Many of the world’s largest and most important systems have extremely high social or economic costs of failure. To protect public safety, these systems are often subject to extensive regulatory compliance requirements. Additionally, many enterprises are subject to other government regulations that require similar attention and audits to ensure compliance.
In Agile development, effective compliance management means applying Lean-Agile methods to build systems that have the highest possible quality, while simultaneously assuring they meet any regulatory, industry, or other relevant standards and remain “audit ready.”
Three capabilities – Governance, Risk Management and Compliance, or “GRC” – are the pillars organizations use to support audit-readiness. Regardless of a company’s industry or size, GRC capabilities can be difficult to implement and require experienced resources and well-defined processes. Large organizations face the added complexity of having many stakeholders, multi-jurisdictional global structures, and complicated legal requirements. At the same time, smaller companies face the same levels of regulatory compliance demands, but often with fewer resources and less experienced teams.
We’re witnessing an overwhelming shift in the GRC landscape, with rapidly evolving regulatory environments and organizations being under increased pressure to deliver customer value quickly and regularly.
The vast majority of organizations are currently managing risk and compliance in an ad-hoc, siloed fashion, with reactive tendencies and little to no sharing of data intelligence across business segments. Low-impact regulations are receiving the same attention as their high-impact counterparts, resulting in the diversion of expensive legal resources away from higher priority action-items.
All types of businesses are regulated to ensure that certain standards are met and that people are not harmed – or that if they are, there is legal recourse. But some industries tend to be more highly regulated than others, and some are so new that regulators are just starting to figure out what to do.
If your business operates in any of the following sectors, regulatory compliance should be one of your top priorities as a manager. Keep in mind, however, that this is not even close to an exhaustive list. If you’re curious about the regulatory environment for your industry, there’s no substitute for professional counsel.
The most regulated industries are typically ones that have the deepest impact on people’s lives and could cause the most potential harm.
Healthcare – It should probably come as no surprise that health care is the most regulated industry of them all. Its practitioners poke and prod us, test and prescribe, and help to prolong and save lives. Given the important role of healthcare practitioners and their work, their industry is understandably overseen quite carefully and subject to much regulation.
Banking and Financial Services – Not quite as personal as our bodies and physical health, but close, are our finances. People who handle money and invest it on behalf of others are also supposed to be under intense regulatory scrutiny and to follow the numerous rules set out for them in the law. But some would say we need even more financial and banking industry regulation in light of problems exposed in the markets in the economic downturn and the failure of recent reforms to adequately address the conditions that led to it.
Outside of these highly-regulated industries, the organizations and sectors that are subject to regulatory compliance requirements are still quite broad. Enterprises in almost every sector are subject to regulations on their financial, environmental, taxation, and information-handling activities, and for businesses operating in these areas, failure to become and stay compliant can have serious consequences.
Falling short of compliance requirements means these companies could face serious financial penalties and/or harm to their reputation, partnerships, or market-share.
Business leaders increasingly understand the importance of staying on top of regulatory compliance requirements. A survey of 400 US CEOs found that regulatory compliance tops the list of issues that can have the biggest impact on the way forward.
In a regulatory compliance environment, stakes are high. Ineffective compliance requirements can put a project and an entire organization at financial and legal risk.
The most successful regulated companies iterate quickly by adopting technologies allowing them to become more Agile and innovative.
The most highly-regulated sectors have to continually pivot to comply with evolving compliance requirements. As the regulatory environment becomes more demanding and complex in terms of the actual regulations being enforced, it is also becoming increasingly complex in terms of the required reporting structure and the time-frame in which compliance must be proven.
Data protection legislation and regulatory enforcement actions are rapidly changing throughout the world and are having an immediate impact on how organizations globally approach cybersecurity, privacy, breach notification and data storage and protection.
All sectors, but particularly healthcare and financial services, have recently faced growing compliance requirements around the handling of people’s personal information. Considering that in many cases, this information is routinely processed and handled by bots, every time there's a regulatory change, the RPA (Robotic Process Automation) maintenance adds a level of complexity and overhead that is a challenge to manage. For the organizations that don't have a strong RPA compliance audit infrastructure that facilitates the ability to analyze change quickly and easily, the effort and complexity increase exponentially.
The General Data Protection Regulation (GDPR) that was recently enacted in Europe is just one example. This regulation applies not only to organizations based in Europe, but to any organization that markets to, does business with, or otherwise interacts with the personal data of consumers who live in the EU.
