Boards of directors are expected to provide oversight and challenge for the compliance program. To assist them, compliance professionals need to provide more sophisticated reporting based on observable facts. Fortunately, this is one of the biggest payoffs of the Resolver regulatory compliance management tool. Learn how Resolver can facilitate your board reporting and align to the challenges of a modern regulatory environment.

1. Reporting to the Board on
Corporate Compliance: Informed
Decision Making

3. Hello!
I am John Jason
Canadian Compliance Group
john.jason@cancomgroup.com

4. The Board and Regulatory
Compliance

5. The Board and Regulatory Compliance
▪ Corporate statutes generally provide that it is the responsibility
of the board to supervise the management of the corporation
Leading Cases:
▪ In Re Caremark International Inc. Derivative Litigation
▪ Stone v. Ritter
▪ Directors must be reasonably informed concerning the
corporation

6. The Board and Regulatory Compliance
Directors must assure themselves that:
▪ Information and reporting systems exist
▪ These systems are reasonably designed to provide senior
management and the board with timely, accurate information
sufficient to allow them to reach informed judgments
concerning compliance with law

7. The Board and Regulatory Compliance
▪ The board must exercise a good faith judgment that the
corporation’s information and reporting system is adequate in
both concept and design
▪ Once these systems are implemented, the board must take
steps to monitor or oversee their operations

8. Basel Committee Corporate
Governance Guidance

9. Basel Committee Corporate Governance Guidance
The Board:
▪ Is responsible for overseeing the management of compliance risk
▪ Should establish a compliance function and approve the bank’s
policies and processes for identifying, assessing, monitoring and
reporting and advising on compliance risk
The Compliance Function:
▪ Should advise the board on the bank’s compliance with
applicable laws, rules and standards and keep them informed of
developments in the area

10. Basel Committee Corporate Governance Guidance
Goal of Risk Reporting
▪ Information should be communicated to the board in a timely,
accurate and understandable manner
▪ While the board should be sufficiently informed, reports should
avoid voluminous information that makes it difficult to identify
key issues
▪ Information should be prioritised and presented in a concise, fully
contextualised manner

11. Basel Committee Corporate Governance Guidance
Report to the Board
▪ Senior management should, with the assistance of the
compliance function, at least once a year, report to the board on
the management of compliance risk
▪ The report should be made in such a manner as to assist board
members to make an informed judgment on whether compliance
risk is being managed effectively

12. Basel Committee Corporate Governance Guidance
The head of compliance should report on a regular basis to senior
management on:
▪ The compliance risk assessment conducted during the period,
including any changes in the compliance risk profile
▪ Relevant measurements such as performance indicators
▪ Identified breaches and/or deficiencies
▪ Corrective measures recommended to address them and
corrective measures already taken

13. Oversight Functions

14. Oversight Functions
Role of Functions
▪ Provide independent and objective assessments to the
directors to allow them to fulfill their responsibilities
▪ Identify, measure, and report on the FRFI’s risks
▪ Assess the effectiveness of the FRFI’s risk management and
internal controls
▪ Determine whether the FRFI’s operations, results and risk
exposures are consistent with the FRFI’s risk appetite.

15. Oversight Functions
Heads of the Oversight Functions Should:
▪ Have sufficient stature and authority within the organization
▪ Be independent from operational management
▪ Have unfettered access and a direct reporting line to the
board or the appropriate board committee

16. Role of the Board
Board must regularly review and discuss:
▪ FRFI’s exposure to material regulatory compliance risk
▪ Significant RCM policies
▪ CCO reports and Internal Audit or other independent review
function reports, as appropriate
▪ Progress in implementing remedial actions taken with respect to
instances of material non-compliance or control weakness, and
▪ Effectiveness of compliance oversight

17. Responsibilities of the CCO
The CCO should be responsible for:
▪ Assessing the adequacy of, adherence to and effectiveness of
the FRFI’s day-to-day controls
▪ Providing an opinion to the board whether, based on the
independent monitoring and testing conducted, the RCM
controls are sufficiently robust to achieve compliance with the
applicable regulatory requirements enterprise-wide
▪ The opinion should be supported by sufficient pertinent
information that is verified or reasonably verifiable

18. What is the Basis for the Opinion?
Self-Assessments and Testing
Depending on available resources opinion can be based on:
▪ Self-assessments from accountable executives
(guided or ad hoc)
▪ Hands-on compliance testing

19. Is the Opinion Subjective or Objective?
Compliant Versus Effective Program
Even programs that incorporate a significant testing program can
result in subjective opinions.
▪ Why?
▪ Testing can never cover the universe of risks

20. Inputs Require Subjective Measurement
Program Effectiveness
▪ Although the equation is simple:
Inherent Risk – Control effectiveness = Residual Risk
▪ Assessing the components often requires a subjective
assessment
Example: Monitoring is a component of an effective control
How much monitoring is enough?

21. Is it Possible to Introduce
Objective Measurements?

22. Three Critical Areas
Three areas where measurement is essential:
▪ Risk Assessments
▪ Issue Classification
▪ KPIs and KRIs

23. Risk Assessments
▪ Identifies not only what are the biggest risks but why they are the
biggest
▪ Risk Assessments:
Provide a basis for resource decisions
▪ How many
▪ What kind
▪ Educate management and the board about the nature and level of
risk

24. What are the benefits
Input in many critical compliance steps
▪ Resourcing and allocation
▪ Control assessment
▪ Issue priority
▪ Reporting
▪ Monitoring

25. Developing a Measurement System
▪ What is the potential universe of data?
▪ Are the requirements straightforward or complex?
▪ Are the regulations stable or constantly changing?
▪ Are our products stable or do they constantly change?
▪ Do we control all of the processes or have they been outsourced?

26. Develop the Scorecard

27. Likelihood Scores
Complexity of Regulation
(High) Regulation imposes multiple requirements or detailed analysis
(Medium) Multiple requirements but the analysis is straightforward
(Low) Straightforward requirement
Complexity of Business
(High) Complex and involves the application of specialized skill
(Medium) Moderate degree of complexity and skill
(Low) Straightforward business not requiring advanced training or
skill

28. Impact Scores
Business objective subject to regulatory requirement
(High) Core objective
(Medium) Business unit objective
(Low) Local objective
Degree of impact on business objective
(High) Would prevent or materially alter achievement of objective
(Medium) May significantly delay or impact cost of achievement of objective
(Low) Nominal impact to timing or cost of achieving objective

29. Scoring Grid
RISK ASSESSMENT CHART
RISK SCORING
0 TO 4 TRIVIAL TO LOW RISK
5 TO 14 MODERATE TO MAJOR RISK
16 OR HIGHER HIGH TO SEVERE RISK

30. Benefits of Scorecard
▪ Risks identified on the basis of some empirical data
▪ Mix of objective and subjective data provides a more accurate
assessment
▪ Accumulation of several subjective elements reduces the impact
of judgment

31. Issue Reporting
▪ Tendency is to report issues as if they were all the same
magnitude
▪ Size the Compliance Gap
▪ Examples
Major Control Issue
Significant Control Issue
Minor Control Issue
▪ Incorporate inherent risk score
▪ Size of Gap + Inherent Risk Score = Issue Priority

32. KPIs
▪ Example: How are the 3 lines of defense functioning?
▪ Performance issue with framework as too many issues
identified by regulators

33. KRIs
▪ Example: New Initiatives
▪ Number of initiatives rated as high risk
▪ Indicates potential risk of non-compliance as number of new
initiatives may exceed ability to absorb

34. KRIs
▪ Example: Regulatory Change
▪ Number of New Regulations
▪ Indicates potential risk of non-compliance as amount of
regulatory change may exceed ability to absorb

35. KRIs
▪ Example: Compliance Monitoring/Audit
▪ Percent of High Risk Requirements Subject to Monitoring
▪ Indicates potential risk of non-compliance as monitoring
inadequate

36. What Do Boards Really Want to Know?
What they want to know:
▪ Is the organization in compliance?
What they should want to know:
▪ Why do you think the organization is in compliance?

37. Thanks!
Any questions?
john.jason@cancomgroup.com