Regulatory Change Management - MetricStream · 2018-11-21 · Regulatory Change Management Maturity...

Regulatory Change Management Maturity Model: From Ad Hoc to Agile November 2015 Michael Rasmussen, J.D., GRCP, CCEP The GRC Pundit @ GRC 20/20 Research, LLC OCEG Fellow @ www.OCEG.org


Regulatory Change Management

Maturity Model: From Ad Hoc to Agile

November 2015

Michael Rasmussen, J.D., GRCP, CCEP

The GRC Pundit @ GRC 20/20 Research, LLC

OCEG Fellow @ www.OCEG.org


© 2015, all rights reserved, www.GRC2020.com

Change is the Greatest Challenge in GRC


Regulatory Activity in Financial Services Tracked 2015-15

[Chart: Regulatory Activity Tracked 2014-15]

*Note: Tracked activity includes document changes, announcements, and enforcements by regulators.

Average Daily Alerts = Total Alerts Year-on-Year / 261 Working Days


Organizations are burdened by manual ad hoc processes. This involves being overwhelmed with emails and documents — leading to, in varying degrees…

Excessive emails, documents, and paper trails

Poor visibility & reporting

Files and documents out of sync

Wasted resources and spending

Overwhelming complexity

No accountability

The hydra of inefficiency


. . . and we hope nothing fails

Inability to gain clear view of compliance dependencies;

High cost of consolidating compliance information;

Difficulty maintaining accurate compliance information;

Failure to trend across compliance assessment periods;

Redundant approaches limit correlation, comparison and integration of compliance information; and

Lack of agility to respond timely to changing risks, regulations, laws, and situations.


Challenges to process and resources:

Insufficient head count and subject matter expertise

Frequency of change and number of information sources overwhelms

Limited workflow and task management.

Lack of an audit trail

Limited reporting

Wasted resources and spending

Misaligned business and regulatory agility

No accountability and structure

The current situation:

The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis.

The organization is in a resource intensive confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation resulting in an inability to adequately predict the readiness of the organization to meet new requirements.

There is no overall strategy to gather and share regulatory change information, and decide what to do about it.

Current Situation in Financial Services


Federated Compliance Management


Elements of a Regulatory Change Management Process

Regulatory Taxonomy

Regulatory Content

Technology Enablement


Changes Funnel into Regulatory Change Process

Monitor Change

Determine Impact

Review Policies


Gathering & Filtering Regulatory Change Alerts

1 - Understand fragmented approaches

2 - Determine synergies

3 - Critical Changes


360° Regulatory Contextual Intelligence

Integrated and mapped together to provide context

Analyzed to understand relationships

Action Items

Distributed & Disconnected IT GRC Data Points


Conduct Analysis and Manage Regulatory Change Process

[Flowchart: Regulatory Change Management Process. Labels recovered from the diagram follow.]

Regulatory Content Sourcing

None or Limited; News and Circulars; Comment Letters; Regulatory Guidance; Amended Regulations; New Regulations; Feedback Statements; Enforcement Actions; Speeches

Integrated Regulatory Content

Auto-Assigned to pre-defined subject matter expert (SME) with full context of change

Triage assessment and manual assignment for changes without context

Impact Assessments

Line of business impact; Regulatory reporting change; Product or process impact; Policy and procedure revision required; Control modification; Training revisions

Action Plan

Product Offering Review; Regulatory Research; Business Impact; Executive Briefing; Change Policies and Procedures; Assign tasks

Task completed? (No / Yes)

CLOSED

Ongoing regulatory change management project tracking

Regulatory Change Management


Route Regulatory Change to Subject Matter Experts


Conduct Business Impact Analysis of Regulatory Change


Determine Actions Needed in Context of Regulatory Change


Regulatory Change Management Metrics


Regulatory Change Management: Keys to Success


Power of Information Drives Effective Regulatory Change Management

REGULATIONS & OBLIGATIONS

RISK & ANALYSIS

OBJECTIVES & GOALS

INCIDENTS & ISSUES

ASSETS & RELATIONSHIPS

POLICIES & TRAINING

CONTROLS & ASSESSMENT

ROLES & RESPONSIBILITIES


GRC 20/20’s Regulatory Change Management Maturity Model

1 - AD HOC

Unstructured approach. Constantly putting out fires. Often caught off guard.

2 - FRAGMENTED

Limited structure in regulatory change responsibilities. Process is accomplished via email and documents with limited accountability and oversight.

3 - MANAGED

Roles & responsibilities are defined with use of technology to manage workflow and tasks to provide accountability. Inconsistencies remain. There is no integration of technology and content.

4 - INTEGRATED

Regulatory intelligence architecture across the organization enables consistent management of regulatory change process with the integration of content feeds from regulatory intelligence knowledge providers.

5 - AGILE

Regulatory intelligence architecture that integrates feeds from regulatory knowledge providers that map to policies, risks, controls, etc. Enables full situational awareness of regulatory change in the context of business. Regulatory feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks.

[Diagram axes: "Issue to Departments to Enterprise Coordination and Integration"; "Strategic Process, Information & Technology Architecture Alignment"]


Measurements of a Healthy Regulatory Change Management Function

1 - Aware

Have a finger on how regulatory change impacts business

Watch for change in external regulatory environment & changes to internal business environment

Turn data into information that can be, and is, analyzed

Share regulatory change information in every relevant direction

2 - Aligned

Support and inform business objectives in context of regulatory change

Continuously align objectives and operations to regulatory risk of the entity

Give strategic consideration to information from regulatory change and compliance enabling appropriate strategic decisions

3 - Responsive

You can’t react to something you don’t sense

Gain greater awareness and understanding of change that will impact decisions and actions

Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions

4 - Agile

Be nimble, being fast isn’t helpful if you are headed in the wrong direction.

Regulatory change management enables decisions and actions that are quick, coordinated and well thought out.

Agility allows an entity to use change to its advantage, adapt strategy, and be confident in its ability to stay on course.

5 - Resilient

Be able to bounce back quickly from changes with limited business impact

Have sufficient tolerances to allow for some missteps

Have confidence necessary to rapidly adapt and respond to situations

6 - Lean

Build the muscle, trim the fat

Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within regulatory change management processes

Lean the organization overall with enhanced capability and related decisions about adapting to change


Questions? Michael Rasmussen, J.D.

The GRC Pundit & OCEG Fellow


+1.888.365.4560

Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.

GRC 20/20 Newsletter

LinkedIn: GRC 20/20

Blog: GRC Pundit

Twitter: GRCPundit

LinkedIn: Michael Rasmussen