November 21, 2022 | Amanda Khatri
Estimated reading time: 9 minutes
Compliance regulatory change management framework – what does good look like?
A few weeks ago, I was contacted by an advisory service for some input based on compliance subject matter expertise.
It seems that a digital finance organization was working on flushing out its compliance program and needed guidance on the compliance regulatory change management (CRCM) framework.
Well, if you know me, you know that this is a topic near and dear to my heart. During my career, I have built this process more than once. So yes, I could have spent hours discussing designing, developing, and executing a CRCM framework.
However, I was on the clock so I had to be brief and concise in my feedback. I figured there are other organizations out there that also find themselves at the precipice of standing up or expanding their CRCM and may benefit from what I learned through the school of hard knocks.
First, let me take a few moments to lay out the basic tenants of an excellent CRCM Framework then I will get into the trials and tribulations of governance (centralized vs decentralized, management reporting, accountability, etc.)
There are three critical components to any CRCM framework (1) Regulatory Intelligence, (2) Regulatory Implementation, and (3) Regulatory Library Management.
- Regulatory Intelligence covers all aspects of identifying new and changing regulations, tools/processes, and appropriate communications to all impacted parties.
- Regulatory Implementation covers all aspects of assessing the new/change regulation against business processes, implementation of identified changes, and the appropriate documentation and reporting.
- Regulatory Library Management includes the appropriate mapping to business, products, processes, risk rating the regulations, and using the library to support other compliance processes.
Depending on the size of the organization these three components may be handled very differently in any organization.
However, the key component is Regulatory Intelligence. If this component is not managed well, the rest becomes a moot point.
I found the biggest key to regulatory intelligence is finding an appropriate vendor to source and deliver the right regulatory materials to your organization in an easy-to-use platform on a real-time or near-real-time basis.
There are many vendors out there that offer the service some leverage high tech such as AI and some are low tech (aka law firms that will mine the data for you – some manually and some using automation).
If you have internal resources still searching regulatory sites looking for this information, let’s quickly stop this wasted effort and look for an affordable vendor to provide you with this service. Free up these resources for the real work – regulatory implementation.
A good vendor should leverage high-tech automation and should be able to customize your feed based on your specific needs (aka, the business lines, products, services, footprint, and jurisdictions).
Be thoughtful in prioritizing the staging of the build-out. No matter how good the vendor, the build-out requires months to tune and test the content feed to ensure it is meeting your needs, so take it in bitesize portions.
In my experience, I believe that the regulatory intelligence component needs to be managed centrally. This will avoid duplicative processes across the organization and make the work more efficient for the vendor thereby keeping costs down. I have seen the centralizing of regulatory intelligence work done differently in many organizations. It typically either resides under Compliance or Legal in some cases, it may reside under a centralized Risk function.
No matter which team, it is important that the Regulatory Intelligence team members have a decent understanding of regulations, and the organization, and they have identified Compliance SMEs supporting the vertical or horizontal process to engage for feedback. No matter how good a vendor is, they are reliant on the Regulatory Intelligence team to provide them with feedback to refine the content.
Even with the use of AI machine learning, it typically starts with supervised learning (aka humans training the machine). Your vendor is not the expert on your business and therefore cannot be expected to refine content without your continuous feedback.
Do not forget when building this component, you must determine how best to get the content to the appropriate parties in your organization. Ideally, a good vendor will have some sort of workflow that allows for segmenting of the content to queues by each Compliance SME who has been given responsibilities to review and communicate, as appropriate, to their risk and business partners.
The worst case scenario is if a system is not available establish some type of communication process and a central place where this information is stored for easy retrieval.
Some organizations do not have a formal process to ensure that new or changed regulations are implemented. In my experience, a good CRCM framework should have a formal tracking of implementation. This is foundational in demonstrating a solid compliance program. The management of the change process can be done centralized or decentralized. Regulatory implementation should be treated like project management. To include:
- Identifying key requirements impacting business processes.
- Developing action plans to bring the processes in line with the requirements and dates to be completed.
- Determining what documentation will be provided to the evidence action plan is completed.
- Identify which Business and Risk Partners will sign off when all action plans are completed.
- Establishing routines for status updates and progress reporting including escalation if an implementation is at risk of completion.
