Michael Rasmussen, Chief GRC Pundit at GRC 20/20 Research, is in the process of publishing a blog series on the daunting challenges that organizations must face when addressing governance, risk, and compliance (GRC). His first post focuses on regulatory change management and what he calls the “tsunami” of regulatory change that overwhelms many organizations. One need only consider the recent changes to big-name regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) to see this playing out in various industries.
Rasmussen lists seven ways that organizations are affected by these types of regulatory changes.
- Frequency of change
- Global context
- Inconsistency in regulations
- Expansion into new markets
- Focus on risk assessment
- Hordes of regulatory information
- Defensible compliance
When an organization operates within a heavily regulated industry, across international borders, or becomes publicly traded, the list of regulations with which they must comply can become staggeringly large. Rasmussen states that, “The volume and redundancy of information adds to the problem…. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.”
Wouldn’t it be great if there were a tool that could keep track of regulations for you? Actually, there is.
Master Regulatory Change with the UCF
If you’re tired of wading through the sea of regulatory information, you need our friend the Unified Compliance Framework (UCF). The UCF is a database that cross-maps hundreds of regulations spanning industries and international borders, helping you to identify the overlap between them. Using the UCF, you can lessen your compliance requirements through a consolidated list of controls. We’re strong believers in the “fix once, comply with many” approach, and you should be too.
Now you’ve got this list of consolidated controls and are putting strategies in place to fulfill your compliance requirements. “What’s to stop them from becoming outdated as the regulations continue to evolve?” you ask. The UCF comes to the rescue, again. The developers and managers of the UCF track new IT regulations, standards, guidelines, and other authority documents, and provide updates to their subscribers on a quarterly basis. The UCF keeps you in the know, to ensure that you don’t get caught off guard.
Intréis has provided clients with UCF content integrated with the ServiceNow IT service management (ITSM) platform since 2013. That integration enables each of those clients to simplify their controls environment, automate testing, and gain better insights through reporting and analytics. It also enables each of those clients to implement their controls framework atop their chosen ITSM platform. This approach results in ITSM fully integrated with key IT and business processes – the same processes housing critical data required for effective GRC management.
Take Regulatory Change Management to the next level, by integrating ServiceNow and the UCF
With its upcoming “Fuji” release, ServiceNow is expected to offer a version of its GRC application that incorporates UCF content. Whenever it is officially made available, this offering will provide a strong validation of the Intréis approach to UCF-enabled ITSM-GRC integration. It will also extend the value of UCF content and its integration with ServiceNow to more enterprises, enabling higher levels of operational effectiveness and defensible compliance for all.
Read: “What is the UCF and why are we integrating it with ServiceNow”
Whatever path you take at your enterprise, your goal should not just be compliance, but rather defensible compliance. As Rasmussen states, “Regulators across industries and jurisdictions are requiring that compliance is not just well documented, but is operationally effective.” He goes on to describe the real life example of the much-praised compliance program of Morgan Stanley. Morgan Stanley was the first company in 35 years of Foreign Corrupt Practices Act (FCPA) history to not be prosecuted, despite a guilty plea by a Morgan Stanley official. The Department of Justice (DoJ) credited Morgan Stanley’s ability to keep compliance current in the midst of regulatory change for this feat.
Your enterprise’s approach to GRC must be comprehensive, transparent, and defensible. UCF content can ease and speed your progress toward these goals, and should definitely be part of your compliance toolkit.
About the authors
“Life is too short to live un-inspired by the world” - margaret muir
