Regulatory Change Management
•Download as PPTX, PDF•
4 likes•3,055 views
Regulatory Change Management Webinar with GRC 20/20
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (18)
Similar to Regulatory Change Management
Similar to Regulatory Change Management (20)
More from 360factors
More from 360factors (20)
Recently uploaded
Recently uploaded (17)
Regulatory Change Management
- 1. by 360factors and GRC 20/20 Regulatory Change Management Page 1
- 2. Regulatory Change Management Page 2 Panelists Ed Sattar- Moderator CEO- 360factors Regulatory Change Management Thought Leader Michael Rasmussen -Moderator Chief GRC Pundit & Principal Analyst Christopher Duden-Panelist COO-360factors Dwyayne Jorgenson – Panelist CIA, CFE - Governance/Risk/Controls/Audit Expert
- 3. Rising Regulations and Cost Regulatory Change Management Page 3
- 4. Regulatory Change Impacting Policies Source: Thomson Reuters Regulatory Change Management Page 4
- 5. Regulatory change is significantly impacting organizations and their policies Source: Davis, Polk Dodd-Frank Infographics Regulatory Change Management Page 5
- 6. Four Reasons to Implement Regulatory Change Management 1. Over or Under complying is expensive 2. Organizations need to be able to react to risk and Regulatory Change Management Page 6 business change 3. Regulators are tired of paper-based compliance programs 4. Regulatory change management needs to be defensible
- 7. Regulatory Change Management Methodology Regulatory Change Management Page 7 Business Process Requirements Regulations Standards Business Requirements Risks & Controls Organization Location/ Assets HOW WHY WHAT WHO WHERE
- 8. Five Steps to Manage Regulatory Compliance 1. Regulatory knowledge base and taxonomy 2. Risk and internal controls 3. Business process -> Regulatory workflow 4. Location / Assets 5. Roles and responsibilities of key management functions Regulatory Change Management Page 8
- 9. Step 1- Requirements Knowledge Base & Taxonomy Business Process Requirements Knowledge Based & Taxonomy Risk and Internal Controls Roles and Responsibilities COMPONENTS OF A REQUIREMENTS KNOWLEDGE BASE Locations and Assets Regulatory Change Management Page 9 1. Regulations, standards, requirements and objectives library management 2. Parse the actions from requirements: who, what, when, where, and frequency. 3. Monitor regulatory change 4. Effective vs. Proposed. 5. Mapping- regulatory requirements to CAPA, policy procedures, evidence, checklists, and day-to-day compliance tasks 6. Applicability
- 10. Step 1 a- Effective and Mature Regulatory Intelligence Delivers: Regulatory Change Management Page 10 Regulatory Intelligence Maturity Delivers . . . Holistic awareness of changing regulatory risk Alignment of culture and policy Risk-intelligent decision-making Accountability of regulotry change risk Multidimensional regulatorion analysis and planning Visibility of risk as it relates to performance and strategy
- 11. Step 1 b- GRC 20/20’s Regulatory Intelligence Maturity Model Steps to Increase Maturity 1 • Define a regulatory taxonomy 2 • Establish subject matter experts 3 • Map policies and other content to regulations 4 • Integrate content feeds from knowledge providers 5 • Provide accountability through workflow and task management Regulatory Change Management Page 11
- 12. Step 2- Risk & Internal Controls Roles and Responsibility Regulatory Change Management Page 12 1. What is impacted? 2. Define internal controls 3. Define risk levels Requirements Knowledge Based & Taxonomy Risk and Internal Controls Reporting Regulatory Compliance Software
- 13. Step 2 a- Risk & Internal Controls Roles and Responsibility Requirements Knowledge Based & Taxonomy Risk and Internal Controls Reporting Regulatory Compliance Software Regulatory Change Management Page 13 What is management’s responsibility with regards to internal controls and reporting? What is audit’s responsibility with regards to internal controls and reporting? What is the board’s responsibility with regards to internal controls and reporting?
