Regulatory Compliance Health Check Survey Results September 2018

Index:

1.0 About This Survey

2.0 Process Maturity:

2.1 High Level Analysis

2.2 Comparing Industry Sectors

2.3 What Do the Scores Mean?

3.0 Product Regulatory Risk Management for Manufacturers

4.0 Risk:

4.1 High Level Analysis

4.2 Comparing Industry Sectors

4.3 What Do the Scores Mean?

5.0 Sample Actions to Improve Your Compliance Processes

6.0 The Challenge of the Regulatory Avalanche

7.0 What’s Next?

8.0 About Compliance & Risks

1.0 About This Survey

The Regulatory Compliance Health Check Survey was carried out by Compliance & Risks to allow companies to benchmark the maturity of their regulatory compliance and risks processes against the industry average, as well as to gain an insight into averages across varying industries.

Questions were asked to establish how each organization:

● discovers regulatory developments

● analyses regulatory developments

● communicates regulatory developments

● implements regulatory developments

135 companies responded from a range of industries as seen in the chart below:

The answers provided allow an analysis using an adaptation of the Capability Maturity Model (CMM) which assesses process capability. This approach originates in the software industry, but has broad applicability. The term "maturity" relates to the degree of formality and optimization of a process, from ad-hoc practices, through to active monitoring and optimization of the process.

In order to gain insights, we have broken the regulatory compliance process down into its four main elements (corresponding to the four bars in each chart on the following pages), namely:

Discovery

This is how your organization finds out about developments in regulatory requirements. It could be by means of newsletters, bulletins, attending conferences, standards committees or other events, or via a structured information service or database.

Analysis

This refers to how a piece of regulatory content is assessed for its impact on your organization or its products.

Communication

How the outcome of the analysis is communicated to those who need to know the information. Having the right information, at the right time and in the right format, is key here.

Compliance Actions

If a regulatory development requires something to be done, how is this managed? Is there a closed loop and traceability to ensure actions follow in a timely manner?

2.1 Process Maturity - High Level Analysis

The chart below shows scores for each of the four regulatory process stages for each of the respondent industry sectors.

Only 5 companies reported one or more elements of their process at level 5 (Regularly Updated). Self-scoring tends to be slightly higher for implementation of compliance actions than for the process of finding, analyzing and communicating the regulatory developments. This raises the question of whether the right things are being done, as there appears to be lower capability maturity in the process to find and analyze regulations.

Based on our sample size, some sectors show a relative weakness in a particular process stage, such as ‘Implementation’ (compliance actions) for Industrial, Agricultural Machinery companies and ‘Discovery’ for Consumer Electronics, Healthcare and Apparel industries.

(Note: Some sectors omitted due to insufficient sample size.)

2.2 Process Maturity - Comparing Industry Sectors

Combining the four process stages to give an overall Regulatory Management Process score for each sector reveals a variation in process capability between industry sectors.

It is noteworthy that, on average, only one sector reaches level 4: ‘Audited’, and sectors are well below achieving a process that they would regard as responsive (corresponding to level 5: ‘Regularly Updated’).

2.3 Process Maturity - What Do the Scores Mean?

Answers to the questions in our survey broadly correspond to the 5 levels of maturity in the CMM model for each of the process stages.

Scoring is on a scale of 1 - 5:

Score 1 - 2: Informal unwritten
What does this look like? Processes are informal / unwritten. Much activity will be ad-hoc.
Potential downsides: Outcomes and risk exposure unknown, tend to be very short-term focused, regular surprises, unnecessary costs.
Opportunities: Small improvements will bring noticeable results.

Score 2 - 3: Formal written
What does this look like? Processes are mostly formal / written. A start has been made on controlling the process, outcomes and risk, but results are unpredictable, and risk exposure is unmeasured.
Potential downsides: Having process documents can lead to a false sense of security. They may not be followed, and unpredictability may result.
Opportunities: Being at this stage should mean there is buy-in to the principle of process documentation. It is a basis to ensure they are followed.

Score 3 - 4: Adhered to
What does this look like? Written processes are in place, and mostly followed.
Potential downsides: Good processes need to keep up with the times, creeping changes may mean new needs are not being met.
Opportunities: This is a great place to be in order to start validating that the desired process results are being achieved.

Score 4 - 5: Audited
What does this look like? Process is controlled and predictable, until demands and circumstances change.
Potential downsides: Audits can ignore the needs of your organization and merely become a box-checking exercise.
Opportunities: Use audits as an opportunity to validate process, to ensure that it’s keeping up with changing needs. This will help progress to level 5.

