Apr 17, 2026
The Evolving Storm of Regulatory Complexity: Why It’s Time to Act Now

Dr. Tim Willems
CEO

How is regulatory complexity evolving? There are many more regulations nowadays. That is one aspect, but it is also growing with the geopolitical tensions that are going on, such as wars, the shortage of energy and the whole environmental, social, and governance (ESG) movement. While ESG is a little bit forgotten right now, it will come back.
It’s more rules and regulations that we have to comply with, but not only that: it’s getting more and more complicated, because the people that make the regulations are starting to understand better what they should look at.
Today, trying to run compliance without advanced tooling is almost impossible. It is a dynamic world. When rules and regulations change, you need to change your controls, risks, procedures, responsibilities, systems et cetera. What we always say is: try to do automatic analysis of the gaps between all these complicated rules and regulations and the controls that are implemented in your organisation. Figure out where you can go wrong and then pick the biggest problems. It is really, really, really growing every day, every month, every year. It’s not going to stop.
Lessons from the GDPR: From Stress to "Calm and Collected"
We all remember that the GDPR came around not too long ago. Everybody jumped on it because the fines for non-compliance were increasing; that’s something we see more often now.
When privacy projects were "hot," everybody thought it was really, really important, but there was no leadership and there was no structure. Everybody started to jump on it. Advisors and software companies came in and started to increase the fear, making more things complicated.
But then, after a while, we were able to standardize it and to simplify it. We made sure you focus on the matters that you have to focus on. It is really interesting to see an organization go from sort of stress to eventually a calm and collected way of managing privacy, making it transparent and being open to your audience, your auditors, and your supervisors.
The AI Act, DORA, and the "Silo" Problem
After GDPR, we had the ESG projects, and now we have the AI Act, and rightfully so. But again, everyone’s like, "Oh yeah, this is going to be expensive." We have DORA for cybersecurity, and organizations are almost overwhelmed with what they have to do.
What we always try to do is say: Don’t make silos. It’s not necessary anymore. You might have a set of controls where a specific control is relevant for DORA, but it’s also relevant for GDPR, and by the way, it’s also relevant for the AI Act. It is possible and feasible to combine these things together and to address compliance requirements in a sustainable way.
Why Spreadsheets Can't Work Anymore
At RiskRhino, we don’t necessarily look only at compliance; you also need to understand your risk through process orientation. As an organization, you execute processes. That’s what you have to do best, because that will increase your competitive advantage.
When you execute a process, you might have a risk. It could be a compliance risk, or another kind of risk. You want to address those from a process-oriented view. This is what we call Integrated Risk Management, where everything is related: your people, your IT systems, and your processes.
"Software is the only way to support that. No spreadsheets anymore, no Teams database or what have you. It doesn’t work. It can’t work anymore. We are preaching to the choir, we know that, but integrated software is the only way to do this in an efficient manner."
Anticipating the Future: GRC for Less Regulated Companies
We almost all start with reacting. Something happens, there is a trigger, a shortage of staff, or an incident, and then we react. But eventually, it’s very good if you start looking ahead and think: "What could theoretically go wrong? And if so, what are we going to do about it before it happens?"
It’s about anticipating and doing the right things at the right moment, not more than you need to do, but exactly that.
In the old days, even two years ago (it’s going fast), we noticed that banks and pension funds were at the forefront. Nowadays, we see manufacturing companies, logistics companies, all kinds of less regulated companies that are becoming aware of what risk management can mean to them in a positive sense. They see how they can outperform the competition and keep a good reputation.
