The Compliance Function within an Enterprise Risk Management Framework
Bruce A. Ortwine
General Counsel, Americas
Adviser, Global Legal and Compliance
Senior Executive Vice President
Sumitomo Mitsui Trust Bank, Limited
Class of 1981
Introduction: The compliance function plays a critical role within an enterprise risk management framework. It should be considered as “first among equals” among the other risk management participants (excluding internal audit), including the Chief Risk Officer. I will discuss all of this but first let’s talk about the compliance function itself.
Chapter 8B2.1 of the DOJ Federal Sentencing Guidelines lists the components of an effective compliance and ethics program (a “CEP”).
The compliance function is one of those components; others are:
The compliance function itself is delegated the day-to-day responsibility for the CEP. Compliance personnel should report periodically to high-level personnel and, as appropriate, to the governing authority on the effectiveness of the CEP. The board or other governing structure should give the compliance function adequate resources, appropriate authority, access to all books, records and employees, and direct access to the governing authority or appropriate subgroup.
An effective CEP can separate the company from a wayward employee and can protect it from potential governmental prosecution in the event an employee has violated a criminal law and, in so doing, the CEP.
The enterprise risk management process results in a comprehensive framework, or structure, through which an enterprise manages its risk exposures. Management of risk is not the same as elimination of that risk.
An enterprise is a consolidated organization (parent, subsidiaries, and affiliates).
An enterprise risk management process assesses the risks that an enterprise faces and generally entails the following steps: identification of risks, measurement of risks, identification of gaps between the identified risks and existing controls and mitigation of the risks, and continuous monitoring.
Risk Identification: The first step is to identify the risks. A few things to keep in mind about risk identification:
Risk Measurement: Once the list of risks has been developed, each identified risk goes through a process of evaluation to determine its level of potential harm to the enterprise. This process can take a number of different formats and can be heavily quantitative or more qualitative. Here is one example.
You will notice each of those controls is listed in an order of descending effectiveness.
Identification of Gaps and Risk Mitigation: Based on the results of this process, what controls that are not currently in place should be in place to eliminate, prevent, detect, train employees about, or otherwise mitigate Risk A? How much time, and at what expense to the enterprise, would it take to put each type of control into place? Given the nature of Risk A, is it practicable or feasible to consider a particular type of control, or can something almost as effective be considered instead at a significantly reduced cost or with a significantly shorter timeframe for implementation?
Risk management, then, is a balancing act: the potential cost of the risk is weighed against the potential cost of the control and its effectiveness.
Based on the result of this analysis, an “action plan” for corrective actions is put into place.
Continuous Monitoring: Once the corrective actions have been implemented, they must be continuously monitored to evaluate their effectiveness in eliminating, preventing, controlling or otherwise mitigating Risk A.
Continuous Management Reporting: Throughout this entire process, the persons involved (risk managers, Chief Risk Officer) should report on a regular basis to both senior management and the Board of Directors so that they, in turn, can fulfill their obligations of exercising corporate governance and oversight of the process.
The risk management process results in an enterprise risk management framework (“ERMF”), in which virtually all parts of the enterprise play a role, from its board of directors (or equivalent governing body) to its non-exempt (hourly) employees. The risk management framework requires buy-in and leadership from the board and senior management.
The conventional literature suggests that an ERMF should have three components or so-called “lines of defense:” first line, second line and third line. The first line consists of the business units whose activities create the risk (“risk owners”). The risk owners/first line of defense not only create the risk but also have the obligation to effectively manage that risk.
Conventional literature also states that the second line consists of those areas which independently monitor and manage the risk created by the first line (Chief Risk Officer, risk managers, compliance), and that the third line is internal audit, which independently assesses the effectiveness of the first and second lines of defense.
Compliance plays a critical role within an overall enterprise risk management framework. Not only is compliance a core category of risk that is applicable to any organization, no matter what its particular activities are, but it is also a function that should independently monitor and test the adequacy and effectiveness of the second line of defense risk functions, including those of the Chief Risk Officer. The monitoring and testing functions of compliance with respect to the second line of defense functions should result in findings and recommendations as to how the risk management functions, including those of the Chief Risk Officer, may be improved.
Compliance should also, of course, monitor and test the first line of defense areas to assess the adequacy and effectiveness of their policies, procedures and practices in controlling the identified risks.
In these respects, the compliance function is akin to the internal audit function, which, in addition to auditing the adequacy and effectiveness of the first and second lines of defense, independently assesses the adequacy and effectiveness of the compliance function. Ideally, internal audit should be able to leverage the findings and recommendations of compliance to make its own findings and recommendations concerning overall ERMF improvements. Constant communication, cooperation and coordination between these two important functions are required.
A chief difference between compliance and internal audit is that the compliance function’s monitoring and testing of the first and second lines are more thorough, more timely and more frequent (e.g., monitoring is continuous, testing may take place twice annually) than those of internal audit, which may take place only annually.
Conclusion: To be effective, the compliance function must be independent, with reporting lines that bypass senior management to the Board or other governing structure, and must have adequate resources and authority within the organization. Within an enterprise risk management framework, compliance’s role is different from that of the risk management function, including the Chief Risk Officer, in that compliance should independently evaluate the overall adequacy and effectiveness of the functional roles of the risk managers and the Chief Risk Officer. Compliance should work closely with internal audit to ensure the success of that framework.