- 14. Step 2 b - Risk & Internal Controls Regulatory Change Management Page 14 Weak Technology • Documents& spreadsheets • Email for workflow & tasks • No audit trail or accountability Moderate Technology • Basic workflow & task management • No regulatory content feeds • Audit trail for accountability Strong Technology • Enterprise workflow • Integrated and actionable regulatory content with policy management • Closed loop process – everything integrated into one platform • Indexing of regulations to other policies Small Workforce Large Workforce Low Risk High Risk
- 15. Step 3- Business Process Business Process Regulatory Change Management Page 15 1. Business Process Impact, compliance process around sites, assets, events , timely decisions 3. Process automation and cost 4. Manual vs automation Requirements Knowledge Based & Taxonomy Risk and Internal Controls Reporting Regulatory Compliance Software
- 16. Step 3 a- Business Process Business Process Regulatory Change Management Page 16 PROCESSESS THAT CAN BE AUTOMATED Automate corrective action to increase speed, eliminate waste and cut costs Automate scheduling, tasking and tracking Embed transparency and accountability Automate management of change PROCESSESS THAT CANNOT BE AUTOMATED Determining Applicability Subject matter expertise Requirements Knowledge Based & Taxonomy Risk and Internal Controls Reporting Regulatory Compliance Software
- 17. Step 4. Location & Assets Business Process Regulatory Change Management Page 17 1. Where is compliance being done? 2.Compliance done at the site and asset level Requirements Knowledge Based & Taxonomy Risk and Internal Controls Roles & Responsibility Location / Assets
- 18. Step 5. Roles & Responsibility Business Process Regulatory Change Management Page 18 1. Why is it important to define the roles and responsibilities before you create an Regulatory Compliance Framework? 2. What are the barriers to creating a Regulatory Compliance Framework? 3. Is there a specific role and responsibility structure or can it vary from organization and industries? Requirements Knowledge Based & Taxonomy Risk and Internal Controls Roles & Responsibility Location / Assets
- 19. Step 5 a- Roles & Responsibility Business Process Regulatory Change Management Page 19 COMPONENTS OF ROLES AND RESPONSIBILITES 1. What are key roles and structure? 2. What are the key functions? 3. What are the key actions? 4. Outcome / Results Requirements Knowledge Based & Taxonomy Risk and Internal Controls Roles & Responsibility Location / Assets
- 20. Automate Regulatory Compliance Through Software BENEFITS OF AN INTEGRATED MANAGEMENT SYSTEM Regulatory Change Management Page 20 Source: Global survey by KPMG, Inc
- 21. Regulatory Change Management Page 21
Editor's Notes
- Welcome every body, My name is Ed Sattar and I am with 360factors, which is Regulatory Change Management Solutions company. I’ve spent the past 15 years in the Regulatory Compliance policy making and workflow automation space, which essentially involved in building regulatory intelligence models, change management methodology and developing Software to scale and stream line compliance for corporations, agencies, consulting firms and regulators Welcome to regulatory change management webinar- In an environment where we experience the demise of major institutions, impact on the environment and lives of human beings and as we experience business landscape change led to stricter regulations in many countries and across major industries, the word “Regulatory Change Management” has taken on much greater meaning in the world of corporate america. An organization’s ability to manage RCM can make or break an organization, its officers and the communities we live in. The purpose of this webinar is to share with you a regulatory change management methodology, best practices, and insightful experiences of our moderator panelists that can help you build out a successful regulatory change management system solution irrespective of the regulation type, standards and corporate objectives. We expect that you will walk away performing some mental assessment of your regulatory compliance maturity model and hopefully identifying those activities that you will stop, start and continue doing.
- Each panelist introduces themselves
- Lets look at how the regulatory landscape is changing …… The heritage Foundation has researched that massive amount of regulations have been added since 2009, and that regulatory burdens on American business has increased by nearly $70 billion during just during President Obama’s first term in office. Ask a question to panelists about industry trends and regulations and their impact (Optional for moderator depending on panelist comments) With over hundreds and thousands of regulations around the world that are constantly being modified and updated, it is very critical to understand what’s applicable to each organization. That will vary from the type of industry and the nature of the organization and its business imperatives.
