Taking compliance to the next level

Feb 11, 2021
Written by
Salvatore Piu
Salvatore Piu

Taking compliance to the next level

Internal regulations governance has become more and more critical both because of exogenous pressures (e.g. an ever-changing legislative environment, increased scrutiny from regulatory institutions) as well as endogenous ones (e.g. frequent organizational changes and corporate acquisitions). A company’s own regulatory framework consists of various sorts of documents. Some have merely an informative purpose, others regulate operational activities, while others still focus on the internal control system.

Internal regulations are as follows: policies, manuals, organizational communications, organizational and management models, ethical codes, information notes, service orders, procedures, operating instructions, operating manuals, function charts, job descriptions etc. We’re still far from universally adopted reference standards, so each company creates its own terminology. For example, those who adopt a quality system will most likely use terms such as “manual”, “procedure” and “operating instructions”. But despite the certifying bodies and industry guidelines, in each company each document will have a slightly different connotation, with significantly different purposes, content type, and level of detail.

In everyday experience, we are all well aware that the complexity of regulations is layered over time. The difficulty of accessing and using information can give rise to situations where employees adopt operational practices that are a far cry from official ones. These are often based on word of mouth, which can result in conduct that does not comply with current legislation and exposes the company to high risks.

A bit of history of internal regulation in Italian banks
An important innovation boost to the entire documenting system linked to internal regulation took place in the banking sector towards the end of the nineties and the beginning of the new millennium. Mergers and acquisitions in previous years had greatly increased the size of banks. An undesirable consequence of this consolidation process was the emergence of difficulties in coordinating and controlling these new structures.

In those years, the first revision initiatives started, with the result being that regulations were rewritten using BPA (Business Process Analysis) tools. Although those efforts were far from perfect, one cannot deny that they achieved surprising results. A large banking group, as a result of the merger of three different companies, managed to reduce the number of documents to do with regulation from 27,000 to just 2,800. Other banking groups achieved even more surprising results to do with reclassifying and updating content.

The negative inheritance, beyond a few virtuous examples, was above all to cement the idea of a passive repository (of processes and regulations), into which the contents were fed retrospectively once the design already existed. That is because BPA tools were not used for process improvement by experienced analysts, but simply for documenting the ‘as is’. In practice, it reduced work to “taking minutes” of existing activities and practices.

Today, business process analysts are turning their tools towards their primary role, that of analysis, while those who used them exclusively for documentation are abandoning them. Thanks to those experiences, the drafting of regulatory content as well as the way it gets approved is changing. Specifically, by taking advantage of the most modern collaborative and social platforms, such as Bizzdesign HoriZZon, in an environment that is becoming increasingly integrated with existing systems while continuing its path to the cloud.

Internal regulations today
The regulatory management process in medium and large companies is very varied depending on industry sectors and business complexity. Digitization is a need felt by all businesses, but Word and email are still the most used tools today. When it comes to designing internal regulations, many organizations use Word for the drafting phase, while the publication takes place through the corporate intranet. We can see that the degree of digitization is particularly low compared to the potential expressed by the process.

The most interesting aspect concerns the sharing and dissemination of rules, which nevertheless remain documents (albeit electronic). The transition of the standard from a “document” to a set of “content”, which began in the 2000s, has only partially been completed. The improvement of use and legibility is entrusted above all to search features, able to provide direct access to the paragraphs of interest and navigability between the different sections.

In my experience working with customers, I believe that it is possible to achieve better results by working upstream on the initial design of the document structure and their drafting process. Current technologies allow the application of methods of rationalization to regulatory content. This has been proven to be effective in overcoming the technological and cultural limits that historically resulted in subpar use of BPA tools, while at the same time preserving their integration. These methods and technologies also greatly improve the use, facilitating the introduction of chatbots and allowing the integration of FAQs.

All digitization projects share objectives such as the reduction of low-value-added manual activities and the traceability of activities. In addition, a digital transformation project in this area must be measured by the ability to implement, and therefore not only describe, the desired changes in the shortest possible time. Further benefits can be achieved by breaking away from the ineffective practices of ‘record keeping’. Since internal regulation describes the functioning of a company, its governance is an integral part of the broader change management process.

This will be a key success factor in the future, both because of its ability to adapt quickly to new design regulations and to respond quickly to market changes. And this chameleon-like ability will only be further stimulated thanks to the integration between the world of regulation, risk management, and enterprise architecture.  After all, is managing the internal regulation not part of Enterprise Architecture?