We all know the legal standard of “knew or should have known” often applied in negligence cases and regulatory enforcement actions. It has led to innumerable legal decisions concluding:
Ignorance of the law is not a defense.
Failure to consider obvious outcomes of action is not a defense.
Putting on blinders instead of investigating an issue is not a defense.
When I was in law school, way back in the day before desktop computers let alone the internet, we learned the meaning of “should have known” was what a reasonable person similarly situated would know, or in the case of specialized knowledge what a peer with similar training and responsibilities would know. Failing to know what you should have was deemed reckless, but there was little or no discussion about how one would or should gain such knowledge.
Today, with advances in technology and the availability of cost-effective methods of collecting and analyzing data, we should be having that discussion. We should be asking ourselves: what is the reasonable norm for identifying and responding to regulatory requirements? What methods and types of technology are required to meet the “knew or should have known” standard? These are questions that will be addressed in enforcement actions, settlements, and judicial decisions in the not-too-distant future. We need to address them now.
Let’s look at it in the context of regulatory change management, which is a significant part of any compliance program. For many organizations, especially those engaged in global activities, the challenge of monitoring multiple sources of information and identifying relevant content is overwhelming. Gone are the days of simply relying on trade associations to provide quarterly updates or scanning the daily Federal Register (and other countries’ equivalents). Similarly, maintaining a view of where changes may affect the organization is a more difficult task than in the past. With many organizations increasing outsourcing and use of vendors around the world, the opportunities to miss important connections are frequent and potentially have devastating results. Even passing information along to the owners of policies, procedures, and controls has become a greater challenge. Using spreadsheets and e-mail for communication presents a real risk of things falling through the cracks and makes development of an audit trail virtually impossible.
Today, the only way for a complex organization to manage regulatory change is through the thoughtful application of modern services and technology. If there haven’t been judicial decisions yet that explicitly reach this conclusion, I submit that there will be many within the next few years. Regulatory agencies are beginning to define next-generation compliance, and the courts will soon follow. Just one example is the U.S. EPA’s Next Generation Compliance Tools in Civil Enforcement Settlements memorandum (issued Jan. 7, 2015) which calls for use of modern information technology, electronic reporting, enhanced transparency of compliance data, and other methods to more easily identify and address environmental compliance problems, report compliance information, and facilitate review and analysis by the EPA and the public.
Now, more than ever before, there are services that monitor thousands of sources of information and can provide up-to-date notification and analysis customized to each organization’s needs. There is technology that can deliver that information into the organization and map it directly to the established policies, procedures, and controls that would be affected by any regulatory change. Technologies are also available to ensure delivery of change information to the right people in the organization at the right time, and to record and report on their responses and actions. Done right, available services and technology cost far less than managing these processes manually. Just imagine the hundreds of employees or retained experts needed around the world to track the relevant sources of information, let alone the complexity of maintaining an audit trail of responses in layers of spreadsheets.
Expensive manual management will fail despite the expenditure, and the alternative of doing “regulatory change management lite” by applying a minimal level of resources won’t meet the “knew or should have known” standard. The only choice is to enter the modern era and use the technologies now available, for both regulatory change and compliance management overall.
Key Steps to Manage Regulatory Change: An OCEG Roundtable
Switzer: The volume, velocity, and range of regulatory change actions today are overwhelming. Companies need to track and respond to proposals, final rules, interpretations, guidance, enforcement actions, judicial decisions, and more. Given the wide scope of both sources of information and types of content they release, what is the first step of identifying what you need to track and follow?
Evans: We see too many organizations trying to manage an increased volume of regulatory change with few resources and no clear auditable process in place to evidence what key steps they took to remain compliant. By using a regulatory change management system to track and monitor regulatory change activity, you provide your executives and regulators with more visibility and a clear outline of what you are doing to minimize compliance risk. Within that system, you should use a pre-defined taxonomy to filter content based on factors like geography, sector, content type, themes, and organizations, so that you can tailor what types of alerts each team or individual receives and how frequently.
Bray: I think establishing a definite set of criteria for content that is to be managed by the available taxonomy is one of the first key steps in the regulatory change management process. This is increasingly important given the rising volume and rate of regulatory change activity, as tracking developments from disparate sources continues to be an ongoing challenge for compliance teams. It can leave room for human error and cause potential regulatory changes to be missed, and there isn’t always the option for teams to have visibility on what is being managed and by whom. Also, with the rise in personal liability and enforcement actions, there needs to be a clear job description in place and an automated compliance management system that maps regulatory change activity to relevant policies and controls, so that teams can more easily identify what requires updating and from there communicate this to the relevant individuals.
