The first thing successful organisations have is a clear governance structure – a process through which any new change is assessed. Critically, this governance structure will define the roles and responsibilities associated with assessing future regulatory changes:
The majority of organisations have some form of ‘horizon scanning’ in place. There is a range of technology solutions in this space that, when implemented well, can reduce the manual workload of identifying which regulatory updates impact areas of interest for your business. Regardless of the tool you choose for monitoring new changes, be sure to have a mechanism to capture and communicate these to your nominated teams.
Note. Many of the horizon scanning tools will allow for requirements tracking through a built-in workflow. However, basic tooling that many organisations already have in house (e.g. Jira/Confluence-type platforms) is more than sufficient to ensure individual items are addressed and tracked.
Initial business impact assessment
Organisations that have a good understanding of the likely impact of upcoming regulatory changes also have a nominated team (ideally not just one individual, to avoid key person dependencies) with a broad understanding of the business activities and operational environment. They do not need to be experts in every detail but should hold enough information to assess the impact of change across functions. It is their job to outline (and track) a high-level business requirement statement, assigning this to the relevant function or identified project team: “There is an obligation to do x [by y date].”
Note. Depending on the complexity of the obligation, there may be a need to engage legal or other teams to gain an early indication of the potential impact to help guide this initial statement.
Functional (project) review and constructive challenge
On receipt of a high-level business requirement statement, it is the job of the receiving function to review, prioritise and ultimately respond to the request. Try to keep this separate from the team setting the initial objective, otherwise there is a risk of ‘marking your own homework’.
The function must assess the request in detail, reviewing the regulatory text or advice. Its members should be the subject matter experts, and they should have the opportunity to both question and constructively challenge the initial statement to ensure both the need for and the impact of the change are well understood and relevant to the business. There are many reasons for review and challenge – the obligation may already be being met through another mechanism; the associated business volumes may be low and due consideration should be given to ensuring the response is appropriate; or broader business impacts may need to be considered if data and/or processes need to change across multiple functions.
Ultimately, there is a need to determine whether the obligation can be met using existing resources; whether there is a need for assistance (potentially in the form of a dedicated project if the obligations are significant enough); or whether a more fundamental discussion is warranted on alternative approaches to ensure compliance is maintained.