How do compliance teams measure and monitor compliance as regulations change?
Measuring change in the regulations and laws affecting your organization is critical when determining your compliance risk profile. One key facet is the creation, management and monitoring of metrics. By utilizing metrics, compliance departments can report what they are doing and how effective their compliance activities are in addressing regulatory change.
Risk and compliance metrics typically come in three forms:
- Key Performance Indicators (KPIs)
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)
What’s the difference between a KPI, KRI and KCI?
Each of these indicators may stand alone or correlate with one another. For example, when these metrics are organized from a regulatory perspective, a KPI may measure how well a company is complying with applicable laws and regulations.
KRIs are a natural extension of a KPI, where the organization wants to know how the most significant risks are affecting its ability to be in conformance.
KCIs measure how effective the controls are for each risk. These measures tie to the organization’s risk appetite and tolerance levels, which are frequently very conservative, with no tolerance for non-compliance.
Delving deeper into regulatory change metrics, there is an impetus to define the relevance of each regulation and law to your organization and to the business areas in which you operate. This extends to your vendors and partners as well. Establishing relevance can be complicated given variables such as the organization’s size, geographic footprint, regulator, industry, and business model.
To operationalize this, regulatory change should be an explicit part of the compliance framework and reporting process. Management must be cognizant of what changes are possible, how they may affect your business, and how they will be implemented. Illustrative measures may include:
- Number of possible, relevant changes
- Number of incoming notifications per geography, type, regulator, etc.
- Number of applicable notifications
- Percentage of processes impacted
- Strategic objectives influenced
- Number of dispensations/waivers
- Overview of assessments
- Action plans outstanding
How do you manage the multiple variables involved in regulatory changes?
To implement and sustain regulatory changes efficiently while maintaining compliance, organizations frequently turn to GRC software. One way in which the software can support regulatory change management is by monitoring metrics, tracking changes in measures, and analyzing trends.
Moreover, software can take information from internal and external data sources (such as information from regulatory agencies themselves, vendors, consultancies, law firms, etc.) and automatically bring that data into the software to populate a metric, rather than relying on manual data entry.
For example, analyzing enforcement notices can provide valuable insights that allow companies to focus resources on high-priority areas. Over time, these metrics can also show how well, or how poorly, the organization is implementing and managing a changed regulation. In addition, this helps compliance teams create visibility around their output, substantiate requests for additional capacity if required, and manage resources efficiently.
Coupled with other risk information, regulatory change metrics can provide insight into the details of the compliance risk and control environment. Presented well, they give confidence to the board, executives, and regulators alike that applicable regulatory changes are actively being addressed.
Where do you get started? Check out SAI360’s Buyer’s Guide to Regulatory Change Management Technology.