Reporting to the Board on Corporate Compliance: Informed Decision Making
Hello!
I am John Jason
Canadian Compliance Group
john.jason@cancomgroup.com
The Board and Regulatory Compliance
The Board and Regulatory Compliance
▪ Corporate statutes generally provide that it is the responsibility of the board to supervise the management of the corporation
Leading Cases:
▪ In Re Caremark International Inc. Derivative Litigation
▪ Stone v. Ritter
▪ Directors must be reasonably informed concerning the corporation
The Board and Regulatory Compliance
Directors must assure themselves that:
▪ Information and reporting systems exist
▪ These systems are reasonably designed to provide senior management and the board with timely, accurate information sufficient to allow them to reach informed judgments concerning compliance with law
The Board and Regulatory Compliance
▪ The board must exercise a good faith judgment that the corporation’s information and reporting system is adequate in both concept and design
▪ Once these systems are implemented, the board must take steps to monitor or oversee their operations
Basel Committee Corporate Governance Guidance
Basel Committee Corporate Governance Guidance
The Board:
▪ Is responsible for overseeing the management of compliance risk
▪ Should establish a compliance function and approve the bank’s policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk
The Compliance Function:
▪ Should advise the board on the bank’s compliance with applicable laws, rules and standards and keep them informed of developments in the area
Basel Committee Corporate Governance Guidance
Goal of Risk Reporting
▪ Information should be communicated to the board in a timely, accurate and understandable manner
▪ While the board should be sufficiently informed, reports should avoid voluminous information that makes it difficult to identify key issues
▪ Information should be prioritised and presented in a concise, fully contextualised manner
Basel Committee Corporate Governance Guidance
Report to the Board
▪ Senior management should, with the assistance of the compliance function, at least once a year, report to the board on the management of compliance risk
▪ The report should be made in such a manner as to assist board members to make an informed judgment on whether compliance risk is being managed effectively
Basel Committee Corporate Governance Guidance
The head of compliance should report on a regular basis to senior management on:
▪ The compliance risk assessment conducted during the period, including any changes in the compliance risk profile
▪ Relevant measurements such as performance indicators
▪ Identified breaches and/or deficiencies
▪ Corrective measures recommended to address them and corrective measures already taken
Oversight Functions
Oversight Functions
Role of Functions
▪ Provide independent and objective assessments to the directors to allow them to fulfill their responsibilities
▪ Identify, measure, and report on the FRFI’s (federally regulated financial institution’s) risks
▪ Assess the effectiveness of the FRFI’s risk management and internal controls
▪ Determine whether the FRFI’s operations, results and risk exposures are consistent with the FRFI’s risk appetite
Oversight Functions
Heads of the Oversight Functions Should:
▪ Have sufficient stature and authority within the organization
▪ Be independent from operational management
▪ Have unfettered access and a direct reporting line to the board or the appropriate board committee
Role of the Board
Board must regularly review and discuss:
▪ FRFI’s exposure to material regulatory compliance risk
▪ Significant RCM (regulatory compliance management) policies
▪ CCO (Chief Compliance Officer) reports and Internal Audit or other independent review function reports, as appropriate
▪ Progress in implementing remedial actions taken with respect to instances of material non-compliance or control weakness, and
▪ Effectiveness of compliance oversight
Responsibilities of the CCO
The CCO should be responsible for:
▪ Assessing the adequacy of, adherence to and effectiveness of the FRFI’s day-to-day controls
▪ Providing an opinion to the board whether, based on the independent monitoring and testing conducted, the RCM controls are sufficiently robust to achieve compliance with the applicable regulatory requirements enterprise-wide
▪ The opinion should be supported by sufficient pertinent information that is verified or reasonably verifiable
What is the Basis for the Opinion?
Self-Assessments and Testing
Depending on available resources, the opinion can be based on:
▪ Self-assessments from accountable executives (guided or ad hoc)
▪ Hands-on compliance testing
Is the Opinion Subjective or Objective?
Compliant Versus Effective Program
Even programs that incorporate a significant testing program can result in subjective opinions.
▪ Why?
▪ Testing can never cover the universe of risks
Inputs Require Subjective Measurement
Program Effectiveness
▪ Although the equation is simple:
Inherent Risk – Control Effectiveness = Residual Risk
▪ Assessing the components often requires a subjective assessment
Example: Monitoring is a component of an effective control. How much monitoring is enough?
Is it Possible to Introduce Objective Measurements?
Three Critical Areas
Three areas where measurement is essential:
▪ Risk Assessments
▪ Issue Classification
▪ KPIs and KRIs
Risk Assessments
▪ Identify not only what the biggest risks are but why they are the biggest
▪ Provide a basis for resource decisions:
  ▪ How many
  ▪ What kind
▪ Educate management and the board about the nature and level of risk
What are the benefits?
Input into many critical compliance steps:
▪ Resourcing and allocation
▪ Control assessment
▪ Issue priority
▪ Reporting
▪ Monitoring
Developing a Measurement System
▪ What is the potential universe of data?
▪ Are the requirements straightforward or complex?
▪ Are the regulations stable or constantly changing?
▪ Are our products stable or do they constantly change?
▪ Do we control all of the processes or have they been outsourced?
Develop the Scorecard
Likelihood Scores
Complexity of Regulation:
  High: Regulation imposes multiple requirements or detailed analysis
  Medium: Multiple requirements but the analysis is straightforward
  Low: Straightforward requirement
Complexity of Business:
  High: Complex and involves the application of specialized skill
  Medium: Moderate degree of complexity and skill
  Low: Straightforward business not requiring advanced training or skill
Impact Scores
Business objective subject to regulatory requirement:
  High: Core objective
  Medium: Business unit objective
  Low: Local objective
Degree of impact on business objective:
  High: Would prevent or materially alter achievement of objective
  Medium: May significantly delay or impact cost of achievement of objective
  Low: Nominal impact to timing or cost of achieving objective
Scoring Grid
Risk Assessment Chart: Risk Scoring
  0 to 4: Trivial to Low Risk
  5 to 14: Moderate to Major Risk
  16 or higher: High to Severe Risk
Benefits of Scorecard
▪ Risks identified on the basis of some empirical data
▪ Mix of objective and subjective data provides a more accurate assessment
▪ Accumulation of several subjective elements reduces the impact of judgment
Issue Reporting
▪ Tendency is to report issues as if they were all the same magnitude
▪ Size the Compliance Gap
▪ Examples:
  Major Control Issue
  Significant Control Issue
  Minor Control Issue
▪ Incorporate inherent risk score
▪ Size of Gap + Inherent Risk Score = Issue Priority
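The scorecard (likelihood and impact ratings, the 0 to 4 / 5 to 14 / 16 or higher bands) and the issue-priority rule (Size of Gap + Inherent Risk Score) above are the two places where the deck turns judgment into numbers, so here is a small calculator that carries both through end to end. This is an added example, not the presenter's or the Canadian Compliance Group's code. The deck does not state how the four ratings combine into one score, so the combination rule is an assumption: each rating is scored Low = 0, Medium = 1, High = 2; the two likelihood ratings are summed (0 to 4), the two impact ratings are summed (0 to 4), and the inherent risk score is likelihood multiplied by impact. Under that rule the only reachable scores are 0, 1, 2, 3, 4, 6, 8, 9, 12 and 16, which is consistent with the deck's bands (no score of 5 or 15 exists). The point values for Minor / Significant / Major control issues and the sample requirements are likewise constructed for illustration.

```python
"""Compliance risk scorecard and issue-priority calculator (added example).

Assumed combination rule (not stated in the deck):
  rating points     Low = 0, Medium = 1, High = 2
  likelihood score  complexity of regulation + complexity of business  (0..4)
  impact score      objective level + degree of impact on objective    (0..4)
  inherent risk     likelihood score * impact score                    (0..16)
  issue priority    gap-size points + inherent risk score
"""
from dataclasses import dataclass

RATING_POINTS = {"Low": 0, "Medium": 1, "High": 2}

# Gap-size points are an assumption; the deck names the classes but gives no numbers.
GAP_POINTS = {
    "Minor Control Issue": 1,
    "Significant Control Issue": 2,
    "Major Control Issue": 3,
}


@dataclass(frozen=True)
class Requirement:
    """One regulatory requirement rated on the deck's four scorecard dimensions."""
    name: str
    regulation_complexity: str  # likelihood: Complexity of Regulation
    business_complexity: str    # likelihood: Complexity of Business
    objective_level: str        # impact: business objective subject to the requirement
    objective_impact: str       # impact: degree of impact on that objective


def _points(rating: str) -> int:
    """Map a High/Medium/Low rating to points; reject anything outside the scale."""
    if rating not in RATING_POINTS:
        raise ValueError(f"rating must be one of {sorted(RATING_POINTS)}, got {rating!r}")
    return RATING_POINTS[rating]


def likelihood_score(req: Requirement) -> int:
    return _points(req.regulation_complexity) + _points(req.business_complexity)


def impact_score(req: Requirement) -> int:
    return _points(req.objective_level) + _points(req.objective_impact)


def inherent_risk_score(req: Requirement) -> int:
    return likelihood_score(req) * impact_score(req)


def risk_band(score: int) -> str:
    """Translate a score into the deck's scoring-grid band."""
    if score < 0:
        raise ValueError("risk score cannot be negative")
    if score <= 4:
        return "Trivial to Low Risk"
    if score <= 14:
        return "Moderate to Major Risk"
    return "High to Severe Risk"


def issue_priority(gap_class: str, req: Requirement) -> int:
    """Size of Gap + Inherent Risk Score = Issue Priority."""
    if gap_class not in GAP_POINTS:
        raise ValueError(f"gap class must be one of {sorted(GAP_POINTS)}, got {gap_class!r}")
    return GAP_POINTS[gap_class] + inherent_risk_score(req)


def rank_issues(issues):
    """issues: iterable of (gap_class, Requirement). Returns report rows, highest priority first."""
    rows = []
    for gap_class, req in issues:
        score = inherent_risk_score(req)
        rows.append({
            "requirement": req.name,
            "gap": gap_class,
            "inherent_risk": score,
            "band": risk_band(score),
            "priority": issue_priority(gap_class, req),
        })
    rows.sort(key=lambda r: (-r["priority"], r["requirement"]))
    return rows


# Constructed sample data: three requirements with open control issues.
AML_REPORTING = Requirement("Suspicious transaction reporting", "High", "High", "High", "High")
PRIVACY_NOTICE = Requirement("Privacy notice wording", "Low", "Medium", "Medium", "Low")
RECORD_RETENTION = Requirement("Record retention", "High", "Medium", "Medium", "High")

SAMPLE_ISSUES = [
    ("Major Control Issue", PRIVACY_NOTICE),      # big gap, trivial inherent risk
    ("Minor Control Issue", AML_REPORTING),       # small gap, severe inherent risk
    ("Significant Control Issue", RECORD_RETENTION),
]

if __name__ == "__main__":
    for row in rank_issues(SAMPLE_ISSUES):
        print(f"{row['priority']:>3}  {row['band']:<24} {row['gap']:<26} {row['requirement']}")
```

Run as a script it prints the three issues in board-report order. Note what the ordering shows: a minor gap against a 16-point requirement (priority 17) outranks a major gap against a 1-point requirement (priority 4), which is exactly the "size the gap, then incorporate inherent risk" correction the slide argues for, and each row carries the inputs behind the number so the board can ask "why do you think so" and get an answer.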
KPIs
▪ Example: How are the 3 lines of defense functioning?
▪ A performance issue with the framework is indicated when too many issues are identified by regulators
KRIs
▪ Example: New Initiatives
▪ Number of initiatives rated as high risk
▪ Indicates potential risk of non-compliance, as the number of new initiatives may exceed the ability to absorb them
KRIs
▪ Example: Regulatory Change
▪ Number of New Regulations
▪ Indicates potential risk of non-compliance, as the amount of regulatory change may exceed the ability to absorb it
KRIs
▪ Example: Compliance Monitoring/Audit
▪ Percent of High Risk Requirements Subject to Monitoring
▪ Indicates potential risk of non-compliance where monitoring is inadequate
What Do Boards Really Want to Know?
What they want to know:
▪ Is the organization in compliance?
What they should want to know:
▪ Why do you think the organization is in compliance?
Thanks!
Any questions?
john.jason@cancomgroup.com