Reframing Regulatory Change: Adapting to Win Download By Carol Beaumier and Bernadine Reese Why it matters: Regulatory change in the financial industry is constant. Financial institutions stand to benefit in multiple ways if they decide to be proactive.Big picture: Regulations continue to expand in number and scope, driven by a variety of sources. As a result, the industry must deal with regulatory change on an ongoing basis. Some companies take an ‘adapting to win’ approach, which benefits not just how they manage regulations (and regulators) but their systems, controls and processes.Call to action: We itemise a list of steps for preparing and addressing change, including impact assessment frameworks, implementation strategies, change management procedures, and more. Download Topics Internal Audit and Corporate Governance Risk Management and Regulatory Compliance Regulatory change is endemic to the financial services industry. Whether prompted by industry crises, political and legislative goals, customer needs or demands, world events, or technological innovation, the changes keep coming and seem more far-reaching and complex than ever. Financial institutions can choose the way they manage regulatory change. They can choose to “adapt to cope or adapt to win."[1]At the risk (but not with the intent) of insulting CEOs and board members of financial institutions, we believe it’s important to call out a problem that has faced the financial services industry for a long time: wavering support for the compliance function. No, it doesn’t happen in all institutions, but it does happen in too many. And it needs to change for the good of the industry.Understanding the breadth of changeIn 2022, the number of global regulatory change events, as reported by Thomson Reuters Regulatory Intelligence, was 61,228 or an average of 234 per day.[2] The nature of regulations has continued to expand and evolve from traditional areas of compliance such as consumer and market protection, privacy, financial crime compliance, and safety and soundness issues to broader risk mandates [3] including environmental, social and governance issues, conduct and culture, and the challenges posed by emerging technology. While the applicability and implementation challenges of these changes vary significantly across the financial services industry, even dealing with a small number may overwhelm already stretched compliance departments and other financial institution partners critical to the implementation process.Also, it’s important to remember that regulatory change is not only driven by new regulatory developments. It can have many sources including changes in an organisation’s regulatory obligations (e.g., a merger/acquisition or entry into a new market), third-party impacts, industry or shareholder pressure, or emerging areas of concern in regulatory enforcement actions.Even modifications to the way regulators do their jobs can require financial institutions to make changes. The trend toward data-driven supervision, for example, is resulting in increased regulator demand for data, often in real time, and means that regulators are performing continuous monitoring of an institution’s activity rather than performing sample reviews as they may have done traditionally during onsite examinations. This requires a financial institution to ensure that its data management practices (including collection, storage, protection, usage and destruction of data) measure up to regulator expectations. It may also necessitate additional investment in technology to ensure that a financial institution can respond to the regulatory demands and be able to self-analyse the data it is returning to regulators in order to consider proactively any follow-up action that may be required.Embracing changeYou can’t argue with more than 2,500 years of wisdom: “Change is constant.” [4] But, “the pace of change in financial services, coupled as it is with significant change in our external environment … is making change in the present feel very different from change in the past.” [5] From technological innovation, rising consumer and market expectations which are often fueled real time by social media, to climate concerns and shifts in the world order, change is all around us. Such change inevitably leads lawmakers and regulators to move to manage these risks either by introducing new requirements or attempting to adapt existing requirements to new circumstances. As a result, the industry must deal with regulatory change on an ongoing basis.Adapting to CopeAdapting to WinReactiveAnticipatoryDepends on heroicsFormal governance structureAd hoc methodologyDefined methodologyNarrow lens – just get it doneWide lens – consider opportunities for innovationOverreliance on third parties to effect changeProactive management of needed third-party changesResults in an additive processIntegrated into/leverages existing processesNo formal oversight of implementationReal-time reporting on change risk statusPredominantly manualTechnology-enabled Some companies – those that are focused on “adapting to win” – see regulatory change as an opportunity to improve their systems and controls, to integrate and streamline existing processes, and to generate business or strategic advantages, such as improved customer service. These companies may also embrace change as an opportunity to introduce “best practice” regulatory controls globally and take advantage of technology innovations to implement the required regulatory changes.For other companies, regulatory change is solely an obligation. It is a tick-the-box exercise predicated on minimum effort and cost. This approach often results in a piecemeal “patch” to an existing process without addressing the wider implications. Not only does this “adapt to cope” approach fail to consider potential business benefits, but in the long term it often results in a significantly higher cost of compliance, and a higher likelihood of non-compliance and regulatory fines stemming from the challenges of dealing with a complex, fragmented and confusing control framework. It can also result in higher staff turnover as team members are demotivated by constant rounds of regulatory remediation to deal with changes that were not made effectively or were too narrowly defined. This can create