Score 5: Regularly updated
What does this look like? Responsive process in place and organization's changing needs are being met.
Potential downsides: Keep it up, don’t let complacency set in!
Opportunities: Apply metrics to ensure resources are made available to meet ongoing needs.

Scoring below average in a specific process stage can mean increased likelihood of...

Discovery

Surprises can be expensive and disruptive. Effort and resources will be spent reactively rather than planning and streamlining. Good discovery means staying ahead of developments, looking 2-3 years or more ahead.

Analysis

This can mean that those in your organization needing specific regulatory information are dealing with irrelevant or low-priority information. This can lead to duplication of effort and/or inadequate targeting of information.

Communication

Delays to new product releases and recalls are all too common. Reputations and bottom lines are damaged when those acting on regulatory updates don’t have the information to hand at the time and point of application.

Compliance Actions

All work done in discovery, analysis and communication can be nullified if there is no follow-through. Action in development programs needs to be as early in development as possible. All the other downsides on the left can still happen without appropriate action following it up.

3.0 Product Regulatory Risk Management for Manufacturers

Risk in the context of product compliance involves recognizing that there are constant developments in regulations and standards worldwide that present a degree of unforeseeable impact on the company’s ability to sell its products. This risk must be recognized and managed by all companies manufacturing and selling products.

Responsibility for management of risk, including product compliance risk, ultimately belongs to an organization’s board of directors. Where there is lack of clarity that the board ‘owns’ that risk, it can lead to many of the issues experienced by many companies who struggle to meet their basic compliance obligations, with many of the inherent downsides that entails.

Risk reporting to the board, even in product companies, often omits any reference to product compliance risk. Product compliance is about ensuring access to the company markets, and yet this is often absent from the board’s considerations. Where there is a disconnect between the board’s ownership of risk and the operational functions of the organization, the effect can be similar: it often results in under-resourcing and lack of prioritization of market access functions.

Where risk management is happening at operational level, there will be tools and methods employed to manage risk. The survey questions relating to risk were designed to gain insights into these three factors:

● clarity of responsibility at board level

● acceptance of that responsibility by incorporating appropriate risk management practices into company policies and processes

● looking at the example of ‘risk rating’ of regulatory developments as representative of the use of tools and innovation

4.1 Risk – High Level Analysis

It is worth noting that in almost every sector, ownership of risk scores highest, whilst scores for the working out of that ownership throughout the organization are lower.

From the companies surveyed, it’s also interesting to note that Aerospace, Technology Hardware, and Industrial sectors score towards the lower end of the scale when it comes to risk capability. Only seven companies from the total number who participated in the survey had no risk scoring system in place.

4.2 Risk – Comparing Industry Sectors

Unsurprisingly, Health Care Equipment scores highest when it comes to risk ownership management and processes amongst manufacturers. What might be more surprising to readers is that Household Appliances comes in second place. As we work with companies in this sector quite intensively, we at Compliance & Risks are aware of how competitive the sector is. Organization and anticipation of regulatory developments is a strategic enabler.

4.3 Risk – What Do the Scores Mean?

Q1: Is responsibility for product regulatory risk at the top of the organization defined and understood?

Score: What does this look like?

5: Clearly defined and understood by all - responsibility at, or near board level is clear and informs strategy. Seen as sector leader due to coordination of corporate knowledge and resources

4: Responsibility is implied - ownership is defined, but not necessarily widely understood

3: Diffused responsibility - divided between general management, but not clearly defined

2: A little - those at operational level do their best to manage risk

1: No one has that responsibility

Outcomes High-End Ratings:

Timely international product launches and market penetration. Good integration of R&D and international sales organization into market access program. Prioritized resourcing of market access function. Predictable cost of compliance and low cost of non-compliance.

Outcomes Low-End Ratings:

Lack of understanding at top of the organization of importance of market access function, and the constant increase in regulatory burden. Difficulties in obtaining resources for product compliance and market access activities. Lack of coordination with other business activities. Duplication and gaps in effort in, and between business units. Large variations in performance between projects, business units, territories. Compliance viewed as a cost centre rather than business enabler.

Q2: Is product regulatory risk management and mitigation systematically incorporated in business processes? Is prioritization of regulatory developments on the basis of risk assessment a consistent part of the normal operation of the organization? In other words, is it embedded in SOPs and product development processes?

Score: What does this look like?

