2014 started with a key infographic on how and why “privacy” ended the year as the 2013 Word of the Year. From our collective experience, however, 2014 will forever be known as the “Year of the Data Breach”. A recent infographic published by www.databreachtoday.com highlighted the Top Breaches of 2014, comparing not only the number of records and people affected but the nature of each breach: no brand was immune to cyber-worry. While vulnerabilities with funny names hit the headlines, I anticipate that 2015 will be known as the “Year of the Regulatory Office”.
With new compliance requirements coming from all directions, at both the federal and state level, it will be challenging to manage the compliance due dates and the overall coordination of activities. Regulators now expect stronger management oversight of risk functions, including by audit committees and boards of directors, and with that comes an expectation that regulatory monitoring functions become as mature as the traditional information technology “program office” that manages the suite of IT projects each year.
Regulatory compliance expectations can span multiple senior leadership functions, or officers, within an organization. Creating a centralized regulatory management office enables an organization to apply program management disciplines to the timelines and requirements coming from multiple compliance drivers. Managing compliance more efficiently also creates synergies in educating senior management on compliance risk. The key stakeholders who need to own the risk and compliance functions can manage risk better if they have additional resources for the blocking and tackling of regulatory project management. With centralized management, tracking, and monitoring of regulatory functions, an organization can improve decision making across organizational silos.
While it may be challenging to justify the investment in a regulatory management corner office, there are some simple steps you can implement in 2015 to advance the concept. No matter the size of your organization, there are three attainable things you can do to start your Compliance New Year’s Resolutions for improved regulatory management functions:
- Review and update your regulatory monitoring and governance committee structures: Identify where you may have overlap in key controls, and review participants to find efficient synergies. Maintain a checklist or inventory that shows which governance committees are managing compliance risk for each specific regulatory obligation.
- Strengthen management reporting for governance, risk and compliance functions to address expanded regulatory expectations: Review and update your calendar of compliance updates to all levels of management, top down and bottom up. Identify commonalities in reporting across your compliance programs to avoid duplication. Review the frequency of updates to different audiences and identify ways to simplify the message with enhanced dashboards, benchmarks, and scorecards.
- Implement a Regulatory Management Program Office concept to manage concurrent regulatory risk assessments, action plans, and assurance initiatives: Take a page out of the project management 101 playbook and apply those disciplines to your regulatory compliance functions. You can create a “virtual” Program Office by structuring common reporting, tracking and calendar activities, even if the day-to-day compliance tasks are handled in separate functional areas. Even simple steps, such as naming a program owner to collect compliance milestones and key dates across all regulatory action plans and holding a centralized monthly status conference call or webinar, can improve the maturity of the regulatory management function.
2015 is already kicking off with many top ten lists predicting an acceleration of regulatory change. Anticipated changes from the CFPB on payday loans, debt collection, overdraft protection, mortgage servicing, and disparate impact will require all financial institutions to review and adapt their existing regulatory management plans. Aggressiveness from the states in the areas of breach notification and consumer protection will add to the checkerboard of compliance activities to monitor and track. Creating even a “virtual” regulatory compliance office is a starting point for building your business case for 2015 and beyond on how to navigate the Year of Compliance.
The focus on regulatory compliance is not isolated to internal functions; it also influences a financial institution’s strategy for monitoring and implementing oversight functions for third party risk. The Shared Assessments Program, which acts as a standards organization for managing third party risk, is tackling the topic of how to address regulatory compliance due diligence in third party relationships with an industry working group in 2015. I will be co-chairing this industry working group in 2015 to better understand the hot topics in regulatory compliance oversight, and what tools organizations may need to improve their overall management of operational risk and regulatory compliance risk functions.
Linnea Solem is Chief Privacy Officer and Vice President of Risk and Compliance for Deluxe Corporation, and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs