Regulatory Compliance in Agile

Many of the world’s largest and most important systems have extremely high social or economic costs of failure. To protect public safety, these systems are often subject to extensive regulatory compliance requirements. Additionally, many enterprises are subject to other government regulations that require similar attention and audits to ensure compliance.

In Agile development, effective compliance management means applying Lean-Agile methods to build systems that have the highest possible quality, while simultaneously assuring they meet any regulatory, industry, or other relevant standards and remain “audit ready.”

Three capabilities – Governance, Risk Management and Compliance, or “GRC” – are the pillars organizations use to support audit-readiness. Regardless of a company’s industry or size, GRC capabilities can be difficult to implement and require experienced resources and well-defined processes. Large organizations face the added complexity of having many stakeholders, multi-jurisdictional global structures, and complicated legal requirements. At the same time, smaller companies face the same levels of regulatory compliance demands, but often with fewer resources and less experienced teams.

The Current GRC Environment

We’re witnessing an overwhelming shift in the GRC landscape, with rapidly evolving regulatory environments and organizations being under increased pressure to deliver customer value quickly and regularly.

Greatest Changes to the GRC Environment:

  • Over 180 financial regulations introduced or changed every day
  • Increases in compliance staff accounting for 50% of new hires in financial institutions
  • The speed of compliance requirements compressing from months to days

The vast majority of organizations are currently managing risk and compliance in an ad-hoc, siloed fashion, with reactive tendencies and little to no sharing of data intelligence across business segments. Low-impact regulations are receiving the same attention as their high-impact counterparts, resulting in the diversion of expensive legal resources away from higher priority action-items.

What Industries are Most Regulated?

All types of businesses are regulated to ensure that certain standards are met and that people are not harmed – or that if they are, there is legal recourse. But some industries tend to be more highly regulated than others, and some are so new that regulators are just starting to figure out what to do.

If your business operates in any of the following sectors, regulatory compliance should be one of your top priorities as a manager. Keep in mind, however, that this is not even close to an exhaustive list. If you’re curious about the regulatory environment for your industry, there’s no substitute for professional counsel.

The most regulated industries are typically ones that have the deepest impact on people’s lives and could cause the most potential harm.

Two industries that are subject to the greatest number of compliance regulations:

Healthcare – It should probably come as no surprise that health care is the most regulated industry of them all. Its practitioners poke and prod us, test and prescribe, and help to prolong and save lives. Given the important role of healthcare practitioners and their work, their industry is understandably overseen quite carefully and subject to much regulation.

Banking and Financial Services – Our finances are not quite as personal as our bodies and physical health, but they come close. People who handle money and invest it on behalf of others are also supposed to be under intense regulatory scrutiny and to follow the numerous rules set out for them in the law. But some would say we need even more financial and banking industry regulation in light of the problems exposed in the markets during the economic downturn and the failure of recent reforms to adequately address the conditions that led to it.

Other prominent sectors that are subject to extensive compliance requirements include:

  • Medical Device Manufacturers
  • Automobile Manufacturers
  • Aerospace and Defence Firms
  • Energy and Power Generation
  • Telecommunications

Outside of these highly-regulated industries, the organizations and sectors that are subject to regulatory compliance requirements are still quite broad. Enterprises in almost every sector are subject to regulations on their financial, environmental, taxation, and information-handling activities, and for businesses operating in these areas, failure to become and stay compliant can have serious consequences.

Falling short of compliance requirements means these companies could face serious financial penalties and/or harm to their reputation, partnerships, or market-share.

Challenges in Managing Risk and Compliance

Business leaders increasingly understand the importance of staying on top of regulatory compliance requirements. A survey of 400 US CEOs found that regulatory compliance tops the list of issues that can have the biggest impact on the way forward.

In a regulatory compliance environment, stakes are high. Ineffective compliance requirements can put a project and an entire organization at financial and legal risk.

The most successful regulated companies iterate quickly by adopting technologies allowing them to become more Agile and innovative.

External Challenges – The Changing Regulatory Environment

The most highly-regulated sectors have to continually pivot to comply with evolving compliance requirements. As the regulatory environment becomes more demanding and complex in terms of the actual regulations being enforced, it is also becoming increasingly complex in terms of the reporting structure and time-frame required to prove compliance.

Stricter Regulations on Consumer Data

Data protection legislation and regulatory enforcement actions are rapidly changing throughout the world and are having an immediate impact on how organizations globally approach cybersecurity, privacy, breach notification and data storage and protection.

All sectors, but particularly healthcare and financial services, have recently faced growing compliance requirements around the handling of people’s personal information. The General Data Protection Regulation (GDPR) that was recently enacted in Europe is just one example. This regulation applies not only to organizations based in Europe, but to any organization that markets to, does business with, or otherwise interacts with the personal data of consumers who live in the EU.

Stricter Reporting Requirements

Compliance regulations have also added complexity to requirements for reporting around compliance.