further risks as corporate memory of why a change was made in a certain way fades. An “adapt to cope” approach also frequently results in a slower response to significant change or regulatory interventions. This, in turn, can result in the regulator losing patience and taking enforcement action.The choice seems clear: the advantages of adapting to win far outweigh those of adapting to cope. But that does not mean it is easy. Even institutions that think they are positioned to adapt to win do not always succeed. Many organisations underestimate the scale of regulatory change because they have defined it too narrowly. When you account for the many internal and external factors impacting regulatory change, the true challenges facing organisations become clearer and considerably larger. Thomas Giltrow, Managing Director, Regulatory Practice Lead, Protiviti Preparing for and addressing changeInstitutions that are focused on adapting to win eschew ad hoc responses to regulatory change in favor of a structured, systemic process – a regulatory change playbook that is shared broadly with all the key players.The exact contents of a regulatory change playbook may vary based on factors such as the size and complexity of the institution, its risk profile, and geographical footprint but generally would be expected to include the following:Overview of the regulatory landscape: An understanding of the current regulatory landscape for the institution as well as any new or emerging regulatory changes that are being tracked and communicated to relevant stakeholders by the institution’s horizon scanning function. This provides the context for considering the regulatory change at hand.Accountability and ownership: Delineation of roles and responsibilities for all the players who may be involved in the change process, including required approvers. It is important to remember that just because it’s a regulatory change doesn’t mean it should be owned in whole by Compliance! For many changes, it is important that the business also share accountability for the change process.Impact assessment framework: A methodology for assessing the impact of new or modified requirements on the organisation's operations, its strategies and its risk profile. To perform this assessment effectively and design an optimal approach for dealing with the change requires forming a connected view of the institution’s risks (and the causes of those risks); this requires outlining how the requirement maps to specific policies, procedures, controls, and products/services and, in many cases, also considering the impact of a change on the customer journey across multiple processes. This helps in identifying the full impact of the regulation on the institution. It is critically important that the impact assessment be a collaborative exercise which gives the business a voice in not only determining the potential impacts of the change, but also in deciding how the change programme should be structured. This step both fosters buy-in by the business and provides the basis for reinforcing the shared goals for the change programme.Implementation strategy: A high-level overview of the implementation plan. This might include a design-thinking or other brain-storming session to challenge the strategy and explore opportunities to innovate. It would include a premortem evaluation of what could go wrong that would identify any known challenges (including any expected cultural challenges or pushback) or impediments to successful implementation and, as necessary, agreed-upon workarounds.Change management procedures: Step-by-step guide for effecting the required changes, including routine communication and escalation protocols. Financial institutions that use an agile approach and flexible resourcing can respond more quickly and can significantly enhance their success rate by introducing flexibility, adaptability and a continuous improvement mindset.Review and feedback procedures: Plans for validating the effectiveness of the changes at critical points in the process as well as when implementation is complete. This should also include procedures for gathering feedback from impacted stakeholders to identify any needs to adjust the implementation plans and/or deal with unexpected challenges or obstacles.Training and awareness: Plan for ensuring that all affected stakeholders are aware of the change and the role they need to play in ensuring compliance.Postmortem review: Process for evaluating what went well and what did not go well with the implementation of the change.Why do regulatory change projects go wrong?Developing the playbook is the easy part. We all know change programmes can and often do fail. Sometimes the failure can be attributed to not adhering to the playbook, failing to present and explain the plan convincingly, or underestimating the challenges and obstacles, particularly those related to the institution’s culture and resistance to change. Another critically important determinant of the likely success of a regulatory change programme is leadership commitment. If the board of directors and senior management don’t advocate for the change programme and/or are unwilling to provide the resources – time, people and money – necessary, the chances of a successful programme are significantly reduced. In some institutions, achieving the level of leadership commitment needed will require a mindset shift away from short-term cost control to a recognition of the rewards of an adapt-to-win strategy.Other reasons that regulatory change programmes may be ineffective include a failure by the compliance team to understand fully the operational impacts of the change or being too rigid and inflexible in designing the proposed implementation plan. Also, the institution may fail to take the steps necessary to ensure that the change becomes fully embedded in the business, i.e., that the change is sustainable.The fact that change programmes can and often do fail, however, should not be the excuse for not trying. It does highlight the importance of a postmortem review to provide the basis for the institution to make continuous improvement to its change playbook. Understanding the end-to-end processes for products and services and the intended business, regulatory and customer outcomes provides the platform