Regulatory Change Management (presentation), Slide 2: Speaker
Speaker: Ed Sattar
Ed Sattar is the CEO of 360factors. For more than a decade, Ed has made significant professional contributions to the regulatory compliance space across multiple industries. His experience includes extensive research and consulting for regulatory compliance consulting firms, training providers, and state and federal regulatory agencies. During his tenure in the regulatory compliance workflow automation and eTraining space, he has identified key criteria and compliance standards that are currently being published and implemented.
Ed Sattar has been nominated for the Ernst & Young Entrepreneur of the Year award three times and was among the top seven finalists in 2009. 360training.com, the parent company of 360factors, has appeared on the Deloitte Fast 50 as the 6th fastest growing company in Texas. It has also been listed in the Inc 5000 several times as one of the fastest growing companies.
Ed studied Electrical Engineering and Finance at the University of Texas at Austin.
Slide 4: Outline
Regulatory & Operational Risk Trends
Why Implement an Enterprise Risk and Regulatory Change Management System
Enterprise Risk and Compliance Management Methodology
How to Implement an Enterprise Risk and Compliance Management System
Can Automation and Software Increase Operational Excellence and Reduce Risk?
Slide 7
Source: Davis Polk Dodd-Frank Infographics
Regulatory change is significantly impacting organizations and their policies.
Slide 8
More Complexity, More Projects, and More Risks to Manage
Managing Your Operations Seamlessly While Reducing Risk
Slide 10: Four Reasons Why Implement Regulatory Change Management
1. Understanding Regulations: either over-complying or under-complying
2. Regulatory Applicability and Managing Regulatory Changes
3. Automating and Streamlining Day-to-Day Compliance, Event and Incident Management with Respect to Regulatory Change Management
4. Cost Efficiency by Automating Tracking and Monitoring of Non-Compliance Items such as Events, Incidents, Audits & Investigations
Slide 11: Four Reasons Why Implement Regulatory Change Management
Understanding Regulations
Regulatory Change Management
Regulatory Applicability
Day to Day Compliance Tasking
Event-Driven Compliance Tasking
Incident Management and Root Cause Analysis
Predictive Risk Analysis
Corrective and Preventive Actions
Policy and Procedure Management
Audit Management
Sustainability
Training Management
Multiple Tools to Address Regulatory Compliance
Other Industry Pain Points
Slide 13: Enterprise Risk and Compliance Management Model – Five Steps
1. WHY = Regulatory change management
2. WHAT = Risk and internal controls
3. HOW = Operational excellence and workflow
4. WHERE = Location / Assets
5. WHO = Defining & Mapping Roles / Key Management Functions to Metrics & P&L
Slide 14: REGULATORY CHANGE MANAGEMENT MODEL
[Diagram: the five components of the model, each paired with its question: Regulatory Change Management (WHY); Risks & Internal Controls (WHAT); Operational Excellence and Workflow (HOW); Location/Assets (WHERE); Organization – Roles and Key Management Functions (WHO).]
Slide 16: Step 1 – Requirements Knowledge Base & Taxonomy (WHY)
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Business Process; Risk and Internal Controls; Roles and Responsibilities; Locations and Assets.]
COMPONENTS OF REQUIREMENTS KNOWLEDGE BASE
1. Regulatory, standards, requirements and objectives library management
2. Translate regulatory requirements into action, evidence, subject, frequency
3. Monitor regulatory change
4. Regulations in effect to proposed
5. Mapping: regulatory requirements mapped to CAPA, policy procedures and evidence
6. Regulation applicability
Slide 17: Step 2 – Risk & Internal Controls (WHAT)
1. What is impacted?
Environmental Risk, Financial Risk, Legal Risk, Reputational Risk, Operational Risk
2. Define internal controls
Process, Procedures, Risk Assessments, Tasks, Training
3. Define risk levels
Details the impacting factors
Is based on a systematic process allowing the organization to prioritize more efficiently
Effectively assesses issues requiring immediate action
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Operational Excellence and Workflow; Risk and Internal Controls; Reporting – Roles and Key Management Functions; Location/Assets.]
