GRC Tuesdays: Where Can You Expect Most New Regulatory Requirements in 2021?
Back in 2019, I had released a GRC Tuesdays blog: Regulatory Super-Inflation Is Here to Stay. So What Can be Done? where I tried to explain the root causes for the constant increase in regulatory requirements and how organizations could manage this challenge and even, to some extent, turn this into a competitive advantage.
Since this trend is definitely not going away, I wanted to take a different view this year and see if I could identify some of the areas where organizations could expect new laws to be published, and therefore new policies and controls to implement.
I don’t have a crystal ball (unfortunately!) but I have had discussions with Compliance departments from many companies, in different geographies, so I consolidated below the topics I have heard being raised most frequently. Even if not exhaustive, I hope this list can still provide some useful inputs.
1. Post-COVID Workplace
As per most indicators, employees will be able to go back to their workplace during the course of 2021. Probably in the second half of the year. To do so, restrictions associated with the pandemic will need to be lifted of course, and there is no doubt that new governmental and local requirements will be issued to ensure public safety. Employees themselves will also have expectations to be kept safe in their workplace and, for some, to be able to continue working remotely or partially remotely if preferred.
This therefore means that companies will have to implement new guidelines and procedures and be very flexible and reactive as requirements evolve over time. The good news is that there is a high likelihood that employees will fully embrace this new culture and therefore help in implementing any procedures needed.
In addition, either within the same set of regulations or in a second wave, requirements for employee mental health and wellbeing will probably be addressed by the regulator as well.
2. Global Trade
The global trade landscape is constantly changing of course, but 2020 has been prolific in these modifications, with new trade agreements signed in Asia Pacific (especially with China) or with Brexit, which resulted from lengthy negotiations, for instance. And even though a post-Brexit trade deal has been signed, it will by no means be effortless: it triggers the border checks and customs declarations introduced on January 1st and will also most likely lead to new sanction lists for regulated industries, new tax regimes and therefore new reporting requirements, etc. These are all areas that companies will have to act on.
3. Data Governance
With improved cognitive technologies such as machine learning capabilities, AI-based algorithms supporting behavioural analytics and so on, 2020 has been an anchor year for technological change.
Digital transformation programs and a drive towards using artificial intelligence capabilities have nevertheless all been accompanied by even more stringent data privacy and protection regulations across the globe. And there is no sign that these will reduce in number, on the contrary. Including when it comes to further increased rights of individuals whose data is being processed.
This is leading many companies to put “data governance” at the heart of any new IT project: what data do we really need and why? This not only helps in limiting the technological part of the initiative, but more importantly, helps reduce the data leakage scope, since only the information that is truly required by the solution to deliver its output is now fed in. This further fully supports customer protection as requested by regulators. In my opinion, this is definitely something to keep on the radar in 2021.
4. Ubiquitous Security
As a continuation of data governance, security is also a key concern for all, including regulators. New or revised legislation around Data Loss Prevention is popping up and companies have to implement it to be able to continue operating. Having on-premise, cloud and hybrid landscapes creates an additional challenge for organizations that first need to map their infrastructure and assess potential security risks in various conditions.
2021 will add yet another complexity with employees working remotely for quite some time still – and for some, potentially permanently. There were already security policies about BYOD (Bring Your Own Device), but now will be the time to review and retest them in the new telecommuting workspace environment.
5. Environmental Protection
As per World Economic Forum’s 2020 Global Risk Report, environmental and societal risks will be of the utmost concern going forward. So I guess it’s not a surprise that here as well, more and more regulation will be issued. The Paris Agreement which is a legally binding international treaty on climate change is an example of a transnational initiative that is then transcribed locally. Meaning more requirements for companies.
Of course, most countries haven’t waited for this initiative, and “Water Acts” for instance have been in force for some time in regions where water is a scarce resource, to ensure that it is conserved, efficiently managed and protected. More similar regulations are bound to be issued to help tackle the environmental and societal risks, but also to enable the 195 signatories of the Paris Agreement to honour their commitments.
6. Ethical Practices
With remote working, there is a perception that employees might not abide by the same rules as when in the office. This is especially the case with regards to insider trading (and this could actually be a valid point in financial services, as communication tracking becomes more complex if done via an untraced device in an open workspace), but also in relation to outside business activities that could lead to conflicts of interest.
Further to these concerns, conduct risk – especially when it relates to new forms of harassment in the virtual workplace – is also a current investigation area for regulators.
As a result, there is a great chance that we’ll see some HR-related regulations in the near future focusing on this work area.
7. Senior Management Accountability
Recent financial scandals, but also massive data breaches, have increased demands from the public and from professional organizations to hold Senior Management more accountable.
As a result, regulators are increasingly holding senior individuals to account for their organization’s compliance, its adherence to recognized professional standards and also its adoption of a risk-aware culture. A good example of that is in the United Kingdom, where the Financial Conduct Authority (the financial regulatory body regulating financial firms providing services to consumers and tasked with maintaining the integrity of the financial markets in the United Kingdom) extended the Senior Managers and Certification Regime to 47,000 companies in 2019, encouraging greater individual accountability. Personal individual accountability is a trend that is likely to continue in 2021, and not just for the Financial Service industry or for the UK.
8. Whistleblower Protection
An interesting article on the HISTORY Channel website mentions that US whistleblowers first got government protection in 1777, but there are still many grey areas when it comes to whistleblower protection. Australia, like many other countries, has started to improve this situation with the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, which aims at encouraging ethical whistleblowing and discouraging illegal or unethical activities, while holding employers accountable for protecting whistleblowers. It defines who is an eligible whistleblower as well as what is a relevant disclosure of information, but more legislation from other countries and regions is bound to be released, possibly even around work‑related grievances when these could impact an employee’s wellbeing.
There are also industry-specific regulations such as the sixth Anti-Money Laundering Directive (6AMLD) in Europe for instance, but I didn’t intend to list individual regulations. Rather, I wanted to suggest areas that I think companies should keep an eye on, as they are likely to be scrutinized further by regulators.
What about you, what other areas do you think will be most impacted by new requirements in 2021? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard