Regulatory Change Management
Maturity Model: From Ad Hoc to Agile
November 2015
Michael Rasmussen, J.D., GRCP, CCEP
The GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org
2 © 2015, all rights reserved, www.GRC2020.com
Change is the Greatest Challenge in GRC
Regulatory Activity in Financial Services Tracked 2014-15
*Note: Tracked activity includes document changes, announcements, and enforcements by regulators.
Average Daily Alerts = Total Alerts Year-on-Year / 261 Working Days
The hydra of inefficiency
Organizations are burdened by manual ad hoc processes. This involves being overwhelmed with emails and documents, leading, in varying degrees, to:
Excessive emails, documents, and paper trails
Poor visibility & reporting
Files and documents out of sync
Wasted resources and spending
Overwhelming complexity
No accountability
. . . and we hope nothing fails
Inability to gain clear view of compliance dependencies;
High cost of consolidating compliance information;
Difficulty maintaining accurate compliance information;
Failure to trend across compliance assessment periods;
Redundant approaches limit correlation, comparison and integration of compliance information; and
Lack of agility to respond timely to changing risks, regulations, laws, and situations.
Current Situation in Financial Services
Challenges to process and resources:
Insufficient head count and subject matter expertise
Frequency of change and number of information sources overwhelms
Limited workflow and task management
Lack of an audit trail
Limited reporting
Wasted resources and spending
Misaligned business and regulatory agility
No accountability and structure
The current situation:
The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis.
The organization is in a resource-intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation, resulting in an inability to adequately predict the readiness of the organization to meet new requirements.
There is no overall strategy to gather and share regulatory change information and decide what to do about it.
Federated Compliance Management
Elements of a Regulatory Change Management Process
Regulatory Taxonomy
Regulatory Content
Technology Enablement
Changes Funnel into Regulatory Change Process
Monitor Change
Determine Impact
Review Policies
Gathering & Filtering Regulatory Change Alerts
1. Understand fragmented approaches
2. Determine synergies
3. Critical changes
360° Regulatory Contextual Intelligence
[Diagram] Distributed & Disconnected IT GRC Data Points -> Integrated and mapped together to provide context -> Analyzed to understand relationships -> Action Items
Conduct Analysis and Manage Regulatory Change Process
[Diagram: Regulatory Change Management Process, reconstructed from the slide's flowchart]
Regulatory content sources: News and Circulars; Comment Letters; Regulatory Guidance; Amended Regulations; New Regulations; Feedback Statements; Enforcement Actions; Speeches
Regulatory Content Sourcing, none or limited: triage assessment and manual assignment for changes without context
Regulatory Content Sourcing, integrated regulatory content: auto-assigned to pre-defined subject matter expert (SME) with full context of change
Impact Assessments: Line of business impact; Regulatory reporting change; Product or process impact; Policy and procedure revision required; Control modification; Training revisions
Action Plan: Product Offering Review; Regulatory Research; Business Impact; Executive Briefing; Change Policies and Procedures; Assign tasks
Task completed? Yes: CLOSED. No: Ongoing regulatory change management project tracking
Route Regulatory Change to Subject Matter Experts
Conduct Business Impact Analysis of Regulatory Change
Determine Actions Needed in Context of Regulatory Change
Regulatory Change Management Metrics
Regulatory Change Management: Keys to Success
Power of Information Drives Effective Regulatory Change Management
REGULATIONS & OBLIGATIONS
RISK & ANALYSIS
OBJECTIVES & GOALS
INCIDENTS & ISSUES
ASSETS & RELATIONSHIPS
POLICIES & TRAINING
CONTROLS & ASSESSMENT
ROLES & RESPONSIBILITIES
GRC 20/20’s Regulatory Change Management Maturity Model
1 - AD HOC: Unstructured approach. Constantly putting out fires. Often caught off guard.
2 - FRAGMENTED: Limited structure in regulatory change responsibilities. Process is accomplished via email and documents with limited accountability and oversight.
3 - MANAGED: Roles & responsibilities are defined with use of technology to manage workflow and tasks to provide accountability. Inconsistencies remain. There is no integration of technology and content.
4 - INTEGRATED: Regulatory intelligence architecture across the organization enables consistent management of the regulatory change process with the integration of content feeds from regulatory intelligence knowledge providers.
5 - AGILE: Regulatory intelligence architecture that integrates feeds from regulatory knowledge providers that map to policies, risks, controls, etc. Enables full situational awareness of regulatory change in the context of business. Regulatory feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks.
Horizontal axis: Issue to Departments to Enterprise Coordination and Integration
Vertical axis: Strategic Process, Information & Technology Architecture Alignment
Measurements of a Healthy Regulatory Change Management Function
1 - Aware
Have a finger on how regulatory change impacts business
Watch for change in external regulatory environment & changes to internal business environment
Turn data into information that can be, and is, analyzed
Share regulatory change information in every relevant direction
2 - Aligned
Support and inform business objectives in context of regulatory change
Continuously align objectives and operations to regulatory risk of the entity
Give strategic consideration to information from regulatory change and compliance, enabling appropriate strategic decisions
3 - Responsive
You can’t react to something you don’t sense
Gain greater awareness and understanding of change that will impact decisions and actions
Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions
4 - Agile
Be nimble; being fast isn’t helpful if you are headed in the wrong direction.
Regulatory change management enables decisions and actions that are quick, coordinated and well thought out.
Agility allows an entity to use change to its advantage, adapt strategy, and be confident in its ability to stay on course.
5 - Resilient
Be able to bounce back quickly from changes with limited business impact
Have sufficient tolerances to allow for some missteps
Have confidence necessary to rapidly adapt and respond to situations
6 - Lean
Build the muscle, trim the fat
Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within regulatory change management processes
Lean the organization overall with enhanced capability and related decisions about adapting to change
Questions?
Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
+1.888.365.4560
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy
slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
Blog: GRC Pundit
Twitter: GRCPundit
LinkedIn: Michael Rasmussen