Making the transition
If you are a regulated entity and find yourself in a jurisdiction in which a risk-based regulatory compliance model has been implemented or is about to be implemented, consider three key points to help align your business with what is fast becoming the new normal:
Understand expectations – Speak with your regulatory body and understand their future direction. Are they thinking of moving toward a more risk-based model? What is, or will be expected of you under the new approach? When are you expected to comply by? It can be difficult to meet requirements under a changed regime without, at least partially, discussing new/changed nuances with your regulator. A surveillance department, for instance, may want to understand the timing of reporting critical incidents vs. those non-critical incidents that can be batched and reported at intervals. A risk-based regulator may have varying processes, dependent upon the inherent risk of the incident.
Embrace and adapt – These changes will undoubtedly cause a ripple effect with substantial impact on other areas of your business. Be prepared to adapt processes where necessary and continually communicate with affected staff. Managing change will need to be an important focus. For example, a change in how and which incidents are communicated for a regulated Internet gaming entity may impact an incident manager in Europe, a technical resource in Asia, and a relationship manager in Canada. Communicating and subsequently adopting the approach properly from the outset can be cumbersome, but will also be helpful to ensure success.
Evaluate opportunities for efficiency – Above all, the risk-based regulatory compliance model, when properly adhered to, can help streamline operations and present areas for improved efficiencies. Objectively evaluating each procedure might be a hassle in the short term, but may help your business operate more effectively in the long run. If previous prescriptive requirements mandated details of your internal controls, a risk-based model may provide flexibility to rationalize and streamline these procedures across your organization. Remain open to considering how you meet regulatory requirements; a risk-based shift might be an opportunity to revamp your approach for the better.