Skip to main content

Mastering regulation by design

Effective strategies for success

This article is part two of a three-part series written by Deloitte risk leaders, providing insights and practical advice on how organisations can better align the regulatory agenda with broader business goals. You can read part one here, and part three here.

The concept of weaving regulatory obligations into the fabric of how technology systems, operational processes and people work, is now well accepted. We understand it’s a sound strategy for ensuring confidence that regulatory obligations are met, but organisations want more.

These aspirations typically include:

  • streamlining to enable teams to focus on delivery, increasing productivity
  • creating efficiency by simplifying what really needs to be done, and
  • reducing the cost of compliance by leveraging data and technology-enabled tooling.

The first step to delivering an effective regulatory strategy that withstands scrutiny and the test of time, is to ask: what is the problem we are trying to solve here?

Is it a layer cake you are just eating pieces of?

Many organisations have historically taken an organic approach, reacting to new or amended regulation or events with interventions and changes to the way things are done. This results in layers of overhead and duplication. Programmes are stood up and shutdown and the changes never get bedded into business as usual.

Leading organisations have moved more towards a blueprint approach, where the response to regulatory change is grounded in an enterprise-wide set of protocols, ways of working and iterative design techniques. These combine to form a consistent playbook of “how we do things around here."

Better design techniques are reductive control methods and implementing early warning lead indicators. Applying these close to the action, reduces heavy reliance on manual detective, report-based mechanisms.

The north star should be about appetite, not perfection

Risk frameworks and their comfortable friend, “the risk appetite statement” are typically how organisations manage and monitor risks, including those of a regulatory nature. These frameworks remain largely unchanged in substance and approach for many years. With some organisations using versions that were developed well before the advent of governance, risk and compliance (GRC), or generative AI tooling. The complexity and profile of data and modern supply chain risk can also be ill considered.

Ensuring your regulatory strategy aligns well to an effective and contemporary risk framework is a good place to start making life simpler and help drive the behaviours and techniques needed for success.

Sharpen the skills of risk practitioners.

Leading organisations ensure their regulatory risk practitioners are capable of providing implementation insight. Traditional techniques are proving less effective and there’s a need to refresh the toolkit. Looking in the review mirror to confirm what’s already gone wrong won't suffice in a complex digitally driven world.

Risk professionals need to evolve and position their advice to ensure risk is managed earlier in the value chain.

Ownership, accountability and all things in-between

Accountability for design, implementation and business-as-usual is complex and requires a more sophisticated multi-ownership model. A clear leader-led approach to implementing regulatory change sets the tone for the style and effectiveness of the engineering that lies beneath it.

However, there’s often a natural and appropriate tension between the views of the risk practitioners and the business areas who are ultimately accountable for continuous operation. Identifying a senior business owner to provide sponsorship guidance will support an environment for good business outcomes.

Regulatory programmes may lack glamour, but license to operate is critical

Whether it’s regulatory licence or social licence, getting it wrong creates risk. Making building better business engagement crucial Leaders need to:

  • Elevate the agenda at a board level to secure support for the blueprint
  • Ensure governance regimes are effective -manage scope, resourcing and costs the same as any transformation
  • Leverage the design authority concept to support long term sustainability and integration with other transformation initiatives
  • Respect your teams and don’t treat this activity as “off the side of your desk compliance”
  • Set clear goals and have a concise narrative around what success looks like, including the why”
  • Acknowledge that detailed work takes time and resource with the right capability
  • Emphasise skill development such as analytical thinking, project management and regulatory expertise, but don’t expect that it will just happen without intervention
  • Recognise contribution, reward efficiencies that make the boat go faster and celebrate innovation
  • Showcase where efforts benefit customers, consumers and the public more broadly
  • Be realistic and transparent about what went wrong the last time you tried

Having the courage to course correct is crucial as early intervention will lead to a better outcome.