Regulatory Compliance Health Check Survey Results
September 2018
Index:
1.0 About This Survey
2.0 Process Maturity:
2.1 High Level Analysis
2.2 Comparing Industry Sectors
2.3 What Do the Scores Mean?
3.0 Product Regulatory Risk Management for Manufacturers
4.0 Risk:
4.1 High Level Analysis
4.2 Comparing Industry Sectors
4.3 What Do the Scores Mean?
5.0 Sample Actions to Improve Your Compliance Processes
6.0 The Challenge of the Regulatory Avalanche
7.0 What’s Next?
8.0 About Compliance & Risks
1.0 About This Survey
The Regulatory Compliance Health Check Survey was carried out by Compliance & Risks to
allow companies to benchmark the maturity of their regulatory compliance and risks
processes against the industry average, as well as to gain an insight into averages across
varying industries.
Questions were asked to establish how each organization:
● discovers regulatory developments
● analyses regulatory developments
● communicates regulatory developments
● implements regulatory developments
135 companies responded from a range of industries as seen in the chart below:
The answers provided allow an analysis using an adaptation of the Capability Maturity Model
(CMM) which assesses process capability. This approach originates in the software industry,
but has broad applicability. The term "maturity" relates to the degree of formality and
optimization of a process, from ad-hoc practices, through to active monitoring and
optimization of the process.
In order to gain insights, we have broken the regulatory compliance process down into its
four main elements (corresponding to the four bars in each chart on the following pages),
namely:
Discovery
This is how your organization finds out about developments in regulatory requirements. It could be by means of newsletters, bulletins, attending conferences, standards committees or other events, or via a structured information service or database.
Analysis
This refers to how a piece of regulatory content is assessed for its impact on your organization or its products.
Communication
How the outcome of the analysis is communicated to those who need to know the information. Having the right information, at the right time and in the right format are key here.
Compliance Actions
If a regulatory development requires something to be done, how is this managed? Is there a closed loop and traceability to ensure actions follow in a timely manner?
2.1 Process Maturity - High Level Analysis
The chart below shows scores for each of the four regulatory process stages for each of the
respondent industry sectors.
Only 5 companies reported one or more elements of their process at level 5 (Regularly
Updated). Self-scoring tends to be slightly higher for implementation of compliance
actions than for the process of finding, analyzing and communicating the regulatory
developments. This raises the question of whether the right things are being done, as
there appears to be lower capability maturity in the process to find and analyze
regulations.
Based on our sample size, some sectors show a relative weakness in a particular process
stage such as ‘Implementation’ (compliance actions) for Industrial, Agricultural Machinery
companies and ‘Discovery’ for Consumer Electronics, Healthcare and Apparel industries.
(Note: Some sectors omitted due to insufficient sample size.)
2.2 Process Maturity - Comparing Industry Sectors
Combining the four process stages to give an overall Regulatory Management Process
score for each sector reveals a variation in process capability between industry sectors.
It is noteworthy that, on average, only one sector reaches level 4: ‘Audited’, and sectors
are well below achieving a process that they would regard as responsive (corresponding to
level 5: ‘Regularly Updated’).
2.3 Process Maturity - What Do the Scores Mean?
Answers to the questions in our survey broadly correspond to the 5 levels of maturity in the
CMM model for each of the process stages.
Scoring is on a scale of 1 - 5:
| Score | What does this look like? | Potential downsides | Opportunities |
|---|---|---|---|
| 1 - 2: Informal unwritten | Processes are informal / unwritten. Much activity will be ad-hoc. | Outcomes and risk exposure unknown, tend to be very short-term focused, regular surprises, unnecessary costs. | Small improvements will bring noticeable results. |
| 2 - 3: Formal written | Processes are mostly formal / written. A start has been made on controlling the process, outcomes and risk, but results are unpredictable, and risk exposure is unmeasured. | Having process documents can lead to a false sense of security. They may not be followed, and unpredictability may result. | Being at this stage should mean there is buy-in to the principle of process documentation. It is a basis to ensure they are followed. |
| 3 - 4: Adhered to | Written processes are in place, and mostly followed. | Good processes need to keep up with the times, creeping changes may mean new needs are not being met. | This is a great place to be in order to start validating that the desired process results are being achieved. |
| 4 - 5: Audited | Process is controlled and predictable, until demands and circumstances change. | Audits can ignore the needs of your organization and merely become a box-checking exercise. | Use audits as an opportunity to validate process, to ensure that it’s keeping up with changing needs. This will help progress to level 5. |
| 5: Regularly updated | Responsive process in place and organization's changing needs are being met. | Keep it up, don’t let complacency set in! | Apply metrics to ensure resources are made available to meet ongoing needs. |
Scoring below average in a specific process stage can mean increased likelihood of...
Discovery
Surprises can be expensive and disruptive. Effort and resources will be spent reactively rather than planning and streamlining. Good discovery means staying ahead of developments, looking 2-3 years or more ahead.
Analysis
This can mean that those in your organization needing specific regulatory information are dealing with irrelevant or low-priority information. This can lead to duplication of effort and/or inadequate targeting of information.
Communication
Delays to new product releases and recalls are all too common. Reputations and bottom lines are damaged when those acting on regulatory updates don’t have the information to hand at the time and point of application.
Compliance Actions
All work done in discovery, analysis and communication can be nullified if there is no follow-through. Actions in development programs need to be as early in development as possible. All the other downsides on the left can still happen without appropriate action following it up.
3.0 Product Regulatory Risk Management for Manufacturers
Risk in the context of product compliance involves recognizing that there are constant
developments in regulations and standards worldwide that present a degree of
unforeseeable impact on the company’s ability to sell its products. This risk must be
recognized and managed by all companies manufacturing and selling products.
Responsibility for management of risk, including product compliance risk, ultimately
belongs to an organization’s board of directors. Where there is a lack of clarity that the
board ‘owns’ that risk, it can lead to many of the issues experienced by companies who
struggle to meet their basic compliance obligations, with many of the inherent downsides
that entails.
Risk reporting to the board, even in product companies, often omits any reference to
product compliance risk. Product compliance is about ensuring access to the company’s
markets, and yet this is often absent from the board’s considerations. Where there is a
disconnect between the board’s ownership of risk and the operational functions of the
organization, the effect can be similar: it often results in under-resourcing and lack of
prioritization of market access functions.
Where risk management is happening at operational level, there will be tools and methods
employed to manage risk. The survey questions relating to risk were designed to gain
insights into these three factors:
● clarity of responsibility at board level
● acceptance of that responsibility by incorporating appropriate risk management
practices into company policies and processes
● looking at the example of ‘risk rating’ of regulatory developments as representative of
the use of tools and innovation
4.1 Risk – High Level Analysis
Across the sectors, it is worth noting that in almost every case ownership of risk scores
highest, whilst the working out of that ownership throughout the organization scores lower.
From the companies surveyed, it’s also interesting to note that Aerospace, Technology
Hardware, and Industrial sectors score towards the lower end of the scale when it comes to
risk capability. Only seven companies from the total number who participated in the survey
had no risk scoring system in place.
4.2 Risk – Comparing Industry Sectors
Unsurprisingly, Health Care Equipment scores highest when it comes to risk ownership
management and processes amongst manufacturers. What might be more surprising to
readers is that Household Appliances comes in second place. As we work with companies in
this sector quite intensively, we at Compliance & Risks are aware of how competitive the
sector is. Organization and anticipation of regulatory developments is a strategic enabler.
4.3 Risk – What Do the Scores Mean?
Q1: Is responsibility for product regulatory risk at the top of the organization defined and
understood?
| Score | What does this look like? |
|---|---|
| 5 | Clearly defined and understood by all - responsibility at, or near board level is clear and informs strategy. Seen as sector leader due to coordination of corporate knowledge and resources |
| 4 | Responsibility is implied - ownership is defined, but not necessarily widely understood |
| 3 | Diffused responsibility - divided between general management, but not clearly defined |
| 2 | A little - those at operational level do their best to manage risk |
| 1 | No one has that responsibility |

