A Primer on the Nuts and Bolts of Effective Governance and Oversight: Part Two
by: Bruce Ortwine
Following up on a previous posting (“A Primer on the Nuts and Bolts of Effective Governance and Oversight: Part One”), effective corporate governance and oversight require the involvement of more than the organization’s board of directors and senior management. The organization’s legal, regulatory compliance, risk management and internal audit functions also play critical roles in the development and administration of an effective corporate compliance program (“CCP”), which is a precondition for an effective organizational governance and oversight framework. If the key players in a CCP are not adequately performing their respective functions, effective governance and oversight is impossible. And, conversely, if the organization lacks effective corporate governance and oversight, the key players in an effective CCP cannot adequately perform their respective functions. The two are symbiotic.
Each function should be fully independent from the organization’s management, including its senior management, and have a direct reporting line to its board of directors (or a designated board committee.) The role of each function is briefly explained.
Section I: Legal Department Responsibilities:
The responsibilities of an organization’s Legal Department with respect to a CCP include the ongoing identification of all laws and regulations that apply to the organization, summarizing them in an appropriate document (a “Compliance Manual”), and communicating them to all employees, in particular the Chief Ethics and Compliance Officer (the “CECO”). The Compliance Manual serves as the starting point for the development of a corporate compliance risk assessment (a “CCRA”), and all relevant corporate compliance-related policies and procedures within the organization.
All changes made to the Compliance Manual should be documented and communicated to all employees in a timely manner.
Depending on an organization’s size and structure, the General Counsel may be in charge of compliance or may be the person to whom the person in charge of compliance reports.
The responsibilities of an organization’s Legal Department also include keeping apprised of all existing and emerging risk management-related regulations and developments, supervisory releases, announcements, enforcement actions, best practices and other publications, and to provide advice and assistance to the organization’s board of directors, senior management, CECO, Chief Risk Officer, and other relevant persons, concerning the organization’s enterprise risk management framework, of which corporate compliance is a critical component. (See a previous posting, “The Corporate Compliance Function in an Enterprise Risk Management Framework”).
Section II: An Organization’s Regulatory Compliance Department (“RCD”) Responsibilities
The RCD has the direct, day-to-day responsibility for overseeing and supporting the implementation of an effective and sustainable CCP and in controlling risks that may transcend business lines in the organization. The RCD Manager, who should also be the organization’s designated CECO, should have a direct reporting line to both the organization’s senior management and its board of directors or designated board committee (e.g., audit, compliance or risk management).
Specific roles of the RCD in the overall CCP include the following:
i. Overall Corporate Compliance Responsibilities
- Preparing and updating the organization’s periodic corporate compliance risk assessment (the “CCRA,” discussed in subsection ii(1) below);
- Based on the results of the CCRA, identifying both current and emerging risks and gaps between those risks and existing controls (discussed in subsection ii(1));
- Based on the results of the CCRA, developing and implementing both an annual corporate compliance testing program (“Test Plan”) and an ongoing monitoring program of specified activities (discussed in subsection ii(2) below);
- Investigating regulatory compliance and risk management-related issues (“Reported Issues”) reported by employees (discussed in Section III of Part One of this posting);
- Based on the results of investigations that it conducts, escalating a Reported Issue to senior management and recommending appropriate corrective actions, which may include without limitation, contacting an appropriate governmental agency (police, FBI, etc.), disciplinary action, enhanced training and communication of CCP standards and enhancements to the existing CCP;
- Participating in the ongoing compliance training program for employees;
- Having direct lines of communication to all employees and direct access to any records or files necessary to carry out its function, including without limitation, for performance of compliance testing and monitoring and investigation of all Reported Issues; and
- Providing advice and assistance to senior management and the board (or designated board committee) in the management of the corporate compliance risks faced by the organization.
