Many organizations face frequent and increasing regulatory changes across multiple jurisdictions, domains, and categories. These changes often become a significant source of risk to an organization’s resilience if not managed in a proactive and organized manner. Therefore, it is of vital importance that organizations successfully manage the impact of regulatory changes before they occur and once they take effect.
Impacts Introduced by Regulatory Change
Changes to regulations (or other legislative tools such as codes, standards, and directives) may affect several areas of a business that include:
- Strategy, goals, and objectives outlined in policies,
- Processes, standards, and practices documented in procedure documents,
- Roles, responsibilities, and personnel as part of the organizational structure, and
- Sites, facilities, and equipment structured as assets
These management tools are critical parts of any business and a change coming from the government can impact existing controls, expose latent risk, or introduce new risks to an organization. Each area of impact may have its own change process to address specific risk considerations but will usually follow a risk-based process as outlined below.
Regulatory Change Process
Implementing a regulatory change involves actions and sometimes requires a project to fully incorporate the change into procedures, policies, and other systems. However, regardless of the scope of the change, the first step is always to identify and understand the impacts of a regulatory change.
The identification of impacts is usually done as part of a change process. In highly regulated, high-risk industries this process is called Regulatory Management of Change (MOC) while others simply call it Regulatory Change Management.
To effectively manage regulatory change companies will adopt a risk-based process to identify and address direct and indirect impacts. This process will move a regulatory change through a series of stages where activities are performed by assigned resources often determined by the nature and the areas impacted by the change.
The change process starts with the Initiate step to capture specifics of the regulatory change along with the risk context of the organization. Differences in risk culture will impact the level of rigour required in the subsequent steps of the process which will include planning, approvals, implementation, verification and close out:
- Initiate Regulatory Change
  - Identify regulatory change
  - Identify changed compliance outcomes and objectives
  - Identify risk context
- Assess Impacts
  - Engage stakeholders impacted by the change
  - Conduct impact analysis (policy, organizational, procedure, asset)
  - Identify change objectives (what you intend to implement)
  - Conduct risk assessment
- Plan Implementation
  - Create implementation plan (technical changes)
  - Create transition plan (changes to behaviour, culture, values, etc.)
  - Create stakeholder communication plan
  - Identify necessary approvals
- Approve Implementation
  - Obtain necessary approvals to proceed with implementation of regulatory change
- Implement Regulatory Change
  - Execute plans
  - Notify stakeholders
  - Conduct necessary training and qualification
- Verify Regulatory Change
  - Verify training and change objectives are met
  - Verify that it is safe to restart changed process or use changed product
  - Validate compliance outcomes
- Close Regulatory Change
  - Capture lessons learned
  - Communicate to stakeholders
  - Update documents, records, and systems
The purpose of following this process is to increase the probability for changes to be implemented successfully with minimal risk to the organization. Each change will go through the same stages, but the level of rigour will differ based on the level of risk introduced by the change itself.
For example, low-risk changes may be fast-tracked and use prescribed risk-adjusted procedures, while higher-risk changes may involve a more comprehensive assessment and implementation. In all cases, each change is tracked and monitored so a company will always know the status of its overall operational and compliance risk.
Benefits of Using a Regulatory Change Process
The benefits of using a regulatory change process that is risk-based are many and include:
- Increased visibility of risk
- Improved stakeholder notification and communication
- Standardized approach to treating risk
- Coordination of timing to reduce overall disruption
- Greater alignment with business strategy and goals
- Opportunity for process improvement through the capturing of lessons learned
The most important benefit, of course, is the increased certainty that the impacts of regulatory changes are not a significant source of risk for the business.
To learn more about how Nimonik can help your organization manage regulatory change please contact us.