In my previous role working at a large bank, we tried to manage regulatory change activity with manual processes like Excel spreadsheets, which took up a lot of resources and time, and there was little way for us to evidence what had been done by the team to monitor and manage these changes. It is important to ensure you get to the relevant content more quickly without it getting diluted in the noise. Without a delegated owner, the chances of something going unmanaged rise, which could be harmful to the business and reduces the ability to take proactive measures.
Switzer: Once you have organized this vast amount of information, how do you decide what is relevant and necessary for you to track and analyze? Is there a risk-based approach?
Evans: Typically, organizations need to determine their risk appetite beforehand. From there they can better determine how much risk they are capable of managing, and what their risk profile looks like.
In order to apply your risk-based approach, it is key to establish a set of criteria and to prioritize the most relevant regulatory content against your risk profile. Your risk profile should be applied to the pre-defined content taxonomy and mapped to the specific risks identified as material. Once your compliance teams have assessed which regulations matter, it is important that all rule changes get mapped to the business, so that the teams can determine which policies, procedures, business units, and controls were impacted by the change. From there, you can take the steps to update and notify employees of the relevant policy changes.
Moderator: Carole Switzer
Bray: Yes, but this is hard to achieve with so many sources of content, each with an inconsistent format. With an automated solution, you will have the assurance that changes are being mapped to the relevant areas of the business, with a consistent and repeatable approach that is aligned to your risk profile. This gives independent reviewers and regulators the confidence that your organization is proactively managing its compliance risk. There may be outliers and false positives, but these are far easier to manage than the entire process given the potential volume of records.
Switzer: How do you ensure that the right people in the organization are kept up-to-speed and informed when regulatory changes may impact the operations or policies and controls that need to be in place? And how do you keep track of those communications and the response to them?
Evans: You need to map relevant regulatory actions to related controls and policies for which you have identified owners. This is really simplified in an automated system housed in one application, which then can ensure that each time a regulatory change alert takes place it gets sent directly into the business’ workflow process so that the teams can perform impact assessments to determine what needs updating.
Of course, there’s another benefit too. By mapping all regulatory considerations and all processes and controls onto a single, integrated solution, you then reduce compliance costs—a control requirement may be critical to multiple regulations, but using this approach means you test the control once and feed the results back to each regulatory assessment.
Bray: How this gets mapped to the business can be quicker and more streamlined with an automated solution, and this also offers a complete audit trail of the process and actions taken. With an automated compliance management system, teams can receive regulatory alerts to their compliance dashboard each time a change occurs, and it is quite common with some processes to rank this information by level of risk and/or key due dates. You want a system where risk assessments can be assigned to key individuals to manage this change and—for reporting purposes—a clear audit trail of all of the activities taken during the event’s lifecycle is recorded in the system. This offers transparency not only to senior stakeholders and the board, but demonstrates to regulators that your organization has been taking the needed steps to remain compliant.
Switzer: What are some of the typical mistakes that prevent successful regulatory change management?
Evans: Typical pitfalls are missed regulatory changes, improperly managed actions, or policies and procedures that aren’t updated appropriately and communicated to the business. These can all be addressed in an automated system.
Regulators want to see that organizations have a transparent process to manage regulatory change; that employees have a clear understanding on what their roles in this process are; and that stakeholders have oversight on what risks the organization is exposed to.
Bray: By constantly monitoring events, you have visibility of what regulations are on the horizon and can plan ahead. A clear, auditable process in place offers a more streamlined approach to reporting, where it outlines to regulators what steps were taken to ensure compliance teams were actively managing regulatory change activity.
A challenge for compliance teams is staying current and up-to-date with regulatory change and answering the inevitable “how do you know” question. To do this, you need to be continuously monitoring and analyzing regulatory developments to ensure you maintain a strong awareness of the regulatory landscape. This is important to do, so that you can put a well-thought-out, effective plan in place before a regulatory change is to be implemented that meets the business needs, rather than rushing at the last minute and leaving room for potential error.
Firms typically run into trouble when they do not establish a clear strategy on what changes they will manage and how they apply to their risk profile and organizational structure. This often leads to being overwhelmed by content and spending more time on items that are immaterial versus carefully planning against those that are important.