
Regulatory Change Management Maturity Model: From Ad Hoc to Agile


November 2015
Michael Rasmussen, J.D., GRCP, CCEP
The GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org
Change is the Greatest Challenge in GRC

© 2015, all rights reserved, www.GRC2020.com


2
Regulatory Activity Tracked in Financial Services 2014-15

*Note: Tracked activity includes document changes, announcements, and enforcements by regulators.
Average Daily Alerts = Total Alerts Year-on-Year / 261 Working Days
3
The hydra of inefficiency

Organizations are burdened by manual ad hoc processes. This involves being overwhelmed with emails and documents — leading to, in varying degrees…
• Excessive emails, documents, and paper trails
• Poor visibility & reporting
• Files and documents out of sync
• Wasted resources and spending
• Overwhelming complexity
• No accountability


4
. . . and we hope nothing fails

• Inability to gain clear view of compliance dependencies;
• High cost of consolidating compliance information;
• Difficulty maintaining accurate compliance information;
• Failure to trend across compliance assessment periods;
• Redundant approaches limit correlation, comparison and integration of compliance information; and
• Lack of agility to respond timely to changing risks, regulations, laws, and situations.
5
Current Situation in Financial Services

The current situation:
• The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis.
• The organization is in a resource intensive confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation resulting in an inability to adequately predict the readiness of the organization to meet new requirements.
• There is no overall strategy to gather and share regulatory change information, and decide what to do about it.

Challenges to process and resources:
• Insufficient head count and subject matter expertise
• Frequency of change and number of information sources overwhelms
• Limited workflow and task management
• Lack of an audit trail
• Limited reporting
• Wasted resources and spending
• Misaligned business and regulatory agility
• No accountability and structure


6
Federated Compliance Management


7
Elements of a Regulatory Change Management Process

• Regulatory Taxonomy
• Regulatory Content
• Technology Enablement


8
Changes Funnel into Regulatory Change Process

Monitor Change → Determine Impact → Review Policies


9
Gathering & Filtering Regulatory Change Alerts

1. Understand fragmented approaches
2. Determine synergies
3. Critical Changes


10
360° Regulatory Contextual Intelligence

Distributed & Disconnected IT GRC Data Points → Analyzed to understand relationships → Integrated and mapped together to provide context → Action Items
11
Conduct Analysis and Manage Regulatory Change Process

(Process diagram; labels recovered from the slide.)

Regulatory Content Sourcing:
• New Regulations
• Amended Regulations
• Regulatory Guidance
• News and Circulars
• Comment Letters
• Enforcement Actions
• Feedback Statements
• Speeches

Integrated Regulatory Content:
• Auto-assigned to pre-defined subject matter expert (SME) with full context of change
• Ongoing regulatory change
• Triage and manual assignment for changes without context
• Line of business management; product offering; project tracking

Regulatory Change Management Process:
• Impact Assessments:
  • Regulatory reporting change
  • Product or process impact
  • Policy and procedure revision
  • Control modification
  • Training revisions
• Impact none or limited → Regulatory Change Management CLOSED
• Review required? Yes → Regulatory Research; Business Impact assessment; Executive Briefing; Action Plan; Assign tasks; Policies and Procedures
• Task completed? (Yes / No)


12
Route Regulatory Change to Subject Matter Experts

13
Conduct Business Impact Analysis of Regulatory Change

14
Determine Actions Needed in Context of Regulatory Change

15
Regulatory Change Management Metrics

16
Regulatory Change Management: Keys to Success


17
Power of Information Drives Effective Regulatory Change Management

• Objectives & Goals
• Assets & Relationships
• Risk & Analysis
• Regulations & Obligations
• Controls & Assessment
• Policies & Training
• Incidents & Issues
• Roles & Responsibilities
18
GRC 20/20's Regulatory Change Management Maturity Model

Vertical axis: Strategic Process, Information & Technology Architecture Alignment
Horizontal axis: Issue to Departments to Enterprise Coordination and Integration

1 AD HOC: Unstructured approach. Constantly putting out fires. Often caught off guard.

2 FRAGMENTED: Limited structure in regulatory change responsibilities. Process is accomplished via email and documents with limited accountability and oversight.

3 MANAGED: Roles & responsibilities are defined with use of technology to manage workflow and tasks to provide accountability. Inconsistencies remain. There is no integration of technology and content.

4 INTEGRATED: Regulatory intelligence architecture across the organization enables consistent management of regulatory change process with the integration of content feeds from regulatory intelligence knowledge providers.

5 AGILE: Regulatory intelligence architecture that integrates feeds from regulatory knowledge providers that map to policies, risks, controls, etc. Enables full situational awareness of regulatory change in the context of business. Regulatory feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks.
19
Measurements of a Healthy Regulatory Change Management Function

1 - Aware
• Have a finger on how regulatory change impacts business
• Watch for change in external regulatory environment & changes to internal business entity environment
• Turn data into information that can be, and is, analyzed
• Share regulatory change information in every relevant direction

2 - Aligned
• Support and inform business objectives in context of regulatory change
• Continuously align objectives and operations to regulatory risk
• Give strategic consideration to information from regulatory change and compliance enabling appropriate strategic decisions

3 - Responsive
• You can't react to something you don't sense
• Gain greater awareness and understanding of change that will impact decisions and actions
• Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions

4 - Agile
• Be nimble, being fast isn't helpful if you are headed in the wrong direction.
• Regulatory change management enables decisions and actions that are quick, coordinated and well thought out.
• Agility allows an entity to use change to its advantage, adapt strategy, and be confident in its ability to stay on course.

5 - Resilient
• Be able to bounce back quickly from changes with limited business impact
• Have sufficient tolerances to allow for some missteps
• Have confidence necessary to rapidly adapt and respond to situations

6 - Lean
• Build the muscle, trim the fat
• Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within regulatory change management processes
• Lean the organization overall with enhanced capability and related decisions about adapting to change


20
Questions?

Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
mkras@grc2020.com
+1.888.365.4560

GRC 20/20 Newsletter
LinkedIn: GRC 20/20
LinkedIn: Michael Rasmussen
Twitter: GRCPundit
Blog: GRC Pundit

Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.