
    Compliance teams face an ongoing challenge: how to keep their policies and procedures current amid business updates and regulatory change. The key to keeping up? According to Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20 Research and author of the OCEG Policy Management Illustrated eBook, continuous and proactive policy and risk assessment enables firms to swiftly identify compliance gaps and promptly implement corrective actions. 

    Beyond the Annual Review: Keeping Policies and Compliance Current Amid Regulatory Change

    During the webinar Beyond the Annual Review: Keeping Policies and Compliance Current Amid Regulatory Change, Rasmussen provided practical guidance on prioritizing compliance risks, evaluating regulatory obligations, and verifying policy effectiveness through targeted testing and monitoring. 

    The Critical Role of Policy Governance in Compliance

    According to Rasmussen, policies are the backbone of any organization’s governance framework. They define corporate culture, establish behavioral expectations, and provide the structure necessary to reliably achieve business objectives. He emphasized during the webinar that policies are not just compliance documents; they are governance and risk management tools. Each policy addresses an identified risk and sets boundaries, responsibilities, and controls to mitigate that risk.

    He asked attendees to imagine their firm's business without clear policies and procedures—it would be chaotic, inconsistent, and prone to failure. Policies ensure that employees understand their roles and obligations, enable regulatory compliance and foster a culture of ethics and integrity.

    Developing a culture of compliance is key to effective policy and procedure management.

    Every policy is intrinsically linked to risk. According to ISO 31000, risk is “the effect of uncertainty on objectives.” Policies directly address this uncertainty by establishing risk appetite, tolerance, and ownership.

    Taking a Centralized Approach to Policy Management and Regulatory Change is Critical

    One of the most significant challenges organizations continue to face in the financial services industry is the steady pace of regulatory change. According to Rasmussen, in the financial services sector alone, there are approximately 257 regulatory change events every business day from over 1,300 regulators worldwide. These changes include new laws, amendments, enforcement actions, and notices of proposed rulemaking, creating a constantly shifting landscape.

    Organizations must also contend with internal changes such as evolving business strategies, shifting employee roles, and an expanding extended enterprise that includes suppliers, vendors, and contractors. Keeping policies aligned with all these external and internal changes is no small feat.

    Rasmussen shared an example from a global European bank where a single regulatory change event took six months to update one related policy, involving 75 reviewers in a manual document check-in/check-out process. He shared another example of a large insurance firm with 28 different policy portals, each with inconsistent content. And firms that have been part of mergers and acquisitions can accumulate thousands of unharmonized policies and procedures.

    Policy Management and Policy Risk Assessment Tools Drive Cohesive Compliance

    To overcome these challenges, organizations need a well-designed compliance management strategy that integrates policy management and risk assessment with regulatory change processes. This requires a suite of policy management tools that:

    • Map policies to regulatory obligations, ensuring regulatory changes trigger timely policy reviews.
    • Align policies with organizational structures, distinguishing entity-level, process-level, and asset-level policies.
    • Link policies to corporate objectives and identified risks.
    • Authorize and identify policy controls embedded in policies.
    • Connect issues, incidents, and investigations back to relevant policies to identify root causes and areas for improvement.
    • Define clear roles and responsibilities for policy owners and other stakeholders in the process.

    See how MCO’s Know Your Obligations solution suite provides configurable policy management tools and policy risk assessment tools for optimal policy governance.

    Rasmussen pointed out that a structured approach to policy management and risk assessment improves the quality of compliance information, optimizes resource allocation, enhances policy effectiveness, protects brand reputation and reduces costs. This approach also enables firms to take a strategic and proactive approach to policy management and risk assessment, rather than constantly reacting to changes that have already occurred.

    To implement that structured and standardized approach, firms need an integrated suite of policy management tools and risk assessment tools to unify regulatory obligations, automate workflows to manage those obligations, and improve efficiency and agility across the enterprise.

    Make the Move from Manual to Automated Compliance Management

    Many organizations still rely on spreadsheets, emails, and disconnected systems to manage policies and compliance, leading to inefficiencies and risks. A compliance system that can automate core areas of compliance using a single source of data and can be configured to meet your firm's unique needs eliminates the risk and inefficiencies that a siloed approach will bring.

    Michael reminded the audience, however, that technology alone is not a silver bullet; it must be embedded within a strong compliance strategy and governance framework.


    Looking Ahead: Taking a Risk-Based Approach to Compliance Management

    According to Rasmussen, the future of compliance risk management varies by geography and regulatory philosophy. He notes that in the United States, deregulation and restructuring of regulators are prominent trends, often emphasizing checklist-driven compliance. In contrast, Europe and many Commonwealth countries adopt a principles and outcome-based approach focused on risk and results.

    This shift toward risk-based regulation demands more agile and proactive compliance programs focusing on achieving desired outcomes rather than simply meeting prescriptive requirements.

    Simplified Compliance Management with MCO

    Keeping policies and compliance current amid continual regulatory and business change is a demanding and ongoing challenge for financial service firms of all sizes. It requires a holistic approach integrating policy management, regulatory change management, risk assessment and compliance monitoring within a unified framework.

    Rasmussen notes that organizations can transform compliance from a reactive burden into a strategic advantage by adopting structured policy management lifecycles and leveraging advanced compliance technology. This transformation enables agility, resilience, and effectiveness in navigating the complex regulatory landscape, ensuring that businesses not only meet their obligations but thrive in a dynamic environment.

    And that means keeping compliance activities, including policy governance and risk assessment, at the forefront all year long—not just when it’s time for the annual compliance review. The MyComplianceOffice platform enables firms to keep that focus with a comprehensive and robust compliance program management framework, automating the core elements of a global compliance program on a single system with a central database.  

    Our Know Your Obligations suite enables firms to maximize the efficiency and effectiveness of the compliance oversight process with regulatory change management, policy design and governance tools, risk assessment, control testing, metrics and policy and control assurance.

    Ready to learn more? Contact us for a demo today!
