Raimund Laqua

Are You Effectively Managing the Impacts of Regulatory Change?

Organizations today face frequent and increasing regulatory changes across multiple jurisdictions, domains, and categories. These changes often become a significant source of risk to an organization’s resilience if they are not managed carefully. It is therefore vital that organizations successfully manage the impact of regulatory changes before and when they occur.


Impacts Introduced By Regulatory Change


When regulations change, they may affect a number of areas of a business, including:


1. Strategy, goals, and objectives outlined in policies,

2. Processes, standards, and practices documented in procedure documents,

3. Roles, responsibilities, and personnel as part of the organizational structure, and

4. Sites, facilities, and equipment structured as assets.


Regulatory Change Impacts

These areas are considered critical because, when changed, they have the greatest potential to impact existing controls, expose latent risk, or introduce new risks to an organization. Each area of impact may have its own change process to address specific risk considerations but will usually follow a risk-based process as outlined below.


Risk-based Change Process



Implementing a regulatory change will involve actions and sometimes requires the benefits of a project to carry out. However, in all cases the impacts of a regulatory change first need to be identified and understood.


The identification of impacts is usually done as part of a change process. In highly regulated, high-risk industries this process is called Regulatory Management of Change (MOC), while others simply call it Regulatory Change Management.


To effectively manage regulatory change, companies will adopt a risk-based process to identify and address direct and indirect impacts. This process moves a regulatory change through a series of stages in which activities are performed by assigned resources, often determined by the nature of the change and the areas it impacts.


The change process starts with the Initiate step to capture specifics of the regulatory change along with the risk context of the organization. Differences in risk culture will impact the level of rigour required in subsequent steps of the process involving planning, approvals, implementation, verification and close out:


1. Initiate Regulatory Change

  • Identify regulatory change

  • Identify changed compliance outcomes and objectives

  • Identify risk context

2. Assess Impacts

  • Engage stakeholders impacted by the change

  • Conduct impact analysis (policy, organizational, procedure, asset)

  • Identify change objectives (what you intend to implement)

  • Conduct risk assessment

3. Plan Implementation

  • Create implementation plan (technical changes)

  • Create transition plan (changes to behaviour, culture, values, etc.)

  • Create stakeholder communication plan

  • Identify necessary approvals

4. Approve Implementation

  • Obtain necessary approvals to proceed with implementation of regulatory change

5. Implement Regulatory Change

  • Execute plans

  • Notify stakeholders

  • Conduct necessary training and qualification

6. Verify Regulatory Change

  • Verify training and change objectives are met

  • Verify that it is safe to restart the changed process or use the changed product

  • Validate compliance outcomes

7. Close Regulatory Change

  • Capture lessons learned

  • Communicate to stakeholders

  • Update documents, records, and systems


The purpose of following this process is to increase the probability that changes are implemented successfully with minimal risk to the organization. Each change will go through the same stages, but the level of rigour will differ based on the level of risk introduced by the change itself.


For example, low-risk changes may be fast-tracked and use prescribed risk-adjusted procedures, while higher-risk changes may involve a more comprehensive assessment and implementation.


In all cases, each change is tracked and monitored so that organizations will always know the status of their overall operational and compliance risk.


Benefits of Using A Risk-based Change Process


The benefits of using a regulatory change process that is risk-based are many and include:


  1. Increased visibility of risk

  2. Improved stakeholder notification and communication

  3. Standardized approach to treating risk

  4. Coordination of timing to reduce overall disruption

  5. Greater alignment with business strategy and goals

  6. Opportunity for process improvement through the capturing of lessons learned


The most important benefit, of course, is the increased certainty that impacts arising from regulatory change do not become a significant source of risk for the business.



