Getting Ahead of Regulatory Changes:
Yes, It Can Be Done.
In the wake of the 2008 financial crisis, governments and regulators around the world have imposed a seemingly unending series of new regulations on financial institutions (FIs) – think Basel, Anti-Money Laundering (AML), International Financial Reporting Standards (IFRS), and proposals to amend capital market legislation in Ontario to regulate benchmarks like the Canadian Dollar Offered Rate (CDOR) and the Canadian Overnight Repo Rate Average (CORRA), to name a few. The focus on financial safety for consumers, markets and the world economy continues to generate new regulations that are hard to predict – who would have thought FI sales practices would be a focus across North America two years ago?
They keep coming, and they matter. All of them cost money. “Small” changes can cost $20 million for an FI to comply, while larger ones are upward of $100 million, and even more if the program goes off the rails. Regulators often require such programs to meet tight deadlines, after which the work does not stop, but rather continues in a different form as the organization learns to work under the new regulatory regime. Some regulatory changes in reporting (e.g., IFRS) affect bottom-line reporting directly. Rarely does an executive get excited by compliance – or at least, before they learn their organization might not be able to comply, at which point everyone gets excited and agitated. Until then, everybody wants to go to the party – that is, be compliant with regulatory changes – but nobody wants to stay and clean up – that is, put in the time and effort required to implement these changes.
At Optimus SBR, we run very large programs for financial services companies; we’ve completed 25 such implementations in the last year alone. We know that every organization responds to these challenges and implements solutions differently.
Based on this experience, we offer below an overview of four challenges, and four solutions for FIs working to stay on top of regulatory changes today and tomorrow.
FIs do many things well – they operate at a great scale, pool capital for investment, and price and allocate risk, supporting robust financial markets and economic growth. They do all this repeatedly and, for the most part, without much drama. So why should they struggle with regulatory change? There are several reasons.
It’s always more work than you think.
Regulatory change programs typically require the cooperation of multiple divisions or departments – often Risk, Finance, IT, Business Intelligence, not to mention HR or product lines. To further complicate matters, these change programs are often misidentified as simple regulatory or accounting projects. In reality, these are actually large, complex, multi-function projects or programs.
At first, FIs often suppose they need to coordinate with others who already have what is needed to proceed. Then, slowly, they’ll realize they don’t have the critical components, such as analytics and modelling tools, or data in a form that’s usable to genuinely impact the critical path to delivery.
In the meantime, the regulator’s deadline hasn’t changed. You will find that no one person knows everything the organization needs to know, precisely because this is highly complex and new terrain. But the organization will need to draw on its collective wisdom to get all this knowledge in one place and will need to do so well before the deadline. Often this means an enormous amount of work, and many organizations do not realize this until it is too late.
Your current organizational design and infrastructure was not built for this.
Regulatory compliance creates new responsibilities and accountabilities that can cut across organizations. The Sarbanes-Oxley Act, for example, meant many FIs’ Enterprise Risk divisions found themselves responsible for calculations that directly affected financial statements, which had previously been regarded as the sole preserve of Finance departments, to increase accountability and ensure that financial disclosures are accurate and controlled. The Sarbanes-Oxley Act also affected contributors to disclosures, requiring them to design, run, and evidence controls for auditors.
Regulatory programs often drive changes in accountabilities, working relationships, and much else besides the initial requirements. Infrastructure – be it physical, organizational or electronic – that has sufficed for years or decades is often deemed inadequate for new activities and tasks, and there’s no time to replace it before the regulator’s deadline.
And just to complicate things further, many of the new requirements are now calling for augmented historical information. Data that was never previously collected or subject to quality control is now required. Teams are left scrambling to complete a puzzle with pieces that don’t fit or don’t exist at all.
A lot of energy is spent trying to keep your eye on the right prize.
When organizations do get Risk, Finance, IT, Business Intelligence and product people in a room together, they often find it difficult to focus on the regulatory concerns, compliance requirements, and parameters that are important. Finance cares about the details balancing correctly. Risk is focused on the biggest enterprise risks, monetary or otherwise. Business Intelligence is worried about the accuracy of the data and flexibility of analytical tools.
