Getting Ahead of Regulatory Changes:
Yes, It Can Be Done.
In the wake of the 2008 financial crisis, governments and regulators around the world have imposed a seemingly unending series of new regulations on financial institutions (FIs) – think Basel, Anti-Money Laundering (AML), International Financial Reporting Standards (IFRS), and proposals to amend capital market legislation in Ontario to regulate benchmarks like the Canadian Dollar Offered Rate (CDOR) and the Canadian Overnight Repo Rate Average (CORRA), to name a few.[1] The focus on financial safety for consumers, markets and the world economy continues to generate new regulations that are hard to predict – who would have thought FI sales practices would be a focus across North America two years ago?
They keep coming, and they matter. All of them cost money. “Small” changes can cost $20 million for an FI to comply, while larger ones are upward of $100 million, and even more if the program goes off the rails. Regulators often require such programs to meet tight deadlines, after which the work does not stop, but rather continues in a different form as the organization learns to work under the new regulatory regime. Some regulatory changes in reporting (e.g., IFRS) affect bottom-line reporting directly. Rarely does an executive get excited by compliance – or at least, before they learn their organization might not be able to comply, at which point everyone gets excited and agitated. Until then, everybody wants to go to the party – that is, be compliant with regulatory changes – but nobody wants to stay and clean up – that is, put in the time and effort required to implement these changes.
At Optimus SBR, we run very large programs for financial services companies; we’ve completed 25 such implementations in the last year alone. We know that every organization responds to these challenges and implements solutions differently.
Based on this experience, we offer below an overview of four challenges, and four solutions for FIs working to stay on top of regulatory changes today and tomorrow.
Four Challenges
FIs do many things well – they operate at a great scale, pool capital for investment, and price and allocate risk, supporting robust financial markets and economic growth. They do all this repeatedly and, for the most part, without much drama. So why should they struggle with regulatory change? There are several reasons.
It’s always more work than you think.
Regulatory change programs typically require the cooperation of multiple divisions or departments – often Risk, Finance, IT, Business Intelligence, not to mention HR or product lines. To further complicate matters, these change programs are often misidentified as simple regulatory or accounting projects. In reality, these are actually large, complex, multi-function projects or programs.
At first, FIs often suppose they need to coordinate with others who already have what is needed to proceed. Then, slowly, they’ll realize they don’t have the critical components, such as analytics and modelling tools, or data in a form that’s usable to genuinely impact the critical path to delivery.
In the meantime, the regulator’s deadline hasn’t changed. You will find that no one person knows everything the organization needs to know, precisely because this is highly complex and new terrain. But the organization will need to draw on its collective wisdom to get all this knowledge in one place and will need to do so well before the deadline. Often this means an enormous amount of work, and many organizations do not realize this until it is too late.
Your current organizational design and infrastructure was not built for this.
Regulatory compliance creates new responsibilities and accountabilities that can cut across organizations. The Sarbanes-Oxley Act, for example, meant many FIs’ Enterprise Risk divisions found themselves responsible for calculations that directly affected financial statements, which had previously been regarded as the sole preserve of Finance departments, to increase accountability and ensure that financial disclosures are accurate and controlled. The Sarbanes-Oxley Act also affected contributors to disclosures, requiring them to design, run, and evidence controls for auditors.
Regulatory programs often drive changes in accountabilities, working relationships, and much else besides the initial requirements. Infrastructure – be it physical, organizational or electronic – that has sufficed for years or decades is often deemed inadequate for new activities and tasks, and there’s no time to replace it before the regulator’s deadline.
And just to complicate things further, many of the new requirements are now calling for augmented historical information. Data that was never previously collected or subject to quality control is now required. Teams are left scrambling to complete a puzzle with pieces that don’t fit or don’t exist at all.
A lot of energy is spent trying to keep your eye on the right prize.
When organizations do get Risk, Finance, IT, Business Intelligence and product people in a room together, they often find it difficult to focus on the regulatory concerns, compliance requirements, and parameters that are important. Finance cares about the details balancing correctly. Risk is focused on the biggest enterprise risks, monetary or otherwise. Business Intelligence is worried about the accuracy of the data and flexibility of analytical tools.
Depending on the change in question, the regulatory division might be concerned about things that are immaterial. Controls and auditors may follow frameworks that require new focuses, some of which may not be the critical path for the project.