to manage compliance risk proactively and adopt an integrated business-wide approach to regulatory change. Mike Purvis, Managing Director, Protiviti Australia The rewards of an effective change processAn effective regulatory change process, one in which a financial institution adapts to win, has a number of potential benefits. These include:Faster path to compliance: While the “just get it done” approach may intuitively suggest that implementation will be completed sooner, the quick-fix approach in reality often requires redoing or revisions to address gaps in the compliance effort. The “adapt to win” mindset, because it is based on a disciplined and defined approach, generally produces a more thoughtful and complete solution.Greater operational efficiencies: The “adapt to cope” approach narrowly focuses on addressing the immediate regulatory change required and often defaults to building a new process rather than exploring (as would be the approach used by financial institutions adapting to win) how existing processes can be leveraged to maximise efficiency.Enhanced resilience: A defined change management programme fosters organisational resilience by preparing a financial institution to respond effectively and more nimbly to changes with minimal disruption; establishing a framework for proactively considering changes and the best risk approach to mitigation; fostering broader and more systematic engagement of stakeholders, leading to a better understanding of the changes and what’s needed to ensure compliance; and providing a platform to continue to iterate and improve the change process based on lessons learned.More likelihood to innovate: Considering innovation opportunities is fundamental to the wide lens view taken by financial institutions that adapt to win. It makes the likelihood that a financial institution will support innovation as part of a change process greater than for those institutions that are motivated by “just get it done.”Strategic or competitive advantage: Notwithstanding the prevailing view that Compliance is a cost center, some regulatory changes present clear opportunities for financial institutions to improve their positioning in the market or otherwise use the change for strategic advantage if they are considered within a broader context. For example, a requirement that mandates the collection of information from customers may also prove useful for refining marketing and customer retention strategies.Call to actionThe volume of global change events for the financial services industry is unlikely to decrease. Even in jurisdictions where the industry may be hoping for lighter touch regulation from new government leaders, it’s important to remember that modifications and even rollbacks of existing requirements are also changes that must be considered.For those institutions that recognise their approach as “adapting to cope,” now is the time to perform an objective self-assessment of the regulatory change process and consider the benefits and feasibility of “adapting to win.” Maximising these opportunities directly translates to reduced costs, and that’s a message we know will resonate with both Chief Compliance Officers and Chief Financial Officers alike. Thomas Giltrow, Managing Director, Regulatory Practice Lead, Protiviti About the authors Carol Beaumier is a senior managing director in Protiviti’s Risk and Compliance practice. Based in Washington, D.C., she has more than 30 years of experience in a wide range of regulatory issues across multiple industries. Before joining Protiviti, Beaumier was a partner in Arthur Andersen’s Regulatory Risk Services practice and a managing director and founding partner of The Secura Group, where she headed the Risk Management practice. Before consulting, Beaumier spent 11 years with the U.S. Office of the Comptroller of the Currency (OCC), where she was an examiner with a focus on multinational and international banks. She also served as executive assistant to the comptroller, as a member of the OCC’s senior management team and as liaison for the comptroller inside and outside of the agency. Beaumier is a frequent author and speaker on regulatory and other risk issues.Bernadine Reese is a managing director in Protiviti’s Risk and Compliance practice. Based in London, Reese joined Protiviti in 2007 from KPMG’s Regulatory Services practice. Reese has more than 30 years’ experience working with a variety of financial services clients to enhance their business performance by successfully implementing risk, compliance and governance change and optimising their risk and compliance arrangements. She is a Certified Climate Risk Professional. About Protiviti’s Compliance Risk Management Practice There's a better way to manage the burden of regulatory compliance. Imagine if functions were aligned to business objectives, processes were optimised, and procedures were automated and enabled by data and technology. Regulatory requirements would be met with efficiency. Controls become predictive instead of reactive. Employees derive more value from their roles. The business can take comfort that their reputation is protected, allowing for greater focus on growth and innovation.Protiviti helps organisations integrate compliance into agile risk management teams, leverage analytics for forward-looking, predictive controls, apply regulatory compliance expertise and utilise automated workflow tools for more efficient remediation of compliance enforcement actions or issues, translate customer and compliance needs into design requirements for new products or services, and establish routines for monitoring regulatory compliance performance. See our latest Compliance Insights Newsletter Learn More “Adaptability is about the powerful difference between adapting to cope and adapting to win,” Max McKeown.Cost of Compliance 2023, Thomson Reuters Regulatory Intelligence, p. 4.The evolving complexity of financial institution compliance: Top Compliance Priorities for 2023 and Top-of-Mind Compliance Issues for Financial Institutions in 2024, Protiviti: www.protiviti.com/au-en/whitepaper/top-of-mind-compliance-issues-financial-institutions-2024.Quote attributed to Heraclitus, 535 BC.The changing landscape for financial services, Gabriel Makhlouf, 2023, BIS: www.bis.org/review/r231113t.htm.