Regulatory Change Management - MetricStream

Transcription

Regulatory Change Management Maturity Model: From Ad Hoc to Agile
November 2015
Michael Rasmussen, J.D., GRCP, CCEP
The GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org

Change is the Greatest Challenge in GRC
2015, all rights reserved, www.GRC2020.com

Regulatory Activity Tracked
[Chart: Regulatory Activity in Financial Services 2014-15. Series shown: Average Daily Alerts; Total Alerts Year-on-Year / 261 Working Days. Note: Tracked activity includes document changes, announcements, and enforcements by regulators.]

The hydra of inefficiency
Organizations are burdened by manual ad hoc processes. This involves being overwhelmed with emails and documents, leading to, in varying degrees:
- Excessive emails, documents, and paper trails
- Poor visibility & reporting
- Files and documents out of sync
- Wasted resources and spending
- Overwhelming complexity
- No accountability

. . . and we hope nothing fails
- Inability to gain a clear view of compliance dependencies;
- High cost of consolidating compliance information;
- Difficulty maintaining accurate compliance information;
- Failure to trend across compliance assessment periods;
- Redundant approaches limit correlation, comparison and integration of compliance information; and
- Lack of agility to respond timely to changing risks, regulations, laws, and situations.

Current Situation in Financial Services
The current situation:
- The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis.
- The organization is in a resource intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation, resulting in an inability to adequately predict the readiness of the organization to meet new requirements.
- There is no overall strategy to gather and share regulatory change information, and decide what to do about it.
Challenges to process and resources:
- Insufficient head count and subject matter expertise
- Frequency of change and number of information sources overwhelms
- Limited workflow and task management
- Lack of an audit trail
- Limited reporting
- Wasted resources and spending
- Misaligned business and regulatory agility
- No accountability and structure

Federated Compliance Management

Elements of a Regulatory Change Management
[Diagram; the only label that survives extraction is "Enablement"]

Changes Funnel into Regulatory Change Process
[Diagram stages: Monitor Change; Determine Impact; Review Policies]

Gathering & Filtering Regulatory Change
[Diagram; the only label that survives extraction is "Critical Changes"]

360 Regulatory Contextual Intelligence
[Diagram labels: Distributed & Disconnected; IT GRC Data Points; Integrated and mapped together to provide context; Analyzed to understand relationships; Action Items]

Conduct Analysis and Manage Regulatory Change Process
[Process diagram, labels recovered in flow order]
Regulatory content sourcing (new integrated regulatory content): Regulations; News; Statements; Speeches; Regulatory Guidance; Amended Regulations.
Regulatory Change Management Process:
- Assignment: triage assessment and manual assignment for changes without context, versus auto-assigned to a pre-defined subject matter expert (SME) with full context of the change.
- Impact assessments: none or limited, versus line of business impact; regulatory reporting change; product or process impact; policy and procedure revision required; control modification; training revisions.
- Action plan: assign business impact; executive briefing; change policies and procedures; ongoing regulatory change management project tracking.
- Task completed? Yes / No.

Route Regulatory Change to Subject Matter Experts

Conduct Business Impact Analysis of Regulatory Change

Determine Actions Needed in Context of Regulatory Change

Regulatory Change Management Metrics

Regulatory Change Management: Keys to Success

Power of Information Drives Effective Regulatory Change Management
[Diagram of information domains: Objectives & Goals; Assets & Relationships; Risk & Analysis; Regulations & Obligations; Controls & Assessment; Policies & Training; Incidents & Issues; Roles & Responsibilities]

GRC 20/20's Regulatory Change Management Maturity Model
(Vertical axis: Strategic Process, Information & Technology Architecture Alignment. Horizontal axis: Issue to Departments to Enterprise Coordination and Integration.)
1 AD HOC: Unstructured approach. Constantly putting out fires. Often caught off guard.
2 FRAGMENTED: Limited structure in regulatory change responsibilities. Process is accomplished via email and documents with limited accountability and oversight.
3 MANAGED: Roles & responsibilities are defined with use of technology to manage workflow and tasks to provide accountability. Inconsistencies remain. There is no integration of technology and content.
4 INTEGRATED: Regulatory intelligence architecture across the organization enables consistent management of the regulatory change process with the integration of content feeds from regulatory intelligence knowledge providers.
5 AGILE: Regulatory intelligence architecture that integrates feeds from regulatory knowledge providers that map to policies, risks, controls, etc. Enables full situational awareness of regulatory change in the context of business. Regulatory feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks.

Measurements of a Healthy Regulatory Change Management Function
1 - Aware
- Have a finger on how regulatory change impacts business
- Watch for change in the external regulatory environment & changes to the internal business environment
- Turn data into information that can be, and is, analyzed
2 - Aligned
- Share regulatory change information in every relevant direction
- Support and inform business objectives in the context of regulatory change
- Continuously align objectives and operations to the regulatory risk of the entity
- Give strategic consideration to information from regulatory change and compliance, enabling appropriate strategic decisions
3 - Responsive
- You can't react to something you don't sense
- Gain greater awareness and understanding of change that will impact decisions and actions
- Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions
4 - Agile
- Be nimble; being fast isn't helpful if you are headed in the wrong direction.
- Regulatory change management enables decisions and actions that are quick, coordinated and well thought out.
- Agility allows an entity to use change to its advantage, adapt strategy, and be confident in its ability to stay on course.
5 - Resilient
- Be able to bounce back quickly from changes with limited business impact
- Have sufficient tolerances to allow for some missteps
- Have the confidence necessary to rapidly adapt and respond to situations
6 - Lean
- Build the muscle, trim the fat
- Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within regulatory change management processes
- Lean the organization overall with enhanced capability and related decisions about adapting to change

Questions?
Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
mkras@grc2020.com
1.888.365.4560
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
LinkedIn: Michael Rasmussen
Twitter: GRCPundit
Blog: GRC Pundit
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.