5. Regulatory change is significantly impacting organizations and their policies
Source: Davis Polk Dodd-Frank infographics
Regulatory Change Management Page 5
6. Four Reasons to Implement Regulatory Change Management
1. Over- or under-complying is expensive
2. Organizations need to be able to react to risk and business change
3. Regulators are tired of paper-based compliance programs
4. Regulatory change management needs to be defensible
7. Regulatory Change Management Methodology
[Diagram: the five components of the methodology, Business Process; Requirements (Regulations, Standards, Business Requirements); Risks & Controls; Organization; Location/Assets, with the axis labels HOW, WHY, WHAT, WHO and WHERE]
8. Five Steps to Manage Regulatory Compliance
1. Regulatory knowledge base and taxonomy
2. Risk and internal controls
3. Business process -> Regulatory workflow
4. Location / Assets
5. Roles and responsibilities of key management functions
9. Step 1 - Requirements Knowledge Base & Taxonomy
[Diagram: Requirements Knowledge Base & Taxonomy linked to Business Process, Risk and Internal Controls, Roles and Responsibilities, and Locations and Assets]
COMPONENTS OF A REQUIREMENTS KNOWLEDGE BASE
1. Regulations, standards, requirements and objectives library management
2. Parse the actions from requirements: who, what, when, where, and frequency
3. Monitor regulatory change
4. Effective vs. proposed
5. Mapping of regulatory requirements to CAPA, policies and procedures, evidence, checklists, and day-to-day compliance tasks
6. Applicability
10. Step 1 a - Effective and Mature Regulatory Intelligence Delivers:
Holistic awareness of changing regulatory risk
Alignment of culture and policy
Risk-intelligent decision-making
Accountability for regulatory change risk
Multidimensional regulation analysis and planning
Visibility of risk as it relates to performance and strategy
11. Step 1 b - GRC 20/20's Regulatory Intelligence Maturity Model: Steps to Increase Maturity
1. Define a regulatory taxonomy
2. Establish subject matter experts
3. Map policies and other content to regulations
4. Integrate content feeds from knowledge providers
5. Provide accountability through workflow and task management
12. Step 2 - Risk & Internal Controls
[Diagram: Risk and Internal Controls linked to Requirements Knowledge Base & Taxonomy, Roles and Responsibility, Reporting, and Regulatory Compliance Software]
1. What is impacted?
2. Define internal controls
3. Define risk levels
13. Step 2 a - Risk & Internal Controls
[Diagram: Risk and Internal Controls linked to Requirements Knowledge Base & Taxonomy, Roles and Responsibility, Reporting, and Regulatory Compliance Software]
What is management's responsibility with regard to internal controls and reporting?
What is audit's responsibility with regard to internal controls and reporting?
What is the board's responsibility with regard to internal controls and reporting?
14. Step 2 b - Risk & Internal Controls
[Matrix: the technology level needed rises from a small workforce and low risk to a large workforce and high risk]
Weak Technology (small workforce, low risk)
• Documents & spreadsheets
• Email for workflow & tasks
• No audit trail or accountability
Moderate Technology
• Basic workflow & task management
• No regulatory content feeds
• Audit trail for accountability
Strong Technology (large workforce, high risk)
• Enterprise workflow
• Integrated and actionable regulatory content with policy management
• Closed loop process - everything integrated into one platform
• Indexing of regulations to other policies
15. Step 3 - Business Process
[Diagram: Business Process linked to Requirements Knowledge Base & Taxonomy, Risk and Internal Controls, Reporting, and Regulatory Compliance Software]
1. Business process impact: the compliance process around sites, assets, events and timely decisions
2. Process automation and cost
3. Manual vs. automation
16. Step 3 a - Business Process
[Diagram: Business Process linked to Requirements Knowledge Base & Taxonomy, Risk and Internal Controls, Reporting, and Regulatory Compliance Software]
PROCESSES THAT CAN BE AUTOMATED
Automate corrective action to increase speed, eliminate waste and cut costs
Automate scheduling, tasking and tracking
Embed transparency and accountability
Automate management of change
PROCESSES THAT CANNOT BE AUTOMATED
Determining applicability
Subject matter expertise
17. Step 4 - Location & Assets
[Diagram: Location/Assets linked to Business Process, Requirements Knowledge Base & Taxonomy, Risk and Internal Controls, and Roles & Responsibility]
1. Where is compliance being done?
2. Compliance is done at the site and asset level
18. Step 5 - Roles & Responsibility
[Diagram: Roles & Responsibility linked to Business Process, Requirements Knowledge Base & Taxonomy, Risk and Internal Controls, and Location/Assets]
1. Why is it important to define the roles and responsibilities before you create a Regulatory Compliance Framework?
2. What are the barriers to creating a Regulatory Compliance Framework?
3. Is there a specific role and responsibility structure, or can it vary across organizations and industries?
19. Step 5 a - Roles & Responsibility
[Diagram: Roles & Responsibility linked to Business Process, Requirements Knowledge Base & Taxonomy, Risk and Internal Controls, and Location/Assets]
COMPONENTS OF ROLES AND RESPONSIBILITIES
1. What are the key roles and structure?
2. What are the key functions?
3. What are the key actions?
4. Outcome / Results
20. Automate Regulatory Compliance Through Software
BENEFITS OF AN INTEGRATED MANAGEMENT SYSTEM
Source: Global survey by KPMG, Inc
Welcome everybody. My name is Ed Sattar and I am with 360factors, a Regulatory Change Management solutions company. I've spent the past 15 years in the regulatory compliance policy-making and workflow automation space, which essentially involves building regulatory intelligence models and change management methodology, and developing software to scale and streamline compliance for corporations, agencies, consulting firms and regulators.
Welcome to the regulatory change management webinar. In an environment where we have experienced the demise of major institutions, impacts on the environment and on human lives, and a changing business landscape that has led to stricter regulations in many countries and across major industries, the phrase "Regulatory Change Management" has taken on much greater meaning in the world of corporate America. An organization's ability to manage RCM can make or break the organization, its officers and the communities we live in.
The purpose of this webinar is to share with you a regulatory change management methodology, best practices, and the insightful experiences of our moderator and panelists that can help you build out a successful regulatory change management system, irrespective of regulation type, standards and corporate objectives.
We expect that you will walk away performing some mental assessment of your regulatory compliance maturity model and hopefully identifying those activities that you will stop, start and continue doing.
Each panelist introduces themselves
Let's look at how the regulatory landscape is changing...
The Heritage Foundation's research shows that a massive number of regulations have been added since 2009, and that the regulatory burden on American business increased by nearly $70 billion during President Obama's first term in office alone.
Ask a question to panelists about industry trends and regulations and their impact
(Optional for moderator depending on panelist comments) With hundreds of thousands of regulations around the world that are constantly being modified and updated, it is critical to understand what is applicable to each organization. That will vary with the type of industry and the nature of the organization and its business imperatives.
There is a lot of change happening within FS
50% of it is in the US
Regulatory changes have doubled in the last 5 years
North America accounts for half the change
One Brazilian bank had an 18-month project to document 81K requirements (not regulations)
Siemens was fined $800 million, the largest fine in FCPA history
Bribery & corruption is another
Only 39% of the Dodd-Frank Act has been implemented
Dodd-Frank does not just impact financial services; it impacts every organization
Step 1 - 1. Most of the time organizations don't know whether they are over-complying or under-complying; in either case it is expensive, and it can be costly in terms of safety, product, brand and reputation. The impact of the risks identified in the governing regulations, and the probability of their occurring, depend on how well you understand the four I's: the Intent of the law, how well you Interpret the law, how you Implement the law, and how well regulatory change management is Institutionalized within your organization.
It is therefore critical that a firm implements a regulatory change management system to effectively manage and monitor the compliance process, so that these are institutionalized in a way that compliance becomes part of the "culture".
2. (Optional for moderator) The second step towards compliance is to get a clear understanding of which regulations are applicable to the organization and its various business units and sites. The inability to determine accurately which rules apply and which do not will more than likely result in under- or over-complying. Again, in both cases this drives unnecessary costs.
3. (Optional for moderator) Firms have no structured approach to managing regulatory change and are often caught "working IN compliance" vs. "working ON compliance". Working in compliance means being caught off guard, being reactive and putting out fires. Working on compliance means performing proper analysis in advance, being proactive and putting a regulatory change management structure in place. Hence, automating and streamlining regulatory change management will give you quality key performance indicators so that you can react quickly to issues and even predict them.
4. (Optional) If there are no tighter systems or a methodology around the first three steps, the risks that stem from non-compliance with key regulatory requirements can be very costly and damaging to an organization and to the custodians of governance within it. We all know that the consequences of non-compliance range from penalties and fines to imprisonment, withdrawal of licenses, lawsuits and reputational risk, which individually or collectively may have a fundamental impact on the organization's sustainability as a going concern. That cost is substantially more than putting in a system that automates your tracking and monitoring of compliance, day-to-day compliance tasks, events, incidents and investigations.
(Optional example) Step 2 - add a few industry-specific examples and trends that tie to the above. Example: Halliburton was fined about $1 million in PA, and a system would be a fraction of the cost.
------------------------
Optional: Firms are challenged by the constant addition and modification of hundreds of thousands of regulations with multijurisdictional requirements, and by increased pressure to deliver uncompromising compliance with reduced budgets and significant resource constraints.
Here is a regulatory change management methodology made simple
Ed will speak on this slide
The regulatory change management model comprises five components.
(Optional) Compliance programs should include the uncertainties surrounding regulatory requirements that affect significant capital projects and investments. By addressing these uncertainties, the compliance program is better aligned with the company's strategic initiatives rather than treated as a policy vehicle.
1. It is necessary to be adequately prepared by creating a regulatory knowledge base and developing a regulatory taxonomy mapped to your organization's enterprise risk framework. The components of a requirements knowledge base should include:
Panelists to answer/moderator answers optional
1. Requirements library -
Q. What is a regulatory library? Panelists can speak on this.
A. A regulatory library should enable an organization to maintain regulations and standards. Ideally this library will have the second- and third-party actions (the tasks that those entities must perform to be compliant) highlighted or parsed out.
Map reference documents, notes, templates of various kinds, checklists and audits to the standard, at a minimum at the requirement level and ideally at the action level (see point #2)
A search engine that allows compliance professionals to search for standards and requirements
Map requirements to day-to-day compliance activities
2. Putting requirements into practice -
Q. Why is it important to extract second and third party actions from the regulatory requirements?
A. This links to the four I's I talked about earlier and to the comment I made about over-complying and under-complying. Knowing exactly what you need to do in the vast sea of regulations is key, and this makes the parsing of those second- and third-party actions out of the regulations or standards a critical factor in enabling the compliance change management process.
3. Monitor regulatory change -
Q. How can you automate regulatory change?
A. It is about conducting a business impact analysis to understand the impact of regulatory change on your business, by implementing a workflow within a regulatory change management system that sends alerts to specific work groups when regulations change, and having a workflow in place that identifies and streamlines the touching/updating of all the artifacts linked to the changed requirements (think tasks, policies & procedures, mock audits, checklists, inspections, etc.).
4. Regulations: Effective vs. Proposed
An RKB should handle both effective and proposed requirement changes.
Q. How do organizations handle this today?
A. It is all over the board. Some people watch the federal and state registers and their equivalents internationally. Others rely on third-party services to send them alerts about changed or proposed regulations.
5. Mapping of the work and artifacts back to the actions and the requirements they are derived from -
Q. What are the benefits of Mapping and what is involved?
A. A sophisticated RCM system allows you to map regulatory requirements to CAPA, policies and procedures, evidence, checklists, audits, day-to-day compliance tasks, event-driven tasks, etc. This way you know which regulations are triggering most of your actions, and which artifacts need to be "touched" or updated when a regulation, standard or requirement changes.
6. Regulation/standard applicability -
Q. Would anyone like to talk about challenges around applicability?
A. In most industries, compliance activity is performed at the site or asset level, so it is important to get a clear understanding of which regulations are applicable to the organization and its various business units, sites and assets. A good RKB will provide tools and workflow for identifying applicable requirements and then managing their lifecycle. Parsing of second- and third-party requirements plays a key part here from a sheer workload perspective.
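As an added, self-contained illustration (not 360factors' software and not code from the webinar), the Python sketch below models the six knowledge-base components above as data and runs the change-impact workflow the notes describe: a changed requirement resolves to the artifacts linked to its parsed actions and to the work groups that own them; applicability is answered per site or asset kind; proposed requirements are stored but filtered out unless asked for; requirements are ranked by how many artifacts they drive; and artifacts left pointing at withdrawn actions are flagged so they are not silently left stale. All class names, identifiers, citations and sample records are constructed assumptions.

```python
"""Toy requirements knowledge base (RKB) with change-impact analysis.

Added illustration, not 360factors code. Every class, function, identifier
and sample record is a constructed assumption; the shape follows the six
components in the notes: requirements library, parsed actions, change
monitoring, effective vs. proposed status, artifact mapping, applicability.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    """A second/third-party obligation parsed out of a requirement."""
    action_id: str
    who: str            # work group that owns the task
    what: str
    frequency: str      # e.g. "monthly", "annual", "on change"
    where: frozenset    # site/asset kinds the action applies to


@dataclass
class Requirement:
    req_id: str
    citation: str       # hypothetical citation text
    status: str         # "effective" or "proposed"
    actions: list = field(default_factory=list)


@dataclass(frozen=True)
class Artifact:
    """Policy, procedure, checklist, CAPA or evidence, linked to action ids."""
    artifact_id: str
    kind: str
    action_ids: frozenset


class KnowledgeBase:
    def __init__(self):
        self.requirements = {}   # req_id -> Requirement
        self.artifacts = {}      # artifact_id -> Artifact

    def add_requirement(self, req):
        self.requirements[req.req_id] = req

    def add_artifact(self, art):
        self.artifacts[art.artifact_id] = art

    def retire_requirement(self, req_id):
        """Regulation withdrawn: its parsed actions disappear with it."""
        del self.requirements[req_id]

    def _action_owner(self):
        """action_id -> req_id for every currently parsed action."""
        return {a.action_id: r.req_id
                for r in self.requirements.values() for a in r.actions}

    def impacted_artifacts(self, req_id):
        """Everything to 'touch' when this requirement changes (component 5)."""
        changed = {a.action_id for a in self.requirements[req_id].actions}
        return sorted(a.artifact_id for a in self.artifacts.values()
                      if a.action_ids & changed)

    def alert_targets(self, req_id):
        """Work groups to notify when the requirement changes (component 3)."""
        return sorted({a.who for a in self.requirements[req_id].actions})

    def applicable(self, site_kind, include_proposed=False):
        """Requirements with an action at this site/asset kind (components 4, 6)."""
        return sorted(r.req_id for r in self.requirements.values()
                      if (include_proposed or r.status == "effective")
                      and any(site_kind in a.where for a in r.actions))

    def top_drivers(self):
        """Requirements ranked by the number of artifact links they drive."""
        owner = self._action_owner()
        counts = Counter(owner[aid] for art in self.artifacts.values()
                         for aid in art.action_ids if aid in owner)
        return counts.most_common()

    def dangling_artifacts(self):
        """Artifacts linked to an action that no longer exists (stale after a change)."""
        live = set(self._action_owner())
        return sorted(a.artifact_id for a in self.artifacts.values()
                      if not a.action_ids <= live)


def build_sample_kb():
    """Constructed sample data; citations and ids are hypothetical."""
    kb = KnowledgeBase()
    both = frozenset({"offshore", "onshore"})
    kb.add_requirement(Requirement("REQ-1", "Hypothetical Reg A s.4", "effective", [
        Action("ACT-1", "EHS", "Inspect fall protection", "monthly", both),
        Action("ACT-2", "Training", "Refresher training", "annual", both)]))
    kb.add_requirement(Requirement("REQ-2", "Hypothetical Reg B s.9", "effective", [
        Action("ACT-3", "Asset Mgmt", "Renew vessel permit", "annual", frozenset({"onshore"}))]))
    kb.add_requirement(Requirement("REQ-3", "Hypothetical Reg C (draft)", "proposed", [
        Action("ACT-4", "EHS", "Emissions report", "quarterly", frozenset({"offshore"}))]))
    kb.add_artifact(Artifact("POL-1", "policy", frozenset({"ACT-1", "ACT-2"})))
    kb.add_artifact(Artifact("CHK-1", "checklist", frozenset({"ACT-1"})))
    kb.add_artifact(Artifact("PRM-1", "permit evidence", frozenset({"ACT-3"})))
    kb.add_artifact(Artifact("CAPA-1", "capa", frozenset({"ACT-1", "ACT-3"})))
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    print("REQ-1 changed -> touch", kb.impacted_artifacts("REQ-1"),
          "and alert", kb.alert_targets("REQ-1"))
    print("offshore applicability:", kb.applicable("offshore"),
          "(with proposed:", kb.applicable("offshore", include_proposed=True), ")")
    print("top drivers:", kb.top_drivers())
    kb.retire_requirement("REQ-2")
    print("stale after retiring REQ-2:", kb.dangling_artifacts())
```

The point of `dangling_artifacts` is the failure mode a paper-based program misses: once a requirement is withdrawn or re-parsed, any checklist or CAPA still tied to the old action ids keeps generating work (over-complying) or hides a gap (under-complying) until someone finds it; a mapped knowledge base can list those artifacts the moment the change is recorded.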
have proper accountability
Moderator: Risk and Controls - In order for an organization to manage its risk and regulatory compliance, it should define its internal controls and risks. Risk analysis tells us what is impacted and, based on a systematic process, allows us to prioritize and therefore tells us what to address first.
(Responses to these questions are optional to moderator depending on responses from panelists)
Q. How do you Define Internal Controls?
A. There are various internal control models. Internal controls are the activities and/or processes put in place to help minimize risk, allowing us to achieve our objectives, which include complying with regulatory requirements. Controls take many forms, including various processes, policies, procedures, risk assessments, communication processes, training, recurring and measurable tasks/activities, etc. You can define a very specific set of environmental health and safety corrective and preventive actions as your internal controls.
Q. How do you perform Risk analysis?
A. In its simplest form, risk analysis is asking three simple questions:
i) What can go wrong?
ii) What can we do to prevent it?
iii) What can we do to reduce the consequences if something does go wrong?
...then quantifying the answers and stack-ranking them based upon impact.
Q2. Ed's Response - The business processes are at the core of the organization and of the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which governance, risk management and compliance management are put into practice to drive enterprise assurance.
Moderator:
With low risk and a small workforce, health and safety activities, internal controls and risks are simple and straightforward.
With high risk, e.g. if you have offshore and onshore drilling, your EHS activities to avoid or mitigate hazards are going to be more extensive. When the organization is complex and risk is high, consultants and the organization should consider software automation.
So risk levels for the various hazards, and the internal controls, should be defined based on what environmental health and safety managers are concerned with, given the industry and the complexity of their organization.
Questions asked by the moderator (the graph disappears and the questions are listed); responses from panelists
Q1.What is management’s responsibility with regard to internal controls and reporting?
Q2.What is audit’s responsibility with regard to internal controls and reporting?
Q3.What is the board’s responsibility with regard to internal controls and reporting?
Moderator: Once the organization has identified its EHS internal controls and ranked its risks or hazards from high to low, management is required to further develop and streamline compliance routines, processes and procedures into a coherent system.
List all the questions asked by the moderator; panelists to respond, moderator responses as needed
Q1. What should the impact of this business process be, and what should it look like?
A. This system should allow you to pull reports so that you are able to understand regulatory change impact and make informed and timely decisions. These days, when regulators do their audit they are not necessarily interested only in knowing whether you achieved compliance, but also in the compliance process around personnel, product, equipment, policies, procedures, materials, assets, sites, events and operating conditions.
Q2. Is Automation Cost Effective?
Q3. What processes can be automated and what processes will continue to be manual?
Ed's Response 1: The short answer is that automation is highly cost effective. KPMG research recently found that most regulatory compliance is done in silos: various functional departments manage compliance through multiple tools (some external and some internal), in some cases these tools don't talk to each other, and each department carries additional head count to manage compliance. If regulatory compliance across all divisions is automated through one platform, then not only will it be cost effective, it will really increase the performance of the company by enabling better and timelier decisions compared to its competitors.
Ed's - Vertical integration of all the regulatory departments through one platform should lead to better reporting up the hierarchy and hence a more complete view of the critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis.
Gathering the regulations is still going to be a manual process, and translation of the regulations and standards is still going to be a manual process.
Moderator to speak on this slide
Moderator: Q. Why is it important to define where compliance is done ?
Panelists to answer (moderator answer optional)
A. While you are creating an EPA or OSHA regulatory compliance workflow and defining processes, it is critical to define it at the site, asset and people level, to get a clear understanding of which regulations are applicable to the organization and its various business units, sites, people and assets, since compliance is done at the site, people and asset level.
For example, hazard analyses and contamination assessments are typically done at the site level and even on specific assets, and some assets have permits and compliance activities that have to be tracked even when those assets are moved.
Another example is offshore drilling, where contractors and subcontractors are constantly moving from one platform to another and from one company to another; tracking those people can be a daunting task, and this is where automation can create some efficiency.
Panelists to answer/moderator answers optional
Q1. Why is it important to define the roles and responsibilities before you create a Regulatory Compliance Framework?
A1. For good, safe work practices, creating an EHS regulatory compliance governance structure is critical. It involves clarifying roles, responsibilities, resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring and reporting. Basically, this last, fifth step ties into all four of the steps we talked about.
Q2. What are the barriers to creating a Regulatory Compliance Framework?
A2. 1. Commitment from the top, and 2. people's resistance to change.
Q3. Is there a specific role and responsibility structure or can it vary from organization to organization?
A3. It can vary from industry to industry and even from company to company. However, in some countries, such as the UK, regulators require certain functions to be performed at a specific level of management; for example, internal controls should be set by the organization's management team. Nonetheless, persons with responsibility must have the knowledge and authority to take action when circumstances require.
Panelists to answer/moderator answers optional
We've already determined there is no hard-and-fast approach. Companies approach this differently, but we should be able to answer the above questions. There are best practices for defining who is responsible for what.
Q1. What are the key roles and structure?
A. For example: the board, owners, the executive team, management, EHS managers, safety coordinators, field management/operators, auditors
Q2 What are the key functions?
A. EHS, OSHA, regulatory, legal, compliance, audit, risk
Q3. What are the key actions?
A. Compliance, reliability, quality and sustainability, health and safety, training
Outcome / Results
Moderator: Vertically integrated GRC system - it is increasingly critical for regulatory compliance management across all departments to be integrated through one platform, to see the whole picture with respect to risk. More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their Oil and Gas and EHS governance, risk and compliance. In a survey done by KPMG in 2010, 64 percent of respondents named a vertically integrated GRC platform as a priority for their organization.
In this graph, "the ability to identify and manage risks more quickly is singled out by 59 percent of respondents" as one of the key benefits of an integrated platform.
Fewer than 39 percent believe this can improve corporate performance, and only 26 percent feel it will help reduce the costs of duplication.
Panelists to answer/moderator answers optional
Q1. What are your thoughts on vertically integrating compliance management - benefits, advantages/disadvantages?
A1. I believe vertically integrating your regulatory compliance management will bring rewards. When you get in there and start implementing controls in various areas, you realize you've got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings, and you may have partially paid for the integrated platform by identifying new business process efficiencies.
In conclusion, I would also like to share a quote by Dr. Weterman of MIT's Sloan School of Management: "If something is more complex, it is just more risky. But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility."