Compliance Risk Assessment
Fall 2016 Class 4
Stephen Paine
Compliance Risk Assessment
Overview
Recap of Class 1
Pfizer Case Study and Compliance Risks
Legal and Regulatory Incentives/Conflicts of Interest
Political Failure of Controls
Reputational Recidivism
Point of Sale/Distribution
Definitions
Compliance Risk is the risk of failing to comply with applicable legal or regulatory requirements resulting in a material loss (financial or reputational) or legal/regulatory sanction
A Compliance Risk Assessment is a framework to enable the evaluation and analysis of the overall Compliance risk (both inherent risks and control effectiveness) associated with a particular business area
Recap of Class 2
The Five Elements of an Effective Compliance Program
Tone at the Top
Enron Chronology: July 1985, Enron established through merger; by November 2006, the entire senior management team has either been indicted or convicted, with Enron and Arthur Andersen no longer operating
Corporate Culture and Communication
Codes of Conduct set the values for employees to follow and those values are based on Compliance Risk.
3. Compliance Risk Assessment
4. Testing and Monitoring
5. Chief Compliance Officer
Case Study: HSBC
Financing drug cartels
Permitting sanctioned regimes to process dollar payments
Claw back of compensation (including Compliance Officers)
Criminal charges for “failure to maintain an effective AML program”
Recap of Class 3
Compliance Tools/Controls
Advisory Function
Coverage of Front Office and Technology, Finance and Operations
Conflicts of Interest -- A Deep Dive
Conflicts of interest are inherent in the financial services business
Historical success of the industry has been managing these conflicts by eliminating or disclosing them
Top to bottom review of business operations to address conflicts of interest of every kind
Risk Assessments
Follow-Up
Policies and Procedures
Education and Training
Compliance Surveillance and Business Unit Review and Testing
In the News This Week
The Wells Fargo Cross-Selling Matter
Consent Order
Unauthorized Deposit Accounts and Simulated Funding
Unauthorized Credit Cards
Unauthorized Enrollments into Online Banking
Unauthorized Debit Cards
Independent Consultant’s Remit
Pay Redress Costs to Customers
$185 Million in Civil Penalties and Fines
Compliance Monitoring (page 23)
John Stumpf, Wells Fargo CEO, Appears before Senate Committee on Banking
http://www.cnn.com/videos/cnnmoney/2016/09/21/elizabeth-warren-wells-fargo-ceo-cnnmoney.cnn
Our Journey So Far
Class 1
Class 2
Class 3
Tonight . . . finally
Compliance Risk
Compliance Program
Compliance Controls
Compliance Risk Assessment
Compliance Risk Assessment
A Compliance Risk Assessment is a framework to enable the evaluation and analysis of the overall Compliance risk (both inherent risks and control effectiveness) associated with a particular business area
1. Identifying Business Area(s) and Metrics
2. Mapping Applicable Rules
3. Identifying Key Compliance Risks and Themes
4. Defining a Controls Inventory
5. Rating Control Effectiveness
6. Determining Residual Risks
7. Scoring, Rating and Reporting
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Identifying Business Areas: The Challenge
Compliance Risk Assessment: Business Areas
The Compliance Risk Assessment seeks to provide senior management/BoD with an assessment of risk ACROSS THE ENTIRE ORGANIZATION
But risks can be local . . . both local by business area and by geography
CRA results need to be as consistent as possible to promote “read across” opportunities
Identifying Business Areas: The Approach
List the business areas and primary regional geographies to be assessed
Conduct individual assessments that can then roll up into one global, organization-wide risk assessment
Compliance Risk Assessment: Business Areas
Financial Services
MS: Investment Banking & Capital Markets; Wealth Management; Sales and Trading; Research; Investment Management
UBS: Wealth Management; Asset Management; Investment Bank; Financial Intermediaries
Pharmaceuticals
Merck: Biopharmaceuticals; Consumer Health (OTC); Allergopharma; Biosimilars; Life Science (R&D); Performance Materials (LCD, Effect pigments)
Novartis: Pharmaceuticals; Alcon (Eye Care); Sandoz (Generics); Consumer Health
All four have a global scope across the Americas, EMEA and APAC
Compliance Risk Assessment: Business Areas
Financial Services
MS: Investment Banking & Capital Markets; Wealth Management; Sales and Trading; Research; Investment Management
Digging Deeper: What’s under Sales and Trading?
