Organizations today face frequent and increasing regulatory changes across multiple jurisdictions, domains, and categories. These changes often become a significant source of risk to an organization’s resilience if they are not managed carefully. It is therefore vital that organizations successfully manage the impact of regulatory changes before and when they occur.
Impacts Introduced By Regulatory Change
When regulations change, they may affect a number of areas of a business, including:
1. Strategy, goals, and objectives outlined in policies,
2. Processes, standards, and practices documented in procedure documents,
3. Roles, responsibilities, and personnel as part of the organizational structure, and
4. Sites, facilities, and equipment structured as assets.
These areas are considered critical because, when changed, they have the greatest potential to impact existing controls, expose latent risk, or introduce new risks to an organization. Each area of impact may have its own change process to address specific risk considerations but will usually follow a risk-based process as outlined below.
Risk-based Change Process
Implementing regulatory change involves actions and sometimes requires the benefits of a project. However, in all cases the impacts of a regulatory change must first be identified and understood.
The identification of impacts is usually done as part of a change process. In highly regulated, high-risk industries this process is called Regulatory Management of Change (MOC) while others simply call it Regulatory Change Management.
To effectively manage regulatory change, companies will adopt a risk-based process to identify and address direct and indirect impacts. This process moves a regulatory change through a series of stages in which activities are performed by assigned resources, often determined by the nature of the change and the areas it impacts.
The change process starts with the Initiate step to capture specifics of the regulatory change along with the risk context of the organization. Differences in risk culture will impact the level of rigour required in subsequent steps of the process involving planning, approvals, implementation, verification and close out:
1. Initiate Regulatory Change
Identify regulatory change
Identify changed compliance outcomes and objectives
Identify risk context
2. Assess Impacts
Engage stakeholders impacted by the change
Conduct impact analysis (policy, organizational, procedure, asset)
Identify change objectives (what you intend to implement)
Conduct risk assessment
3. Plan Implementation
Create implementation plan (technical changes)
Create transition plan (changes to behaviour, culture, values, etc.)
Create stakeholder communication plan
Identify necessary approvals
4. Approve Implementation
Obtain necessary approvals to proceed with implementation of regulatory change
5. Implement Regulatory Change
Execute plans
Notify stakeholders
Conduct necessary training and qualification
6. Verify Regulatory Change
Verify training and change objectives are met
Verify that it is safe to restart the changed process or use the changed product
Validate compliance outcomes
7. Close Regulatory Change
Capture lessons learned
Communicate to stakeholders
Update documents, records, and systems
The purpose of following this process is to increase the probability that changes are implemented successfully with minimal risk to the organization. Each change will go through the same stages, but the level of rigour will differ based on the level of risk introduced by the change itself.
For example, low risk changes may be fast-tracked and use prescribed risk-adjusted procedures while higher risk changes may involve a more comprehensive assessment and implementation.
In all cases, each change is tracked and monitored so that organizations always know the status of their overall operational and compliance risk.
Benefits of Using A Risk-based Change Process
The benefits of using a regulatory change process that is risk-based are many and include:
Increased visibility of risk
Improved stakeholder notification and communication
Standardized approach to treating risk
Coordination of timing to reduce overall disruption
Greater alignment with business strategy and goals
Opportunity for process improvement through the capturing of lessons learned
The most important benefit, of course, is the increased certainty that impacts arising from regulatory change do not become a significant source of risk for the business.