cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
MRasmussen
New Member

Managing this dynamic and intricate nature of change is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year.

GRC Regulatory activity

What further complicates this is the exponential effect of regulatory change on the business. Business operates in a world of chaos and in that context regulatory chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which a small event actually results, develops and influences what ends up being a significant event. The concept uses the analogy that the simple flutters of a butterfly’s wings create tiny changes in atmosphere that ultimately impacts the development and path of a hurricane.

The typical organization does not have adequate processes or resources in place to monitor regulatory change. Instead, most organizations end up fire fighting trying to keep the flames of regulatory change controlled. To address regulatory change, organizations need to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization. 

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. To achieve this, organizations must develop a process for collaboration, accountability, and integration within a GRC information and technology architecture

To maintain consistency in evaluating regulatory change, organizations should have a standardized business impact analysis process that measures impact of the change on the organization to determine if action is needed and prioritize action items and resources. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.

A GRC information and technology architecture helps the organization to manage regulatory change to:

  • Ensure that ownership and accountability of regulatory change is clearly established and understood.
  • Manage ongoing business impact analysis and scoring.
  • Integrate regulatory intelligence feeds that kick-off workflows and tasks to the right SME when change occurs that impacts the organization.
  • Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
  • Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
  • Visualize the impact of a change on the organization’s processes and operations.

The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization. Most critical is the ability of technology to model the organization to analyze the change of regulations on the organization and its processes.

*****

 Source : Data from Thomson Reuters via GRC 20/20