Sales and Trading: Equity; Fixed Income
Equity: New York Equity Desk; London Equity Desk; Hong Kong Equity Desk
Pharmaceuticals
Merck: Biopharmaceuticals; Consumer Health (OTC); Allergopharma; Biosimilars; Life Science (R&D); Performance Materials (LCD, Effect pigments)
Digging Deeper: What’s under Biopharmaceuticals?
Biopharmaceuticals: Research & Development; Manufacturing; Distribution
Manufacturing: US Manufacturing; European Manufacturing; APAC Manufacturing
Compliance Risk Assessment: Business Area Metrics
Metrics Laboratory
Inherent Risk: The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.
Quantitative Metrics about a business area can provide the first component of the inherent risk profile
What are some categories of quantitative metrics?
Governance and Management
Performance
Client/Distribution Base
Other Assessments/Evaluations
Case Study: Morgan Stanley
Morgan Stanley’s Wealth Management business in the US has been identified as under evaluation for a compliance risk assessment. This business has over 17,000 Financial Advisors providing investment advice to individual clients in all 50 states of the US for their investment accounts held at Morgan Stanley.
Develop a set of metrics to use in a Compliance Risk Assessment for this business area
Rate the Inherent Risk as Low, Medium or High
Discuss the lines between quantitative and qualitative in the metrics
Purpose of Business Area Metrics: Inherent Risk
Business Area and Metrics
Class Discussion
How do you go about getting the metrics?
Business Area?
Financial Accounting?
HR?
Dedicated Unit?
Does it matter where and how those metrics are obtained?
Automated is preferred
Objective provider (Financial Accounting, Operations, Compliance)
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Compliance Risk Assessment: Rule Mapping
What is Rule Mapping?
Sources for the Rules
Definition: Rule mapping is the process by which applicable legal and regulatory requirements are mapped to the appropriate business lines and areas
Scope of Rule Mapping
Focus is on Compliance Risk; therefore: Compliance Rules
The rules in scope are typically the rules of the local regulator that are relevant to compliance and therefore do not always include rules relating to corporate governance and subjects such as accounting etc. (as these are covered by Finance and Risk rather than by Compliance)
Class Discussion on Compliance Risk and Other Types of Risk:
Back to Enron
FERC versus GAAP
Rule sources include:
Laws and Codes
Regulatory Authorities
External Content Providers
New Rules
Rules and Compliance Risk Themes
Format and Systems
Rule Mapping: Rule 10b-5
§ 240.10b-5 Employment of manipulative and deceptive devices.
It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce, or of the mails or of any facility of any national securities exchange,
(a) To employ any device, scheme, or artifice to defraud,
(b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
(c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person,
in connection with the purchase or sale of any security.
Sec. 10; 48 Stat. 891; 15 U.S.C. 78j
Compliance Risk Assessment: Rule Mapping
What do we want to know about Rule 10b-5?
Rule Mapping: Return to Morgan Stanley Case Study
What rules would be mapped to Morgan Stanley’s Wealth Management business?
US Securities and Exchange Commission
Financial Industry Regulatory Authority
Stock Exchanges
US Commodity Futures Trading Commission
The Federal Reserve
Rule Mapping
Class Discussion
Once all rules are mapped to a business area, what other analysis can be done?
Volume/Number of Rules
Complexity of Rules
Could this be rated/scored?
What is the interplay between rules and controls?
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Compliance Risk Assessment: Compliance Risks
Legal and Regulatory
Political
Reputational
Point of Sale/Distribution
Integrating these Compliance Risks into the Assessment
Class 1
Key Category is Legal and Regulatory Risk
Rule Mapping is critical to this exercise
Developing Compliance Risk Themes also assists
Compliance Risk Themes are based on applicable rules
Compliance Risk Themes provide universal risks for businesses within the organization
Examples of Compliance Risk Themes for Legal and Regulatory Risks
Anti-Money Laundering
Anti-Corruption
Data Protection and Privacy
Conflicts of Interest
Anti-Fraud
Business/Regulatory Complexity
Industry Specific: Food, Drug and Cosmetic Act; Securities and Exchange Act
Class Discussion: How do the other risks above (from Class 1) fit in?
The results of the questionnaire are the second component of inherent risk
Incentives/Conflicts of Interest
Failure of Controls
Recidivism
Compliance Risk Assessment: Compliance Risks
Assessing these Compliance Risks against a specific business area
How do we do it?
Quantitative Analysis
Qualitative Analysis
Questionnaire as Analysis Tool
Assessment
Conducting these analyses is at the heart of a Compliance Risk Assessment
Develop a Questionnaire for Quantitative Input
Develop a Questionnaire for Qualitative Input
HSBC Case Study as an example
Compliance Risk Theme: Anti-Money Laundering
Qualitative Questionnaire
How are fund transfers handled?
Are automated filters used to screen for sanctioned countries?
Quantitative Questionnaire
How many fund transfers per year?
How many incidents of payments being made to sanctioned countries?
Later assignments and discussions will center on these questionnaires
Identify Compliance Risk Themes
Class Discussion
One of the “critical path” elements of the CRA is identifying and assessing the compliance risks of the business area, and it is based on questionnaires. Does that surprise you?
Who drafts the questionnaires?
Who answers the questionnaires?
How automated and systematic can this process be?
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Compliance Risk Assessment: Controls Inventory
Controls Laboratory
Controls break down into 5 broad categories:
Advisory Function
Communication, Training and Awareness
Policies and Procedures
Supervision and Controls
Monitoring and Surveillance
Then identify which are in place for the compliance risk noted for the business area
Are there qualitative and quantitative components to each of these control categories?
Develop examples of quantitative indicators of controls
Controls Inventory
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Compliance Risk Assessment: Rate Control Effectiveness
Control Effectiveness Laboratory
Using Business Metrics and Quantitative Control Indicators, rate the effectiveness of the control for the business area
Advisory Function – Ratio of Compliance Staff to Business Area employees
Supervision and Controls – Ratio of supervisors to Business Area employees
Monitoring and Surveillance – How many alerts generated? How many were “false positives”?
Qualitative Control Indicators also are used
Develop a qualitative questionnaire to evaluate the effectiveness of controls
Adopt a scoring methodology
Evaluating the effectiveness of controls in a business area
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Compliance Risk Assessment: Determine Residual Risk
Residual Risk Laboratory
(Diagram: Inherent Risk → Controls → Residual Risk)
Develop a list of factors to be reviewed in determining residual risk
What types of data are needed to evaluate residual risk?
How do you think residual risk should be rated or scored?
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Assignment 2 Feedback
Use a formal, memorandum writing style for these assignments and avoid a casual or informal style
No contractions
No first person
No colloquial expressions or clichés
Generally avoid subjective adjectives
Examples: Huge, Great, Good, Big
Avoid overstatements and generalizations
Think carefully before using “Never” or “All”
Number 1 Rule for Writing: Make It EASY (For your Reader)
Page numbers
Headings
Introductions that provide foundation
Short but meaty sentences
Grading Scale and Distribution
E = Excellent: 2
G = Good: 7
S = Satisfactory: 12
P = Poor: 0
Assignment 3
Due at the start of class on September 28
Develop a breakdown of businesses to be assessed for one regional area of your company. Consider the volume and complexity of the rules that apply to each of the businesses and provide volume and complexity ratings (1-5, with 5 being the highest). Include a list of suggested questions to interview the head of one of the businesses as part of the assessment. Include information categories that you would obtain to make the assessment and note whether the information is qualitative or quantitative.
Consider yourself taking the role of a Compliance Professional responsible for conducting the CRA of this particular region.
Format can be a list of the businesses within the region, then note the volume and complexity of the rules that would apply by rating each.
Then, select one business area and set the stage as to the title of the person you are interviewing (e.g., “Head of Wealth Management APAC” or “Head of Fixed Income Desk London”) and list the categories or topics of information you would want to obtain and note whether the information is qualitative or quantitative.
2-3 pages