How Enterprise Architecture helps Organisations cope with Regulations

Our series on dealing with the complexity of organisations now considers the impacts of Regulation, which is a significant external factor. Regulations – set by governments and international trade bodies – can serve a number of generally benign purposes. These include protecting public health and safety, consumer protection, safeguarding the environment, ensuring fair competition, and upholding standards of ethical conduct in business. Every legitimate enterprise on the planet is obliged to work within the legal and regulatory framework of the markets within which it operates. Sadly, the enterprises affected generally have little influence on the development and interpretation of these externally imposed rules of the game.

There are three major problems for companies attempting to comply fully with regulatory requirements. First is the sheer spread and depth of the rules and guidelines, which can reach into every corner of a business from product safety through data protection to the rights of individual workers. Second is the fact that regulations covering the same areas can vary significantly between countries, sometimes even with conflicting requirements. The third problem is that regulations can sometimes be changed with very little warning, often triggered by political pressures rather than in direct response to genuine needs.

Non-compliance with regulations can, however, have serious consequences for firms. According to a recent British Government source, “Failure to comply with regulations can result in a range of consequences, from fines, penalties, legal actions, damage to the company’s reputation and consumer trust, and/or a negative impact to the bottom line.” And in the worst-case scenario: “The most severe infractions can lead to complete cessation of operations until regulatory compliance is achieved.”

Ignorance of the rules is no defence. A company should therefore strive to mitigate the risks of non-compliance by capturing sufficiently detailed information on those aspects of the business that are clearly impacted by regulations and then following that up by taking appropriate action with the support of the knowledge provided. An enterprise architecture (EA) support tool should be deployed to record the necessary information, and it should then be used to provide management reports that show where the regulations impact on the organisation’s business functions, people, processes and systems. This should provide a firm basis for an action programme.

Sometimes regulations are agreed and announced well in advance of their actual implementation, an example being the European General Data Protection Regulation (GDPR), which was announced several years before the implementation date. In such cases organisations have had time to gauge the impacts of the changes on their business processes and systems and then take appropriate action. It should, nevertheless, be clear that having these impacted elements and their dependencies recorded in a repository would make the action programme a good deal easier to manage and less prone to error, as questions could be asked and impacts mapped out and validated.

In other cases, where regulatory changes are made in response to major unforeseen events, the experience can be very disruptive. For example, in many countries the coronavirus pandemic triggered a huge and rapidly introduced stream of regulations that impacted many aspects of everyday life for businesses as well as for individuals. Working from home with appropriate supporting technology became a necessity, rather than an optional lifestyle choice. Retail companies that had been tentatively developing online channels were suddenly forced into accelerating and expanding their implementation. And for a whole generation of children in some parts of the world, online education became the norm. Those organisations that already held detailed and accurate knowledge of their existing business operations in their EA repository were better placed to assess the impacts of the new regulations and how to adjust to them.

Even in more normal times, certain sectors are extremely sensitive to the impacts of frequent regulatory change. Companies within the financial services sector are constantly struggling to keep pace with the demands of their regulators, who in turn are trying to cope with the growing sophistication of both the market and the criminals who exploit its weaknesses. The international pharmaceutical industry also has particularly onerous regulatory challenges. These include restrictions on the transfer of sensitive data across national boundaries. Having tight control of these data flows is mission critical, so the need to make use of a suitable tool to map out the enterprise architecture for this purpose should not be in question.

Regulations developed and imposed by external agencies are a fact of life for all organisations, and, for commercial enterprises, they are an unavoidable cost of doing business. Enterprise architects have a key role in identifying those areas within their organisation that are impacted by regulation. They should then ensure that the relevant elements are recorded in their organisation’s Enterprise Architecture repository and kept up to date. Having this knowledge available will then enable the risks of non-compliance to be properly managed.
