It would seem that efforts to comply with regulatory changes are here to stay. No sooner has an organisation turned itself inside out to cope with the implementation of one regulatory initiative than another emerges – and a whole new implementation effort begins.
That might not seem too much of a problem. Compliance initiatives can be expensive and laborious, but at least they have a solid foundation. The requirements and deadlines are set in stone, there are limited options when it comes to implementation, and their mandatory nature gives the business every incentive to ensure the requirements are met on an ongoing basis. Regulatory change projects are thus comparatively straightforward compared with those driven by business requirements – aren’t they?
In fact, regulatory compliance and change programmes have proven to be just as difficult to manage as those that originate within the business – if not more so. Regulatory change requirements are often open to interpretation and can be highly subjective. How compliant do we want to be? What does this requirement really mean?
Their deadlines are externally imposed, but frequently moved – for example the recurring delays seen with the Sarbanes-Oxley Act. They can also demand changes to business practices that are difficult to introduce and enforce: in the UK, for example complying with 'Treating Customers Fairly' regulation must be built into day-to-day operations.
Firms can significantly improve the effectiveness of their regulatory compliance programmes by ensuring that they apply the appropriate traditional programme management techniques to the initiation and delivery of these projects. Specifically, firms need to:
- clearly establish their ambition in responding to the compliance challenge before setting up the programme – that is, deal with the strategic-level ambiguity;
- design the organisation and work programme to enable it to deal with changing regulatory requirements and delivery timescales – understand the programme-level ambiguity; and
- plan to embed the ability to remain compliant in the business – managing the operational-level ambiguity.
Dealing with the strategic ambiguity
With more regulators opting for principles-based regulation over prescriptive regulation, firms are increasingly faced with significant choices in the way that they interpret and apply the regulations. The FSA’s General Prudential Sourcebook, for example, comprises a raft of 'guidance' rather than 'rules'.
These options create the first significant challenge for regulatory change programmes: the shape and scale of response given the regulatory requirements. Is the aim to move to the leading edge of regulatory compliance, or simply to meet the minimum requirements? Should the programme be driven through rapidly, or should it be more relaxed, allowing the firm to adjust as the situation evolves?
In the absence of any clear direction, the tendency is for programme managers to make implicit trade-offs around these key questions. But we suggest that a structured approach will prove much more efficient. Just as firms set their ambitions for business change programmes, the first step in establishing a regulatory change programme is to answer the question: “How compliant do we want to be?”
Understanding the programme-level ambiguity
Although regulatory requirements are usually presented as being set in stone, it is a fact of life that both the measures to be taken and the deadlines for implementation do change over time. Regulators may themselves change their minds, while the regulated firms will tend to develop an industry-wide consensus on the interpretation of the rules.
Where ambiguity of scope exists, leave the project 'open' until clarity emerges, at which time the regime can shift into a more traditional 'command-and-control' mode. The challenge for the manager is to cope with the transition as clarity is gained.
Managing the operational-level ambiguity
It can be tempting to assume that because a regulatory change is seen as 'mandatory', compliance will be both attained and maintained automatically by some force of nature. This, however, would be sadly mistaken. Banks that are in the process of implementing MiFID well understand that it takes considerable effort to embed regulatory requirements into daily business practice, as do those who have implemented Sarbanes-Oxley.
By using a proven change methodology, adapted for the specific challenges resulting from regulatory change, attaining and maintaining compliance can be simplified. This approach requires the end-state of 'business as usual' operation to be planned for right from the start of the initiative, rather than leaving it as an afterthought towards the end.
Compliance becomes sustainable by focusing on four key activities:
- Make the need for compliance essential
- Prepare the business for maintaining compliance
- Implement the changes needed for maintaining compliance
- Ensure that the changes are robust and embedded.
Efforts to achieve regulatory compliance represent an effort to cope with ambiguity. Success lies not in focusing on the differences between regulatory change and other business change, but on the similarities.
