Whenever a regulatory change is put into the system, corresponding policies related to the regulation should be flagged for review.
5. Communication and attestation plans: Along with policies, regulatory changes should be evaluated to see if compliance and policy training, communication, and attestation plans need to be updated or developed.
6. Monitoring and auditing: The goal is to provide accountability and sustained performance. A clear system of accountability includes monitoring of the process—who is assigned each task, and its status. Establish a detailed audit trail the organization can use to understand who made what decision and how the process was conducted.
Technology tailored to this process empowers legal and compliance personnel to manage and monitor regulatory change on a continuous basis. A flexible regulatory change process management system allows the organization to standardize and automate its regulatory requirements and monitor regulatory change. It also offers the ability to manage the collection, analysis, and action on information that flows within and across business units in an organization.
Tracking Change: An OCEG Roundtable
Rasmussen: I think everyone knows that changes in legal and regulatory requirements bring a need to create or change policies. At the same time, though, there is a lot of anxiety about how to best track these changes so they can be analyzed in light of policy needs. What steps do you recommend for keeping up with changes in legal requirements?
Wisniewski: The first step is effectively sourcing regulatory changes. Like most risk-related activities, determining what coverage you need and who is responsible for specific areas is key. For example, you may divide up responsibility based on regulator so that individuals have ownership of certain rulebooks. Gather data through regulatory intelligence providers; these providers distill regulatory updates into actionable synopses that provide a level of completeness and efficiency to identification of regulatory updates. Unfortunately, ignorance is not an excuse for non-compliance, so it's important to still review regulator Websites to cross-check that all significant updates have been captured. Next, the process for evaluating changes needs to be efficient. Specifically, it's important to have methods for reducing the noise, quickly vetting relevance, managing inter-related updates, and working with lines of business to determine potential impacts.
LeBas: The traditional approach of subscribing to compliance Websites with RSS feeds or receiving e-mail-based regulatory alerts from compliance monitoring vendors is becoming too onerous for organizations. Compliance teams can receive dozens of these e-mail notifications from multiple sources on a single day, and they simply do not have time to sift through content to find what is relevant to their organization. By consolidating this information into a consistent process enabled by technology, the organization is able to first of all filter content that does not apply directly to them. Secondly, organizations are able to align compliance information to their internal policy, procedure, and control framework. This approach allows organizations to quickly identify which policies should be reviewed for changes to align with the new regulatory requirements. This approach is able to establish a streamlined process for analyzing regulatory alerts, determining policies to review, and tracking necessary actions required to meet each regulatory requirement.
Karrer: A critical step is to establish ownership of the process. In some organizations, this process lives in the legal counsel, other times it is just thrown out to the business. Recognizing this as a process is the first step and then building a cross-functional team to own the methods the organization uses to keep track of regulatory changes is imperative. Receiving alerts is only half the battle. What you do with the information once you get it is the real challenge. How organizations respond to these changes determines whether they remain compliant. The key is to be able to filter through and isolate the impactful items so they can be addressed. Additionally, having the ability to document the impact is critical. This can't just be a thread of e-mails bouncing around the organization. It needs to be a defined process with a clear documentation trail to not only stay organized but also demonstrate proper diligence around the process.
OCEG ROUNDTABLE PANELISTS
Michael Rasmussen, Moderator: Principal Analyst, GRC360° Research
Mason Karrer: Sr. Product Manager, RSA, The Security Division of EMC
Joe LeBas: President, North America, BWise, a NASDAQ OMX Company
Scott Wisniewski: Director, Risk Technology Solutions, Protiviti
Source: OCEG.
Rasmussen: Clearly, changes such as a shift in lines of business, or locations of operation, or third-party relationships, can lead to a need for policy change. There is an ongoing relationship between such internal changes and how they impact identification of legal requirements and risk analysis. What methods do you suggest for ensuring that those responsible for policy development are kept in the loop as these actions and analyses take place?
