  • Julien Haye


The Impact of Regulatory Changes on Enterprise Risk Management

Is your Enterprise Risk Management (ERM) compliant? Does it encourage compliance by design throughout your organisation?


Regulatory changes have a significant impact on ERM frameworks and systems, requiring organisations to continuously adapt their risk management frameworks to comply with new standards and avoid penalties.


In this article, we will analyse recent regulatory changes and their implications for ERM, as well as list the primary sources of regulations that organisations must consider.


Are you on top of your ERM regulatory requirements?


Your organisation might be dedicating significant resources to comply with the never-ending list of regulations. Yet, no matter how much you invest, regulators often find some breach, leading to potential sanctions and certainly more work.


You are unsure about the effectiveness of regulatory intervention, and you are even less certain about the benefits you are receiving from all this "red tape."


Regulators, regrettably, aim to tackle general risks without considering the unique specificities of individual organisations. As a result, they may impose a significant burden on your organisation without achieving their primary goal.


Here are some issues you and your teams are likely to face:


  • You are facing an ever-increasing list of regulations, and you can’t keep up.

  • You are trying your best to identify applicable existing and upcoming regulations, but it seems like an impossible task. You have even invested in a shiny new regulatory horizon scanning tool, but still no luck.

  • Your regulatory change and control budget seems to have been on an upward trajectory for years, with no end in sight.

  • The list of "mandatory" regulatory trainings that you and your staff must undertake is forever growing. You are now spending days in front of a screen clicking on the “next” button and taking assessments.

  • Regulators do not seem to agree on how best to manage a risk. They keep issuing contradictory requirements that your organisation does its best to comply with.

  • You have established a new compliance team solely for the purpose of interpreting regulations. They don't agree on how to interpret these rules, so you end up with a distributed and inconsistent way of managing the same risk across your footprint and product or service lines.

  • Your business teams keep facing disruption because of "go-live" requirements, leading to constant system updates.

  • The term “day 1 compliance” has become part of your organisation's lexicon. Day 2 breaches typically follow, necessitating additional resources to rectify the delivery and successfully implement this regulation within your organisation.


This list is by no means exhaustive. But if you are facing any of these situations, you would benefit from urgently reviewing your regulatory compliance governance and frameworks.



What does compliance mean?


Compliance by design is a proactive approach to ensuring that legal, regulatory, and ethical requirements are integrated into the design and development of systems, processes, and products from the outset. Instead of addressing compliance as an afterthought or through periodic audits, this approach embeds compliance into the foundational aspects of business operations.


At Aevitium LTD, compliance by design is a core focus, ensuring the long-term sustainability of your product and compliance management, while also reducing the overall cost of compliance for your business. This approach includes:


  1. Integration into Processes: From the outset, business processes, software development, product design, and other operational activities incorporate compliance requirements.

  2. Risk Management: Identifying potential compliance risks early in the project lifecycle and implementing controls to mitigate these risks.

  3. Continuous Monitoring: Implementing systems for ongoing monitoring and reporting to ensure continued adherence to compliance requirements.

  4. Automation: Using technology to automate compliance checks and controls reduces the risk of human error and ensures consistency.

  5. Collaboration: Encouraging collaboration between different departments (e.g., legal, IT, operations) to ensure a comprehensive understanding and implementation of compliance requirements.

  6. Documentation: Maintaining thorough documentation of compliance measures and decisions to provide evidence of compliance efforts.


What are the primary regulatory sources?


My Compliance Office compiled a useful list that suggests the financial sector alone could face over 60 regulatory bodies, and the list likely extends further. More broadly, you should consider:


  1. Government Agencies: Organisations like the Securities and Exchange Commission (SEC), the Financial Conduct Authority (FCA), and the European Central Bank (ECB) frequently develop and enforce regulations.

  2. International Regulatory Bodies: Organisations like the Basel Committee on Banking Supervision and the International Organisation of Securities Commissions (IOSCO) set international standards for financial regulation.

  3. Legislative Bodies: National legislatures, such as the United States Congress and the European Parliament, enact laws that establish regulatory requirements.

  4. Industry Standards Organisations: Bodies such as the International Organisation for Standardisation (ISO) develop industry-specific standards that often influence regulatory requirements.

  5. Self-Regulatory Organisations: Entities like the Financial Industry Regulatory Authority (FINRA) create and enforce rules that govern the conduct of their members within the financial industry.


