The impact analysis leads naturally into defining the level of
project management (i.e., formal, heavily documented process)
or task management (i.e., relying on less-formal coordination
with fewer groups involved) that will be required to ensure effective and timely implementation. Regardless of whether you will
utilize a formally trained project management office resource for
project management definition and workflow or be a one-man or
-woman show coordinating the implementation process primarily
via e-mail and one-on-one meetings, you should always consider
the following elements:
■ ■ Who is the executive sponsor and who are the stakeholders?
The executive sponsor will lend credibility to the process,
while the stakeholders provide the accountability. Stakeholders
might include compliance, legal, IT, bank protection, credit,
and operational risk.
■ ■ What are the roles and responsibilities of the stakeholders?
Providing definition early on establishes accountability and
decreases confusion regarding required tasks.
■ ■ Clearly describe what has to be done and why, including risks
■ ■ Describe any assumptions such as relying on a third-party
vendor for “xyz.” Describe any constraints that exist with regard
to resources, systems, or vendors. For example, it is known that
the current vendor will not be updating systems by the effective
date and an internal solution will be needed.
■ ■ Describe what success looks like.
■ ■ Outline deliverables and milestones to track your progress.
■ ■ Establish the communication plan. Will there be weekly status
reporting that flows up from working groups to a steering committee? Or will e-mail updates solicited by the task manager
■ ■ Define what type of sign-off will be required at each stage. Do
members of senior management need to acknowledge that
they are aware of the change and have identified the impact to
their business? Will sign-off be required for milestones? Will
changes require documentation? Who will provide the final
sign-off that the change was implemented successfully (e.g.,
compliance, LOB management, or both)?
Finally, as you move through the implementation phase, you
will want to make sure you continue to update the risk ratings on
your regulatory change dashboard. It is not likely that the regulation
risk will change over time. The inherent risk of the regulation is
static. However, with the other categories you may see movement
to green as the project approaches final implementation well
within established time frames. On the other hand, you could
also see a category of risk increase if prioritization within IT or
the LOB is not appropriate or needs to be escalated.
Integration involves two parts: immediate testing and ongoing
monitoring. The immediate testing is a bridge between imple-
mentation and integration. The implementation process likely
included some testing prior to final launch. However, no matter
how well you tested it during development, it is critical to test
compliance as quickly as possible after the regulatory change has
gone live. In all cases, regardless of the significance of the change,
the final testing should be documented and acknowledged by a
senior manager. This ensures that there is no misunderstanding
between groups that something was believed to have been done,
but didn’t actually get completed.
While all regulatory changes may be created equally through the
legislative process, the impact on the financial institution and the
effort to implement various changes are not always equal. With the
number of expected changes coming from the Dodd-Frank Act,
it will be important to be strategic in how you balance resources
and processes to design the best approach for effective regulatory
change management. Spending time on the front end and creating a framework that defines roles and responsibilities around
identification, impact analysis, implementation, and integration
will help to ensure that your bank does not get bogged down in
process over function. ■
About the AuthorS
MARY ClOUtHIeR is vice president and director of enterprise
compliance at Fifth Third Bank, headquartered in Cincinnati,
Ohio. She manages the bank’s compliance risk management
program, privacy office, and consumer complaints, and can
be reached in Denver, Colo., at (303) 997-9813 or by e-mail at
eDWARD W. bADe, CRCM, CRP, is senior vice president at
The Northern Trust Company in Chicago, Ill., where he serves as the
practice director for global compliance framework. In his 16 years
in compliance, he has a earned a strong record of service on various
national, state, and local compliance organization boards and
committees, and is a frequent conference speaker. He received his
M.B.A. in finance from DePaul University. Reach him at (312) 557-
9126 or at email@example.com.