By Brian Gregory, VP Market Manager, Non-Financial Risk/GRC, EMEA, Wolters Kluwer.
Why do you feel regulatory change management is important?
Regulatory change management refers to the process by which an institution reacts to regulatory changes that may impact their business. Regulatory change management includes monitoring for, assessing, and reporting on changes and is a necessary part of a strong compliance program management system. A healthy regulatory change management program helps you to understand the effect a change has on your business policies and procedures and to identify gaps in your procedures, and provides an opportunity to educate and train colleagues. It also allows you to monitor, track, and embed controls in order to maintain a proactive compliance program. Managing regulatory change well can significantly reduce your compliance risk.
How has regulatory change management evolved over time?
Regulatory change management has always existed, but there’s currently more of a focus on it. It’s always been a part of the compliance team’s responsibilities, but it’s become more formalised and process driven. Regulators want you to ensure that there are project plans in place and tracking modules to ensure that you are regularly completing processes including training staff, updating your business’ risk assessment, updating your compliance testing program, and providing regular updates to senior management.
Is regulatory compliance an issue for Operational Risk Professionals?
Penalties for operational failings have reached a level where they are having a material impact on firms’ profitability and ability to deliver shareholder value. To remain on the right side of the law, operational risk professionals must remain aware of regulatory changes and maintain compliance. Interestingly, Gartner refined their market view of governance in 2017 and made operational risk the hub for all risk management categories.
What are the main regulatory challenges facing risk professionals?
There are many but I think they can broadly be grouped into 4 categories:
- Do they know which regulations apply to each part of their business?
- Are they sure that they have appropriate controls, policies, procedures etc. to ensure compliance with the regulations?
- Are the controls functioning correctly? Is there any evidence of failures?
- Can they be sure that they are capturing all the changes, amendments, new requirements, guidance etc.?
- Can they quickly assess the impact of changes to regulations, new guidance etc.? Can they evidence the steps taken and the approvals obtained?
Most organisations have tried to manage this through spreadsheets, Word documents, SharePoint etc., but few have succeeded in creating efficient, sustainable solutions.
What should organisations be focusing on?
The simple answer is that they should look at how they can achieve an efficient, sustainable process that enables them to meet the above objectives, and that they can document and prove to their board, internal audit and regulators that they have this system in place. At the heart of this will be obtaining the appropriate regulatory content in a format that enables them to link it to their business units, controls, policies and procedures. They then need to have amendments, new regulations, guidance etc. delivered in a format that enables them to quickly assess their impact. Last, but not least, they need a software solution that automates and records their actions.