- There are a lot of change happening with in FS 50% of them are in the US We have doubled the regulatory changes in the last 5 years North America counts for half the change One Brazlian bank had a 18 month project to document of 81K requirements ( not regulations) FCAP fined Siemens $800 MIL in the FCPA history Bribery & Corruption is another
- We are only 39% completion in implementing dodd frank act Dodd Frank does not just impact financial services….ti impacts every organization
- Step 1 - 1. Most of the time organizations don’t know if they are over complying or under complying …..in either, case it is expensive, it can be costly in terms of safety, product, brand, and reputation. The impact of the risks and the probability of them occurring identified in the governing regulations depends on how well you understand the four I’s – the Intent of the law, how well you Interpret the law, how you Implement the law, and how well regulatory change management is Institutionalized within your organization. It is therefore critical that a firm implements a regulatory change management system to effectively manage and monitor the compliance process to ensure that these are institutionalized in a way that compliance becomes part of the “culture”. 2. (Optional for moderator)The second step towards compliance is to get a clear understanding of which regulations are applicable to the organization and their various business units and sites, In ability to determine which rules apply or don’t apply. The inability to do this accurately will more than likely result in under or over complying. Again, in both cases, this drives unnecessary costs. 3. (Optional for moderator) Firms have no structured approach to managing regulatory change and are often caught “Working IN Compliance” VS “Working ON Compliance” . Working in compliance involves being caught off guard, being reactive and putting out fires. Working on compliance involves performing proper analysis in advance, being proactive and putting a regulatory change management structure in place. Hence, automating and streamlining Regulatory Change Management will give you quality key performance indicators so that you can react quickly to issues and even predict issues. 4- (Optional) If there aren’t tighter systems or a methodology around the First Three Steps, your risks that may stem from non-compliance with key regulatory requirements; this can be very costly and damaging to a organization and the custodians of governance within the organization. We all know that consequences of non-compliance range from penalties and fines, to imprisonment, withdrawal of licenses, lawsuits and reputational risk which may individually and or collectively have a fundamental impact on the organization’s sustainability as a going concern- That cost is substantially more than putting in a system that automates your tracking and monitoring of compliance, day to day compliance tasks, events, incidents and investigations. (Optional example) Step 2- add few industry specific examples and trends that tie to the above Example- Halliburton fine in PA ..fined about a $ 1 MIL and a system would be a fraction of the cost. ------------------------ Optional: Firms are challenged with constant addition and modification of hundreds and thousands of regulations with multijurisdictional requirements, and increased pressure to deliver uncompromising compliance with reduced budgets and significant resource constraints
- Here is a regulatory change management methodology made simple Ed will speak on this slide
- Regulatory change management model is comprised of five components (Optional) Compliance programs should include the uncertainties surrounding regulatory requirements that affect significant capital projects and investments. By addressing the uncertainties, the compliance program is better aligned with the company's strategic initiatives, rather than treated as a policy vehicle.
