Identify: Capture Regulatory Changes

The process begins with systematic identification of relevant regulatory changes. This includes:

• Monitoring regulatory agency publications, Federal Register, industry body updates, and legal counsel alerts
• Subscribing to regulatory intelligence services or AI-assisted monitoring tools (ChangeGear's Luma Knowledge Management serves as this layer)
• Establishing a standard intake process for regulatory alerts from legal counsel, external consultants, and business line leaders
• Documenting each potential regulatory change in a central repository with source, publication date, and summary

Owner: Regulatory Change Manager / Compliance team
Output: Log of regulatory changes requiring assessment

Assess: Impact Analysis

Not every regulatory change requires the same response. The assessment step determines the scope and urgency of each change:

• Which business functions, processes, systems, or controls are affected?
• What is the compliance deadline (effective date vs. examination date)?
• What is the risk of non-compliance (regulatory penalty, examination finding, reputational)?
• What actions are required to achieve or maintain compliance?
• Who owns each required action?

In ChangeGear, the assessment is documented as part of the change request, creating a formal record of the analysis that supports the change.

Owner: Business line compliance officers, legal, IT
Output: Impact assessment document with action list and owners

Plan: Change Request and Approval

Each required action becomes a formal change request in ChangeGear. The planning step includes:

• Creating a change request for each implementation action, linked to the regulatory source
• Defining the implementation scope, approach, and resources
• Routing the change request through the appropriate approval chain based on risk level
• Scheduling the change on the Change Events Calendar to ensure visibility and prevent conflicts with other planned changes
• Establishing the evidence requirements for the change (what documentation will demonstrate completion?)

Owner: Change Manager, Business Owner
Output: Approved change request with implementation plan

Implement: Execute the Required Changes

Implementation is where the regulatory requirement becomes operational reality. Depending on the nature of the change, this may involve:

• Process documentation updates (policies, procedures, job aids)
• System configuration changes (routed through IT change management workflows)
• Training or communication to affected staff
• Vendor or third-party coordination where external parties are affected
• Testing and validation of changed processes or systems

ChangeGear's workflow automation notifies implementers, tracks progress, and escalates overdue tasks automatically — without the change manager having to manually follow up.

Owner: Implementation teams (IT, operations, HR, legal as applicable)
Output: Implemented change with documented completion

Evidence: Collect and Organize Documentation

This step is where many manual processes break down. Evidence collection in ChangeGear is largely automated:

• Every approval action is timestamped and attributed in the change record
• Attached documents (test results, training records, configuration screenshots) are linked to the change request
• The complete change history — who did what, when, with what authorization — is maintained in the immutable audit trail
• Compliance reports can be generated on demand, organized by regulatory requirement

Owner: Compliance team
Output: Audit-ready evidence package

Report: Demonstrate Compliance

The reporting step serves both internal governance and external audit requirements:

• Management reporting: dashboards showing the status of regulatory changes in progress, upcoming deadlines, and completion rates
• Regulatory reporting: evidence packages organized by regulatory requirement and compliance control, ready for examination or audit
• Continuous monitoring: ongoing compliance status available in real time, not just at audit time

ChangeGear's visual reporting, KPI dashboards, and compliance metrics provide all three levels of reporting from a single system.

Owner: Compliance team, CISO, CCO
Output: Management and audit reports