Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Toward a holistic method for regulatory change management

295 views

Published on

Complexity of regulatory compliance is heightened for modern enterprises due their global footprints and multiple regulations they are subjected to across varied domains and geographies and continual changes therein. This necessitates a method for compliance management that is capable of establishing compliance to both regulations and changes to regulations from a holistic perspective of governance, risk, and compliance (GRC). We propose such a method using a conceptual model of integrated GRC whereby formal compliance checking and norm change techniques for regulations represented as formal rules are coupled with business process change propagation and risk modeling. The method also considers legal and business goals of regulators and regulatees respectively in enacting compliance to regulation and changes therein. The method is substantiated with a brief example of a real world banking regulation.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Toward a holistic method for regulatory change management

  1. 1. Sagar Sunkle and Vinay Kulkarni Tata Consultancy Services Research, India Toward a Holistic Method for Regulatory Change Management
  2. 2. 1. Increasing spend on compliance (in US estimated at $15 Billion. Estimated to increase 5 times more by 2018) 2. Demand for governance, risk management, and compliance (GRC) in US is most high but Canada, Japan, India, Australia, South Africa, and members of EU have started enforcing various regulations for some time now 3. Non-compliance is penalized severely 4. Largely document-oriented process with conservative interpretation of rules 5. Uncertainty about what constitutes compliance 6. Main challenges a. Non-compliance identification + remediation + proof explanation b. Regulatory change management with risk adjusted decision making Motivation
  3. 3. Internal Controls Risk Appetite Key Objectives Processes Risks Policies Issues Heat maps Inquiries/Su rveys Governance Compliance Regulations and Standards Risk define determine use contemplate prevent, detect, correct, track associated fulfill identify risks in may be ensure compliance with assessment leads to fulfill are established in update define fulfill Ideal- Integrated Governance, Risk, and Compliance
  4. 4. Internal Controls Risk Appetite Processes Risks Issues Heat maps Inquiries/Su rveys Governance Compliance Regulations and Standards Risk determine use prevent, detect, correct, track associated identify risks in may be ensure compliance with assessment leads to update define fulfill In reality- Industry GRC needs to be improved 1. Informal representation of regulations-content Management-based 2. Compliance proofs are document-driven 3. Risk handling is expert- reliant
  5. 5. Changes in Internal Controls Changed Processes Change Risks Inquiries/Su rveys Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk use prevent, detect, correct, track associated Identify risks in ensure compliance with define fulfill enact in In reality- Formal Research Needs to be Coordinated
  6. 6. Changes in Internal Controls Formal Compliance Checking + Norm Change Changes in Regulations and Standards ensure compliance with fulfill Formal Treatment of Changes in Regulations • Distinction between legal and count-as rules • Distinction between norms and their legal effects • Distinction between Ex Tunc and Ex Nunc norms • Ways in which expansion and contraction of legal effects is achieved
  7. 7. Changes in Internal Controls Formal Compliance Checking + Norm Change Changes in Regulations and Standards ensure compliance with fulfill Formal Treatment of Changes in Regulations To use norm change research, formal representation of regulations is necessary that is capable of handling norm change
  8. 8. Changes in Internal Controls Changed Processes Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards ensure compliance with define fulfill enact in Formal Treatment of Changes in Processes • Considerable work in business process compliance checking- Enact regulations as rules in business processes- One Size Fits all solutions • But do not take into consideration where do processes of enterprise lie along the process rule continuum
  9. 9. Embedded Rules Explicit Navigation Paths Complex Navigation Analysis Rule Guided Process Behavior Rule-driven Process Composites Rule-driven Services Rule-Dynamic Process-rule ContinuumLow Changeability High Changeability Change in rules separate from change in process model Stable processes with no frequent changes in process model Rules use process context; frequent changes in rules to adjust to attribute values of process elements Rules use not only the process context but other business data including historical data about attributes of business objects Domain-specific and meta-rules determine how to evolve a process to optimize achievement of business goals Same as rule-driven process composites, but at a much fine-grained level of services Rules change dynamically leading to dynamic composition of business processes and services Tailoring Propagation of Changes in Regulations to Process Types
  10. 10. Changes in Internal Controls Changed Processes Change Risks Inquiries/Su rveys Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk use prevent, detect, correct, track associated Identify risks in ensure compliance with fulfill enact in Risk Modeling in relation to Business Processes Sizeable work in risk modeling and some in risk aware business processes But risks and especially legal risks are domain-specific= probability of domain-specific event evaluated by its domain- specific consequences
  11. 11. Changes in Internal Controls Changed Processes Change Risks Inquiries/Su rveys Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk use prevent, detect, correct, track associated Identify risks in ensure compliance with define fulfill enact in Best of Both worlds- Integrated Formal GRC
  12. 12. BankType IdentityProof CustomerType DocumentType AddressProof obligatedTo Perform admits 1..* hasRelated obtain 1..* 1..* DocumentSubmission 1..* RiskProfile hasRelated 1 hasRelated Process applicable To 1..*Processes Risk Regulations BranchType has RiskPerception isBasedOn 1..* drives 1..* DDDOfficer DueDillegenceActivity isCarriedOutBy 1..* 1..* usedToMitigateA MLRisk 1..* Rules customerType_data(Customer_ID,Conditions...) customerType_KYC_document_data(Customer_ID,Conditions...) Low < Medium < High Prob(ML/FTevent, Consequence) customerRiskProfile( Customer_ID, Risk_Status) 1..* Early work I- Domain-specific Regulation Model
  13. 13. Early work II- Tie together Key Elements of Business Changes in Internal Controls Changed Processes Change Risks Inquiries/Su rveys Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk use prevent, detect, correct, track associated Identify risks in ensure compliance with define fulfill enact in Key Objectives define fulfill
  14. 14. Early work II- Simulation of Regulatory Scenarios 1. Take into consideration business objectives of regulatee and regulation objectives of regulator 2. Also represent actions of other important stakeholders such as regulatee’s customers 3. Simulate core GRC components of processes, risk, and compliance along with courses of action taken by regulatee, regulatee’s customers, and regulator 4. Early work with simulation machinery based on actor model of computation 5. Capable of representing propagation of changes triggered by changing regulations
  15. 15. Conclusions 1. Regulatory compliance and regulatory change management are critical problems and need to be solved with an integrated perspective 2. Best features of current industry GRC and formal solutions need to be put together for a holistic treatment 3. Our proposal marries formal representation of regulations and changes therein to a) business process and rule stage and b) risk in changes to regulation in GRC context
  16. 16. Questions? Please feel free to contact me at sagar.sunkle@tcs.com

×