In the time it takes you to read this article your business has changed. The economic environment has changed, your employees have changed, and there are constant changes to technology, competition, and processes. Business drifts in a sea of change. One particular area of change that bears down on the organization is the siege of changing laws, regulations, and enforcement actions.

When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, it is impossible to be intelligent about the regulatory risk that impacts your business. The typical organization does not have adequate processes in place to monitor regulatory change, determine its impact on business processes, prioritize, and make changes to policies. Information itself is not enough—organizations are overwhelmed by data from legal and regulatory newsletters, Websites, e-mails, and content aggregators. In fact, the vast amount of information is part of the problem. It is not uncommon to have a myriad of subject matter experts doing ad hoc monitoring of legal and regulatory change and sending e-mails with little or no follow-up, accountability, or impact analysis.

The organization needs a defined regulatory change management process—to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organization's policies, procedures, and controls need to be adjusted to address the change. The process must require a joint accountability and collaboration effort between legal, compliance, and the business.

Building a regulatory intelligence strategy requires implementing a process model that monitors regulatory change, measures its impact on the business, and implements appropriate policy, training, and control updates.

Regulatory change management processes include the following components:

1. Regulatory taxonomy and catalog: This is a catalog of the legal and regulatory categories the organization has to comply with. Regulations are broken into categories to logically group related regulations (e.g., employment and labor, anti-corruption, privacy, quality, health and safety, AML, and fraud).

2. Roles and responsibilities: The core of regulatory intelligence is accountability—making sure that the right information gets to the right person to take appropriate action. This requires the identification of subject matter experts for each regulatory category defined in the taxonomy.

3. Business impact analysis: The subject matter expert, together with the business, must conduct a business impact analysis regarding the change. It may be as simple as acknowledging that it has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance program must be put in place.

4. Integration with policies: Regulations should be mapped to the policies that authorize how the organization will comply with them. Whenever a regulatory change is put into the system, corresponding policies related to the regulation should be flagged for review.

5. Communication and attestation plans: Along with policies, regulatory changes should be evaluated to see if compliance and policy training, communication, and attestation plans need to be updated or developed.

6. Monitoring and auditing: The goal is to provide accountability and sustained performance. A clear system of accountability includes monitoring of the process—who is assigned each task, and its status. Establish a detailed audit trail the organization can use to understand who made what decision and how the process was conducted.

Technology tailored to this process empowers legal and compliance personnel to manage and monitor regulatory change on a continuous basis. A flexible regulatory change process management system allows the organization to standardize and automate its regulatory requirements and monitor regulatory change. It also offers the ability to manage the collection, analysis, and action on information that flows within and across business units in an organization.

Tracking Change: An OCEG Roundtable

Rasmussen: I think everyone knows that changes in legal and regulatory requirements bring a need to create or change policies. At the same time, though, there is a lot of anxiety about how to best track these changes so they can be analyzed in light of policy needs. What steps do you recommend for keeping up with changes in legal requirements?

Wisniewski: The first step is effectively sourcing regulatory changes. Like most risk-related activities, determining what coverage you need and who is responsible for specific areas is key. For example, you may divide up responsibility based on regulator so that individuals have ownership of certain rulebooks. Gather data through regulatory intelligence providers; these providers distill regulatory updates into actionable synopses that provide a level of completeness and efficiency to identification of regulatory updates. Unfortunately, ignorance is not an excuse for non-compliance, so it's important to still review regulator Websites to cross-check that all significant updates have been captured. Next, the process for evaluating changes needs to be efficient. Specifically, it's important to have methods for reducing the noise, quickly vetting relevance, managing inter-related updates, and working with lines of business to determine potential impacts.

LeBas: The traditional approach of subscribing to compliance Websites with RSS feeds or receiving e-mail-based regulatory alerts from compliance monitoring vendors is becoming too onerous for organizations. Compliance teams can receive dozens of these e-mail notifications from multiple sources on a single day, and they simply do not have time to sift through content to find what is relevant to their organization. By consolidating this information into a consistent process enabled by technology, the organization is able to first of all filter content that does not apply directly to them. Secondly, organizations are able to align compliance information to their internal policy, procedure, and control framework. This approach allows organizations to quickly identify which policies should be reviewed for changes to align with the new regulatory requirements. This approach is able to establish a streamlined process for analyzing regulatory alerts, determining policies to review, and tracking necessary actions required to meet each regulatory requirement.

Karrer: A critical step is to establish ownership of the process. In some organizations, this process lives in the legal counsel; other times it is just thrown out to the business. Recognizing this as a process is the first step, and then building a cross-functional team to own the methods the organization uses to keep track of regulatory changes is imperative. Receiving alerts is only half the battle. What you do with the information once you get it is the real challenge. How organizations respond to these changes determines whether they remain compliant. The key is to be able to filter through and isolate the impactful items so they can be addressed. Additionally, having the ability to document the impact is critical. This can't just be a thread of e-mails bouncing around the organization. It needs to be a defined process with a clear documentation trail to not only stay organized but also demonstrate proper diligence around the process.


Michael Rasmussen, Moderator; Principal Analyst, GRC360° Research

Mason Karrer, Sr. Product Manager, RSA, The Security Division,

Joe LeBas, President, North America, BWise, a NASDAQ OMX Company

Scott Wisniewski, Director, Risk Technology Solutions,

Source: OCEG.

Rasmussen: Clearly, changes such as a shift in lines of business, or locations of operation, or third-party relationships, can lead to a need for policy change. There is an ongoing relationship between such internal changes and how they impact identification of legal requirements and risk analysis. What methods do you suggest for ensuring that those responsible for policy development are kept in the loop as these actions and analyses take place?

Karrer: The ability for policy owners to keep up with organizational and external changes and measure the impact is crucial. Building on the previous question, in the case of regulatory changes, once information about them is captured, it needs to be routed to the responsible party for review. If the impact is significant and requires a policy change or addition, being able to workflow that activity through a collaboration process and establish a verifiable audit trail is a key component to demonstrating diligence and ensuring compliance. The same is true for internal changes. Suppose an organization wants to build a new factory. What are the risks? Are there local laws that could impact the project? How would delays threaten the investment? Is there a plan for maintaining safety and business continuity? Have any risks been transferred, and if so what's the residual risk level? Organizations must ensure that proper policies are defined to adequately address business risk and regulatory obligations. Maintaining comprehensive oversight to tie these things together, identify and measure external implications, and ensure key stakeholder awareness are essential factors.

Wisniewski: It's tricky because business leaders are focused on pushing the business forward. High-risk transactions or tidal shifts in the organization will likely funnel through legal, IT, procurement, and/or finance. These groups need to work in concert with each other, and include risk and assurance professionals in the dialogue. On one hand, they need to establish policies and related controls that prevent individuals from entering into transactions or relationships outside the risk appetite of the business. On the other hand, they need to be a conduit for change that allows the business to grow and need to regularly meet with business line professionals regarding business indicators and trends. For example, an inability for the organization to take on a certain risk may be resulting in a competitive disadvantage for which these groups must potentially revise existing policies and related capabilities in a way that allows the business to pursue growth while effectively managing risk.

LeBas: Shifting business lines, changing operational locations, and working with various third-party vendors are activities that occur daily, especially within large organizations. The process of maintaining compliance as these events occur requires a great deal of visibility and collaboration across the organization. However, these activities can be managed in a variety of ways. For example, process owners and business unit managers may be required to report these changes within a system that facilitates the analysis, approval, and overall reporting of changing business functions. Additionally, periodic assessments can be distributed through the system to process owners and business unit managers to communicate whether significant changes have occurred that may have a regulatory impact. By embedding compliance activities such as this into the business, executives and the board of directors can gain more assurance that their organization is operating in a streamlined, optimized fashion while still meeting regulatory requirements.

Rasmussen: One of the challenges in keeping policies relevant is knowing, in a timely fashion, when changes need to be made, or new policies created. How do you determine how quickly to transmit information to the policy owners about changes in requirements, risk analysis, or business plans? Should you have different categories that call for immediate action or use regularly scheduled communication? What sort of mechanisms should be in place to make sure communication takes place?

LeBas: Policy changes can be driven from a variety of compelling events in the company. These can be based on internal factors (i.e. results of the latest executive board meeting) as well as external factors (i.e. regulatory changes). These events oftentimes impact multiple business areas and require a great deal of coordination to ensure each area takes the necessary steps to respond. A policy committee should be established with representatives from each business area (HR, finance, IT, etc.) with regularly scheduled meetings to discuss these events and the necessary steps to add or modify policies as well as communicate these changes throughout the business. By utilizing a centralized process enabled by technology, these activities can be tracked by policy owner, due date, and activity status. Through consolidated dashboards and reports, each business area can have a real-time view of the drafting, reviews, communication, and attestation of each policy.

Karrer: Some changes can take substantial time to actually impact the organization. Sometimes it may be years before operations need to comply with a regulatory change. The true implementation horizon should be anticipated and visible on an organization's radar. The last thing the organization wants is to know of something that impacts in the future, forget about it, lose it in the constant change of business and then all of a sudden the compliance timeline ticks down to zero, resulting in a last-minute fire drill. Suppose a new mandate will require six months of organizational policy and retraining effort to adapt and be compliant. The ability for policy owners to set the wheels in motion early is key to ensure the organization reacts sufficiently and timely enough to avoid compliance risk. Whether an alert is received from an external feed or management gets wind of something on the street, aggregating that information into a common workflow for consideration by key policy stakeholders is critical.

Wisniewski: For regulatory and legal changes the business should have a team in place that is dedicated to monitoring the regulatory environment, and based on your industry this may be a daily job. Review of policies in light of external environment or business condition changes is more likely to result from incorporation of risk management into the planning, budgeting, and forecasting process. This is central to utilizing risk management as a tool that helps the organization move from strategy to execution, as it allows you to respond to market conditions with greater agility and more effectively communicate objectives and parameters across the enterprise. Of course, policy owners need to establish a regularly scheduled review of policies to assure they are up-to-date.