This article is part one of a three-part series written by Deloitte risk leaders, providing insights and practical advice on how organisations can better align the regulatory agenda with broader business goals. You can read part two here, and part three here.
Regulatory compliance by design, an approach aimed at integrating regulatory change, is in many cases proving to be more challenging than anticipated.
The notion of weaving regulatory obligations into the fabric of how technology systems, operational processes and our people work, remains a sound strategy that helps reduce the cost of compliance, create more confidence that obligations are met and reduce the risk of regulatory events.
The concept is now well accepted, but the execution is difficult and the road is proving to be a long and bumpy one. This is leading many stakeholders to ask, “how do we know we are on the right path?”
Having an enterprise-wide regulatory strategy is an imperative
All organisations have a myriad of regulation that must be adhered to as part of doing business, but many are looking at the regulatory agenda in isolation.
Limiting focus to the individual regulation itself (net new, amended or remediated), or as a response to the implementation of technology change, leads to a patchwork quilt of methods, “learn as we go” approaches and downstream reporting regimes – all of which are proving inefficient, costly, and ultimately unsustainable. Those at the forefront of the change are becoming naturally combat weary.
Questions to consider:
- What is the risk appetite for the occurrence of a regulatory event and are we all working towards a consistent north star?
- How is the way we respond to the regulatory agenda across the enterprise repeatable and designed to create sustainable change?
- How are we enabled as an organisation to elicit what’s required so we can invoke a design thinking approach?
Look up from the weeds – understand what really matters
The risk of regulatory non-compliance is not merely the inverse of compliance.
How we go about doing business in a way that is in alignment with our regulatory obligations is what counts. To do this, there is a need to understand in detail which systems, processes and technology support that intent.
Equally, there is a sensible aspiration to reduce the volume of activity, whether it be controls, reporting or post-event examinations, that is designed to provide confidence that regulatory obligations are being effectively managed. This often leads to a desire to rationalise, through aggregation, the volume of controls in place to manage risk events.
Unfortunately, the journey to achieve efficiency through this method is often flawed and the result can be the “sleeping giant” version of a regulatory non-compliance event – one which ultimately awakes in years to come.
Questions to consider:
- How does our risk framework effectively consider the complexities of regulatory risk in a modern and contemporary way?
- How have we obtained a good understanding of the lineage from our regulatory obligations through to our systems, processes, and tools – down to the storage of related records?
- Through that lineage, how have we determined the “what must go rights” to ensure we bake in the regulatory requirements from system inception and design as well as to create opportunities to enable a more sophisticated use of data, tooling, and generative AI?
You must go broad to go narrow. Not doing the detail results merely in the decorative.