A couple of years ago, a new term in social media appeared: FOMO, which stands for Fear of Missing Out. This is due to the bombardment of activities and images on social media, which leads some to feel they may be missing out on life, an event or a person by turning away from their screens. On a more serious note, we regularly have clients who express concerns about the fear of missing out on a regulatory change or a proposed change that may impact their business.
It is not easy managing regulatory risk for a large corporation. You need to cover everything from HR regulatory changes to product safety and import regulations – not to mention the environment, health and safety regulations. With rapid change occurring in nearly every country, the regulatory landscape is a vast and uneven one. But there are a few potential solutions.
One solution is law firms that offer newsletters and updates. This can be a good first step, but these updates are rarely comprehensive, as they typically cover only the largest and most significant regulations. Also, a law firm will often specialize in one practice of law, such as HR or Environment. If you ask a law firm to create tailored updates for your team, this can add value, but the costs can very quickly spiral out of control. And, regardless of what a law firm delivers, it is unlikely to be built into an information management system that allows you to conduct follow-up within your organization.
A second option is to do it in-house. You can hire regulatory analysts and subject matter experts who track regulatory change and notify the appropriate people internally. This has the obvious challenges of staffing, turnover and quality control. If you work at a business that is changing rapidly, entering new markets or strung across many jurisdictions, tracking regulatory changes internally can be very challenging. You have the same problem as with lawyers: you need to get this information into a system that is more robust than Excel, Word and email. This requires you to purchase or build some sort of software.
Depending on your business, there are a variety of software options. The financial industry and others often turn to Governance, Risk Management and Compliance software, known as GRC. These platforms allow you to track your internal workflows, set procedures and checks, and potentially load in regulatory requirements. They are designed to help you reduce risk, but mostly financial risk rather than operational risk. Examples include LogicGate, Resolver, RSA Archer, and LogicManager. These platforms tend to be highly flexible and can be a good fit. However, they rarely provide regulatory content, and if they do, it is typically restricted to financial regulatory issues such as Sarbanes-Oxley-type regulations.
For operational risk, you will often turn to environmental, health and safety platforms such as Intelex, VelocityEHS, Enablon, Gensuite or others. SAP, the dominant enterprise resource planning software, also offers EHS modules that help you control some of your EHS risks. However, none of these platforms provide content. You will need to purchase content from a third-party provider such as Nimonik or others. Using an EHS platform can work, but it has some downsides, such as limiting your coverage of regulatory risk to EHS issues and offering limited functionality for delegating tasks to Subject Matter Experts and rolling up regulatory reports.
From what we can tell at Nimonik, there is no easy solution for comprehensive regulatory coverage with one software and content solution. There is one critical element within this challenge that is difficult to solve: the buyers of regulatory data are spread across multiple departments or business units in large organizations. This will often lead to a mix of solutions at a large corporation. We often see a company running a GRC platform, an EHS management platform, a dedicated regulatory update service for EHS and a set of regulatory update services that feed into legal counsel.
In short, we tend to see:
- An environmental regulatory team, often decentralized to the facility level buying local regulatory compliance services
- An HS regulatory team, also decentralized
- A VP EHS who wants centralized data, but has different needs than the facility EHS people and will buy high-level data from providers
- A financial regulatory team, centralized and using a GRC that may include basic financial data
- A product stewardship regulatory team, centralized, but without proper tools and trying to get data from multiple sources
- A product safety team that is centralized, but struggles with any system and tends to monitor government websites
- An HR department that has regulatory services, but is a mix of centralized and decentralized, with update services such as BLR or others
It’s messy! Personally, with this structure, I would be fearful that someone misses something somewhere in some business division!
The Best Path Forward
In the long term, if you want to ensure total compliance across your organization, something needs to change. For multi-site and multi-jurisdiction companies, it will become imperative to centralize your compliance work. Facilities cannot be expected to manage compliance across all the spheres they are subject to (which are basically the same as the central company, but without the resources). A centralized regulatory compliance service is the logical endpoint of this challenge, along with a GRC platform that integrates EHS and other operational risk areas. If you look closely, most GRC platforms have the same functionalities as the EHS platforms. The only difference is their marketing. As an organizational leader, the next ten years may be about trying to get HR, Product people, EHS people and others around a table to implement a comprehensive compliance and risk management program.
Nimonik started in EHS but aims to offer global regulatory coverage. We have expanded our coverage for a number of clients. If you are interested in discussing your compliance challenges or tracking regulations and assuring comprehensive compliance across countries and issues, please get in touch: email@example.com | +1 888-608-7511