
triple r: recognizing regulatory risk is everybody’s business!

by Kaila Mayers

It is not solely up to the risk management team to identify, assess, monitor, manage and treat regulatory risk; this responsibility is borne by the whole business. The failure to recognize this may lead to noncompliance with laws and regulations, leading to fines and worse outcomes. But do we fully understand what constitutes “regulatory risk” in this changing regulatory landscape, especially as regulators worldwide grasp the changes caused by the COVID-19 pandemic?

what is regulatory risk and who is involved

Regulatory risk is the risk of changes in laws and regulations that will have an impact on a business or sector. New laws and regulations are frequent occurrences, as various levels of government and regulatory bodies deal with crises while balancing fairness, competition, and oversight. How a company reacts to newly applied rules will dictate how regulatory risk is managed and treated, and ultimately impact on performance.

To be a proactive risk management professional, continuous monitoring of the regulatory environment as it relates to the company’s business is a must. Regulators consult with registrants in their respective industry once laws and regulations are drafted, and this gives an early warning signal to businesses of changes to come, together with a chance to participate in the development of new rules. Once laws and regulations are passed, it is up to the company to determine potential non-compliance, the timeframe to comply, the impact if not met, and its risk treatment.

Additionally, compliance and risk management functions should be clearly separated within the second line of defense. The compliance team assesses and monitors the company’s compliance (and non-compliance) with legislation. Risk management, on the other hand, identifies and measures the potential material non-compliance risk of legislation by reviewing its impact, confirms that appropriate risk treatments are in place (within the company’s risk appetite), and accurately reports material risk-related information to senior management and the board of directors.

Intelligent Risk - February 2022


Once these basics are established, how can we help a company recognize its regulatory risk? Simple: introduce an easy-to-remember acronym, RULES, to guide the process:

• Review the existing legislation related to the company’s business.

• Understand the responsibilities, powers and functions of the regulators and the potential impact of non-compliance to related legislation.

• Liaise with the compliance team to create and maintain a working report to monitor and manage non-compliance and to verify that the company can prove its compliance. Perform a risk assessment to clearly identify non-compliance risk and, with the assistance of the business, identify risk treatments.

• Environment scans can be done for draft legislation, working papers and any news on upcoming regulatory legislative changes or new legislation to proactively monitor emerging non-compliance risk.

• Strive to maintain a relationship with regulators and continually reach out to always be on top of potential changes to the regulatory landscape.

building an overall framework upon RULES

A regulatory risk management framework can further be built on the newly created acronym, RULES, to help manage and treat regulatory risk more efficiently. How can we do this? Create a regulatory risk management framework document and address the guideline areas based on the company’s regulatory risk capacity and appetite. An example could include sections such as:

• Purpose – the framework sets out to guide companies to identify, assess, monitor and treat risks

• Scope – the business units involved in the operational process

• Definitions – terminology used throughout the framework

• Operational – those components which enact the purpose of the framework

• Roles and responsibilities – how key stakeholders interact


Let’s look at an example to drive the point home in recognizing regulatory risk.

A risk management professional named Michael works for a financial institution in Country B and was recently assigned to identify regulatory risk within the company he works for.


Let’s use the RULES acronym to assist Michael:

• Review the existing legislation governing the financial sector in Country B. Example: Country B’s Central Bank Act.

• Understand the responsibilities, powers and functions of all the regulators governing the company’s business and fully understand the potential impact of non-compliance to its laws and regulations. Example: Michael should familiarize himself with the offenses that can result in criminal penalties, administrative fines and potential supervision of the business.

• Liaise with the Compliance Team within the company: develop rapport, work to identify noncompliance early and then ensure risk treatments together with the respective risk owner and business unit.

• Environmental scans are performed frequently on the regulatory landscape to anticipate any changes to existing or new legislation. Example: monitoring regulators’ websites regularly for updates.

• Strive to maintain a good relationship with regulators by addressing their requests promptly and by keeping in contact through invitations to mutually beneficial events.


In conclusion, it is important to clearly define regulatory risk and the roles which the compliance and risk management teams fulfill within the second line of defense. Regulatory risk constantly changes as governments and regulators try to keep up with shifting conditions and react to sudden crises like the ongoing pandemic.

Regulatory risk is the responsibility of the whole business, and everyone can do their part by following a few simple RULES and learning to RECOGNIZE REGULATORY RISK.

author Kaila Mayers

Kaila Mayers became a certified Professional Risk Manager in 2020 and is a holder of a Master of Science in Finance from the University of London via distance learning. Kaila is currently part of the Financial Risk Team within a local mutual fund organization in her home country of Trinidad and Tobago, where she focuses on financial risk management, stress testing, reserve requirements calculations and enterprise risk management.

Kaila has been a finance professional for over 12 years in the financial services industry, with in-depth knowledge of financial risk management, regulatory compliance, deposit insurance and banking.
