Regulatory Change Management

Transcription

1 Regulatory Change Management Maturity Model: From Ad Hoc to Agile November 2015 Michael Rasmussen, J.D., GRCP, CCEP The GRC GRC 20/20 Research, LLC OCEG

2 Change is the Greatest Challenge in GRC 2

3 Regulatory REGULATORY Activity in Financial ACTIVITY TRACKED Services Tracked *Note: Tracked activity includes document changes, announcements, and enforcements by regulators. Average Daily Alerts = Total Alerts Year-on-Year / 261 Working Days 3

4 The hydra of inefficiency Organizations are burdened by manual ad hoc processes. This involves being overwhelmed with s and documents leading to, in varying degrees Excessive s, documents, and paper trails Poor visibility & reporting Files and documents out of sync Wasted resources and spending Overwhelming complexity No accountability 4

5 ... and we hope nothing fails Inability to gain clear view of compliance dependencies; High cost of consolidating compliance information; Difficulty maintaining accurate compliance information; Failure to trend across compliance assessment periods; Redundant approaches limit correlation, comparison and integration of compliance information; and Lack of agility to respond timely to changing risks, regulations, laws, and situations. 5

6 Current Situation in Financial Services The current situation: The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and ing parties of interest with little or no consistent follow-up, accountability, or business impact analysis. The organization is in a resource intensive confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation resulting in an inability to adequately predict the readiness of the organization to meet new requirements. Challenges to process and resources: Insufficient head count and subject matter expertise Frequency of change and number of information sources overwhelms Limited workflow and task management. Lack of an audit trail Limited reporting Wasted resources and spending Misaligned business and regulatory agility No accountability and structure There is no overall strategy to gather and share regulatory change information, and decide what to do about it. 6

7 Federated Compliance Management 7

8 Elements of a Regulatory Change Management Process Regulatory Taxonomy Regulatory Content Technolog y Enableme nt 8

9 Changes Funnel into Regulatory Change Process Monitor Change Determine Impact Review Policies 9

10 Gathering & Filtering Regulatory Change Alerts Understand fragmented approaches Determine synergies Critical Changes 10

11 360 Regulatory Contextual Intelligence Distributed & Disconnected IT GRC Data Points Integrated and mapped together to provide context Analyzed to understand relationships Action Items 11

12 Conduct Analysis and Manage Regulatory Change Process Regulatory Content Sourcing New Regulations Amended Regulations Regulatory Guidance News and Circulars Comment Letters Enforcement Actions Feedback Statements Integrated Regulatory Content Regulatory Change Management Auto-Assigned to pre-defined subject matter expert (SME) with full context of change Triage assessment and manual assignment for changes without context Impact Assessments Action Plan None or Limited Line of business impact Regulatory reporting change Product or process impact Policy and procedure revision required Control modification Training revisions Regulatory Change Management Process Assign tasks CLOSED Product Offering Review Regulatory Research Business Impact Executive Briefing Change Policies and Procedures Ongoing regulatory change management project tracking Yes Task completed? No Speeches 12

13 Route Regulatory Change to Subject Matter Experts 13

14 Conduct Business Impact Analysis of Regulatory Change 14

15 Determine Actions Needed in Context of Regulatory Change 15

16 Regulatory Change Management Metrics 16

17 Regulatory Change Management: Keys to Success 17

18 Power of Information Drives Effective Regulatory Change Management OBJECTIVES & GOALS ASSETS & RELATIONSHIPS RISK & ANALYSIS REGULATIONS & OBLIGATIONS CONTROLS & ASSESSMENT POLICIES & TRAINING INCIDENTS & ISSUES ROLES & RESPONSIBILITIES 18

19 GRC 20/20 s Regulatory Change Management Maturity Model Strategic Process, Information & Technology Architecture Alignment 5 AGILE Regulatory intelligence 1 AD HOC Unstructured approach. Constantly putting out fires. Often caught off guard. 2 FRAGMENTED Limited structure in regulatory change reponsibilities. Process is accomplished via and documents with limited accountability and oversight. 3 MANAGED Roles & responsibilities are defined with use of technology to manage workflow and tasks to provide accountability. Inconsistencies remain. There is no integration of technology and content. 4 INTEGRATED Regulatory intelligence architecture across the organization enables consistent management of regulatory change process with the integration of content feeds from regulatory intelligence knowlege providers. architecture that integrates feeds from regulatory knowlwedge providers that map to policies, risks, controls, etc. Enables full situational awareness of regulatory change in the context of business. Regulatory feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks. Issue to Departments to Enterprise Coordination and Integration 19

20 Measurements of a Healthy Regulatory Change Management Function 1 - Aware 2 - Aligned 3 - Responsive 4 - Agile 5 - Resilient 6 - Lean Have a finger on how regulatory change impacts business Watch for change in external regulatory environment & changes to internal business environment Turn data into information that can be, and is, analyzed Share regulatory change information in every relevant direction Support and inform business objectives in context of regulatory change Continuously align objectives and operations to regulatory risk of the entity Give strategic consideration to information from regulatory change and compliance enabling appropriate strategic decisions You can t react to something you don t sense Gain greater awareness and understanding of change that will impact decisions and actions Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions Be nimble, being fast isn t helpful if you are headed in the wrong direction. Regulatory change management enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use change to its advantage, adapt strategy, and be confident in its ability to stay on course. Be able to bounce back quickly from changes with limited business impact Have sufficient tolerances to allow for some missteps Have confidence necessary to rapidly adapt and respond to situations Build the muscle, trim the fat Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within regulatory change management processes Lean the organization overall with enhanced capability and related decisions about adapting to change 20

21 Questions? Michael Rasmussen, J.D. The GRC Pundit & OCEG Fellow GRC 20/20 Newsletter LinkedIn: GRC 20/20 LinkedIn: Michael Rasmussen Twitter: GRCPundit Blog: GRC Pundit Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at