Slide 18: Step 2 – Risk & Internal Controls
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Roles and Responsibility; Risk and Internal Controls; Reporting; Regulatory Compliance Software. A 2x2 matrix plots Small Workforce vs Large Workforce against Low Risk vs High Risk.]
Slide 19: Step 2 – Risk & Internal Controls (technology maturity model; a 2x2 matrix plots Small Workforce vs Large Workforce against Low Complexity vs High Complexity)
Weak Technology
• Documents & spreadsheets
• Email for workflow & tasks
• No audit trail or accountability
Moderate Technology
• Basic workflow & task management
• No regulatory content feeds
• Audit trail for accountability
Strong Technology
• Enterprise workflow
• Integrated and actionable regulatory content with policy management
• Closed loop process – everything integrated into one platform
• Indexing of regulations to other policies
Slide 20: Step 3 – Business Processes (HOW)
1. How
2. Compliance process around sites, assets, events
3. Process automation and cost
4. Manual vs automation
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Operational Excellence and Business Processes; Risk and Internal Controls; Reporting; Regulatory Compliance Software.]
Slide 21: Step 3 – Business Process (HOW)
PROCESSES THAT CAN BE AUTOMATED
Automate Corrective Action to Increase Speed, Eliminate Waste and Cut Costs
Automate Scheduling, Tasking and Tracking
Embed Transparency and Accountability
Automate Management of Change
PROCESSES THAT CAN'T BE AUTOMATED
Translation of Requirements
Subject Matter Expertise
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Business Process; Risk and Internal Controls; Reporting; Regulatory Compliance Software.]
Slide 22: Step 4 – Location & Assets (WHERE)
1. Where is compliance done?
2. Compliance is done at the site and asset level
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Business Process; Risk and Internal Controls; Roles & Responsibility; Location / Assets.]
Slide 23: Step 5 – Roles & Responsibility (WHO)
1. Is it important to define the roles and responsibilities before you create an EHS Regulatory Compliance Framework?
2. So what are the barriers to creating a Regulatory Compliance Framework?
3. Is there a specific role and responsibility structure, or can it vary between organizations and industries?
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Business Process; Risk and Internal Controls; Roles & Responsibility; Location / Assets.]
Slide 24: Step 5 – Roles & Responsibility
COMPONENTS OF ROLES AND RESPONSIBILITIES
1. Key Roles and Structure
2. Key Functions
3. Key Actions
4. Outcome / Results
[Diagram: model components – Requirements Knowledge Base & Taxonomy; Business Process; Risk and Internal Controls; Roles & Responsibility; Location / Assets.]
Slide 26: Automate Regulatory Compliance Through Software
1. Is technology perceived as a catalyst for growth and performance?
2. Are people or technology barriers to Regulatory Compliance Automation?
[Diagram: model components – Requirements (Regulations, Standards, Business Requirements); Business Process; Risks & Controls; Organization; Location/Assets.]
Slide 27: Automate Regulatory Compliance Through Software
BENEFITS OF AN INTEGRATED MANAGEMENT SYSTEM
Source: Global survey by KPMG
Welcome everyone. In an environment where the demise of major institutions, the impact of greenhouse gases (GHG), and environmental damage from events such as Macondo and utility blowouts, together with their effects on human lives, have led to stricter regulations in major industries and countries around the world, the phrase "Risk & Regulatory Change Management" has become all-important language in the world of EHS and utilities; it can make or break the organization, its officers, its people, its customers and the communities we live in.
The purpose of this presentation is to share with you how to build an enterprise risk and regulatory change management methodology, along with best practices and insightful experiences that can help you build out a successful enterprise risk and regulatory change management system, irrespective of the regulation types, standards and corporate objectives you may be subject to.
