Compliance professionals continue to place significant importance on the presence of appropriate change management controls in their organizations. While regulatory agencies typically don’t formally define change management, it’s generally considered to be the identification, evaluation, and implementation of processes and controls to help institutions make developments in accordance with regulatory requirements. Regulatory agencies insist that change management is a key element of a company’s compliance management system. Here, we’ll dive into why this is important, and detail proper controls and best practices for institutions to implement.
When Something Goes Wrong
Imagine you’re the Compliance Officer at a company undergoing a regulatory exam, and the examiner comes into your office to speak with you. Turns out, your organization is going to be cited for a violation related to your premier rewards product. The product offers a high interest rate, but the minimum transaction criteria to earn this rate isn’t properly disclosed to the customer. Also, a monthly maintenance fee is being charged that’s $3 higher than the amount included in your Fee Schedule.
The examiner hands you copies of three different advertisements for the product, all of which reference different terms. They explain to you that several retail employees were questioned about the product, but each expressed some level of confusion over it. Ultimately, your company is going to be cited for a violation in the examination report. Not only will your company have to take steps to implement corrections for disclosures, systems, documents, training, and advertising, but it will also have to endure considerable expense to reimburse customers who were under-credited interest or over-assessed fees.
An analysis of the circumstances that led to this violation is then performed, and concludes that:
- The business line decided to make changes to the product but neglected to discuss the change with the Compliance Department at any point before or after the changes took effect.
- Account opening disclosures were revised by the business line, but the person responsible for this task left the company for another opportunity shortly before implementation. Consequently, the correct disclosures were never finalized and distributed to retail or marketing department.
- No formal training ever occurred for the revisions to the product. The business line simply sent out an informal email to retail staff talking about how the product was being enhanced but gave very little details.
These results demonstrate that the organization lacks sufficient change management controls. If adequate controls existed, these failures could have been identified and remediated prior to the exam, avoiding the violation and reimbursement issues.
The Importance of Change Management
Change is a constant. It’s something that companies and compliance professionals will always have to endure. Common examples of events that warrant change include:
- Corrective action for addressing audit or examination findings
- Improvements or efficiencies in existing processes
- New vendors
- Regulatory updates
- Strategy or policy amendments
- System conversions or upgrades
- The creation of new products and services
- Turnover in management or personnel
Do not only prepare for change on a large scale, such as a major regulatory shift like the expansion of Anti-Money Laundering reporting. Even small events, such as a new interpretation or a software patch, can have ripple effects. Companies should anticipate change as a frequently occurring event.
These changes also come with great risk. The Federal Financial Institution Examination Council (FFIEC) is one agency that specifically includes change management within its Uniform Interagency Consumer Compliance Rating System. Institutions that fail to display appropriate controls over change management may not just face a specific technical violation, but also a lower examination rating. Although the SEC and other agencies may not explicitly call for compliance change management programs, failure to appropriately address change could also result in issues like reduced operational efficiency, inadequate communication, customer confusion, customer service issues, or reputational risk. These issues could have a domino effect throughout the organization if not handled appropriately.
Controls and Best Practices
Thorough Risk Assessments
There are a variety of key controls and best practices to ensure proper preparations prior to the change. Whenever a prospective change is imminent, consider performing a risk assessment, which can be a critical tool over the change management process. A risk assessment can be utilized to address a new product or service, handle a vendor or system change, or be part of a broader evaluation of how the company addresses their requirements and regulatory environment. As part of this evaluation, ask questions such as:
- Why is this change taking place?
- Is the change required, or optional?
- Are there any exceptions or limitations regarding the change?
- What is the volume of personnel in the organization impacted by the change?
- What is the volume of customers impacted by the change?
- Is customer notification required? If yes, what are the time periods?
- What is the prospective cost to implement the change?
- How will the change impact the company’s ability to comply and meet its operational and strategic objectives?
By performing a risk assessment, potential benefits and pitfalls that will be involved throughout the change can be evaluated. While some changes will be required no matter what, whether due to regulatory updates or expiration of vendor contracts, there are often business decisions to be made regarding aspects of the change. This assessment will enable the management to evaluate the net results of the change, determine its level of importance, and decide what resources need to be allocated where. You may even determine that the change will have a negative net impact on the company, and ultimately consider not making it at all.
