The Compliance Function within an Enterprise Risk Management Framework
Bruce A. Ortwine
General Counsel, Americas
Adviser, Global Legal and Compliance
Senior Executive Vice President
Sumitomo Mitsui Trust Bank, Limited
Class of 1981
Introduction: The compliance function plays a critical role within an enterprise risk management framework. It should be considered “first among equals” among the other risk management participants (excluding internal audit), including the Chief Risk Officer. I will discuss all of this, but first let’s talk about the compliance function itself.
- The Compliance Function
Chapter 8B2.1 of the DOJ Federal Sentencing Guidelines lists the components of an effective compliance and ethics program (a “CEP”).
The compliance function is one of those components; others are:
- established standards and procedures within an organization to prevent and detect criminal conduct;
- the organization has a sound governing structure, such as a Board of Directors, which is knowledgeable about the contents and operation of the CEP and exercises reasonable oversight with respect to the implementation and effectiveness of the CEP;
- the organization uses reasonable efforts not to include within its “substantial authority” any person whom the organization knows or should know through due diligence has engaged in illegal activities or other conduct inconsistent with an effective CEP;
- the organization communicates periodically and in a practical manner its standards and procedures and other aspects of its CEP through training and information dissemination to its governing authority, high-level personnel, substantial authority personnel, employees and, as appropriate, agents;
- the organization takes reasonable steps to ensure the CEP is followed, including monitoring and auditing to detect criminal conduct, periodic evaluation of the CEP’s effectiveness, and a mechanism for reporting potential criminal activity without fear of retaliation;
- the organization has appropriate incentives and disciplinary measures to promote and enforce its CEP;
- if criminal activity is detected, the organization takes reasonable steps to respond appropriately and prevent further criminal conduct, including by making changes to the CEP.
The compliance function itself is delegated the day-to-day responsibility for the CEP. Compliance personnel should report periodically to high-level personnel and, as appropriate, to the governing authority on the effectiveness of the CEP. The board or other governing structure should give the compliance function adequate resources, appropriate authority, access to all books, records and employees, and direct access to the governing authority or appropriate subgroup.
An effective CEP can separate the company from a wayward employee and can protect it from potential governmental prosecution in the event an employee has violated a criminal law and, in so doing, the CEP.
- The Enterprise Risk Management Process and Framework
The enterprise risk management process results in a comprehensive framework, or structure, through which an enterprise manages its risk exposures. Management of risk is not the same as elimination of that risk.
An enterprise is a consolidated organization (parent, subsidiaries, and affiliates).
- Risk Management Process
An enterprise risk management process assesses the risks that an enterprise faces and generally entails the following steps: identification of risks, measurement of risks, identification of gaps between the identified risks and existing controls, mitigation of the risks, and continuous monitoring.
Risk Identification: The first step is to identify the risks. A few things to keep in mind about risk identification:
- It is difficult to identify ALL types of risk. The first attempt at a risk assessment will almost certainly miss a few. That’s OK. Risk assessments are never perfect and need to be rethought and updated periodically (e.g., annually and when a significant change in the enterprise occurs).
- The types of risks the enterprise faces depend in part on its activities. Some risks are constant (compliance is one of them, along with legal, operational, information security, reputation, etc.).
- Other risks are industry-specific. For instance, a bank faces risks such as credit, liquidity, market and model risk. A coal mining company may not face some of those risks but may face environmental, political, price fluctuations and other risks.
Risk Measurement: Once the list of risks has been developed, each identified risk goes through a process of evaluation to determine its level of potential harm to the enterprise. This process can take a number of different formats and can be heavily quantitative or more qualitative. Here is one example.
- Risk A is identified.
- What is the likelihood that Risk A will occur (from highly unlikely to almost certain)?
- If Risk A does occur, what impact will it have on the enterprise (from small to catastrophic)?
- Can Risk A be controlled and, if so, how? Can it be eliminated from ever occurring and, if so, how? Can it be prevented from occurring on a day-to-day basis and, if so, how? If it cannot be eliminated or prevented, can it be detected through monitoring if it does occur? Can employees be otherwise trained and informed about what to do if Risk A occurs?
You will notice that each of those controls is listed in descending order of effectiveness.
Identification of Gaps and Risk Mitigation: Based on the results of this process, what controls should be in place to eliminate, prevent, detect, and train employees about or otherwise mitigate Risk A that are not currently in place? How much time and at what expense to the enterprise would it take to put into place each type of control? Given the nature of Risk A, is it practicable or feasible to consider a particular type of control, or can something almost as effective at a significantly reduced cost or a significantly shorter timeframe for implementation be considered instead?
Risk management, then, is a balancing act (the potential cost of the risk vs. the potential cost of the control, weighed against the control’s effectiveness).
Based on the result of this analysis, an “action plan” for corrective actions is put into place.
Continuous Monitoring: Once the corrective actions have been implemented they must be continuously monitored to evaluate their effectiveness in eliminating, preventing, controlling or otherwise mitigating Risk A.
Continuous Management Reporting: Throughout this entire process, the persons involved (risk managers, Chief Risk Officer) should report on a regular basis to both senior management and the Board of Directors so that they, in turn, can fulfill their obligations of exercising corporate governance and oversight of the process.
- Enterprise Risk Management Framework
The risk management process results in an enterprise risk management framework (“ERMF”), in which virtually all parts of the enterprise play a role, from its board of directors (or equivalent governing body) to its non-exempt (hourly) employees. The risk management framework requires buy-in and leadership from the board and senior management.
The conventional literature suggests that an ERMF should have three components, or so-called “lines of defense”: the first line, the second line and the third line. The first line consists of the business units whose activities create the risk (“risk owners”). The risk owners/first line of defense not only create the risk but also have the obligation to effectively manage that risk.
Conventional literature also states that the second line consists of those areas which independently monitor and manage the risk created by the first line (Chief Risk Officer, risk managers, compliance), and that the third line is internal audit, which independently assesses the effectiveness of the first and second lines of defense.
- The Compliance Function within the Enterprise Risk Management Framework
Compliance plays a critical role within an overall enterprise risk management framework. Not only is compliance a core category of risk that is applicable to any organization, no matter what its particular activities are, but it is also a function that should independently monitor and test the adequacy and effectiveness of the second line of defense risk functions, including those of the Chief Risk Officer. The monitoring and testing functions of compliance with respect to the second line of defense functions should result in findings and recommendations as to how the risk management functions, including those of the Chief Risk Officer, may be improved.
Compliance should also, of course, monitor and test the first line of defense areas to assess the adequacy and effectiveness of their policies, procedures and practices in controlling the identified risks.
In these respects, the compliance function is akin to the internal audit function, which, in addition to auditing the adequacy and effectiveness of the first and second lines of defense, independently assesses the adequacy and effectiveness of the compliance function. Ideally, internal audit should be able to leverage the findings and recommendations of compliance to make its own findings and recommendations concerning overall ERMF improvements. Constant communication, cooperation and coordination between these two important functions are required.
A chief difference between compliance and internal audit is that the compliance function’s monitoring and testing of the first and second lines is more thorough, timely and more frequent (e.g., monitoring is continuous, testing may take place twice annually) than those of internal audit, which may take place only annually.
Conclusion: To be effective, the compliance function must be independent, with reporting lines that bypass senior management to the Board or other governing structure, and must have adequate resources and authority within the organization. Within an enterprise risk management framework, compliance’s role is different from that of the risk management function, including the Chief Risk Officer, in that compliance should independently evaluate the overall adequacy and effectiveness of the functional roles of the risk managers and the Chief Risk Officer. Compliance should work closely with internal audit to ensure the success of that framework.