Examples of regulatory changes and their implications for ERM


Each new regulation will translate into a different set of requirements and affect the way you manage your risks. It could affect your control environment, business practices, organisational structure, and more. It could even force you to create entirely new functions, as has happened with conduct, operational resilience, or client money in the UK.


  1. General Data Protection Regulation (GDPR)

GDPR, implemented in the European Union in 2018, has stringent requirements for data protection and privacy. 

  • To ensure the privacy and security of personal data, organisations must improve data governance frameworks.

  • Establishing continuous monitoring and auditing processes is necessary to ensure ongoing compliance with GDPR requirements.

  • Robust incident response plans must be in place to quickly address data breaches and notify regulators within the required timeframe.


  2. Basel III

Basel III is a set of international banking regulations developed by the Basel Committee on Banking Supervision to strengthen regulation, supervision, and risk management within the banking sector.

  • To withstand financial stress and reduce risk exposure, banks must maintain higher capital reserves.

  • To meet increased liquidity requirements, robust liquidity risk management frameworks must be in place.

  • To assess the impact of adverse economic scenarios on the bank's capital and liquidity positions, regular stress testing is required.


  3. Sarbanes-Oxley Act (SOX)

Enacted in the United States in 2002, SOX aims to protect investors by improving the accuracy and reliability of corporate disclosures.

  • Organisations must implement and maintain effective internal controls over financial reporting.

  • To ensure transparency and accountability in financial reporting, detailed audit trails are required.

  • Regular compliance audits are necessary to confirm the effectiveness of internal controls.


  4. The Dodd-Frank Wall Street Reform and Consumer Protection Act

Enacted in the United States in 2010, Dodd-Frank aims to reduce risks in the financial system and protect consumers. 

  • Enhanced risk governance frameworks are required to ensure effective oversight and management of financial risks.

  • Increased transparency and regulation of derivative transactions are required to reduce systemic risk.

  • Stronger consumer protection measures must be implemented to safeguard against unfair and deceptive practices.


  5. Health Insurance Portability and Accountability Act (HIPAA)

Enacted in the United States in 1996, HIPAA sets standards for the protection of health information.

  • Organisations must implement strict data privacy and security measures to protect patient health information.

  • Regular risk assessments are required to identify potential vulnerabilities in the handling of health data.

  • Prompt breach notification processes must be in place to inform affected individuals and regulators of data breaches.


Thematic Comparison of Regulatory Frameworks in the Financial Services Industry


A basic method is to examine regulatory bodies thematically. This makes it easy to compare rules and regulations from different countries. By categorising everything into common themes such as key regulatory frameworks, consumer protection rules, data protection, cybersecurity, financial crime compliance, and so on, you can easily identify the similarities and variations across regulatory environments in other jurisdictions. It would also indicate whether you were missing a crucial section. We compiled an initial view for you, with the support of ChatGPT.


Major Regulatory Authorities

[Image: Major Regulatory Authorities in the Financial Services Industry]

Capital Adequacy and Risk Management

[Image: Capital Adequacy and Risk Management requirements in the Financial Services Industry]

Consumer Protection and Conduct

[Image: Consumer Protection and Conduct regulations in the Financial Services Industry]

Data Protection and Cybersecurity

[Image: Data Protection and Cybersecurity regulations in the Financial Services Industry]

Financial Crime and AML Compliance

[Image: Financial Crime and AML Compliance regulations in the Financial Services Industry]

Environmental, Social, and Governance (ESG)

[Image: Environmental, Social, and Governance (ESG) regulations in the Financial Services Industry]

Payment and Electronic Money Regulations

[Image: Payment and Electronic Money Regulations]

Operational Resilience

[Image: Operational Resilience regulations in the Financial Services Industry]

Regulatory changes have a profound impact on Enterprise Risk Management, requiring organisations to adapt their risk management frameworks to stay compliant and mitigate risks. The various lists above illustrate how complex it can be to identify what you need to consider to stay compliant. The bigger the organisation, the more regulatory bodies and risks your ERM framework will have to cater for.


Effective ERM systems and frameworks that incorporate robust compliance monitoring, data management, and risk governance frameworks are essential for navigating these changes successfully and ensuring compliance by design.


Want to learn more about Enterprise Risk Management? Discover our detailed resource page covering all the key ERM components. 