In other words, everyone is having a hard time getting on the same page when it comes to what actually matters, which in this instance, is what the regulator requires.
To further complicate things, divisional or department concerns, and localized focus may obscure the real work at hand or mistake it for the core need rather than knock-on implications that will need to be dealt with later on. And between corralling the disparate information in an environment that wasn’t designed to handle this, you’ve got enough work to do without getting distracted by secondary concerns.
It’s a marathon and a sprint.
Deadlines to implement regulatory changes are beginnings, not the end. While cobbling together the infrastructure, data, reporting, and organizational know-how to comply is no small feat, it typically takes many months, or years, for these capabilities to become business as usual. Just as you let out a big exhale crossing the regulator’s finish line, you can see you still have a much longer road ahead of you – better take a deep breath.
Depending on the scale of change and impact on workflows, organizational designs and target operating models may need to be adjusted. Integration with other standard reporting and governance controls may be required.
In short, organizations need to find a way to make living with the new regulatory change sustainable. This requires knowledge transfer, transitioning people and knowledge from programs and projects to operations, and ensuring everything can be executed repeatedly.
Four Solutions
Take another deep breath. Despite the number of big challenges and a looming deadline, you can come out on top if you execute on the following.
Get with the Program.
To make sure everyone appreciates how much work regulatory change can be, take it seriously and lay the foundations early. Set up a large program with many separate but interrelated projects or workstreams. Many organizations can run projects – few can run programs effectively.
By doing this, you and your organization will begin to understand the end-to-end change requirements and their severity, the impact on the business, and the challenge of meeting the regulator’s timelines.
If you have been through an experience like this, you already get it. If your colleagues have not, or have not had to live with the consequences, they will not. They will need to change how they work and who they work with. You need to set up a program to help them do this.
Figure out what is going to happen once you hit the gas.
Part of the reason people don’t realize how much work a new regulation can create is because it may not affect aspects of the business that are typically gauged to determine whether something is “big” – e.g., dollars, employees, branches, transformations, number of products affected, and so on.
New data and reporting requirements can still require a massive effort, even if the book of business in question is small. The same goes for the number of products affected – major changes to a few products or new data collection requirements can drive enormous amounts of work. Sometimes, it is simply a higher order skillset or level of execution that is needed. When a VP asks, “So, how big is this?” there’s often no immediate answer.
One way to find an answer is to conduct careful discovery grounded in fact. As we said, no one person in the organization knows everything needed to gauge the extent of the work required. Domain expertise matters. Data expertise matters. In general, depth matters, so it is worth diving in early to get a handle on things.
You can’t boil the ocean, so don’t.
You can’t make wholesale changes to your organization in response to every new regulatory directive. However, you can figure out where change can happen, and where it is unlikely to be successful in the short term.
Once you have set up a program and completed your discovery sessions, you need to assess the organizational and resource constraints you will have, and what changes to ask of key stakeholders.
On the bright side, this can help create a burning platform – large change in the face of constraints creates more concern than an ambiguous amount of change and loose talk of how to address it.
Find your Switzerland.
You need someone in charge who understands the amount of work required and its complexity, and who is also seen as a neutral third party. You also need a consistent gauge of where the organization is in the implementation life cycle.
Internal parties are technically capable, but a department or division may be seen as biased and have blind spots. Third parties can offer better transparency and reporting of problems, because their careers and reputations don’t suffer the same way from reporting bad news as internal resources might. Also, neutral third parties can more easily ensure equal voices across divisional lines.
Call the Program Management Experts
Must-do projects like regulatory changes can seem overwhelming and daunting, but it doesn’t need to be. With some careful forethought and the right expertise, regulatory programs can extend beyond just staying onside with the regulator, and set your organization up for long-term success.
In the meantime, if you need help preparing for this hard work, give us a call, or send us a note.
Carolyn Kingaby, Senior Vice President, Financial Services
Carolyn.Kingaby@optimusssbr.com
416.649.9219
Peter Snelling, Senior Vice President
Peter.Snelling@optimussbr.com
416.649.9128
[1] See Government of Ontario (2018). A Plan for the People: Ontario Economic Outlook and Fiscal Review, Toronto: Queen’s Printer, p. 57.