My name is Ed Sattar and I am with 360factors, an Enterprise Risk and Compliance Solutions company. I've spent the past 15 years in the regulatory compliance policy-making and workflow automation space, which essentially involves building regulatory intelligence models and change management methodology, and developing software to automate, scale and streamline compliance for corporations, agencies, consulting firms and regulators.
Managing and creating a balance between the three P's is not an easy task.
Human, environmental, safety and health protection remains the number one priority for all stakeholders in energy and utility companies; that is a given. As stakeholders representing these companies, you all understand the burden that comes with complex and stringent EHS regulations across the entire span of their effect. These regulations are not only stringent but also constantly revised and evolving, which we have to take into consideration.
Consider the recent major accidents: the Deepwater Horizon drilling rig in the Gulf of Mexico in 2010; the San Bruno gas pipeline explosion in California in 2010, for which PG&E was fined $1.4 B; the Pemex pipeline explosion in 2012; refinery fires and shutdowns like the ones at BP Cherry Point and at Amuay in Venezuela in 2012; and, in 2011, a $25 M fine on three utility companies for poor performance in their storm response, which left households without utilities. All of these are examples of local and international regulators trying to influence our balance between the three P's: Profit, your People/Staff, and Planet, meaning your customers.
So by the end of the presentation, I expect that you will walk away performing a mental assessment of your regulatory compliance maturity model and, hopefully, identifying those activities that you will stop, start and continue doing. This in turn will help you balance your three P's.
----------------------------------------------------------------------
CASE STUDY: The state Department of Environmental Protection has fined Cabot Oil & Gas $120,000 for a storage tank explosion and spill.
The incident occurred January 11 at the Reynolds well pad in Jessup Township, Susquehanna County. “This was a serious incident that injured an employee and resulted in a spill of approximately 2,835 gallons of production fluid from a 21,000-gallon storage tank,” DEP Director of District Oil and Gas Operations John Ryder said in a statement. “Some of this fluid escaped containment and impacted soil off the well pad.” The DEP cited the company for violations of the Oil and Gas Act and regulations, Solid Waste Management Act, and Clean Streams Law. Cabot has since remediated the spill.
“Fortunately, the injured contractor returned to work shortly after this incident,” said Cabot spokesman George Stark in an email. “We undertook a detailed investigation. We have implemented additional safeguards into our design and construction practices across our operations, and we continue to work toward our goal of zero incidents.” The company ranks fifth among operators in overall wells drilled, but it’s second in the state in DEP violations.
This is the step-by-step process by which I will address my discussion.
Here we will discuss the leading effects of regulatory change, which is at the forefront of regulatory reform.
Let's look at how the regulatory landscape is changing.
The Heritage Foundation has found that a massive number of regulations have been added since 2009, and that the regulatory burden on American business increased by nearly $70 billion during President Obama's first term in office.
What this data communicates is that the pace of rulemaking, and the number of pages written, has increased consistently over the last three years.
One word of law has resulted in 42 words of rules and rulemaking.
For example, in the United States we are only at 39% completion in implementing the Dodd-Frank Act, and Dodd-Frank does not just impact financial services; it impacts every organization.
For instance, new offshore drilling safety requirements have been increasing, and new US Pipeline Safety Act regulations are being introduced for pipeline integrity. Reinforcement of greenhouse gas (GHG) emission caps is also impacting organizations and refineries. These are all examples of evolving regulations, and they impact us as organizations.
Operational Complexity
As regulations and standards increase and your company continues to grow, your organization becomes more complex. Risk management specific to managing changes around regulation and compliance can become costly and cumbersome.
So you not only have to worry about risks and costs related to asset damage, business interruption, pollution, injuries to people, damage to property and cost overruns on large projects; on top of all this, there are the additional risks and costs of non-compliance in today's industry. If you merge the complexity of operational risk and regulatory risk, the exposure can be high and costly. So the question becomes: how can we mitigate these risks and keep the cost down?
