By John Palmiero, SVP of EMEA at governance, risk and compliance software organisation, MetricStream
The sheer volume, velocity, and complexity of regulatory change is likely to keep many chief compliance officers (CCO) awake at night. Why is it that enterprises across the globe struggle to keep pace with the rapid onslaught of regulatory change? What is the approach organisations need to take to stay ahead in this race?
In the past, during the pre-financial meltdown era, it may have been possible to keep track of regulatory updates using standard manual approaches. However, as regulators continue to introduce more reforms and as rapidly evolving and disruptive technologies – such as fintech, IoT, Blockchain and cryptocurrencies – continue to appear, traditional approaches are proving less and less effective.
It appears that organisations have some catching up to do with the rapidly evolving regulatory environment. In fact, a recent KPMG survey revealed that only 27 percent of CCOs state that their compliance function has a change management process in place to identify changes in laws and regulations, and to incorporate such changes into their policies and procedures.
The time has come to develop a robust and technologically reinforced regulatory change management framework to help manage the rapidly increasing volume of regulatory reforms. A “wait-and-watch” approach is no longer sustainable and companies need to proactively address this business challenge before it is too late. Below are five key guidelines that will help firms to develop a regulatory change management framework that can equip them with the right set of tools to manage regulatory flux and be prepared for the next wave.
Stay on top of regulatory updates
In the current business environment, enterprises have to keep track of regulatory content from global as well as regional regulators, from a multitude of sources including regulatory publications, industry associations, national, and local media, and specialised content providers. With so many sources to keep track of, and high volumes of relevant content to analyse, it’s a time-consuming and resource-intensive exercise.
Cloud-based content platforms can serve as an aggregator for regulatory content from various sources. Using platform technology, compliance professionals can subscribe to curated content based on predefined rules and keywords, which can be streamed directly as RSS feeds, alerts, or email notifications. The organisation can set predefined rules on a variety of regulatory attributes including industry, jurisdiction, topic, state, due date, etc., thereby ensuring that relevant information reaches subscribers in real time.
Ensure a common regulatory taxonomy
Every global firm has to deal with inconsistencies in regulations across geographies and multiple business operations. A standard regulatory taxonomy, in line with the organisational hierarchy, and consistent in terms of language, terminology, and structure will improve communication among stakeholders, making it easier to set up a robust compliance framework. Additionally, companies will then be able to categorise, store, and deliver regulatory updates without having to frequently modify the rules and linkages that have already been set up in the system.
An efficient way to standardise the taxonomy is to set up a centralised GRC repository to store all regulatory updates from across the organisation, index updates according to the established hierarchy, and map them to multiple GRC attributes such as risks, controls and policies.
Assign regulatory responsibilities
In order to ensure accountability, it is important to clarify the roles and responsibilities of the individuals who manage the compliance function. While a cloud-based content platform will ensure the right information reaches the right set of users, each user should be a trained compliance professional with the ability to scrutinise these regulatory updates, in order to determine whether they are applicable to the organisation. Relevant senior management executives (SMEs) need to be identified within the enterprise, who understand the laws or regulations, and have sufficient knowledge to analyse these updates in detail.
To achieve this, enterprises need to ensure that there is a first level of screening or assessment by a centralised regulatory coordinator to determine how applicable the regulatory updates are. He or she would then pass the mantle on to individual assessors within relevant departments for detailed impact analyses. Finally, collaboration with external stakeholders also becomes important when regulators, customers, business partners, and other parties need to be informed on any changes in the firm’s overall processes, policies, controls, or other factors.
It is important to clearly document these roles and responsibilities, establishing accountability in the complete information lifecycle, from the time a new alert is delivered, to the time it is successfully implemented. Additionally, it is recommended that the senior management be actively involved at each stage and the board has clear visibility into the whole process.
Assess the business impact
Every regulatory update needs to be assessed in terms of its business impact. After the initial applicability assessment, each business unit can carry out a detailed impact analysis on an update to identify which risks, controls, policies, procedures, trainings, and reports are affected and need to be revised.
It is also important to group similar regulatory updates, as it will help not only in eliminating duplicates but also in identifying similar trends and patterns in the risks, controls, policies, and other areas that are impacted. This analysis then needs to be rolled up as per the defined organisational hierarchy to provide a holistic view of the impact across the enterprise.
At any point in time, a company should be able to gain a comprehensive view of the number of regulatory updates affecting them both holistically, and by business unit or functional area.
Implement regulatory change
The next step would be to formulate action plans, listing out tasks that need to be assigned to relevant users. Standard workflows need to be defined for the review and approval processes, with escalation capabilities when the tasks become overdue. Additionally, to ensure nothing goes amiss, it would help if business users are notified of the tasks that have been assigned to them through standard email notifications and reminders.
At each stage of the implementation process, reports and dashboards should give stakeholders visibility into the real-time status of the changes taking place, accountability, and the overall impact on the organisation. Furthermore, companies should ensure that issues or findings are logged with defined remediation plans for quick and efficient issue resolution and closure.
Regulatory change is not going to abate. In a world confronted with geo-political turmoil, cyber-attacks, business fraud, and social media influence, firms need to buckle up and take measures to tackle regulatory change head-on. Technology can be a strong enabler in addressing this need.
Organisations can opt for a robust and comprehensive regulatory change management solution that leverages a common foundation to facilitate multidimensional mappings with other GRC elements. Such a solution can help centralise disparate, siloed, and manual operations across business units and geographies, and align them with the enterprise’s overall business goals and objectives. This will not only help them track and analyse the all-too-frequent regulatory changes, but also ensure that these changes are effectively, and efficiently implemented. A proactive approach to regulatory change, backed by technology, is perhaps the most effective way in complying with the regulatory uncertainties of our times.
 KPMG: The compliance journey, 2017https://assets.kpmg.com/content/dam/kpmg/pa/pdf/compliance-journey-survey-2017.pdf