Change Impact Assessment

When a regulatory change is detected, the impact assessment determines what it means for your compliance program. Does the change create a new obligation? Modify an existing one? Remove one? Change the evidence requirements? Alter the enforcement timeline? The impact assessment maps the change to the compliance matrix and identifies which rows are affected.

1. Obligation Delta Analysis Compare the new requirement against the current obligation in the compliance matrix. What changed? Is the scope broader? Is the evidence requirement more specific? Is the compliance timeline shorter? The delta is the specific change that must be reflected in the matrix.
2. Control Adequacy Check For each affected obligation, evaluate whether the current control still satisfies the modified requirement. A control designed for the old requirement may be insufficient for the new one. The adequacy check identifies which controls need modification, which need replacement, and which remain adequate.
3. Implementation Timeline Determine the deadline for compliance with the changed requirement. Some changes take effect immediately. Others include a transition period. The implementation timeline drives the urgency of the remediation plan. [RISK]: Transition periods for major regulatory changes are often shorter than expected — begin implementation as soon as the change is final, not when the deadline approaches.