If the goal is to produce as efficiently and cost-effectively as possible while minimizing your operational and regulatory risk, the only strategy for achieving this is an "integrated operations" management system that optimizes efficiency and productivity and reduces economic, environmental, health and safety risks. Let me correct myself: I would insert the word "automated" in front of "integrated operations management system".
1. The first pain point is that most organizations don't know if they are over-complying or under-complying. In either case it is expensive: whether you are over- or under-complying, it can be highly costly in terms of safety, product, brand and reputation. The impact and probability of the risks that regulations represent depend on how well you understand the three I's (the intent of the law, how well you interpret the law, and how you implement the law) and on how well regulatory change management is institutionalized within your firm.
It is therefore critical that a firm implement a regulatory change management system to effectively manage and monitor the compliance process, so that these activities are institutionalized in a way that makes compliance part of the "culture".
2. The second step towards compliance is to get a clear understanding of which regulations are applicable to the organization and its various business units and sites. Inability to determine which rules apply or don't apply may result in under- or over-complying. Again, in both cases it can drive unnecessary costs.
3. Firms have no structured approach to managing regulatory change and are often caught "working in compliance" vs. "working on compliance". Working in compliance involves being caught off guard, being reactive and putting out fires. Working on compliance involves doing proper analysis, being proactive and putting a regulatory change management structure in place.
4. Hence, automating and streamlining compliance with respect to regulatory change management will give you quality key performance indicators, so that you can react quickly to issues and even predict them.
------------------------------------------------------------------------------------------------
If there are no tight systems or methodology around the first three steps, the risks that stem from non-compliance with key regulatory requirements can be very costly and damaging to a firm and to the custodians of governance within the firm. We all know that the consequences of non-compliance range from penalties and fines to imprisonment, withdrawal of licenses, lawsuits and reputational risk, which individually or collectively may have a fundamental impact on the firm's sustainability as a going concern. That cost is substantially more than putting in a system that automates your tracking and monitoring of non-compliance: day-to-day compliance tasks, events, incidents and investigations.
Example: the Halliburton fine in PA, about $1 million; a system would be a fraction of that cost.
The items in gray are things you have been addressing in some fashion, either through manual or automated processes; the items on the right are now hot topics as a result of the regulatory environment becoming more stringent, or because you are growing as a company. A major concern of executives is how all of the above pain points, across various functional departments, can be handled through a single management system, reducing cost and increasing efficiency.
The regulatory change management model is comprised of five simple components.
Here is an illustration of the Risk and Regulatory Change Management Model.
Once you have your model down, let's talk about how you convert the model into a management system.
1. It is necessary to be adequately prepared by creating a regulatory knowledge base and developing a regulatory taxonomy mapped to your organization's enterprise risk framework. Components of the requirements knowledge base should include:
i) A regulatory library, which should enable a firm to maintain regulations and standards along with their translations
ii) Mapping of reference documents, notes, templates of various kinds and checklists at the standard and requirement level
iii) A search engine that allows compliance professionals to search for standards and requirements
2. Translate Regulatory Requirements into Practices. This links the three I's I talked about earlier and the comment about over-complying and under-complying. It makes the translation of regulations or standards a very critical factor in the compliance change management process.
3. Monitor Regulatory Change. This is about conducting a business impact analysis to understand the impact of regulatory change on your business, by implementing a workflow within a regulatory change management system that enables you to send alerts to specific work groups when regulations change.
4. Regulations in Effect to Proposed. This means having a system in place that enables you to track regulations that are approved but not yet in effect, and also to do side-by-side comparison or redlining between the old and new regulations.
5. Mapping of the Regulations. A sophisticated RCM system would allow you to map regulatory requirements to CAPA, policy procedures and evidence; this way you know which regulations are triggering most of your actions and which policies or procedures to update when a regulation changes.