Outcomes High-End Ratings:
Timely international product launches and market penetration. Good integration of R&D and
international sales organization into market access program. Prioritized resourcing of
market access function. Predictable cost of compliance and low cost of non-compliance.

Outcomes Low-End Ratings:
Lack of understanding at top of the organization of importance of market access function,
and the constant increase in regulatory burden. Difficulties in obtaining resources for
product compliance and market access activities. Lack of coordination with other business
activities. Duplication and gaps in effort in, and between business units. Large variations
in performance between projects, business units, territories. Compliance viewed as a cost
centre rather than business enabler.
Q2: Is product regulatory risk management and mitigation systematically incorporated in
business processes? Is prioritization of regulatory developments on the basis of risk
assessment a consistent part of the normal operation of the organization? In other words, is
it embedded in SOPs and product development processes?
| Score | What does this look like? |
|---|---|
| 5 | Cutting edge / Ongoing review - As below, plus system is looking forward at the regulatory horizon, i.e. 2 years ahead. Proactive |
| 4 | Comprehensive - As below, plus risk approach consistent and quantifiable across markets/products |
| 3 | Mostly in place - for important markets/products |
| 2 | Partially - Exists for some markets/activities/products. Mostly understood, not necessarily systematically or consistently |
| 1 | Does not exist, or ad hoc, reactive, firefighting |

Outcomes High-End Ratings:
Predictable product development project durations. Early incorporation of forward looking
regulatory developments into product design. Product exhibits leading-edge technology and
environmental performance.