Depending on the change in question, the regulatory division might be concerned about things that are immaterial. Controls and auditors may follow frameworks that require new focuses, some of which may not be the critical path for the project.
In other words, everyone is having a hard time getting on the same page when it comes to what actually matters, which in this instance, is what the regulator requires.
To further complicate things, divisional or department concerns, and localized focus may obscure the real work at hand or mistake it for the core need rather than knock-on implications that will need to be dealt with later on. And between corralling the disparate information in an environment that wasn’t designed to handle this, you’ve got enough work to do without getting distracted by secondary concerns.
It’s a marathon and a sprint.
Deadlines to implement regulatory changes are beginnings, not the end. While cobbling together the infrastructure, data, reporting, and organizational know-how to comply is no small feat, it typically takes many months, or years, for these capabilities to become business as usual. Just as you let out a big exhale crossing the regulator’s finish line, you can see you still have a much longer road ahead of you – better take a deep breath.
Depending on the scale of change and impact on workflows, organizational designs and target operating models may need to be adjusted. Integration with other standard reporting and governance controls may be required.
In short, organizations need to find a way to make living with the new regulatory change sustainable. This requires knowledge transfer, transitioning people and knowledge from programs and projects to operations, and ensuring everything can be executed repeatedly.
Take another deep breath. Despite the number of big challenges and a looming deadline, you can come out on top if you execute on the following.
Get with the Program.
To make sure everyone appreciates how much work regulatory change can be, take it seriously and lay the foundations early. Set up a large program with many separate but interrelated projects or workstreams. Many organizations can run projects – few can run programs effectively.
By doing this, you and your organization will begin to understand the end-to-end change requirements and their severity, the impact on the business, and the challenge of meeting the regulator’s timelines.
If you have been through an experience like this, you already get it. If your colleagues have not, or have not had to live with the consequences, they will not. They will need to change how they work and who they work with. You need to set up a program to help them do this.
Figure out what is going to happen once you hit the gas.
Part of the reason people don’t realize how much work a new regulation can create is because it may not affect aspects of the business that are typically gauged to determine whether something is “big” – e.g., dollars, employees, branches, transformations, number of products affected, and so on.
New data and reporting requirements can still require a massive effort, even if the book of business in question is small. The same goes for the number of products affected – major changes to a few products or new data collection requirements can drive enormous amounts of work. Sometimes, it is simply a higher order skillset or level of execution that is needed. When a VP asks, “So, how big is this?” there’s often no immediate answer.
One way to find an answer is to conduct careful discovery grounded in fact. As we said, no one person in the organization knows everything needed to gauge the extent of the work required. Domain expertise matters. Data expertise matters. In general, depth matters, so it is worth diving in early to get a handle on things.
You can’t boil the ocean, so don’t.
You can’t make wholesale changes to your organization in response to every new regulatory directive. However, you can figure out where change can happen, and where it is unlikely to be successful in the short term.
Once you have set up a program and completed your discovery sessions, you need to assess the organizational and resource constraints you will have, and what changes to ask of key stakeholders.
On the bright side, this can help create a burning platform – large change in the face of constraints creates more concern than an ambiguous amount of change and loose talk of how to address it.
Find your Switzerland.
You need someone in charge who understands the amount of work required and its complexity, and who is also seen as a neutral third party. You also need a consistent gauge of where the organization is in the implementation life cycle.
Internal parties are technically capable, but a department or division may be seen as biased and have blind spots. Third parties can offer better transparency and reporting of problems, because their careers and reputations don’t suffer the same way from reporting bad news as internal resources might. Also, neutral third parties can more easily ensure equal voices across divisional lines.
Call the Program Management Experts
Must-do projects like regulatory changes can seem overwhelming and daunting, but it doesn’t need to be. With some careful forethought and the right expertise, regulatory programs can extend beyond just staying onside with the regulator, and set your organization up for long-term success.
In the meantime, if you need help preparing for this hard work, give us a call, or send us a note.
Carolyn Kingaby, Senior Vice President, Financial Services
Peter Snelling, Senior Vice President
 See Government of Ontario (2018). A Plan for the People: Ontario Economic Outlook and Fiscal Review, Toronto: Queen’s Printer, p. 57.