With continuously evolving regulations, an ever-changing risk environment and rapidly advancing technology, risk and compliance policies will need to adapt significantly. Organisations need ‘smart’ policies that are future-proof and give them room to be nimble and innovative. Going forward, organisations must adapt their policy design so that they remain compliant, agile and, importantly, competitive!
The current state – Policy inflation and paralysis
Many regulatory bodies, including the Australian Prudential Regulation Authority (APRA), have adopted a principles-based, outcomes-focused (‘PB/OF’) approach to regulation. Refreshingly, APRA notes that its approach offers several benefits:
- Flexibility in implementation
- Adaptability to changing circumstances
- Encouragement of innovation
- Reduced compliance costs
However, based on my personal experience, the reality on the ground often differs from this ideal. Risk and compliance policies tend to be lengthy and prescriptive. ‘Policy inflation’ arises when the default response to an issue, a regulatory change or an audit finding is to add another rule. An ever-growing rule set provides a false sense of security, and rules are seldom removed in the process. Policy changes are often considered in isolation, with little regard for business strategy, how the business actually operates, or the impact on its people, resources and systems. This is a reactive and often self-defeating approach that stifles innovation and can impair the business through increased operational complexity.
The need for evolution
Here’s why risk and compliance policies need to evolve:
- Regulatory shift: Regulators are increasingly adopting PB/OF approaches. Organisations need ‘smarter’ policies that align with this approach and are easier to keep up to date.
- Rapid innovation and decision-making: Organisations need to compete with disruptors and adapt quickly to emerging technologies. ‘Old-school’ policies are typically rigid and don’t support the innovative approaches organisations need in order to respond quickly enough to keep up with these changes.
- Technological advancement: Artificial intelligence and machine learning will increasingly be leveraged for sophisticated risk assessment and compliance monitoring. Policies should reflect and leverage that technology. It’s important to remember that these technologies also introduce new risks of their own, which policies must address as well.
- Management of interconnected risk (the ‘Holy Grail’): Historically, the assessment of interconnected risks has been challenging to implement, primarily because of technological limitations and siloed policies and functions. That has not stopped regulators from demanding more action in this space. Advancements in technology now make it possible to measure the compounding effect of risks wherever they arise throughout an organisation. ‘Smart technology’ can provide a holistic view of risks, automate the identification of control weaknesses, and provide real-time insights into impacts across functions and infrastructure, provided the underlying data is of sufficient quality. These technological advancements make it considerably easier to implement a truly integrated risk management approach.
These issues are really just the tip of the iceberg: changing business models, stakeholder expectations, globalisation and a complex web of regulations all mean organisations must adapt. To address these challenges, businesses need to align their risk and compliance policies with the regulatory evolution they are seeing, making them more PB/OF too.
Strategies for future-proofing policies
To create flexible and effective risk and compliance frameworks that are better suited to complex and rapidly changing business environments, consider the following strategies:
- Emphasise Principles and Outcomes: Organisations should centre their policies on key regulatory principles and outcomes. They should adopt a risk-proportionate approach that clarifies desired outcomes rather than prescribing detailed rules. This allows for greater flexibility and adaptability while still fulfilling regulatory objectives. Businesses need to recognise that some aspects may still require rules, and strike a balance that suits their specific needs. Policies should be kept concise to aid understanding, implementation and ease of updating.
- Alignment with Strategic Objectives: Simple, but critical: ensure risk and compliance strategies support overall business goals. It should be ‘too easy’!
- Aligning Risk Appetite and Controls: Policies must provide guidelines that ensure an organisation’s risk-taking activities align with its declared risk tolerance levels. Policies must also recognise the possibility of control failure and incorporate tolerances that can be monitored (indeed, zero tolerance in some instances). Control environments should be calibrated so that businesses operate within acceptable risk thresholds. Reasonable, proportionate and defensible risk-based thresholds within the mandated risk appetite are more easily accepted where mechanisms for evidencing, monitoring and reporting on these exist.
- Embed a Culture of Accountability: Full success requires a significant shift in organisational culture. This includes clarifying accountabilities and ensuring ownership of risk and compliance at all levels. Teams must exercise more judgement and critical thinking, rather than simply following prescriptive rules. Leaders need to adapt by focusing on core principles and values, providing guidance for decision-making rather than micromanaging compliance. This cultural shift, emphasising individual and collective accountability, is crucial to the successful implementation of PB/OF policies and to overall risk and compliance success.
- Leverage Technology: As technology continues to shape the future of risk and compliance, organisations must embrace innovative tools to support agile processes while maintaining strong controls. Implement real-time risk monitoring and reporting systems, leveraging data analytics and AI for enhanced risk identification, assessment, and mitigation. This approach allows businesses to quickly adapt strategies in response to new information.
- Engage in Open Dialogue: Organisations should engage in open conversations with staff, auditors, and regulators about their transition to PB/OF policies. This proactive approach can help address concerns, gain support, and create feedback loops to continuously refine their approach.
- Invest in Training and Development: Help staff understand how to apply principles in their daily work. This is crucial for moving from a rules-based to a principles-based approach.
Organisations will face several hurdles in transitioning to a PB/OF policy approach. Chief among them are legacy systems that are notoriously difficult and costly to update, widespread data quality issues, and a shortage of skilled people in risk, compliance and technology. Addressing these challenges requires strategic planning, investment, and a collaborative culture open to change.
Conclusion
By evolving policies in line with regulatory PB/OF approaches, supported by a culture of proactive risk management and innovative technologies, businesses can create ‘smarter’, flexible and effective risk and compliance frameworks. This evolution will not only help them meet their regulatory obligations but also support proactive, real-time risk management and successful strategic outcomes.
This is an empowering time for risk and compliance professionals, with significant potential for innovation and leadership in efficiency and effectiveness. I invite you to share your thoughts and experiences on this topic. How is your business adapting its policies for the future? What challenges do you face? What strategies have you found effective? Connect with me to continue the conversation!
About the author
Mark de Araujo is a Principal at ParagonFortis, a consultancy based in Sydney, Australia, specialising in risk and compliance solutions. We provide strategic insights and solutions to help organisations navigate the complex landscape of risk management and regulatory compliance.