Advertisement
Reporting to the Board on Corporate Compliance
May. 31, 2018•0 likes•1,693 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Leadership & Management
Boards of directors are expected to provide oversight and challenge for the compliance program. To assist them, compliance professionals need to provide more sophisticated reporting based on observable facts. Fortunately, this is one of the biggest payoffs of the Resolver regulatory compliance management tool. Learn how Resolver can facilitate your board reporting and align to the challenges of a modern regulatory environment.
Resolver Inc.Follow
Resolver Inc.Advertisement
Advertisement
Advertisement
Recommended
How to Build an Enterprise Risk Management FrameworkColleen Beck-Domanico
Internal auditing for “one & all” (second edition)Mohammad Wahid Abdullah Khan
Customer Due DiligenceAbinash Mandilwar
Risk Based Audit ApproachSALIH AHMED ISLAM
The Role of Internal AuditArmeniaFED
11. materiality and audit riskSyed Osama Rizvi
Reporting to the Board on Corporate Compliance
- Reporting to the Board on Corporate Compliance: Informed Decision Making
- Hello! I am John Jason Canadian Compliance Group john.jason@cancomgroup.com
- The Board and Regulatory Compliance
- The Board and Regulatory Compliance ▪ Corporate statutes generally provide that it is the responsibility of the board to supervise the management of the corporation Leading Cases: ▪ In Re Caremark International Inc. Derivative Litigation ▪ Stone v. Ritter ▪ Directors must be reasonably informed concerning the corporation
- The Board and Regulatory Compliance Directors must assure themselves that: ▪ Information and reporting systems exist ▪ These systems are reasonably designed to provide senior management and the board with timely, accurate information sufficient to allow them to reach informed judgments concerning compliance with law
- The Board and Regulatory Compliance ▪ The board must exercise a good faith judgment that the corporation’s information and reporting system is adequate in both concept and design ▪ Once these systems are implemented, the board must take steps to monitor or oversee their operations
- Basel Committee Corporate Governance Guidance
- Basel Committee Corporate Governance Guidance The Board: ▪ Is responsible for overseeing the management of compliance risk ▪ Should establish a compliance function and approve the bank’s policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk The Compliance Function: ▪ Should advise the board on the bank’s compliance with applicable laws, rules and standards and keep them informed of developments in the area
- Basel Committee Corporate Governance Guidance Goal of Risk Reporting ▪ Information should be communicated to the board in a timely, accurate and understandable manner ▪ While the board should be sufficiently informed, reports should avoid voluminous information that makes it difficult to identify key issues ▪ Information should be prioritised and presented in a concise, fully contextualised manner
- Basel Committee Corporate Governance Guidance Report to the Board ▪ Senior management should, with the assistance of the compliance function, at least once a year, report to the board on the management of compliance risk ▪ The report should be made in such a manner as to assist board members to make an informed judgment on whether compliance risk is being managed effectively
- Basel Committee Corporate Governance Guidance The head of compliance should report on a regular basis to senior management on: ▪ The compliance risk assessment conducted during the period, including any changes in the compliance risk profile ▪ Relevant measurements such as performance indicators ▪ Identified breaches and/or deficiencies ▪ Corrective measures recommended to address them and corrective measures already taken
- Oversight Functions
- Oversight Functions Role of Functions ▪ Provide independent and objective assessments to the directors to allow them to fulfill their responsibilities ▪ Identify, measure, and report on the FRFI’s risks ▪ Assess the effectiveness of the FRFI’s risk management and internal controls ▪ Determine whether the FRFI’s operations, results and risk exposures are consistent with the FRFI’s risk appetite.