Automate and Digitize: Where Should Credit Unions Start to Build Efficiency?
Credit unions that want to improve efficiency should start by identifying their pain points, building a business case for digitization/automation, conducting a pilot program, implementing quick wins, and exploring new opportunities.

CAO Leadership Series: Municipal Budget Development
Addressing the challenges of municipal budget planning requires a holistic and forward-thinking approach. It necessitates active and continuous engagement with community members, proactive risk reduction strategies, and efficient procurement practices.

Unlocking Security Excellence: Essential IAM & RBAC Best Practices for Robust Application Access and IT Risk Management
The rise of new technologies and the ever-evolving IT landscape have necessitated the implementation of a robust Identity and Access Management (IAM) system accompanied by a Role-Based Access Control (RBAC) framework.

How Canadian Credit Unions Can Leverage ESG Principles and Technology to Reach a Younger Generation of Members
The incorporation of ESG principles by CCUs, coupled with the effective use of technology and targeted marketing, presents a powerful strategy for attracting younger members and securing future growth.

Building High Performing Teams: The 8 Components of Resilience
In a world where change is the only constant, organizations are awakening to the undeniable truth – resilience is the secret weapon for survival and success.

Natural Language in Data Visualization: A Showdown Between Tableau and Power BI
Two industry-leading data visualization tools, Tableau and Power BI, both offer the ability to query data using natural language. But how do they stack up?

7 Drivers of Economic Development
These seven drivers of economic development bring new money into the municipalities, accelerate the velocity of money within the city, increase the engagement of citizens, and propel the generation of new ideas, technologies, talent, success stories, wealth, and global rankings.

Steering Through Uncertainty: The Impact of IFRS 17 on Risk Management and Control Strategies
With a strong emphasis on accuracy and integrity, insurers are faced with the task of redefining their control environments and governance structures for financial reporting.

Analytical Data Mart vs. Data Lake: Which Approach is Better for Your Analytics?
Welcome to the world of data-driven organizations where it is crucial to have a well governed repository to efficiently store and manage your valuable data.

Mastering IFRS 17 with a Strategic Target Operating Model
When applied specifically to the realm of IFRS 17, a strategic Target Operating Model provides a high-level view of the end-to-end solution design, processes, controls, and close schedule required to execute the new finance model.

The Push for Companies to Prioritize Leadership Development
Leaders have been expected to do more than ever in the past few years. Navigating through uncertainty, dealing with new challenges, and responding to rapid change have all become commonplace demands for management teams.

Navigating a Hybrid Work Environment with Gen Z Employees
Millennials, who have dominated the workforce for the past decade, are now ceding the stage to the next generation of employees – Generation Z.

Developing Early Career Talent: 5 Strategies for Success
A robust and effective early career talent development program is essential for companies looking to grow their future leaders from within.

How to Capitalize on Your IFRS 17 Investment
With guidance and support insurers can move from IFRS 17 compliance to business as usual (BAU) and fully capitalize on their investment.

Leading & Engaging Gen Zs – The Bold Approach
Gen Zs are the new age workforce that is gradually changing the landscape of the corporate world. Leading and engaging Gen Zs in this environment requires a bold approach.

Power BI vs Tableau – Which is Better?
Although Tableau and Power BI are similar business intelligence tools, there are key differences that organizations should be aware of when considering analytical requirements.