Compliance regulations have also added complexity to requirements for reporting around compliance.
Using finance as an example, the European Banking Authority (EBA) has been mandated to set up uniform reporting requirements for all banks in the EU, under a regulation called ‘ITS on supervisory reporting’ (Implementing Technical Standards on supervisory reporting). These requirements present a considerable additional burden on top of the already demanding data and systems needed to be compliant with the International Financial Reporting Standards (IFRS). The good news, though, is that these requirements should ensure a full harmonization of prudential reporting requirements among banks within the EU.
One important additional source of difficulty for financial institutions is the fact that these reporting requirements are ever changing.
In December 2013, the EBA published a final draft of Technical Standards on metrics for monitoring additional liquidity. Every year since then, they have issued updates and revisions on these standards. And insurance companies face the same obstacle: the EIOPA plans the release of one reporting taxonomy per year. It is therefore essential for both banks and insurers to always make sure that they are up-to-date on the latest revisions of data reporting requirements.
And while the reporting requirements have grown, the timelines have shortened. As an illustration, BCBS 239 is a standard set by the Basel Committee for Banking Supervision that has imposed strong constraints on the capacity of banks to aggregate risk data. On a rather short timeline (3 years between 2013 and 2016), banks had to adapt their governance systems, IT infrastructures, reporting tools and internal control mechanisms to make sure they comply with these principles.
Risk leaders anticipate further regulatory changes and continued supervisory pressure, where any failure to properly demonstrate a compliant solution can result in massive regulatory and reputational risk. With no compromise on data and reporting quality standards, these compliance requirements call for a cultural transformation with heavy implications for risk and finance data and technology.
Growing regulatory compliance demands come at a cost. Every year, more than $100 billion is spent on compliance functions. In the financial services industry alone, over 180 regulations are introduced or changed every day. Financial institutions spend approximately 40 to 60 percent of their transformation budget on regulatory compliance, and over 50 percent of their new hires are compliance professionals.
Additionally, the cost of compliance is expected to double in the next five years. As such, regulated companies and regulators are looking for cost-effective ways to manage the complex regulatory challenges that are impacting their compliance, legal, finance, technology and operational units.
Creating effective requirements for software development is always a challenge. In a regulated sector, however, it can be especially demanding.
For Business Analysts (BAs) and Product Owners, it’s important to get compliance requirements right. BAs and product owners must be able to analyze the full impact of regulatory change, defining compliance requirements in a way that developers and testers can interpret accurately.
Of course, there are challenges to developing effective requirements in a way that ensures regulatory compliance. Some of the most common challenges include:
Compliance management requires collaboration across multiple teams. While large organizations have the added difficulty of coordinating disparate teams working from multiple locations, even organizations with co-located teams tend to manage risk and compliance in an ad-hoc, siloed fashion, with reactive tendencies and no sharing of data intelligence across business units.
Many organizations have data that exists in silos and requires greater standardization in terms of:
Additionally, data validation is a major issue for many organizations. They need to have the ability to collect, organize, and manage all required evidence and then trace back the final reporting information to its origin and regulatory interpretations to prove compliance.
Even in a digital marketplace, too many companies still rely on spreadsheets, word processing documents, and emails to manage their compliance requirements. This heavy dependence on manual methods is slow and error-prone, and as the compliance requirements grow, manual processes become increasingly ineffective.
Across different sectors of the organization, risk, compliance, operational regulations and threat regulations are managed by disparate programs and resources, creating misalignment and opening the organization up to even greater risk. Without a centrally managed system of risk and compliance, business leaders do not have complete oversight of critical business and information risks, and critical business decisions suffer as a result.
Today’s business is global, and organizations that operate in multiple geographies have the added complexity of ensuring compliance with the regulatory standards set by different regulators across jurisdictions. Consider the European Union (EU) General Data Protection Regulation (GDPR). Even if your organization is not located in the EU, do you collect personal information from EU citizens, even an email address? If so, you are captured by the GDPR and must comply with its rules.
When you consider large organizations with diverse, distributed systems and numerous regulations, the complexity of managing compliance increases exponentially.
Going forward, there needs to be a smart, comprehensive solution to managing the compliance requirements today’s companies are facing. The solutions must be fast, flexible, collaborative and responsive.
Although tighter compliance regulations are challenging organizations in a variety of ways, those who adapt best may enjoy a distinct competitive advantage.