Depending on the scope of the regulation, this could be light work or multi-business/multi-year implementations. Where many organizations go wrong is not putting the necessary rigor into ensuring the project management, tracking, and reporting on implementations and are often left scrabbling trying to pull information together during a regulator’s inquiry.
Best practice should require regulatory implementation tracking to be stored in one platform. Your vendor platform may provide the necessary workflow or may allow for API connection into your GRC for reporting and efficient means to provide for regulatory exams.
Regulatory Library Management
The last component of a good CRCM Framework is good regulatory library management. This is the necessary maintenance that must be done to your library to ensure your risk and business partners always have an accurate inventory of regulations that apply to their business, products, and services. In this component, you should have:
- One system of record for your library. This may be the vendor’s platform if the vendor has an open API that allows for connection into GRC or other tools. If not, you may need to port the regulations into a GRC and establish update routines between the vendor and GRC. I am not a believer in landing the regulatory intelligence feeds directly into the GRC. Most GRCs are not designed to allow for appropriate review and scrubbing. This is best done outside of your GRC. Leaving the GRC to either connect or house the final records.
- A risk rating is assigned to the regulation and the enterprise level. At the requirements level, a rating should be assigned based on the impact of a specific product, service, or process. The requirements level rating may be different across the organization.
- As your organization chart changes or products /services are added or discontinued, this regulatory library mapping must be updated so that the business inventory is accurate. If the regulation or requirements in a regulation are repealed that must also be documented and deactivated.
- The system of record should have retention dates for all components of the CRCM framework.
This process is better managed centrally with input from the appropriate Compliance SMEs. Working with a good technology team should allow you to integrate the library where needed so that regulations can be leveraged in all aspects of your compliance program (e.g., complaints management, issues management, RCSA, Vendor Assessments, etc.)
Now I want to take a few moments to discuss the trials and tribulations around governance. As you see I encourage the centralization of two components — regulatory intelligence, and regulatory library management. Depending on the size of your organization there are always individuals who do not like working through a centralized process. I have heard the arguments time and time again including:
- “We could get the information faster if we had direct access.”
- “The generalists don’t know enough to curate the right information.”
- “It is too time-consuming having to provide someone else feedback. I can do it better myself.”
I could go on and on. Here is the hard cold reality. Even the best RegTech vendor will provide you with a host of information that you do not want to communicate down through the organization. Why? Because the regulatory bodies put out a ton of information.
If you cast your net too narrow, you may miss something important. If you cast your net too wide, you can be inundated with noise. The role of the Reg Intelligence team is to filter through the news and help teach the machine (if machine learning is involved) which will improve the content over time and limit/eliminate the noise that the Compliance Officer would have to deal with if the central team was not in place. This is the same case on the backend in Library Management. Depending on how fast your organization changes, maintenance can become a time-consuming and easily neglected process.
A library has no value if it is not well maintained. Performing these functions is not the best use of a Compliance Officer’s time as it takes away from their value ad provides business support in helping manage compliance risk.
When it comes to Regulatory Implementation, there is no magic to the right model. I firmly do believe it is tied to the maturity of the organization and how seriously the senior leadership view regulatory change management.
In a well-oiled, disciplined organization this function can be performed in a decentralized fashion with appropriate systems to track progress and generate CRCM metric reporting. If you are not managing the implementation centrally, having good procedures is a must.
Whether it is fully centralized project management or a light-touch central governance oversight, it is important to ensure proper reporting to business leadership, executive management, and the Board as part of your compliance program updates. This demonstrates a foundational commitment to your compliance program. If you cannot provide metrics around your regulatory change management, you will never be able to look a regulator in the eye and state that you are managing compliance risk.
All of this leads to a strong governance model that clearly identifies each component of your CRCM framework, lays out clear expectations, identifies roles and responsibilities, and ensures you’re your management accountability is well-defined and communicated.
My final word on the CRCM framework is – it is a never-ending continuous cycle of improvement. As your organization morphs and changes, you will constantly have to update regulatory intelligence and your library. As resources ebb and flow and leadership changes, you may have to reevaluate if a regulatory implementation is working effectively. This will never be a one-and-done. To achieve the best outcomes, engage, engage, engage – your vendor(s), your compliance teams, your risk partners, and your business leadership.
CUBE can help you keep abreast of every regulatory change and make sense of it for your business, from the CRCM framework to compliance worries.