Webinar Q&A Recap
Five Steps to Manage Regulatory Compliance
Thanks for participating last week in our webinar with our panel experts on 'Five Steps to Manage Regulatory
Compliance'.
Below is a recap of the webinar Q&A for those who missed it. For those who are only interested in the presentation, please
Click Here to view the presentation on our website.
STEP 1: ROLES AND RESPONSIBILITY
Q1. Why is it important to define the roles and responsibilities before you create a Regulatory Compliance
Framework?
Ed Sattar, CEO, 360factors, Inc.
Creating a governance structure involves clarifying roles and responsibilities,
resources, capabilities, and escalation procedure, as well as the information reporting
system that governs business processes. It also entails the use of tools and system
to enable analysis for efficient monitoring and reporting.
Dwayne Jorgensen – CIA, CFE – Governance/Risk/Controls/Audit Expert
In a nutshell, from my perspective, this is the most important aspect prior to talking
about any automation. When you deal with the risk function in most organizations even
today, it tends to be ad hoc at best and a lot of that makes it more difficult at your
organization to have any kind of regulatory compliance framework that is not clearly
defined who is accountable for any kind of regulatory framework, what are the lines of
reporting, who monitors what, and who is assigned what when the follow up occurs.
Q2. What are the barriers to creating a Regulatory Compliance Framework?
Joe LeBas – Principal and Founder, Carswell, LLC – Risk and Compliance Industry Executive
One of the biggest barriers to creating a regulatory compliance framework is reliance
on email. A lot of regulatory alerts are coming to us by email. Email doesn’t keep up with
the dynamic nature of the business and actually lessens accountability instead of
raising visibility.
Ed Sattar, CEO, 360factors, Inc.
Commitment from the top and people’s resistance to change.
Q3. Is there a specific role and responsibility structure or can it vary from organization to organization?
Ed Sattar, CEO, 360factors, Inc.
It can vary from industry to industry and even from company to company. However,
some industries are more mature, such as Financial Services. They have clear roles as
to who owns Risk, Audit, Security, Compliance, etc. Other industries such as Utilities,
Energy, and Oil & Gas are emerging industries with respect to the influx and
complexity of regulations.
STEP 2: REGULATORY KNOWLEDGE BASE AND TAXONOMY
Q1. What are the components of a Regulatory Knowledge Base?
Ed Sattar, CEO, 360factors, Inc.
It is necessary to be adequately prepared by creating a Regulatory Compliance Model
which includes, but is not limited to, identifying components of a regulatory knowledge base
and developing a regulatory taxonomy mapped to your organization’s risk framework.
Some of the components of a Regulatory Knowledge Base are:
1. Regulatory library management that allows an organization to manage multiple
regulations regardless of the industry
2. Translations of Regulatory Requirements into Practices
3. Regulation Applicability – which regulations apply to me is something a lot of
firms struggle with
4. Monitor Regulatory Change – To get updates, alerts and identify gaps as the
regulations change
5. Mapping – regulatory requirements mapped to CAPA, Policy Procedures and
Evidence
STEP 3: REGULATORY WORKFLOW AUTOMATION
Q1. Is Automation Cost Effective?
Ed Sattar, CEO, 360factors, Inc.
If you read most of my blogs, you will notice that I am a big advocate of automation. If
you look at the historical data on this, you will see automation does help in scaling and
in some cases it is very cost effective. So, the short answer is that automation is highly
cost effective. Recently, KPMG did research that shows most of the regulatory
compliance is done in silos. You have various functional departments managing
compliance through multiple tools. I have seen as high as six or seven tools by one
division. Imagine six or seven departments using different tools. If all of them are using
different tools, you can really do the math. If regulatory compliance is automated
through one platform, it is not only cost effective, but it also increases the performance
of the company with more efficient and timely division of risk. This may also lead to
having a competitive advantage. Vertical integration of your regulatory departments
through one platform should lead to better recording of the hierarchy.
Joe LeBas – Principal and Founder, Carswell, LLC
I like to reference a KPMG study two years back that estimated the cost of compliance
to be near 4% of the company’s top line revenue. That is a very large number,
especially for companies operating at 10-20% net margins. Reducing and automating
the cost of compliance is thus necessary as it is a sizable percentage of any
company’s net income.
Q2. What processes can be automated and what processes will continue to be manual?
Ed Sattar, CEO, 360factors, Inc.
Gathering of the regulations is still going to be a manual process, translations of the
regulations and standards is still going to be a manual process.
Chris Duden – COO, 360factors, Inc.
Some of the obvious ones that cannot be automated are staff translations and
subject matter expertise.
