More Related Content

Similar to Reporting to the Board on Corporate Compliance(20)


More from Resolver Inc.(20)

Recently uploaded(20)


Reporting to the Board on Corporate Compliance

  1. Reporting to the Board on Corporate Compliance: Informed Decision Making
  2. Hello! I am John Jason Canadian Compliance Group
  3. The Board and Regulatory Compliance
  4. The Board and Regulatory Compliance ▪ Corporate statutes generally provide that it is the responsibility of the board to supervise the management of the corporation Leading Cases: ▪ In Re Caremark International Inc. Derivative Litigation ▪ Stone v. Ritter ▪ Directors must be reasonably informed concerning the corporation
  5. The Board and Regulatory Compliance Directors must assure themselves that: ▪ Information and reporting systems exist ▪ These systems are reasonably designed to provide senior management and the board with timely, accurate information sufficient to allow them to reach informed judgments concerning compliance with law
  6. The Board and Regulatory Compliance ▪ The board must exercise a good faith judgment that the corporation’s information and reporting system is adequate in both concept and design ▪ Once these systems are implemented, the board must take steps to monitor or oversee their operations
  7. Basel Committee Corporate Governance Guidance
  8. Basel Committee Corporate Governance Guidance The Board: ▪ Is responsible for overseeing the management of compliance risk ▪ Should establish a compliance function and approve the bank’s policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk The Compliance Function: ▪ Should advise the board on the bank’s compliance with applicable laws, rules and standards and keep them informed of developments in the area
  9. Basel Committee Corporate Governance Guidance Goal of Risk Reporting ▪ Information should be communicated to the board in a timely, accurate and understandable manner ▪ While the board should be sufficiently informed, reports should avoid voluminous information that makes it difficult to identify key issues ▪ Information should be prioritised and presented in a concise, fully contextualised manner
  10. Basel Committee Corporate Governance Guidance Report to the Board ▪ Senior management should, with the assistance of the compliance function, at least once a year, report to the board on the management of compliance risk ▪ The report should be made in such a manner as to assist board members to make an informed judgment on whether compliance risk is being managed effectively
  11. Basel Committee Corporate Governance Guidance The head of compliance should report on a regular basis to senior management on: ▪ The compliance risk assessment conducted during the period, including any changes in the compliance risk profile ▪ Relevant measurements such as performance indicators ▪ Identified breaches and/or deficiencies ▪ Corrective measures recommended to address them and corrective measures already taken
  12. Oversight Functions
  13. Oversight Functions Role of Functions ▪ Provide independent and objective assessments to the directors to allow them to fulfill their responsibilities ▪ Identify, measure, and report on the FRFI’s risks ▪ Assess the effectiveness of the FRFI’s risk management and internal controls ▪ Determine whether the FRFI’s operations, results and risk exposures are consistent with the FRFI’s risk appetite.
  14. Oversight Functions Heads of the Oversight Functions Should: ▪ Have sufficient stature and authority within the organization ▪ Be independent from operational management ▪ Have unfettered access and a direct reporting line to the board or the appropriate board committee
  15. Role of the Board Board must regularly review and discuss: ▪ FRFI’s exposure to material regulatory compliance risk ▪ Significant RCM policies ▪ CCO reports and Internal Audit or other independent review function reports, as appropriate ▪ Progress in implementing remedial actions taken with respect to instances of material non-compliance or control weakness, and ▪ Effectiveness of compliance oversight
  16. Responsibilities of the CCO The CCO should be responsible for: ▪ Assessing the adequacy of, adherence to and effectiveness of the FRFI’s day-to-day controls ▪ Providing an opinion to the board whether, based on the independent monitoring and testing conducted, the RCM controls are sufficiently robust to achieve compliance with the applicable regulatory requirements enterprise-wide ▪ The opinion should be supported by sufficient pertinent information that is verified or reasonably verifiable
  17. What is the Basis for the Opinion? Self-Assessments and Testing Depending on available resources opinion can be based on: ▪ Self-assessments from accountable executives (guided or ad hoc) ▪ Hands-on compliance testing
  18. Is the Opinion Subjective or Objective? Compliant Versus Effective Program Even programs that incorporate a significant testing program can result in subjective opinions. ▪ Why? ▪ Testing can never cover the universe of risks
  19. Inputs Require Subjective Measurement Program Effectiveness ▪ Although the equation is simple: Inherent Risk – Control effectiveness = Residual Risk ▪ Assessing the components often requires a subjective assessment Example: Monitoring is a component of an effective control How much monitoring is enough?
  20. Is it Possible to Introduce Objective Measurements?
  21. Three Critical Areas Three areas where measurement is essential: ▪ Risk Assessments ▪ Issue Classification ▪ KPIs and KRIs
  22. Risk Assessments ▪ Identifies not only what are the biggest risks but why they are the biggest ▪ Risk Assessments: Provide a basis for resource decisions ▪ How many ▪ What kind ▪ Educate management and the board about the nature and level of risk
  23. What are the benefits Input in many critical compliance steps ▪ Resourcing and allocation ▪ Control assessment ▪ Issue priority ▪ Reporting ▪ Monitoring
  24. Developing a Measurement System ▪ What is the potential universe of data? ▪ Are the requirements straightforward or complex? ▪ Are the regulations stable or constantly changing? ▪ Are our products stable or do they constantly change? ▪ Do we control all of the processes or have they been outsourced?
  25. Develop the Scorecard
  26. Likelihood Scores Complexity of Regulation (High) Regulation imposes multiple requirements or detailed analysis (Medium) Multiple requirements but the analysis is straightforward (Low) Straightforward requirement Complexity of Business (High) Complex and involves the application of specialized skill (Medium) Moderate degree of complexity and skill (Low) Straightforward business not requiring advanced training or skill
  27. Impact Scores Business objective subject to regulatory requirement (High) Core objective (Medium) Business unit objective (Low) Local objective Degree of impact on business objective (High) Would prevent or materially alter achievement of objective (Medium) May significantly delay or impact cost of achievement of objective (Low) Nominal impact to timing or cost of achieving objective
  29. Benefits of Scorecard ▪ Risks identified on the basis of some empirical data ▪ Mix of objective and subjective data provides a more accurate assessment ▪ Accumulation of several subjective elements reduces the impact of judgment
  30. Issue Reporting ▪ Tendency is to report issues as if they were all the same magnitude ▪ Size the Compliance Gap ▪ Examples Major Control Issue Significant Control Issue Minor Control Issue ▪ Incorporate inherent risk score ▪ Size of Gap + Inherent Risk Score = Issue Priority
  31. KPIs ▪ Example: How are the 3 lines of defense functioning? ▪ Performance issue with framework as too many issues identified by regulators
  32. KRIs ▪ Example: New Initiatives ▪ Number of initiatives rated as high risk ▪ Indicates potential risk of non-compliance as number of new initiatives may exceed ability to absorb
  33. KRIs ▪ Example: Regulatory Change ▪ Number of New Regulations ▪ Indicates potential risk of non-compliance as amount of regulatory change may exceed ability to absorb
  34. KRIs ▪ Example: Compliance Monitoring/Audit ▪ Percent of High Risk Requirements Subject to Monitoring ▪ Indicates potential risk of non-compliance as monitoring inadequate
  35. What Do Boards Really Want to Know? What they want to know: ▪ Is the organization in compliance? What they should want to know: ▪ Why do you think the organization is in compliance?
  36. Thanks! Any questions?