6. Regulation Applicability. Compliance is usually done at the site or asset level, so it is important to get a clear understanding of which regulations are applicable to the organization and its various business units, sites and assets.
1. Risk and Controls. In order for an organization to manage its risk and regulatory compliance, it should define its internal controls and risks. Risk analysis tells us what is impacted and, being based on a systematic process, allows us to prioritize and therefore tells us what to address first.
2. Define Internal Controls. There are various internal control models. Internal controls are the activities put in place to help achieve objectives or specific regulatory requirements; they may include various processes, policies, procedures, risk assessments, communication processes, training, etc. You can define a very specific set of environmental, health and safety corrective and preventive actions as your internal controls.
3. Risk Analysis. You can make a simple risk analysis at your enterprise by asking three simple questions:
i) What can go wrong?
ii) What can we do to prevent it?
iii) What can we do to reduce the consequences if something does go wrong?
Q2. Ed's Response: The business processes are at the core of the organization and of the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which governance, risk management and compliance management are put into practice to drive enterprise assurance.
With low risk and a small workforce, health and safety activities, internal controls and risks are simple and straightforward.
With high risk, e.g. if you have employees in multiple countries under multiple regulations, your EHS activities to avoid or mitigate hazards are going to be more extensive. When the organization is complex and risk is high, consultants and the organization should consider software automation to reduce complexity.
So risk levels for various hazards, and the internal controls, should be defined based on what environmental, health and safety managers are concerned with, given the industry and the complexity of your organization.
Here is a simple Risk and Regulatory Compliance maturity model. As you grow and become more complex, you need to move from weak to strong technology to improve decision making across the entire enterprise.
Once the organization has identified its EHS internal controls and ranked its risks or hazards from high to low, management would be required to further develop and streamline compliance routines, processes and procedures into a coherent system.
This system should allow you to pull reports so that you are able to understand the impact of regulatory change and make informed and timely decisions. These days when regulators do their audit they are not necessarily only interested in knowing whether you achieved compliance, but in knowing "the how": the compliance process around personnel, product, equipment, policies, procedures, materials, assets, sites, events and operating conditions, etc.
What processes can be automated, and what processes will continue to be manual?
Ed's Response 1: The short answer is that automation is highly cost effective. KPMG research recently found that most regulatory compliance is done in silos: various functional departments manage compliance through multiple tools (some external and some internal); in some cases most of these tools don't talk to each other, and each department then has additional head count to manage compliance. If regulatory compliance across all divisions is automated through one platform, not only will it be cost effective, it will really increase the performance of the company by enabling better and timelier decisions compared to its competitors.
Ed's Response 2: Vertical integration of all the regulatory departments through one platform should lead to better reporting up the hierarchy and hence a more complete view of the critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis.
Gathering of the regulations is still going to be a manual process, and translation of the regulations and standards is still going to be a manual process.
Skip
While you are creating an EPA, OSHA, NERC or FERC regulatory compliance workflow and defining processes, it is critical to define it at the site, asset and people level, to get a clear understanding of which regulations are applicable to the organization and its various business units, sites, people and assets, since compliance is done at the site, people and asset level. A management system should enable you to do that.
For example, when hazard analyses or contamination assessments are done, they are typically done at the site level and even on specific assets; some assets even have permits and compliance activities that have to be tracked when those assets are moved or removed.
------------------------------------
Another example is offshore drilling, where contractors and subcontractors are constantly moving from one platform to another and from one company to another; tracking those people can be a daunting task, and this is where automation can create some efficiency.
1. For good, safe work practices, creating an EHS regulatory compliance governance structure is critical. It involves clarifying roles, responsibilities, resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring and reporting. Basically, this last and fifth step ties into all four of the steps we talked about.