5: Cutting edge / Ongoing review - As below, plus system is looking forward at the regulatory horizon, i.e. 2 years ahead. Proactive

4: Comprehensive - As below, plus risk approach consistent and quantifiable across markets/products

3: Mostly in place - for important markets/products

2: Partially - Exists for some markets/activities/products. Mostly understood, not necessarily systematically or consistently

1: Does not exist, or ad hoc, reactive, firefighting

Outcomes High-End Ratings:

Predictable product development project durations. Early incorporation of forward looking regulatory developments into product design. Product exhibits leading-edge technology and environmental performance.

Outcomes Low-End Ratings:

Low predictability in product development projects. Late, expensive modifications needed before release. Delayed product release. Market access difficulties for new products and shortened product life-span significantly impacting profitability.

Q3: Is there a structured approach to regulatory risk rating in place? For example, using a market and/or subject matter weighted risk scoring scheme. Is regulatory activity risk prioritized? For example, on the basis of the importance of the market to your organisation and/or prioritized on the basis of ‘product safety’ rather than other subjects?

This is a developing area, being enabled by modern data systems assisting manual risk rating or providing automated or partially-automated risk rating.

Score: What does this look like?

5: Cutting edge / Ongoing review - As below, plus system is looking forward at the regulatory horizon, i.e. 2 years ahead. Proactive

4: Comprehensive - As below, plus risk approach consistent and quantifiable across markets/products

3: Mostly in place - for important markets/products

2: Partially - Exists for some markets/activities/products. Mostly understood, not necessarily systematically or consistently

1: Does not exist, or ad hoc, reactive, firefighting

Outcomes High-End Ratings:

Good allocation of resources, regulatory growth trends identified, resources allocated appropriately and in timely manner. Rare fire-fighting, work can be planned and measured. Good metrics / Key Performance Indicators.

Outcomes Low-End Ratings:

Risk of uneven, poor allocation of compliance resources. Loudest (or most senior) voice gets the resources. Important regulatory developments not prioritized, time and effort often spent on wrong things. Lack of responsiveness to trends such as growth of regulations in particular parts of the world.

5.0 Sample Actions to Improve Your Compliance Processes

Score(s) in any of the process stages below industry average, or significant differences in capability scores between process stages, point to an area of risk exposure and an opportunity to improve.

In addressing the kind of issues raised by this survey it is important to get to the root cause in each case. In doing this it is helpful to ask the ‘why?’ questions. For example;

6.0 The Challenge of the Regulatory Avalanche

With the constant growth of the regulatory avalanche, existing resources often can no longer keep up. Established ways of managing regulatory requirements continue to be stretched due to the increasing volume of regulations worldwide. The chart below shows new regulations since 2003 under seven of the main subject areas impacting products.

C2P: Global Regulations by Subject

Note: Subject totals are greater than region totals (see chart on pg 16) because certain regulations impact more than one subject

Discovery in particular can be stretched by growing regulatory activity in regions where historically there was little regulation, e.g. Asia and Latin America. Lack of familiarity with the market or people on the ground is compounded by language issues. This makes ‘Discovery’, ‘Analysis’ and ‘Communication’ more difficult than was previously the case.

C2P: Global Regulations by Region

7.0 What’s Next?

Do you have trouble justifying expenditure on compliance resources? Are you unsure if there are gaps in your coverage? Worried about duplication of effort? Are you trying to move to a more strategic approach to compliance?

Compliance & Risks offers a Regulatory Process Consulting service that helps companies address their resource and process challenges. Through our holistic approach we work with you and your staff to identify areas of high risk and help you to make the business case for resource allocation.

8.0 About Compliance & Risks

Established in 2002, Compliance & Risks helps manufacturers, retailers and their supply chain partners monitor and manage requirements, regulations and standards for a cleaner, safer and better world. It creates business advantage for clients by providing reliable legislative information, insights and actions through C2P, its knowledge management platform, consulting, market access, managed services and other solutions.

The company is recognized as the end-to-end global regulatory solutions provider across the technology, consumer goods and retail, industrial goods and life sciences sectors.

Headquartered in Cork, they also have offices in Brussels, California, London and New York.

For more information, please visit www.complianceandrisks.com

Important Notice: All information provided by Compliance and Risks Limited and its contributing researchers in this report is provided for strategic and informational purposes only and should not be construed as company specific legal compliance advice or counsel. Compliance & Risks Limited makes no representation whatsoever about the suitability of the information and services contained herein for resolving any question of law. Compliance and Risks Limited does not provide any legal services. © 2018 Compliance & Risks Limited. All rights reserved.