This is an important topic for every organization, whether public or private, local or global.
It's especially true when you add interpretations by the regulators and courts of existing laws and regulations.
Something that you thought you understood to mean A now appears to mean B.
If you are not up to date on the laws and regulations with which you need to comply, there is a significant potential for harm.
OCEG recently shared an infographic on the topic of Regulatory Change Management. Sponsored and developed by Thomson Reuters, the accompanying article points out that technology exists that can help monitor changes in the regulatory environment that might affect the organization, its risks, and its ability to remain in compliance.
I agree that technology like this can be very useful. But I am not 100 percent convinced that it is sufficient.
If it were up to me, I would develop a map that shows all the areas where laws, regulations, and societal expectations might apply to the enterprise. I add societal expectations because failing to live up to them can be damaging, directly to the organization's reputation and indirectly to its revenue and more.
I would then, for each area, identify how we could ensure we remain up to date, and who is responsible. I would not ignore sources like:
- The external law firms.
- The external auditors.
- Government affairs consultants.
- The management team and other advisors.
But it's not enough for designated individuals to receive notification of changes that might affect the organization.
It's not enough, as implied in the piece, for analysis to be performed at HQ.
The changes and their implications need to be communicated to all potentially affected individuals across the extended enterprise. That population includes not only employees but partners, service providers, and others in the supply chain.
Training may be needed; policies and procedures may need to be updated. As noted by the authors, controls may need to be changed or adapted to the new environment.
It is quite possible that regulatory change may mean that current strategies and objectives need to be changed as well.
This is an important area, one that deserves the attention of both risk practitioners and internal auditors. From time to time, the board might consider asking management to report on its ability to both identify and then respond to regulatory change.
Perhaps you can share sources of information about regulatory change that I have missed, as well as measures that organizations should take to address them.
OCEG is a great source of materials and training. Membership is free!