ii. A Few Specific RCD Responsibilities in a CCP:
- Corporate Compliance Risk Assessment: The CCRA is intended to reflect the accurate and complete identification and measurement of all risks that apply to the organization. The risks are identified through all laws and regulations that are identified in the Compliance Manual. The CCRA serves as a critical tool to also identify gaps between identified risks and existing controls and ways in which those gaps may be eliminated, reduced, or otherwise managed. The CCRA results determine the scope and frequency of compliance testing and monitoring. Each risk is assigned an “Owner,” a department, section or identified individuals having primary responsibility for the management of the risk. The scope of the CCRA should be as broad as possible and should also consider risks that are not current but are emerging risks, such as a law that has been passed with a delayed, future implementation date, a merger or acquisition that has been agreed to with a future “Closing Date,” or an activity that the organization plans to engage in at a future point. The CCRA should be intended to be as flexible and adaptive as required in order to keep pace with changing business activities and attendant risks.
- Corporate Compliance Testing: Based on the risks and gaps identified in the CCRA, the RCD should develop its annual Test Plan. The Test Plan identifies those activities of the organization that require periodic compliance testing and the scope and frequency of such testing. Compliance testing is necessary to validate that key assumptions, data sources and procedures used in measuring and monitoring risks can be relied upon on an ongoing basis and that controls are working as intended. A member of the RCD should conduct a compliance test of each identified activity and prepare a written report based on the results of the test; the report should include findings and recommendations for enhancements to existing controls in order to eliminate, reduce or otherwise manage each risk and gap that is identified during the compliance test. Essentially, though more comprehensive, the Test Plan is similar to an internal audit plan and a compliance test is similar to an internal audit.
- Ongoing Monitoring: Also based on a number of factors, including the risks and gaps identified in the CCRA, the RCD should conduct ongoing monitoring of specified activities of the organization. Two examples of activities requiring monitoring are gifts and entertainment provided to employees (anti-corruption and bribery laws) and personal securities trading by either all employees or those identified as having access to confidential information (insider-trading laws).
Section III: Risk Management Function
Closely connected to an organization’s CCP is an effective enterprise risk management (“ERM”) framework. An effective ERM framework should consider all categories of risk that the organization faces, the universe of which will depend on its particular business activities, and to develop appropriate risk assessments, corrective action plans and continuous monitoring. This function is more fully discussed in a previous posting, “The Compliance Function in an Effective Risk Management Framework.”
Section IV: Internal Audit Responsibilities and Relationship with RCD:
Internal Audit provides independent testing of the effectiveness of the organization’s CCP through its ongoing audits. In carrying out this function, Internal Audit should develop a “relationship” with RCD, which reflects the complementary roles they play in connection with the organization’s CCP and which includes the following:
- RCD prepares a CCRA that follows the categorization of laws and regulations contained in the Compliance Manual. The results of the CCRA, in turn, determine the resulting scope of compliance testing and monitoring as well as compliance training (both general and targeted) for employees.
- Internal Audit independently prepares its Internal Audit Risk Assessment based on its own methodology. Its risk assessment determines its own internal audit test plan.
- Generally, the audit of the CCP encompasses testing for supervision and monitoring of all applicable rules and regulations governing the organization’s activities, as well as testing for compliance with internal policies, procedures and industry best practices. The objective is to ensure that these documents accurately reflect the current regulatory environment. The effectiveness of the RCD and CECO is also evaluated, including the assessment and actual implementation of testing, monitoring and training.
In conclusion, an effective CCP, essential to an effective corporate governance and oversight framework, requires the active and cooperative involvement of each of the above functions. The independence of each of these functions cannot be overemphasized, as each must strive to accomplish organizational compliance with applicable laws and regulations with the cooperation of both the board of directors and senior management. Independence is especially required if any member of management stands in the way of achieving an effective CCP and, in turn, an effective corporate governance and oversight framework. Full cooperation among the board, senior management and all functions are essential to achieve an effective corporate government and oversight framework.