Using finance as an example, the European Banking Authority (EBA) has been mandated to set up uniform reporting requirements for all banks in the EU, under a regulation called ‘ITS on supervisory reporting’ (Implementing Technical Standards on supervisory reporting). These requirements add a considerable burden on top of the already demanding data and systems needed to comply with the International Financial Reporting Standards (IFRS). The good news, though, is that these requirements should ensure full harmonization of prudential reporting requirements among banks within the EU.

One important additional source of difficulty for financial institutions is the fact that these reporting requirements are ever changing.

In December 2013, the EBA published a final draft of Technical Standards on metrics for monitoring additional liquidity. Every year since then, it has issued updates and revisions to these standards. Insurance companies face the same obstacle: EIOPA plans the release of one reporting taxonomy per year. It is therefore essential for both banks and insurers to make sure they are always up-to-date on the latest revisions of the data reporting requirements.

Shorter Timelines to Prove Compliance

And while the reporting requirements have grown, the timelines have shortened. As an illustration, BCBS 239 is a standard set by the Basel Committee for Banking Supervision that has imposed strong constraints on the capacity of banks to aggregate risk data. On a rather short timeline (3 years between 2013 and 2016), banks had to adapt their governance systems, IT infrastructures, reporting tools and internal control mechanisms to make sure they comply with these principles.

Risk leaders anticipate further regulatory changes and continued supervisory pressure, where any failure to properly demonstrate a compliant solution can result in massive regulatory and reputational risk. With no compromise on data and reporting quality standards, these compliance requirements call for a cultural transformation with heavy implications for risk and finance data and technology.

Growing Costs of Regulatory Compliance

Growing regulatory compliance demands come at a cost. Every year, more than $100 billion is spent on compliance functions. In the financial services industry alone, over 180 regulations are introduced or changed every day. Financial institutions spend approximately 40 to 60 percent of their transformation budget on regulatory compliance, and over 50 percent of their new hires are compliance professionals.

Additionally, the cost of compliance is expected to double in the next five years. As such, regulated companies and regulators are looking for cost-effective ways to manage the complex regulatory challenges that are impacting their compliance, legal, finance, technology and operational units.

Internal Challenges – Software Projects in a Regulated Environment

Creating effective requirements for software development is always a challenge. In a regulated sector, however, it can be especially demanding.

For Business Analysts (BAs) and Product Owners, it’s important to get compliance requirements right. BAs and product owners must be able to analyze the full impact of regulatory change, defining compliance requirements in a way that developers and testers can interpret them accurately.

Of course, there are challenges to developing effective requirements in a way that ensures regulatory compliance. Some of the most common challenges include: 

Fragmented Teams

Compliance management requires collaboration across multiple teams. While large organizations have the added difficulty of coordinating disparate teams working from multiple locations, even organizations with co-located teams tend to manage risk and compliance in an ad-hoc, siloed fashion, with reactive tendencies and no sharing of data intelligence across business units.

Poor Data Governance

Many organizations have data that exists in silos and requires greater standardization in terms of:

  • Granularity: Maintaining and managing the desired granularity of data to the level of transaction, customer, product, region, cost center, etc.
  • Quality: Poor data quality poses a big challenge for accuracy in processing and reporting. Data integrity is at significant risk where data quality frameworks are insufficient or ineffective.
  • Consistency: Inconsistency in data hampers an organization’s ability to consolidate and present reporting figures.
  • Completeness: Reconciliations and adjustments need to be done downstream to bring about completeness, which can significantly increase the time required for compliance.

Additionally, data validation is a major issue for many organizations. They need to have the ability to collect, organize, and manage all required evidence and then trace back the final reporting information to its origin and regulatory interpretations to prove compliance.

Lack of Compliance Management Tools

Even in a digital marketplace, too many companies still rely on spreadsheets, word processing documents, and emails to manage their compliance requirements. This heavy dependence on manual methods is slow and error-prone, and as the compliance requirements grow, manual processes become increasingly ineffective.

Multiple GRC and Risk Management Systems

Across different sectors of the organization, risk, compliance, operational regulations and threat regulations are managed by disparate programs and resources, creating misalignment and opening the organization up to even greater risk. Without a centrally managed system of risk and compliance, business leaders do not have complete oversight of critical business and information risks, and critical business decisions suffer as a result.

Overlapping Jurisdiction

Today’s business is global, and organizations that operate in multiple geographies have the added complexity of ensuring compliance with the regulatory standards set by different regulators across those jurisdictions. Consider the European Union (EU) General Data Protection Regulation (GDPR). Even if your organization is not located in the EU, do you collect personal information from EU citizens, even an email address? If so, you are captured by the GDPR and must comply with its rules.

When you consider large organizations with diverse, distributed systems and numerous regulations, the complexity of managing compliance increases exponentially.

Poor Compliance Management Leads To:

  • Increased GRC and regulatory change management costs
  • Failed compliance audits
  • Greater inaccuracy
  • Missed enactment dates
  • Higher penalties and fines
  • Slow and labor-intensive processes

Going forward, there needs to be a smart, comprehensive solution to managing the compliance requirements today’s companies are facing. The solutions must be fast, flexible, collaborative and responsive.

Although tighter compliance regulations are challenging organizations in a variety of ways, those who adapt best may enjoy a distinct competitive advantage.