- 1. It is necessary to be adequately prepared by creating a regulatory knowledge base and develop a regulatory taxonomy mapped to your organization’s enterprise risk framework. Components of Requirements knowledge base should include: Panelists to answer/moderator answers optional 1 Requirements library – Q. What is a regulatory library? Panelists can speak on this. A Regulatory library should enable an organization to maintain regulations and standards. Ideally this library will have the second and third party actions (the tasks that those entities must perform to be compliant) highlighted or parsed out. Map reference documents, notes, templates of various kinds, checklists, audits at the standard at a minimum at the requirement level; ideally at the action level (see point #2) Search engine that allows compliance professionals to search for standards and requirements Map requirements to day-to-day compliance activities 2. Putting requirements into practice– Q. Why is it important to extract second and third party actions from the regulatory requirements? A. This links to the four I’s I talked about earlier and the comment I made about over complying and under complying. Knowing exactly what you need to do in the vast sea of regulations is key, and this makes the parsing of those second and third party actions from the regulations or standards a critical factor in enabling the compliance change management process. 3. Monitor Regulatory Change- Q. How can you automate regulatory change? A. is about conducting a business impact analysis to understand regulatory change impact on your business by implementing a workflow within a regulatory change management system that enables you to send alerts to specific works groups when the regulations change and having a workflow in place that identifies and streamlines the touching\updating of all of the artifacts linked to the changed requirements (think tasks, policies & procedures, mock audits, checklists, inspections etc.) 4. Regulations: Effective vs. Proposed A RKB should handle both effective and proposed requirements changes. Q. How do organizations handle this today? A. It is all over the board. Some people watch federal and state registers and the equivalents internationally. Others rely on third party services to send them alerts about changed or proposed regulatory changes. 5. Mapping of the work and artifacts back to the actions & the requirements they are derived from- Q. What are the benefits of Mapping and what is involved? A sophisticated RCM allows you to map Regulatory requirements to CAPA , Policy Procedures, Evidence, checklists, audits, day-to-day compliance tasks, event driven tasks, etc. this way you know which regulations are triggering most of your actions and those need to be “touched” or updated with when a regulations\standards\requirements change. 6. Regulation\Standard Applicability – Q. Would anyone like to talk about challenges around applicability? A. In most industries, compliance activity is performed at the site or asset level so it important to get a clear understanding of which regulations are applicable to the organization and their various business units, sites and assets. A good RKB will provide tools and workflow for identifying applicable requiements and then managing their lifecycle. Parsing of second and third party requirements plays a key part here from a sheer workload perspective.
- have proper accountability
- Moderator: Risk and Controls – In order for the organization to manage their risk and regulatory compliance, they should define their Internal Controls and Risks. Risk Analysis tells what is impacted and based on a systematic process allows us to prioritize and therefore tells us what to address first. (Responses to these questions are optional to moderator depending on responses from panelists) Q. How do you Define Internal Controls? A. There are various internal control models. Internal controls are the activities and\or processes that are put in place to help minimize risk, allowing us to achieve our objectives which includes complying with regulatory requirements. Controls take many forms including various processes, policies, procedures, risk assessments, communication process, training, reoccurring and measurable tasks\activities etc….you can define very specific set of environmental health and safety corrective and preventive actions as your internal controls. Q. How do you perform Risk analysis? A. In its simplest form Risk Analysis is asking three simple questions: i) What can go wrong? ii) What can we do to prevent it? iii) What can we do to reduce the consequences if something does go wrong? …quantifying the answers and then stacking ranking them based upon impact. Q2. Ed’s Response - The business processes are at the core of the organization and the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which the governance, risk management, and compliance management is put into practice to drive enterprise assurance.
- Moderator: With low risk and a small workforce, Health and Safety activities or internal controls and risk are simple and straight-forward with high risk, e.g. if you have offshore drilling and onshore drilling, to avoid or mitigate your hazards, your EHS activities going to be more extensive. ….when the organization is complex and risk is high, then consultants and organization should consider software automation So risk levels for various hazards and internal controls should be defined based on the what environmental health safety managers are concerned with based on the industry and complexity of their organization Questions asked by the moderator (the graph disappears and lists questions); Responses from panelists Q1.What is management’s responsibility with regard to internal controls and reporting? Q2.What is audit’s responsibility with regard to internal controls and reporting? Q3.What is the board’s responsibility with regard to internal controls and reporting?
