Remediation
How to keep
pace with regulatory change

Following my previous blog on the critical success factors of running a remediation programme, many have commented that remediation has now become a permanent feature for Financial Institutions. The rate of regulatory change is so high, that there is now a constant cycle of ‘remediation – delayed implementation – remediation‘.  This leads to a key question, how do organisations keep pace with regulatory change and manage requirements efficiently?

Governance is key

The first thing successful organisations have is a clear governance structure – a process through which any new change is assessed. Critically this governance structure will define the roles and responsibilities associated with assessing future regulatory changes:

Horizon scan

The majority of organisations have some form of ‘horizon scanning’ in place. There is a range of technology solutions in this space that, when implemented well, can reduce the manual workload of identifying which regulatory updates impact areas of interest for your business. Regardless of the tool you choose for monitoring new changes, be sure to have a mechanism to capture and communicate these to your nominated teams.

Note. Many of the horizon scanning tools will allow for requirements tracking through a built in workflow, however, basic tooling that many organisations already have in house (e.g. JIRA/confluence type platforms) are more than sufficient to ensure individual items are addressed and tracked.

Initial business impact assessment

Organisations that have a good understanding of the likely impact of upcoming regulatory changes, also have a nominated team (ideally not just one individual to avoid key person dependencies) with a broad understanding of the business activities and operational environment. They do not need to be experts in every detail but hold enough information to assess the impact of change across functions. It is their job to outline (& track) a high-level business requirement statement, assigning this to the relevant function or identified project team: “There is an obligation to do x [by y date].”

Note. Depending on the complexity of the obligation, there may be a need to engage legal or other teams to gain an early indication of the potential impact to help guide this initial statement.

Functional (project) review and constructive challenge

On receipt of a high-level business requirement statement, it is the job of the receiving function to review, prioritise and ultimately respond to the request.  Try to keep this separate from the team setting the initial objective, otherwise there is a risk of ‘marking your own homework’.

The function must assess the request in detail, reviewing the regulatory text or advice. These should be the subject matter experts and they should have the opportunity to both question and constructively challenge the initial statement to ensure both the need and impact of the change is well understood and relevant to the business. There are many reasons for review and challenge – the obligation may already be being met through another mechanism; the associated business volumes may be low and due consideration should be given to ensuring the response is appropriate; or broader business impacts may need to be considered if data and/or processes need to change across multiple functions.

Ultimately there is a need to determine whether the obligation can be met using existing resources – if there is a need for assistance (potentially in the form of a dedicated project if the obligations are significant enough); or whether a more fundamental discussion is warranted on alternative approaches to ensure compliance is maintained.

Thoughtful implementation

With the initial assessment of new obligations being covered, the question now turns to how to approach implementation of the required changes.

  1. Prioritise (& think carefully before changing course)

Prioritisation is an obvious step when fitting regulatory change into a broader book of work, just remember to focus on when the requirement must be delivered, and not just when the obligation comes into force. Some obligations will be required ‘day 1’, others (provided the relevant data is maintained and available) may not need to be delivered until the end of the month/quarter/year – that can provide an element of relief if multiple obligations come into force at the same time.

Once a delivery is in flight, think carefully about changing course and adjusting priorities. It can often result in a significant amount of lost time if team members need to change course and refocus mid delivery. Working with our clients, we have helped teams define a ‘delivery locked’ milestone – this helps to minimise ‘dead time’ switching between priorities, and ultimately leads to increased productive effort. While not always practical, careful consideration of re-prioritisation after a certain point can minimise the overall backlog – sacrificing one delivery could mean a wider range of priorities are delivered on schedule.

  1. Deliver big changes in multiple small packages

For overall regulatory prioritisation, a long-term roadmap is key, and the further ahead that can be documented the better. For individual deliveries though, smaller targeted releases are often advantageous. While not necessarily advocating Agile as a framework (that’s a wider discussion for another post), small individual deliveries can assist where priorities are frequently changing. Although this does create the overhead of having to track multiple inter-related deliveries, it is often more than offset by the benefit of being able to tweak requirements as further clarity is inevitably obtained throughout the delivery lifecycle.

  1. Where else is there an impact?

Delivery of regulatory change must often be completed under tight timeframes and it is not just the primary function that is impacted. How is the input information being provided? Who will be using the output? Are any checks and controls impacted by the change? The obvious objective will be to meet the immediate requirement, however, the need to consider the broader regulatory control environment is essential. Ideally this is handled by a business architect with oversight of the entire regulatory environment. Depending on the specific setup, be careful handing this responsibility to Technology teams if they do not have a clear obligation to provide a holistic business judgement.

Controls in place 

Delivering functionality to meet specific regulatory obligations will always be the primary objective, however, demonstrating robust control will always be of paramount importance.

  1. Ensure robust controls are an essential element of every change

Inevitably once a regulatory requirement has been delivered the question will not be whether a particular requirement is being met, but how can the accuracy and completeness be demonstrated? For some obligations this will be straightforward, for others detailed complex data reconciliations may be required. It is here that a carefully considered quantitative approach is needed. How can the relevant data be surfaced, and from where? What does the data imply in a business context? How can that be synthesised to convey an actionable insight to the user?

Bringing together business data in a coherent manner to provide management insight and intelligence is often one of the most compelling internal benefits in delivering a regulatory change programme. Further, it will help stave off future remediations, reducing future workload and consequently helping organisations to keep on top of their regulatory change programme.

  1. Consider how each part of the process can be simplified and automated

Regulatory change is neither slowing nor receding. Even though regulators continue to review the applicability and benefit of some requirements, the pace of new additions far outstrips any retirements.

This pace of regulatory change has resulted in many organisations implementing manual processes, however, this model is unsustainable going forwards. Organisations must look to simplify and automate these processes where possible. While this requires an upfront investment, the benefit of removing key person dependencies, achieving efficiencies and improving control, provides the basis for a strong business case. Many organisations are now placing significant focus in this area.

The implementation of regulatory change is seen by many financial institutions as simply a cost of doing business. Facing the reality that continual regulatory change is here to stay provides the organisations with an opportunity to modernise their operations, consolidate disparate data sets and automate their processes. This will enable them to gain greater control, increase insight into their businesses and use the mandated changes as a learning environment to assist with the adoption of digitisation technologies in other areas of the business.

Beyond has extensive experience working with clients to simplify their processes across client onboarding, (regulatory) operations and compliance – especially in response to regulatory change. We help clients introduce new approaches and technologies, tailored to their needs, which both meet their mandatory obligations while also delivering quantifiable benefits such as efficiencies, increased control and enhanced client experience within their businesses. Interested to know more? We’d be happy to discuss our experiences and your business challenges in more detail.

 

This blog first appeared on Financial IT on 10th March 2021.

Read More