Boards of directors are expected to provide oversight of, and challenge to, the compliance program. To assist them, compliance professionals need to provide more sophisticated reporting based on observable facts. This is one of the biggest payoffs of the Resolver regulatory compliance management tool. Learn how Resolver can facilitate your board reporting and align with the challenges of a modern regulatory environment.
5. The Board and Regulatory Compliance
▪ Corporate statutes generally provide that it is the responsibility
of the board to supervise the management of the corporation
Leading Cases:
▪ In Re Caremark International Inc. Derivative Litigation
▪ Stone v. Ritter
▪ Directors must be reasonably informed concerning the
corporation
6. The Board and Regulatory Compliance
Directors must assure themselves that:
▪ Information and reporting systems exist
▪ These systems are reasonably designed to provide senior
management and the board with timely, accurate information
sufficient to allow them to reach informed judgments
concerning compliance with law
7. The Board and Regulatory Compliance
▪ The board must exercise a good faith judgment that the
corporation’s information and reporting system is adequate in
both concept and design
▪ Once these systems are implemented, the board must take
steps to monitor or oversee their operations
9. Basel Committee Corporate Governance Guidance
The Board:
▪ Is responsible for overseeing the management of compliance risk
▪ Should establish a compliance function and approve the bank’s
policies and processes for identifying, assessing, monitoring and
reporting and advising on compliance risk
The Compliance Function:
▪ Should advise the board on the bank’s compliance with
applicable laws, rules and standards and keep them informed of
developments in the area
10. Basel Committee Corporate Governance Guidance
Goal of Risk Reporting
▪ Information should be communicated to the board in a timely,
accurate and understandable manner
▪ While the board should be sufficiently informed, reports should
avoid voluminous information that makes it difficult to identify
key issues
▪ Information should be prioritised and presented in a concise, fully
contextualised manner
11. Basel Committee Corporate Governance Guidance
Report to the Board
▪ Senior management should, with the assistance of the
compliance function, at least once a year, report to the board on
the management of compliance risk
▪ The report should be made in such a manner as to assist board
members to make an informed judgment on whether compliance
risk is being managed effectively
12. Basel Committee Corporate Governance Guidance
The head of compliance should report on a regular basis to senior
management on:
▪ The compliance risk assessment conducted during the period,
including any changes in the compliance risk profile
▪ Relevant measurements such as performance indicators
▪ Identified breaches and/or deficiencies
▪ Corrective measures recommended to address them and
corrective measures already taken
14. Oversight Functions
Role of Functions
▪ Provide independent and objective assessments to the
directors to allow them to fulfill their responsibilities
▪ Identify, measure, and report on the FRFI’s risks
▪ Assess the effectiveness of the FRFI’s risk management and
internal controls
▪ Determine whether the FRFI’s operations, results and risk
exposures are consistent with the FRFI’s risk appetite.
15. Oversight Functions
Heads of the Oversight Functions Should:
▪ Have sufficient stature and authority within the organization
▪ Be independent from operational management
▪ Have unfettered access and a direct reporting line to the
board or the appropriate board committee
16. Role of the Board
Board must regularly review and discuss:
▪ FRFI’s exposure to material regulatory compliance risk
▪ Significant RCM policies
▪ CCO reports and Internal Audit or other independent review
function reports, as appropriate
▪ Progress in implementing remedial actions taken with respect to
instances of material non-compliance or control weakness, and
▪ Effectiveness of compliance oversight
17. Responsibilities of the CCO
The CCO should be responsible for:
▪ Assessing the adequacy of, adherence to and effectiveness of
the FRFI’s day-to-day controls
▪ Providing an opinion to the board whether, based on the
independent monitoring and testing conducted, the RCM
controls are sufficiently robust to achieve compliance with the
applicable regulatory requirements enterprise-wide
▪ The opinion should be supported by sufficient pertinent
information that is verified or reasonably verifiable
18. What is the Basis for the Opinion?
Self-Assessments and Testing
Depending on available resources, the opinion can be based on:
▪ Self-assessments from accountable executives
(guided or ad hoc)
▪ Hands-on compliance testing
19. Is the Opinion Subjective or Objective?
Compliant Versus Effective Program
Even programs that incorporate a significant testing program can
result in subjective opinions.
▪ Why?
▪ Testing can never cover the universe of risks
20. Inputs Require Subjective Measurement
Program Effectiveness
▪ Although the equation is simple:
Inherent Risk – Control effectiveness = Residual Risk
▪ Assessing the components often requires a subjective
assessment
Example: Monitoring is a component of an effective control
How much monitoring is enough?
22. Three Critical Areas
Three areas where measurement is essential:
▪ Risk Assessments
▪ Issue Classification
▪ KPIs and KRIs
23. Risk Assessments
▪ Identifies not only what are the biggest risks but why they are the
biggest
▪ Risk Assessments:
Provide a basis for resource decisions
▪ How many
▪ What kind
▪ Educate management and the board about the nature and level of
risk
24. What are the benefits?
Input in many critical compliance steps
▪ Resourcing and allocation
▪ Control assessment
▪ Issue priority
▪ Reporting
▪ Monitoring
25. Developing a Measurement System
▪ What is the potential universe of data?
▪ Are the requirements straightforward or complex?
▪ Are the regulations stable or constantly changing?
▪ Are our products stable or do they constantly change?
▪ Do we control all of the processes or have they been outsourced?
27. Likelihood Scores
Complexity of Regulation
(High) Regulation imposes multiple requirements or detailed analysis
(Medium) Multiple requirements but the analysis is straightforward
(Low) Straightforward requirement
Complexity of Business
(High) Complex and involves the application of specialized skill
(Medium) Moderate degree of complexity and skill
(Low) Straightforward business not requiring advanced training or
skill
28. Impact Scores
Business objective subject to regulatory requirement
(High) Core objective
(Medium) Business unit objective
(Low) Local objective
Degree of impact on business objective
(High) Would prevent or materially alter achievement of objective
(Medium) May significantly delay or impact cost of achievement of objective
(Low) Nominal impact to timing or cost of achieving objective
29. Scoring Grid
RISK ASSESSMENT CHART – RISK SCORING
▪ 0 to 4: Trivial to low risk
▪ 5 to 14: Moderate to major risk
▪ 16 or higher: High to severe risk
30. Benefits of Scorecard
▪ Risks identified on the basis of some empirical data
▪ Mix of objective and subjective data provides a more accurate
assessment
▪ Accumulation of several subjective elements reduces the impact
of judgment
31. Issue Reporting
▪ Tendency is to report issues as if they were all the same
magnitude
▪ Size the Compliance Gap
▪ Examples
Major Control Issue
Significant Control Issue
Minor Control Issue
▪ Incorporate inherent risk score
▪ Size of Gap + Inherent Risk Score = Issue Priority
32. KPIs
▪ Example: How are the 3 lines of defense functioning?
▪ A performance issue with the framework is indicated when too many
issues are being identified by regulators
33. KRIs
▪ Example: New Initiatives
▪ Number of initiatives rated as high risk
▪ Indicates potential risk of non-compliance as number of new
initiatives may exceed ability to absorb
34. KRIs
▪ Example: Regulatory Change
▪ Number of New Regulations
▪ Indicates potential risk of non-compliance as amount of
regulatory change may exceed ability to absorb
35. KRIs
▪ Example: Compliance Monitoring/Audit
▪ Percent of High Risk Requirements Subject to Monitoring
▪ Indicates potential risk of non-compliance as monitoring
inadequate
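The likelihood and impact scores, the scoring grid, the "Size of Gap + Inherent Risk Score = Issue Priority" rule and the monitoring-coverage KRI above can all be driven from one small scoring model. The following is an added illustration, not code from the deck or from Resolver. The slides give no numeric values, so the numbers here are assumptions: each factor is scored Low=1, Medium=2, High=4; the two factors on an axis are combined by taking the higher score; inherent risk is likelihood multiplied by impact and then placed in the deck's bands (which is why a score of 15 never occurs, since it is not a product of 1, 2 and 4); gap sizes are Minor=1, Significant=2, Major=3. The requirement names in the sample inventory are constructed.

```python
"""Risk scoring, issue priority and a monitoring KRI (added example, assumed scales)."""
from dataclasses import dataclass

# Assumed numeric scale for the Low / Medium / High factor ratings on the slides.
LEVEL = {"Low": 1, "Medium": 2, "High": 4}
# Assumed numeric scale for the compliance-gap sizes on the Issue Reporting slide.
GAP = {"Minor": 1, "Significant": 2, "Major": 3}


@dataclass
class Requirement:
    name: str
    regulation_complexity: str  # likelihood factor: complexity of regulation
    business_complexity: str    # likelihood factor: complexity of business
    objective_scope: str        # impact factor: core / business unit / local objective
    objective_impact: str       # impact factor: degree of impact on the objective
    monitored: bool             # subject to compliance monitoring / audit?


def axis_score(a: str, b: str) -> int:
    """Combine two factor ratings on one axis by taking the higher one (assumed rule)."""
    return max(LEVEL[a], LEVEL[b])


def inherent_risk(r: Requirement) -> int:
    """Inherent risk = likelihood score x impact score (assumed combination)."""
    likelihood = axis_score(r.regulation_complexity, r.business_complexity)
    impact = axis_score(r.objective_scope, r.objective_impact)
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score onto the deck's scoring grid."""
    if score <= 4:
        return "TRIVIAL TO LOW"
    if score <= 14:
        return "MODERATE TO MAJOR"
    return "HIGH TO SEVERE"


def issue_priority(gap: str, r: Requirement) -> int:
    """Size of gap + inherent risk score, as on the Issue Reporting slide."""
    return GAP[gap] + inherent_risk(r)


def pct_high_risk_monitored(reqs) -> float:
    """KRI: percent of high-risk requirements (top band) subject to monitoring."""
    high = [r for r in reqs if risk_band(inherent_risk(r)) == "HIGH TO SEVERE"]
    if not high:
        return 100.0
    return 100.0 * sum(1 for r in high if r.monitored) / len(high)


def board_summary(reqs) -> dict:
    """Count of requirements per risk band: the concise view a board report needs."""
    counts = {"TRIVIAL TO LOW": 0, "MODERATE TO MAJOR": 0, "HIGH TO SEVERE": 0}
    for r in reqs:
        counts[risk_band(inherent_risk(r))] += 1
    return counts


# Constructed sample requirement inventory (not real data).
SAMPLE = [
    Requirement("AML transaction monitoring", "High", "High", "High", "High", True),
    Requirement("Privacy breach notification", "Medium", "High", "High", "Medium", False),
    Requirement("Branch signage disclosure", "Low", "Low", "Low", "Low", True),
    Requirement("Capital reporting schedule", "Medium", "Medium", "High", "Medium", True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        s = inherent_risk(r)
        print(f"{r.name:32s} score={s:2d} band={risk_band(s)}")
    print("High-risk requirements monitored:", pct_high_risk_monitored(SAMPLE), "%")
    print("Priority of a Major gap on", SAMPLE[1].name, "=",
          issue_priority("Major", SAMPLE[1]))
    print(board_summary(SAMPLE))
```

With the sample inventory, two requirements land in the top band and only one of them is monitored, so the KRI reports 50% coverage; a Major gap on the unmonitored one gets priority 19, well above a Minor gap on a trivial requirement (2). Changing the assumed scale or the combination rule changes the bands, which is exactly the subjectivity the "Inputs Require Subjective Measurement" slide warns about, so the scale should be documented alongside the scores when they go to the board.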
36. What Do Boards Really Want to Know?
What they want to know:
▪ Is the organization in compliance?
What they should want to know:
▪ Why do you think the organization is in compliance?