Hello everybody! A slightly belated Happy New Year to you all. With 2012 barely behind us, 2013 is already shaping up to be a very busy and exciting year for us as we race ahead with new product innovations and thought leadership. RSA recently sponsored a series of roundtable webcasts, and I had the pleasure of participating as one of the panelists. Our moderator was Michael Rasmussen, noted GRC pundit and a member of the Leadership Council of OCEG, the Open Compliance and Ethics Group. The focus of our discussions centered on the different stages of an organizational policy management program. Leading up to the discussions, we helped to create a series of illustrations that were featured over several articles published in Compliance Week.
Over the next few posts I’ll recap these discussions and share some insights. One of the areas of focus was tracking changes that affect policies. Shifting regulatory landscapes, third-party relationships, business climate changes such as expanding into emerging markets or M&A, all serve to influence and impact organizational risk and policy. How do we detect and manage this swarm of change and measure the potential impact? What are the best ways to demonstrate diligence and manage risk? How do we ensure organizational policies remain aligned?
During the webcasts our audience was polled on how their organizations kept up with changes that could impact policy. This is one of the toughest challenges that companies face. Not only is the global regulatory environment a growing burden, but the ability to demonstrate consistent and timely diligence can itself be a burden. One of the most revealing statistics our audience reported was that over 80% of them used email and ad-hoc, fly-by-the-seat-of-the-pants approaches as their primary means of keeping pace. Perhaps that’s why Gartner reported regulatory uncertainty as the top risk identified in a recent global CEO study. So where do we begin to gain a solid foothold on the problem?
Whether it’s legal and regulatory influencers or changes in business direction, the first step is to establish clear ownership of the process. Today this role may live in the legal department, or it may simply be thrown out to the business. Recognizing this as a core enterprise process is the first step; building a cross-functional team to own the methods the organization uses to keep track of regulatory changes is the imperative that follows.
Secondly, there are several commercial “watchdog” services available that can monitor and report on changes to regulations and a variety of other sources. These services may also bundle legal opinions and advice with certain subscriptions, which can help their customers gauge the initial impact. There are a number of free options available as well. In the US, for instance, nearly every major government agency provides RSS feeds to report its activities, including notices and proposed rule changes. Aggregation sites like Justia.com also provide consolidated RSS feeds for most of the Federal Register.
Whether using a commercial service, tapping into free resources, or both, receiving alerts is only half the battle. What do you do with the information? How organizations respond to these changes will determine whether they remain compliant, and the ability to document the impact is critical. The key is the ability to filter down to the business-critical items and put them through a consistent process of review, impact analysis, and action. This can’t just be a thread of emails bouncing around the organization. It needs to be a defined process with a clear documentation trail, not only to remain organized but also to demonstrate proper diligence around the process. Next time we’ll explore the impact of internal changes and the elements of review workflow and response. Until then, all my best for 2013!