-----------------------------
2. Commitment from the top, and people's resistance to change.
Q3. It can vary from industry to industry and even from company to company. However, in some countries, like the UK, regulators require certain functions to be performed at a specific level of management. For example, internal controls should be set by the organization's management team. Nonetheless, persons with responsibility must have the knowledge and authority to take action when circumstances require.
There is no single recipe for how to structure your organization, but there are some best practices for defining who is responsible and accountable for key roles and functions.
Key Roles and Structure: for example, the board, owners, executive team, management, EHS managers, safety coordinators, field management/operators, auditors
Key Functions: EHS, OSHA, regulatory, legal, compliance, audit, risk, NERC, FERC
Key Actions: compliance, reliability, quality and sustainability, health and safety, training
Outcome / Results and KPIs
For something with two simple objectives, (1) preventing accidents and incidents and (2) preventing the release of harmful substances into the environment, it can get pretty complex if the organization has lots of employees, multiple sites, multiple countries and multiple regulations; the more you stack on, the more complex it gets.
Putting these internal controls in place and managing risks through a manual process can be cumbersome and daunting. Complex organizations should leverage technology to streamline their compliance business process management, improve quality, efficiency and productivity, and make proactive, timely decisions.
Once perceived as high-cost, software solutions these days cost less than half a head count and a fraction of the fines that can be imposed by regulators such as the EPA, OSHA, NERC and FERC.
------------------------------------------------
In conclusion, I would also like to share a quote from Dr. Westerman of MIT's Sloan School of Management: "If something is more complex, it is just more risky. But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility."
Optional information to share
Once predominantly seen as an expense, technology is now viewed by more business leaders as a worthwhile investment and a source of strategic advantage. Additionally, the advent of cloud-based technology offers more affordable alternatives for mid-market companies as they work to drive growth in their organizations. Further, it is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.
Ed's Response: People, not technology, present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program, so, perhaps unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent) and a lack of available experts (36 percent). Fewer than one in ten mentioned inadequate technology as a hurdle to overcome.
In a survey done by KPMG in 2010, 64 percent of respondents said a vertically integrated GRC platform was a priority for their organization, and in this survey "the ability to identify and manage risks more quickly is singled out by 59 percent of respondents" as one of the key benefits of an integrated platform. 39 percent believe it can improve corporate performance, and only 26 percent feel it will help reduce the costs of duplication.
It is more critical for regulatory compliance management across all departments to be integrated through one platform, to see the whole picture with respect to risk. More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their EHS governance, risk and compliance.
-----------------------------------------------------------------------
I believe vertically integrating your regulatory compliance management will bring rewards and drive enterprise excellence. When you get in there and start implementing controls in various areas, you may realize you've got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings, and you may have partially paid for the integrated platform by identifying new business process efficiencies.
Skip
360factors has built a unique, incomparable solution based on experience working with energy companies and specialist systems integrators on a diverse set of projects globally. As a seamless cloud application enabling collaboration between operations, service companies, suppliers and regulators, this is your solution for critical success.
Consider infrastructure protection for assets, coupled with the intractable challenge facing the energy industry across all factors, from engineering, design and construction to maintenance and operations of large and complex capital projects. Compliance, managing regulatory changes and their associated workflows, and asset-connected documentation can be the bridge between brand protection and an unexpected failure. The general approach to EHS management under the international standards ISO 14001 and OHSAS 18001 is based on the "Plan-Do-Check-Act" (PDCA) methodology made popular by W. Edwards Deming. Predict360 is a platform built on the ISO 14001 and OHSAS 18001 framework.
So if you achieve an increase in operational excellence, sustainability and margins, and balance between the three P's, that means your people (the board of directors) are protected and happy; you provided your people the right tools to achieve success and increased employee retention and satisfaction; you increased your profit margins; and subsequently you were able to protect your consumers, who make up the planet. So a lot of happy people, and the feeling at all levels could be something like this:
Video Link: https://www.youtube.com/watch?v=y6Sxv-sUYtM