The modern compliance officer trying to build a program for so many regulations, changing so often, might feel a lot like the mythical Greek king Sisyphus: sentenced by the gods to push a boulder up a hill, over and over again, for all eternity.
“Compliance officers feel as though they are being punished by the gods,” says Steve Taylor, director of product management for Wolters Kluwer’s U.S. enterprise risk and compliance business. “Just as they’ve managed to implement one regulatory development, another 20 come their way. They are continuously rolling the ball up the hill.”
In a post-Dodd-Frank Act world where new regulations emerge fast and furious, keeping pace can seem to require inhuman effort. Hence, a push for smarter approaches to regulatory change management to keep compliance and risk managers alerted to new regulations as quickly as possible. “There is a lot of emphasis, at this precise moment in time, on making sure that people know what the rules are and keep up with the developments,” says Taylor, whose firm is one of many selling regulatory change management systems.
Once upon a time, firms could do quite well by merely monitoring regulators’ websites and, as needed, forming an ad hoc team of lawyers if a new rule was overly complex or risky for a business line. “What’s happening now is that tidal wave of information is making it more and more difficult for businesses to keep up with what is going on,” he says.
Effective regulatory change management (whether you use dedicated software for the task or not) has several parts. Not only must you be aware that a rule change has happened; you must know how the rule affects the company’s policies, procedures, and internal controls.
“Tracking regulatory developments is one thing, but you need to develop an impact assessment, and understand where a new rule hits your policies, procedures, and internal supervisory controls.”
Steve Taylor, Senior Product Manager, Wolters Kluwer
“You want to codify your controls policies and procedures and make sure you really understand the form of the data—because you can have structured and unstructured data—as well as the source of the information,” suggests Graham Tasman, business advisory services principal at the accounting firm Grant Thornton. “Where is this critical information going to come from? Integration is crucial because you deal with information flows from many different source systems that all need to come together.”
“There is a lot of information out there that organizations could track, some of which is important and some is not,” Taylor says. “You don’t want to drink from the fire hose. You need customized feeds of information coming into the system that reflect the business activities and the regulators you are tracking.”
The challenge is configuring those systems so the business gets the information it needs, delivered to the right people. And, Taylor notes, more than just final rules must be tracked. Firms should also monitor secondary source information from regulators, such as no-action letters and interpretive guidance.
To succeed, a business must identify affected policies, procedures, and controls. “You need to do the initial triage on whether a change is material and, if it is, who has to deal with it,” Taylor says. In some firms, a regulatory or legal team does the initial scan of the documents, makes that initial assessment, and passes it onto the business lines.
“Managing regulatory change is less about the data gathering—although that is a critical function—and more about assessing the impact to the business,” Taylor stresses. “Organizations need to do some kind of mapping and establish a framework. Can you identify policies and procedures that are relevant to your business activities and products? Can you identify related supervisory controls and compliance risks that may be tied to them?”
The following, from Wolters Kluwer, suggests best practices for a Regulatory Change Management System.
Track Regulatory Developments
Track all developments, from proposal to final effective date announcement, at the federal and state level.
Gain visibility into key information such as regulator, filing numbers, rules affected, rulemaking status, comments due dates, effective dates, and link to original source content.
Continuously update changed regulatory information.
Assess the Impact
Assign regulatory or legislative development cases to business unit owners for review and action.
Assess developments against existing policies and procedures, identified risks, controls, and test programs to ensure appropriate implementation actions are taken across the business.
Generate workflows, assignments and tasks.
Automate task distribution and management of action items.
Aggregate real-time reports into dashboards for senior management, individual lines of business, and regulatory agencies concerning the current state of the compliance management program.
Create user defined reports to track regulatory developments, or create ad hoc status reports as required by senior management or regulators.
Source: Wolters Kluwer.
Business operations can be mapped to the regulatory change management technology. “They can understand that ‘this part of my business is driven by these rules and regulations and connected to these policies, procedures, and e-learning training activities,’ ” Taylor says. The data can also be mapped to a specific individual within the organization. “If FINRA Rule 3110 changes, send it to Bob because he deals with those developments.” These efforts can help assess the effect of the new or changed rule and what needs to be done, including whether additional training is needed or a new supervisory control must be developed.
Another challenge is to determine how many resources you need for a strong change management system. “What does it look like for an organization to be aware of those operational costs from regulatory change, from the most Pollyanna to the most Chicken Little perspective?” asks David Houlihan, principal analyst for Blue Hill Research, a GRC research firm. “How do they take the situation and develop a strategic understanding rather than a very reactive posture? You need to figure out what the cost components are. You need to know and measure operational cost.”
That assessment capability may be possible, Houlihan says, although he has yet to find a company or vendor that does it effectively. “Folks that own risk need to do more to understand the rest of the business,” he says. “I think they have been comfortable being Chicken Little talking about how the sky is falling, rather than what it costs to build a bomb shelter.”
Those relying on a regulatory change management system would do well to take a look at how many large banks approach fraud management, tracking massive amounts of transaction data on a daily basis and still, in real time, maintaining effective lines to risk and compliance and pushing every transaction through those controls, he adds.
As chief compliance officer for Florida-based BankUnited, Marie Blake uses both technology and a hands-on approach to manage regulatory change. Tracking efforts are supplemented with industry newsletters and updates from regulators and law firms. Armed with this information, she produces a regulatory digest for the company. That impact analysis is supplemented with quarterly, in-person meetings with business unit leaders.
“We are tracking things behind the scenes, and working with the business lines to ensure that everything is covered,” Blake says. “We know if it is a big change or a small change, whether we need to launch a formal initiative, and whether there are vendors involved.”
For her bank, overseen by the Office of the Comptroller of the Currency, adapting to regulatory change is a mandate. Using exams and filings, the OCC directly asks for documentation of how the bank was engaged throughout regulatory change events and whether it assimilated those changes effectively. In addition to rulemaking, guidance and commentary issued by the regulators are “treated as though it is regulation,” Blake says. “They expect us to be reading the guidance and incorporating it into our control structure.”
BankUnited’s approach to regulatory change moves it beyond the compliance function and out into the business lines. “They understand that they are the first line of defense in ensuring that we are managing all risk exposures building these changes into their control environment,” Blake says. “It needs to be a very integrated process where they are sitting at the table with us.”
Training and education are important for bringing all relevant employees up to speed on a rule change. Training materials at BankUnited are updated at least annually, supplemented by customized programs.
While Blake does use technology to assist regulatory change monitoring, she warns against taking it for granted. “The regulators expect us to be monitoring what vendors do,” she says. “We can’t contract away regulatory risk exposure.”