Outcomes Low-End Ratings:
Low predictability in product development projects. Late, expensive modifications needed
before release. Delayed product release. Market access difficulties for new products and
shortened product life-span significantly impacting profitability.
Q3: Is there a structured approach to regulatory risk rating in place? For example, using a
market and/or subject matter weighted risk scoring scheme. Is regulatory activity risk
prioritized? For example, on the basis of the importance of the market to your organisation
and/or prioritized on the basis of ‘product safety’ rather than other subjects?
This is a developing area, being enabled by modern data systems assisting manual risk
rating or providing automated or partially-automated risk rating.
| Score | What does this look like? |
|---|---|
| 5 | Cutting edge / Ongoing review - As below, plus system is looking forward at the regulatory horizon, i.e. 2 years ahead. Proactive |
| 4 | Comprehensive - As below, plus risk approach consistent and quantifiable across markets/products |
| 3 | Mostly in place - for important markets/products |
| 2 | Partially - Exists for some markets/activities/products. Mostly understood, not necessarily systematically or consistently |
| 1 | Does not exist, or ad hoc, reactive, firefighting |

Outcomes High-End Ratings:
Good allocation of resources, regulatory growth trends identified, resources allocated
appropriately and in timely manner. Rare fire-fighting, work can be planned and measured.
Good metrics / Key Performance Indicators.

Outcomes Low-End Ratings:
Risk of uneven, poor allocation of compliance resources. Loudest (or most senior) voice
gets the resources. Important regulatory developments not prioritized, time and effort
often spent on wrong things. Lack of responsiveness to trends such as growth of
regulations in particular parts of the world.
5.0 Sample Actions to Improve Your Compliance Processes
Scores below the industry average in any of the process stages, or significant differences
in capability scores between process stages, point to an area of risk exposure and an
opportunity to improve.
In addressing the kinds of issues raised by this survey, it is important to get to the root
cause in each case. In doing this it is helpful to ask the ‘why?’ questions. For example;
6.0 The Challenge of the Regulatory Avalanche
With the constant growth of the regulatory avalanche, existing resources often can no
longer keep up. Established ways of managing regulatory requirements continue to be
stretched due to the increasing volume of regulations worldwide. The chart
below shows new regulations since 2003 under seven of the main subject areas impacting
products.
C2P: Global Regulations by Subject
Note: Subject totals are greater than region totals (see chart on pg 16) because certain regulations impact more
than one subject
Discovery in particular can be stretched by growing regulatory activity in regions where
historically there was little regulation, e.g. Asia and Latin America. Lack of familiarity
with the market or people on the ground is compounded by language issues. This makes
‘Discovery’, ‘Analysis’ and ‘Communication’ more difficult than was previously the case.
C2P: Global Regulations by Region
7.0 What’s Next?
Do you have trouble justifying expenditure on compliance resources? Are you unsure if there
are gaps in your coverage? Worried about duplication of effort? Are you trying to move to a
more strategic approach to compliance?
Compliance & Risks offers a Regulatory Process Consulting service that helps companies
address their resource and process challenges. Through our holistic approach we work with
you and your staff to identify areas of high-risk and help you to make the business case for
resource allocation.
8.0 About Compliance & Risks
Established in 2002, Compliance & Risks helps manufacturers, retailers and their supply
chain partners monitor and manage requirements, regulations and standards for a cleaner,
safer and better world. It creates business advantage for clients by providing reliable
legislative information, insights and actions through C2P, its knowledge management
platform, consulting, market access, managed services and other solutions.
The company is recognized as the end-to-end global regulatory solutions provider across the
technology, consumer goods and retail, industrial goods and life sciences sectors.
Headquartered in Cork, they also have offices in Brussels, California, London and New York.
For more information, please visit www.complianceandrisks.com
Important Notice: All information provided by Compliance and Risks Limited and its contributing researchers in this report is provided for strategic and informational purposes only and should not be construed as company specific legal compliance advice or counsel. Compliance & Risks Limited makes no representation whatsoever about the suitability of the information and services contained herein for resolving any question of law. Compliance and Risks Limited does not provide any legal services. © 2018 Compliance & Risks Limited. All rights reserved.