Regulatory Change Management - MetricStream

Regulatory Change Management Maturity Model: From Ad Hoc to Agile
November 2015
Michael Rasmussen, J.D., GRCP, CCEP
The GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org

Change is the Greatest Challenge in GRC 2015, all rights reserved, www.GRC2020.com 2

REGULATORY ACTIVITY TRACKED
Regulatory Activity in Financial Services 2014-15
[Chart; labels: Tracked 2015-15; Average Daily Alerts; Total Alerts; Year-on-Year; / 261 Working Days]
*Note: Tracked activity includes document changes, announcements, and enforcements by regulators.

The hydra of inefficiency
Organizations are burdened by manual ad hoc processes. This involves being overwhelmed with emails and documents, leading to, in varying degrees: Excessive emails, documents, and paper trails; Poor visibility & reporting; Files and documents out of sync; Wasted resources and spending; Overwhelming complexity; No accountability.

. . . and we hope nothing fails
Inability to gain clear view of compliance dependencies; High cost of consolidating compliance information; Difficulty maintaining accurate compliance information; Failure to trend across compliance assessment periods; Redundant approaches limit correlation, comparison and integration of compliance information; and Lack of agility to respond timely to changing risks, regulations, laws, and situations.

Current Situation in Financial Services
The current situation: The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis. The organization is in a resource-intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation, resulting in an inability to adequately predict the readiness of the organization to meet new requirements. There is no overall strategy to gather and share regulatory change information, and decide what to do about it.
Challenges to process and resources: Insufficient head count and subject matter expertise; Frequency of change and number of information sources overwhelms; Limited workflow and task management; Lack of an audit trail; Limited reporting; Wasted resources and spending; Misaligned business and regulatory agility; No accountability and structure.

Federated Compliance Management

Elements of a Regulatory Change Management Process: Regulatory Taxonomy; Regulatory Content; Technology Enablement

Changes Funnel into Regulatory Change Process: Monitor Change; Determine Impact; Review Policies

Gathering & Filtering Regulatory Change Alerts
1 Understand fragmented approaches
2 Determine synergies
3 Critical Changes

360 Regulatory Contextual Intelligence
[Diagram; labels: Action Items; Analyzed to understand relationships; Distributed & Disconnected IT GRC Data Points; Integrated and mapped together to provide context]

Conduct Analysis and Manage Regulatory Change Process
[Process diagram; recoverable labels, grouped:]
Regulatory Content Sourcing: New Regulations; Amended Regulations; Regulatory Guidance; News and Circulars; Comment Letters; Enforcement Actions; Feedback Statements; Speeches
Integrated Regulatory Content: Auto-Assigned to pre-defined subject matter expert (SME) with full context of change
Triage assessment and manual assignment for changes without context
Impact Assessments: None or Limited; Line of business impact; Regulatory reporting change; Product or process impact; Policy and procedure revision required; Control modification; Training revisions
Action Plan: Assign tasks; Product Offering Review; Regulatory Research; Business Impact; Executive Briefing; Change Policies and Procedures
Regulatory Change Management Process: Task completed? Yes / No; CLOSED; Ongoing regulatory change management project tracking

Route Regulatory Change to Subject Matter Experts

Conduct Business Impact Analysis of Regulatory Change

Determine Actions Needed in Context of Regulatory Change

Regulatory Change Management Metrics

Regulatory Change Management: Keys to Success

Power of Information Drives Effective Regulatory Change Management
OBJECTIVES & GOALS; ASSETS & RELATIONSHIPS; RISK & ANALYSIS; REGULATIONS & OBLIGATIONS; CONTROLS & ASSESSMENT; POLICIES & TRAINING; INCIDENTS & ISSUES; ROLES & RESPONSIBILITIES

GRC 20/20’s Regulatory Change Management Maturity Model
[Axes: Strategic Process, Information & Technology Architecture Alignment; Issue to Departments to Enterprise Coordination and Integration]
1 AD HOC: Unstructured approach. Constantly putting out fires. Often caught off guard.
2 FRAGMENTED: Limited structure in regulatory change responsibilities. Process is accomplished via email and documents with limited accountability and oversight.
3 MANAGED: Roles & responsibilities are defined with use of technology to manage workflow and tasks to provide accountability. Inconsistencies remain. There is no integration of technology and content.
4 INTEGRATED: Regulatory intelligence architecture across the organization enables consistent management of regulatory change process with the integration of content feeds from regulatory intelligence knowledge providers.
5 AGILE: Regulatory intelligence architecture that integrates feeds from regulatory knowledge providers that map to policies, risks, controls, etc. Enables full situational awareness of regulatory change in the context of business. Regulatory feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks.

Measurements of a Healthy Regulatory Change Management Function
1 - Aware: Have a finger on how regulatory change impacts business; Watch for change in external regulatory environment & changes to internal business environment; Turn data into information that can be, and is, analyzed; Share regulatory change information in every relevant direction
2 - Aligned: Support and inform business objectives in context of regulatory change; Continuously align objectives and operations to regulatory risk of the entity; Give strategic consideration to information from regulatory change and compliance enabling appropriate strategic decisions
3 - Responsive: You can’t react to something you don’t sense; Gain greater awareness and understanding of change that will impact decisions and actions; Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions
4 - Agile: Be nimble, being fast isn’t helpful if you are headed in the wrong direction. Regulatory change management enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use change to its advantage, adapt strategy, and be confident in its ability to stay on course.
5 - Resilient: Be able to bounce back quickly from changes with limited business impact; Have sufficient tolerances to allow for some missteps; Have confidence necessary to rapidly adapt and respond to situations
6 - Lean: Build the muscle, trim the fat; Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within regulatory change management processes; Lean the organization overall with enhanced capability and related decisions about adapting to change

Questions?
Michael Rasmussen, J.D., The GRC Pundit & OCEG Fellow
mkras@grc2020.com, 1.888.365.4560
GRC 20/20 Newsletter; LinkedIn: GRC 20/20; LinkedIn: Michael Rasmussen; Twitter: GRCPundit; Blog: GRC Pundit
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