Karrer: The ability for policy owners to keep up with organizational and external changes and measure the impact is crucial. Building on the previous question, in the case of regulatory changes, once information about them is captured, it needs to be routed to the responsible party for review. If the impact is significant and requires a policy change or addition, being able to workflow that activity through a collaboration process and establish a verifiable audit trail is a key component to demonstrating diligence and ensuring compliance. The same is true for internal changes. Suppose an organization wants to build a new factory. What are the risks? Are there local laws that could impact the project? How would delays threaten the investment? Is there a plan for maintaining safety and business continuity? Have any risks been transferred, and if so what's the residual risk level? Organizations must ensure that proper policies are defined to adequately address business risk and regulatory obligations. Maintaining comprehensive oversight to tie these things together, identify and measure external implications, and ensure key stakeholder awareness are essential factors.
Wisniewski: It's tricky because business leaders are focused on pushing the business forward. High-risk transactions or tidal shifts in the organization will likely funnel through legal, IT, procurement, and/or finance. These groups need to work in concert with each other, and include risk and assurance professionals in the dialogue. On one hand, they need to establish policies and related controls that prevent individuals from entering into transactions or relationships outside the risk appetite of the business. On the other hand, they need to be a conduit for change that allows the business to grow and need to regularly meet with business line professionals regarding business indicators and trends. For example, an inability for the organization to take on a certain risk may be resulting in a competitive disadvantage for which these groups must potentially revise existing policies and related capabilities in a way that allows the business to pursue growth while effectively managing risk.
LeBas: Shifting business lines, changing operational locations, and working with various third-party vendors are activities that occur daily, especially within large organizations. The process of maintaining compliance as these events occur requires a great deal of visibility and collaboration across the organization. However, these activities can be managed in a variety of ways. For example, process owners and business unit managers may be required to report these changes within a system that facilitates the analysis, approval, and overall reporting of changing business functions. Additionally, periodic assessments can be distributed through the system to process owners and business unit managers to communicate whether significant changes have occurred that may have a regulatory impact. By embedding compliance activities such as this into the business, executives and the board of directors can gain more assurance that their organization is operating in a streamlined, optimized fashion while still meeting regulatory requirements.
Rasmussen: One of the challenges in keeping policies relevant is knowing, in a timely fashion, when changes need to be made, or new policies created. How do you determine how quickly to transmit information to the policy owners about changes in requirements, risk analysis, or business plans? Should you have different categories that call for immediate action or use regularly scheduled communication? What sort of mechanisms should be in place to make sure communication takes place?
LeBas: Policy changes can be driven from a variety of compelling events in the company. These can be based on internal factors (i.e. results of the latest executive board meeting) as well as external factors (i.e. regulatory changes). These events oftentimes impact multiple business areas and require a great deal of coordination to ensure each area takes the necessary steps to respond. A policy committee should be established with representatives from each business area (HR, finance, IT, etc.) with regularly scheduled meetings to discuss these events and the necessary steps to add or modify policies as well as communicate these changes throughout the business. By utilizing a centralized process enabled by technology, these activities can be tracked by policy owner, due date, and activity status. Through consolidated dashboards and reports, each business area can have a real-time view of the drafting, reviews, communication, and attestation of each policy.
Karrer: Some changes can take substantial time to actually impact the organization. Sometimes it may be years before operations need to comply with a regulatory change. The true implementation horizon should be anticipated and visible on an organization's radar. The last thing the organization wants is to know of something that impacts in the future, forget about it, lose it in the constant change of business, and then all of a sudden the compliance timeline ticks down to zero, resulting in a last-minute fire drill. Suppose a new mandate will require six months of organizational policy and retraining effort to adapt and be compliant. The ability for policy owners to set the wheels in motion early is key to ensure the organization reacts sufficiently and timely enough to avoid compliance risk. Whether an alert is received from an external feed or management gets wind of something on the street, aggregating that information into a common workflow for consideration by key policy stakeholders is critical.
Wisniewski: For regulatory and legal changes the business should have a team in place that is dedicated to monitoring the regulatory environment, and based on your industry this may be a daily job. Review of policies in light of external environment or business condition changes is more likely to result from incorporation of risk management into the planning, budgeting, and forecasting process. This is central to utilizing risk management as a tool that helps the organization move from strategy to execution as it allows you to respond to market conditions with greater agility and more effectively communicate objectives and parameters across the enterprise. Of course, policy owners need to establish a regularly scheduled review of policies to assure they are up-to-date.