Managing this dynamic and intricate nature of change is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year.
What further complicates this is the exponential effect of regulatory change on the business. Business operates in a world of chaos and, in that context, regulatory chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which a small event develops into and influences what ends up being a significant event. The concept uses the analogy that the simple flutters of a butterfly’s wings create tiny changes in the atmosphere that ultimately impact the development and path of a hurricane.
The typical organization does not have adequate processes or resources in place to monitor regulatory change. Instead, most organizations end up firefighting, trying to keep the flames of regulatory change under control. To address regulatory change, organizations need to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization.
Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. To achieve this, organizations must develop a process for collaboration, accountability, and integration within a GRC information and technology architecture.
To maintain consistency in evaluating regulatory change, organizations should have a standardized business impact analysis process that measures the impact of the change on the organization to determine whether action is needed and to prioritize action items and resources. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate that the response is simply to note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
A GRC information and technology architecture helps the organization to manage regulatory change to:
The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, push new developments or alerts into the application, and disseminate them for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization. Most critical is the ability of technology to model the organization in order to analyze the effect of regulatory change on the organization and its processes.
Source: Data from Thomson Reuters via GRC 20/20