The complexity of regulatory compliance is heightened for modern enterprises due to their global footprints, the multiple regulations they are subject to across varied domains and geographies, and the continual changes to those regulations. This necessitates a method for compliance management that is capable of establishing compliance to both regulations and changes to regulations from a holistic perspective of governance, risk, and compliance (GRC). We propose such a method using a conceptual model of integrated GRC whereby formal compliance checking and norm change techniques, for regulations represented as formal rules, are coupled with business process change propagation and risk modeling. The method also considers the legal and business goals of regulators and regulatees respectively in enacting compliance to regulation and changes therein. The method is substantiated with a brief example of a real-world banking regulation.
1. Toward a Holistic Method for Regulatory Change Management
Sagar Sunkle and Vinay Kulkarni
Tata Consultancy Services Research, India
2. Motivation
1. Increasing spend on compliance (in the US estimated at $15 billion; estimated to increase 5 times more by 2018)
2. Demand for governance, risk management, and compliance (GRC) is highest in the US, but Canada, Japan, India, Australia, South Africa, and members of the EU have been enforcing various regulations for some time now
3. Non-compliance is penalized severely
4. Largely document-oriented process with conservative interpretation of rules
5. Uncertainty about what constitutes compliance
6. Main challenges
a. Non-compliance identification + remediation + proof explanation
b. Regulatory change management with risk-adjusted decision making
4. In reality: Industry GRC needs to be improved
[Diagram: conceptual model of GRC relating Governance, Risk and Compliance; elements shown: Regulations and Standards, Internal Controls, Risk Appetite, Processes, Risks, Issues, Heat maps, Inquiries/Surveys, risk assessment]
1. Informal, content-management-based representation of regulations
2. Compliance proofs are document-driven
3. Risk handling is expert-reliant
5. In reality: Formal Research Needs to be Coordinated
[Diagram: GRC model under change, with formal research areas overlaid: Formal Compliance Checking + Norm Change (Changes in Regulations and Standards), Business Process Modeling + Change Propagation (Changed Processes), Risk Modeling + Change Risk (Change Risks); also shown: Changes in Internal Controls, Inquiries/Surveys]
6. Formal Treatment of Changes in Regulations
[Diagram: Changes in Regulations and Standards; Formal Compliance Checking + Norm Change; Changes in Internal Controls]
• Distinction between legal and count-as rules
• Distinction between norms and their legal effects
• Distinction between Ex Tunc and Ex Nunc norms
• Ways in which expansion and contraction of legal effects is achieved
7. Formal Treatment of Changes in Regulations
[Diagram: Changes in Regulations and Standards; Formal Compliance Checking + Norm Change; Changes in Internal Controls]
To use norm change research, a formal representation of regulations is necessary that is capable of handling norm change
8. Formal Treatment of Changes in Processes
[Diagram: Changes in Regulations and Standards; Formal Compliance Checking + Norm Change; Business Process Modeling + Change Propagation; Changed Processes; Changes in Internal Controls]
• Considerable work in business process compliance checking: regulations are enacted as rules in business processes, as one-size-fits-all solutions
• But this work does not take into consideration where an enterprise's processes lie along the process-rule continuum
9. Tailoring Propagation of Changes in Regulations to Process Types
Process-rule continuum (from low changeability to high changeability):
Embedded Rules: change in rules separate from change in process model
Explicit Navigation Paths: stable processes with no frequent changes in process model
Complex Navigation Analysis: rules use process context; frequent changes in rules to adjust to attribute values of process elements
Rule Guided Process Behavior: rules use not only the process context but other business data, including historical data about attributes of business objects
Rule-driven Process Composites: domain-specific and meta-rules determine how to evolve a process to optimize achievement of business goals
Rule-driven Services: same as rule-driven process composites, but at a much finer-grained level of services
Rule-Dynamic: rules change dynamically, leading to dynamic composition of business processes and services
10. Risk Modeling in relation to Business Processes
[Diagram: Changes in Regulations and Standards; Formal Compliance Checking + Norm Change; Risk Modeling + Change Risk; Changed Processes; Change Risks; Inquiries/Surveys; Changes in Internal Controls]
Sizeable work in risk modeling and some in risk-aware business processes
But risks, and especially legal risks, are domain-specific: the probability of a domain-specific event evaluated by its domain-specific consequences
11. Best of Both Worlds: Integrated Formal GRC
[Diagram: GRC model under change with all three formal research areas overlaid: Formal Compliance Checking + Norm Change (Changes in Regulations and Standards), Business Process Modeling + Change Propagation (Changed Processes), Risk Modeling + Change Risk (Change Risks); also shown: Changes in Internal Controls, Inquiries/Surveys]
13. Early work II: Tie together Key Elements of Business
[Diagram: integrated formal GRC model as on slide 11, extended with a Key Objectives element linked by define/fulfill relations]
14. Early work II: Simulation of Regulatory Scenarios
1. Take into consideration business objectives of the regulatee and regulation objectives of the regulator
2. Also represent actions of other important stakeholders such as the regulatee's customers
3. Simulate core GRC components of processes, risk, and compliance along with courses of action taken by the regulatee, the regulatee's customers, and the regulator
4. Early work with simulation machinery based on the actor model of computation
5. Capable of representing propagation of changes triggered by changing regulations
15. Conclusions
1. Regulatory compliance and regulatory change management are critical problems and need to be solved with an integrated perspective
2. Best features of current industry GRC and formal solutions need to be put together for a holistic treatment
3. Our proposal marries formal representation of regulations and changes therein to a) business process and rule stage and b) risk in changes to regulation in a GRC context
Features of industry GRC tools, with example products:
Major
• Risk-adjusted decision making and risk evaluation for other corporate business objectives. Ex.: Active Risk Manager, Archer EMC-RSA
• Data collection for risk-based decision making. Ex.: most GRC solutions provide some support but none exemplary [based on Gartner 2011 and 2012 GRC Magic Quadrants]
• Data and risk visualization. Ex.: Jade MethodWare
• Geography support meeting specific needs of geographies outside the native geography. Ex.: CMO Compliance
Minor
• Integration of GRC software with office productivity software. Ex.: IBM OpenPages
• Open source capabilities for content management. Ex.: AlignAlytics