- Moderator: Once the organizations has identified their EHS internal controls and identified their risks or hazards from high to low, the management would be required to further develop and streamline compliance routines, process and procedures into a coherent system. List all the questions asked by the moderator-panelists to respond/moderator responses as needed Q1- What should be the impact of this business process and what should it look like? A. This system should allow you to pull reports so that you are able to understand regulatory change impact and make informed and timely decisions. These days, when regulators do their audit they are not necessarily only interested in knowing if you achieved compliance, but interested in knowing the compliance process around personnel, product, equipment, policies, procedures, materials, assets, sites, events, assets and operating conditions. Q2. Is Automation Cost Effective? Q3. What processes can be automated and what processes will continue to be manual? Ed’s Response 1: The short answer is Automation is Highly Cost Effective. KPMG recently did research that most of the regulatory compliance is done in silos- various functional departments are managing compliance through multiple tools ( some external and some internal) in some cases most of these tools don’t talk to each other and then each department has additional head count to manage compliance- if regulatory compliance across all divisions is automated through one platform then not only it will be cost effective, it will really increase the performance of the company by being able to make better and timely decisions compare to its competitors. Ed’s – Vertically integration of all the regulatory departments through one platform should lead to better reporting up the hierarchy and hence a more complete view of critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis. gathering of the regulations is still going to be a manual process, translations of the regulations and standards is still going to be a manual process.
- Moderator to speak on this slide
- Moderator: Q. Why is it important to define where compliance is done ? Panelists to answer (moderator answer optional) A. While you are creating a EPA Or OSHA regulatory compliance workflow and defining processes, it is critical to define it at site, asset and people level to get a clear understanding of which regulations are applicable to the organization and their various business units, sites, people and assets since compliance is done at site, people and asset level. For example, if hazard analysis, contamination assessments are done, they are typically done at the site level and even on specific assets and even some assets have permits and compliance activities that have to be tracked even when those assets are moved Another example is in offshore drilling, contractors and sub contractors are constantly moving from one platform to another and one company to another, tracking those people can be a daunting task…this is where automation can create some efficiency.
- Panelists to answer/moderator answers optional Q1. Why is it important to define the roles and responsibilities before you create a Regulatory Compliance Framework? A1. For Good, safe work practices, creating an EHS regulatory compliance governance structure is very critical. It involves clarifying roles, responsibilities and resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring, and reporting. Basically, this last and 5th step ties into all of the 4 steps we talked about Q2. What are the barriers to creating a Regulatory Compliance Framework? A2. Commitment from the top and 2. People’s resistance to change. Q3. Is there a specific role and responsibility structure or can it vary from organization to organization? A3. It can vary from industry to industry and even from company to company. However, in some countries like UK , the regulators require certain functions to be done at a specific level of management. For example internal controls should be set by the organization’s mgmt. team. Nonetheless, persons with responsibility must have the knowledge and authority to take action when circumstances require.
- Panelists to answer/moderator answers optional We’ve already determined there is no hard-and fast approach. Companies approach this differently, but we should be able to answer the above questions…. There are best practices for defining who is responsible for what. Q1. What are the key roles and structure? A. For example, the board, Owners, executive team, management, EHS Managers, Safety Coordinators, Field Management/operators, auditors Q2 What are the key functions? A. EHS, OSHA, Regulatory, legal, compliance, audit, risk Q3. What are the key actions? A. Compliance, Reliability, Quality and Sustainability, health and Safety, Training Outcome / Results
- Moderator: Vertically integrated GRC system- it is more critical for the Regulatory Compliance Management across all departments to be integrated through one platform to see the whole picture with respect to risk. More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their and Gas and EHS governance, risk and compliance. In survey done by KPMG in 2010, 64 percent of respondents prefer to have a vertically integrated GRC platform as priority for their organization. In this graph, “the ability to identify and manage risks more quickly is singled out by 59 percent of respondents” as one of the key benefits of an integrated platform Less than 39 percent believe this can improve corporate performance and only 26 percent feel it will help reduce the costs of duplication Panelists to answer/moderator answers optional Q!. What are your thoughts on vertically integrating compliance management – benefits, advantage / disadvantage A1.I believe vertically integrating your regulatory compliance management will bring in rewards…when you get in there and start implementing controls in various areas, you then you realize you’ve got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings and may have partially paid for the integrated platform by identifying new business process efficiencies In conclusion, I would will also like to share a quote by Dr. Weterman MIT’s Sloan School of Management “ If something is more complex, it is just more risky. “But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility.”