Dwayne Jorgensen – CIA, CFE – Governance/Risk/Controls/Audit Expert
As far as the COSO framework goes, we look at what used to be at the bottommost
layers of the COSO framework. With the new ERM COSO framework, they flipped it
so now it is sort of at the top. It is basically at that base level where you are
understanding what risk is that is relevant to that organization, defining your risk,
and, most importantly, making those adjustments as to whether or not you are
accepting the risk as is or choosing to mitigate it that for quite a while remained in the
realm of a manual process. The significant importance of subject matter experts
comes into play once you get out of that definition of what are the risks of any
organization, which in this case, pertains to the regulatory compliance framework
with all these recent advancements in technologies. Not everything from there can be
automated.
STEP 4: INTERNAL CONTROLS AND REPORTING
Q1. What are internal Controls?
Dwayne Jorgensen – CIA, CFE – Governance/Risk/Controls/Audit Expert
It’s a key component in a process, which specifically defined the internal control as
the fact that it should be specifically meeting a key control objective put in place in
order to effectively mitigate a key risk. You cannot think of internal control without
incorporating the entire risk process. Identify the risk. Determine whether it is a key
risk. Accept or mitigate the risk. Define the key control objective. Determine what
steps need to be taken to satisfy the objective. Those are internal controls.
Ed Sattar, CEO, 360factors, Inc.
There are various internal control models that may include various processes,
policies, procedures, risk assessments, communication processes, etc. In order for
the organization to manage their risk and regulatory compliance, they should define
their internal controls, business impact, and risk analysis.
Q2. What is management’s responsibility with regard to internal controls and reporting?
Dwayne Jorgensen – CIA, CFE – Governance/Risk/Controls/Audit Expert
The key thing to understand is, at the end of the day, management’s responsibility for
Internal Controls is 100%. At the end of the day, the management team owns the
control framework of any organization, which then is given that it also owns
regulatory compliance framework. For that reason, they have to be actively involved.
They have to have clearly defined roles and responsibilities and, ideally, have gone
through the process of describing: which is in this area of regulations, identifying key
risk universe is or regulations impacting industry or organizations, the definition of
which ones are key, how do you mitigate it, and then, assigning within the
management roster who has the responsibility for monitoring and reporting, how the
internal controls are put in place, to mitigate those risks, and how effectively do you
mitigate them.
Ed Sattar, CEO, 360factors, Inc.
The business processes are at the core of the organization and the holistic model.
These processes should have strong controls and reporting capabilities. Surrounding
the business processes is the GRC operational model, the layer at which the
governance, risk management, and compliance management is put into practice to
drive enterprise assurance.
Q3. What is audit’s responsibility with regard to internal controls and reporting?
Joe LeBas – Principal and Founder, Carswell, LLC
It’s a critical role that needs to happen at the right time. Once the risk assessment is
completed and the business is aware of the risk and controls that are put into place,
the audit plan can start. And it usually goes smoother as it builds on the levels of defense
– 1) stratifying the line of business, 2) risk and compliance functions, and 3) the audit
organization.
Q4. What is the board’s responsibility with regard to internal controls and reporting?
Joe LeBas – Principal and Founder, Carswell, LLC
What the board is looking for is actionable and concise information. To be a proper
governance function the Board needs to see trend lines and potential hotspots. Once
Boards have access to actionable types of reporting where visualization of hotspots or
trend lines go the wrong way, they can drill into the business process, rather than just
data for data’s sake, and detect poorly performing or well-performing business
processes and process owners. I really believe in – for board members to fulfil their
true governance obligations – is to be able to identify and take action on data that
signifies that, in most cases a poorly performing business process.
STEP 5: REGULATORY COMPLIANCE SOFTWARE
Q1. Is Technology perceived as a catalyst for growth and performance?
Ed Sattar, CEO, 360factors, Inc.
Once predominantly seen as an expense, technology is now viewed by more business
leaders as a worthwhile investment and a source of strategic advantage. Additionally,
the advent of cloud-based technology offers more affordable alternatives for mid-market
companies as they work to drive growth in their organizations. Further, it is not
simply a technology tool; it is a way to rationalize risk management and controls, giving
management the information they need to improve business performance and achieve
compliance.
Q2. Are people or technology barriers to Regulatory Compliance Automation?
Ed Sattar, CEO, 360factors, Inc.
People – not technology – present the greatest barrier to successful convergence.
Integration is likely to involve a major transformation program. So perhaps,
unsurprisingly, resistance to change is considered the single biggest obstacle (44
percent), followed by complex convergence processes (39 percent), and a lack of
available experts (36 percent). Less than one in ten mentioned inadequate technology
as a hurdle to overcome.
