The volume, velocity and range of regulatory change actions today are overwhelming. By having a regulatory change management system to track and monitor regulatory change activity, you can provide your executives and regulators with more visibility and a clear outline of what you are doing to minimize compliance risk. Regulators want to see that organizations have a transparent process to manage regulatory change, and that employees have a clear understanding of their roles and responsibilities. For this, you need a clear, auditable and automated process in place with the major components of the process being planning, identification, and clear and consistent definitions.
Risk Appetite (Identification)
Organizations need to determine their risk appetite so that they can better determine how much risk they are capable of managing and what their risk profile looks like. To apply a risk-based approach, you must establish a set of criteria and prioritize the most relevant regulatory content against your risk profile. Your risk profile should be applied to the predefined content taxonomy and mapped to the specific risks identified as material.
Common Taxonomy (Definition)
One of the first key steps in the regulatory change management process is to define a set of criteria for content to be managed by an available taxonomy. Within that system, you should use a compliance taxonomy to filter content based on factors like geography, sector, content type, themes and organizations. It is also helpful to map regulatory taxonomies to internal based taxonomies for structure, products and organization.
Roles and Responsibilities (Definition)
With the rise in personal liability and enforcement actions, there should be a clear job description in place and an automated compliance management system that maps regulatory change activity to relevant policies and controls. This helps teams and ownership to easily identify what requires updating and from there communicate this to the relevant individuals.
Staying Current (Planning)
A challenge for compliance teams is staying current, and continuously monitoring and analyzing regulatory developments to ensure you maintain a strong awareness of the regulatory landscape. This is important so that you can create a comprehensive, effective plan in place before a regulatory change is implemented.
Tracking System (Planning)
You need to map relevant regulatory actions to related controls and policies for which you have identified owners. This is simplified when an automated system is housed in one application, which ensures that each time a regulatory change alert takes place it gets sent directly into the business’ workflow process so the teams can perform impact assessments to determine what needs updating. A control requirement may be critical to multiple regulations, but using this approach means testing the control once and feeding the results back to each regulatory assessment.
The financial crisis of 2008 will haunt the memories of a generation and will always be the stick that dictates more, not less regulation. The smart move is to embrace regulations and to make them work for you, rather than against you, by organizing your company or agency accordingly.
John Thackeray is the founder and CEO of Risk Smart Inc., a consulting firm that specializes in the writing of risk documentation. Over his long career, he has held many risk positions, including CRO posts at Societe General and Penson Worldwide Holdings, where he interacted and engaged with U.S. and European regulators.