Understanding Regulatory Compliance and Risk: 5 Key Steps

Regulatory compliance requires traceability on external and internal factors, and a strong control framework to manage risk and change

How does your business manage the complexity of regulatory compliance and the changes it drives into your business? Do you understand how regulations affect your business systems and processes? How do you obtain traceability of your compliance investments, and how do they tie back to specific compliance exposure and issues?

Dealing with the shifting landscape of regulatory compliance can be extremely complex. Our platform, PRIMED, has been helping businesses get a handle on some of this complexity. Through this work we have identified 5 pragmatic steps a business can undertake to improve its controls and gain better traceability of its regulatory compliance and risk exposure. These steps can also (relatively) quickly allow executives, compliance officers and program directors to trace the drivers of regulatory compliance and change.

Step 1: Model External and Internal Regulations

There are many authorities that set regulations globally, regionally and locally, and it is challenging to understand how they all relate to one another. When these "external" authorities introduce or change regulations, the impact on the business can be significant. Further, companies have internal policies and standards they use for their own operations and compliance needs. We think of these as "internal" regulations.

If you are able to build up an inventory of these regulatory frameworks from both external and internal authorities, then you can also show how they relate to, contribute to and affect one another. Then, when any one of them changes, the impact on its dependents can be easily traced.

Step 2: Understand Business Systems, Processes and Suppliers

There will be core processes that are critical to the operation of a business and that are subject to regulatory compliance. Those processes will often act across or within systems and applications that need to conform to both external and internal regulations. For example, the EU's GDPR deals with many aspects of data privacy, so a business's processes and systems will be subject to that specific external regulation as well as to any related internal policies (such as its InfoSec policies). The same applies to suppliers who either perform outsourced services or provide key products into the business supply chain.

Therefore, a business needs to understand which of its key processes, systems and suppliers are candidates for regulatory assessment and compliance.

Step 3: Assess Compliance, Exposure and Risk

Once you know your external and internal regulations, and your key business processes, systems and suppliers, you can methodically conduct compliance assessments across all applicable regulations. Those assessments will produce key compliance and non-compliance metrics, highlight key risks and issues, and thus provide an overall view of regulatory exposure. This in turn supports quantifiable metrics and a systematic approach to ongoing compliance reviews.

Step 4: Manage Change

Regulatory change comes in two flavors. The first is where a business is not compliant with existing regulations and therefore needs to execute a remediation or change program on existing processes and systems. The second is where new regulations are introduced or existing regulations are changed, and therefore drive new requirements from a change perspective.

In either case, the business case for change needs to be tightly managed. That means that requirements need to be written, reviewed and approved. New programs or projects need to be stated as business cases: what are the outcomes, deliverables, risks, assumptions and costs, and how do they tie into strategic objectives and solve regulatory exposure issues? The same is true for finer-grained change requests on existing projects and work efforts.

Importantly, setting up capital budgets and deciding on investment priorities will be driven by knowing the strategic objectives and KPIs that the business measures itself against, and by knowing which regulatory non-compliance issues need to be addressed. Change control is therefore critical to managing these strategic initiatives.

Step 5: Realtime Traceability

Finally, as your regulatory change program and efforts take flight, their status, progress, risks, issues and realization of outcomes need to be tracked and tied back to their intended outcomes.

As a business lead, you may want to see all of your regulatory exposure, and what investments and deliverables are going to solve this exposure. Or, you may want to take a more project-centric view and see what regulatory issues each project is solving.

By taking these 5 steps, a business can start the process of gaining better governance and control over its regulatory compliance and risk exposure.