- Oversight Functions Heads of the Oversight Functions Should: ▪ Have sufficient stature and authority within the organization ▪ Be independent from operational management ▪ Have unfettered access and a direct reporting line to the board or the appropriate board committee
- Role of the Board Board must regularly review and discuss: ▪ FRFI’s exposure to material regulatory compliance risk ▪ Significant RCM policies ▪ CCO reports and Internal Audit or other independent review function reports, as appropriate ▪ Progress in implementing remedial actions taken with respect to instances of material non-compliance or control weakness, and ▪ Effectiveness of compliance oversight
- Responsibilities of the CCO The CCO should be responsible for: ▪ Assessing the adequacy of, adherence to and effectiveness of the FRFI’s day-to-day controls ▪ Providing an opinion to the board whether, based on the independent monitoring and testing conducted, the RCM controls are sufficiently robust to achieve compliance with the applicable regulatory requirements enterprise-wide ▪ The opinion should be supported by sufficient pertinent information that is verified or reasonably verifiable
- What is the Basis for the Opinion? Self-Assessments and Testing Depending on available resources opinion can be based on: ▪ Self-assessments from accountable executives (guided or ad hoc) ▪ Hands-on compliance testing
- Is the Opinion Subjective or Objective? Compliant Versus Effective Program Even programs that incorporate a significant testing program can result in subjective opinions. ▪ Why? ▪ Testing can never cover the universe of risks
- Inputs Require Subjective Measurement Program Effectiveness ▪ Although the equation is simple: Inherent Risk – Control effectiveness = Residual Risk ▪ Assessing the components often requires a subjective assessment Example: Monitoring is a component of an effective control How much monitoring is enough?
- Is it Possible to Introduce Objective Measurements?
- Three Critical Areas Three areas where measurement is essential: ▪ Risk Assessments ▪ Issue Classification ▪ KPIs and KRIs
- Risk Assessments ▪ Identifies not only what are the biggest risks but why they are the biggest ▪ Risk Assessments: Provide a basis for resource decisions ▪ How many ▪ What kind ▪ Educate management and the board about the nature and level of risk
- What are the benefits Input in many critical compliance steps ▪ Resourcing and allocation ▪ Control assessment ▪ Issue priority ▪ Reporting ▪ Monitoring
- Developing a Measurement System ▪ What is the potential universe of data? ▪ Are the requirements straightforward or complex? ▪ Are the regulations stable or constantly changing? ▪ Are our products stable or do they constantly change? ▪ Do we control all of the processes or have they been outsourced?
- Develop the Scorecard
- Likelihood Scores Complexity of Regulation (High) Regulation imposes multiple requirements or detailed analysis (Medium) Multiple requirements but the analysis is straightforward (Low) Straightforward requirement Complexity of Business (High) Complex and involves the application of specialized skill (Medium) Moderate degree of complexity and skill (Low) Straightforward business not requiring advanced training or skill
- Impact Scores Business objective subject to regulatory requirement (High) Core objective (Medium) Business unit objective (Low) Local objective Degree of impact on business objective (High) Would prevent or materially alter achievement of objective (Medium) May significantly delay or impact cost of achievement of objective (Low) Nominal impact to timing or cost of achieving objective
- Scoring Grid RISK ASSESSMENT CHART RISK SCORING 0 TO 4 TRIVIAL TO LOW RISK 5 TO 14 MODERATE TO MAJOR RISK 16 OR HIGHER HIGH TO SEVERE RISK
- Benefits of Scorecard ▪ Risks identified on the basis of some empirical data ▪ Mix of objective and subjective data provides a more accurate assessment ▪ Accumulation of several subjective elements reduces the impact of judgment
- Issue Reporting ▪ Tendency is to report issues as if they were all the same magnitude ▪ Size the Compliance Gap ▪ Examples Major Control Issue Significant Control Issue Minor Control Issue ▪ Incorporate inherent risk score ▪ Size of Gap + Inherent Risk Score = Issue Priority
- KPIs ▪ Example: How are the 3 lines of defense functioning? ▪ Performance issue with framework as too many issues identified by regulators
- KRIs ▪ Example: New Initiatives ▪ Number of initiatives rated as high risk ▪ Indicates potential risk of non-compliance as number of new initiatives may exceed ability to absorb
- KRIs ▪ Example: Regulatory Change ▪ Number of New Regulations ▪ Indicates potential risk of non-compliance as amount of regulatory change may exceed ability to absorb
- KRIs ▪ Example: Compliance Monitoring/Audit ▪ Percent of High Risk Requirements Subject to Monitoring ▪ Indicates potential risk of non-compliance as monitoring inadequate
- What Do Boards Really Want to Know? What they want to know: ▪ Is the organization in compliance? What they should want to know: ▪ Why do you think the organization is in compliance?
- Thanks! Any questions? john.jason@cancomgroup.com
Advertisement