Utilizing Metrics to Substantiate Management of Regulatory Change

Nasdaq BWise

Measuring change in regulations and laws affecting the organization is critical when determining the compliance risk profile. One key facet is the creation, management, and monitoring of metrics. By utilizing metrics, compliance departments can report what they are doing and how effective compliance activities are to address regulatory change. Risk and compliance metrics typically come in three forms:

  1. Key Performance Indicators (KPIs)
  2. Key Risk Indicators (KRIs)
  3. Key Control Indicators (KCIs)

Each of these indicators may stand alone or correlate with one another. For example, organizing these metrics from a regulatory perspective, a KPI may measure how well a company is complying with applicable laws and regulations. KRIs are a natural extension of a KPI, where the organization wants to know how the most significant risks are affecting its ability to be in conformance. KCIs measure how effective the controls are for each risk. These measures tie to the organization’s appetite and tolerance levels, which are frequently very conservative with no tolerance for non-compliance.

Delving deeper into regulatory change metrics, there is an impetus to define the relevancy of each regulation and law to the organization and its businesses. This extends to the organization’s vendors and partners as well. Establishing relevancy is further complicated by organization-specific variables such as size, geographic footprint, regulator, industry, and business model.

To operationalize, regulatory change should be an explicit part of the compliance framework and reporting process. Management must be cognizant of what changes are possible, how they may affect the business, and their implementation. Illustrative measures may include:

  • Number of possible, relevant changes
  • Number of incoming notifications per geography, type, regulator, etc.
  • Number of applicable notifications
  • Percentage of processes impacted
  • Strategic objectives influenced
  • Number of dispensations/waivers
  • Overview of assessments
  • Action plans outstanding

To gain efficiencies in maintaining compliance with the implementation and sustainability of regulatory change, organizations frequently turn to GRC software. One way in which the software can enable regulatory change is through the monitoring of metrics, changes in measures, and analysis of trends. Moreover, software can take information from internal and external data sources (such as information from regulatory agencies themselves, vendors, consultancies, law firms, etc.) and automatically bring it into the software to populate the metric, rather than relying on manual data entry. For example, the analysis of enforcement notices can provide valuable insights, allowing companies to focus resources on high-priority areas. Over time, these metrics can also show how well (or poorly) the organization is responding to implementing and managing regulatory change. In addition, they help the compliance function create visibility around its output, substantiate requests for additional capacity if required, and manage resources efficiently.

Coupled with other risk information, regulatory change metrics can provide insight into the details of the compliance risk and control environment. Presented well, it gives confidence to the board, executives, and regulators alike that applicable regulatory changes are actively being addressed.

To learn more about how GRC software can help your organization manage regulatory change, please visit or contact us.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.