Management should consider whether a formal committee or task force should be formed over any prospective changes. Many companies maintain compliance committees that include representatives from various business lines within the organization. The compliance committee is often seen as a good place to discuss and oversee the change management process. Other companies have separate working committees that are specifically created for the project. For example, many organizations have a new product/service committee, which is responsible for determining when a new product or service may be warranted and covering all relevant aspects of the changes it will impose throughout the organization. Others form temporary task forces when major changes occur, which are dedicated solely to the identified issue and disband upon completion.
Oftentimes a change will impact a wide variety of areas within the organization. So, regardless of what type of committee or task force is established, it’s critical that there’s proper representation from the different business lines in the organization. Beyond the primary business line impacting the change, departments such as Compliance, Marketing, Training, Accounting, Information Systems, and others may need to be involved. Meetings should occur frequently enough to support timely progress on the initiative.
Sufficient oversight of the change management process is also key to its success. It’s important to have buy-in on any change-related initiatives from senior management within the organization. At least one member of senior management, or someone who reports to them, should be directly involved in the change process. This involvement will assist in ensuring that strategic objectives are met, objectives are progressing on time, and team members are being held accountable. A formal action plan should be developed and implemented any time a material or significant change is necessary. By clearly delineating the deliverable timeframes, individuals and departments responsible for each task component can measure and track the project status and whether those involved are fulfilling their responsibilities.
Sometimes the systems and technologies utilized can be the most critical part of the change management process. For instance, when major regulatory changes occurred during the past few years, companies often found themselves in positions where they were at the mercy of their software vendor and couldn’t fully implement changes in processes until the vendor had upgraded its systems. Companies should proactively identify which systems and vendors are going to be impacted by the change and reach out to them as early as possible.
There are going to be times where existing vendors can’t handle the necessary upgrades. This situation may warrant due diligence to find a new vendor, which can be a lengthy process. Existing vendors can often handle the changes, but will need time to implement software upgrades. Establishing continuous communication with the vendor regarding any upgrades is important to properly oversee the change. The company should reverse engineer vendor due dates by identifying the project deadline and working backwards to make sure there’s sufficient lead time to perform testing and make any necessary corrections. When the upgrade takes place, all appropriate employee systems and access will need to be updated. Utilizing out-of-date systems can quickly lead to violations. Testing should be performed to confirm that any upgrades don’t have unintended effects on other automated processes.
Anytime a change is implemented, it’s highly likely that a variety of different documents will be impacted. Companies will want to do an inventory of any possible documents impacted to ensure all are updated accordingly. Written policies and the procedural documents that staff rely on when performing their duties are the most critical to this process. If properly maintained and sufficiently detailed, these documents can guard against issues driven by employee turnover because they provide detailed instructions on day-to-day processes.
Any training material that could possibly be impacted by the change should be re-evaluated to determine if it’s current and appropriately identifies new processes and controls in place. Many changes directly impact customer disclosures and must be updated. It’s critical that outdated disclosures are properly replaced and then destroyed. This caution also carries over into electronic material. Old policies and procedures should be removed from systems and network drives so only the current one can be accessed.
Evaluation & Audit
Controls to evaluate the change are also an important part of the change management process. When there is a mandatory implementation for regulatory changes, the ideal scenario is to have the changes ready one to two months in advance of that date. This time period will enable monitoring over the changes to see if updates have been effective and whether they cause any unforeseen issues. Pre-existing monitoring and quality control checklists should be amended to reflect anything new or different that’s impacted by the change. Necessary adjustments should be made to audit plans to capture the change into future testing. Any permanent change should be captured in each subsequent audit. As changes increase risk, it’s ideal to have an audit performed that analyzes the change within a year of implementation.
Is It Working?
One final best practice to consider is revisiting the change after a period to determine whether the change was worth it. Management will want to consider whether the change has had the net effect that was expected, going back to the risk assessment completed earlier in the process. Just because a change has taken place and was successfully implemented doesn’t mean that the expected results will occur, or that unexpected factors won’t come into play and affect things at a later point in time. Management will want to ensure any post-implementation evaluation doesn’t take place until enough time has passed so that there’s clean data.
Beyond formally auditing the process for regulatory compliance, companies will find such an evaluation helpful in seeing if strategic objectives have been met. In addition, it will be helpful to see whether there’s anything that came out of the process that should be considered for future instances where a change must be implemented.
Using these change management best practices, your company will adequately prepare for the shifts that impact your business, strengthen your agility, and improve your processes to capitalize on these changes – allowing you to accelerate in the market.