Section 1

Understanding the Basics


Get Started with Compliance Fundamentals

Lay the foundation for growth with the core elements of an effective compliance program. From creating a top-notch Code of Conduct to understanding the role compliance plays in your organization, learn the building blocks of compliance.


Each compliance program is unique, with disparate risks and varying levels of maturity. Although many nuances are determined by your company's size, industry and location, there are still basic principles that are best practices across the board. In this section you'll learn about the key skills every compliance professional should have, as well as the general knowledge base that effective compliance professionals build and draw on throughout their careers.

Just as there are key skills every modern compliance professional should possess, there are fundamental elements every effective compliance program should practice. This section introduces those key components of a robust compliance program and provides the guidance you need to move your career and your program to the next level of sophistication.

The Puzzle of Risk Management: Fitting Together the C-Suite, Board and Internal Departments

Let’s find those corner pieces in our risk management puzzle. Gone are the early days of risk assurance where external audit firms inspect financial statements and corporate compliance officers work strictly on regulatory filings. Today, it takes a village working together. Here's how all the pieces fit.

Matt Kelly, Radical Compliance 02/15/2017

This is a project where compliance and internal audit are well suited to divide and conquer: compliance can talk with the CEO about the importance of establishing a modern risk assurance program, while internal audit has the same conversation with the board or audit committee. Why? The compliance department often deals with urgent problems: investigations into misconduct, business processes that violate some regulatory standard, the potential for civil litigation. The internal audit function, meanwhile, is more often seen as the audit committee's man on the scene, and the internal audit team already is (or should be) conducting an annual enterprise risk assessment.

In truth, most CEOs and boards are quite receptive to talk about enterprise risk management and building a better risk assurance system. The trick is bringing them (and other relevant voices in the company) together to talk about risk assurance productively. The group will want to accomplish three main goals:

Declare what the business objectives are;
Declare what the risk and compliance objectives are;
Create a blueprint of who "takes point" on risk assurance day-to-day.

Consider the different priorities that different groups will bring to this conversation. For example, the CEO might declare a business objective of "increase return on equity by 10 percentage points in the next three years." Boards, however, with their duty to investors who want no surprises in share price, might come to the table with an objective of "minimize unexpected earnings volatility." The goal should be to create a risk assurance function that achieves both objectives, or more precisely, one that lets the CEO achieve the business objectives within the confines of the board's risk management objectives.

Some elements of that risk assurance function might be dictated to you. All registered investment advisers, for example, must have a compliance program, according to the SEC Office of Compliance Inspections & Examinations. All companies listed on the NYSE must have an internal audit function. Some of the duties those compliance officers and internal auditors should perform will be spelled out in the relevant listing standards or agency regulations. Those are facts of life for a large organization, to be accepted and even embraced.

The broader concern for a company, however, is this: How do you scope the duties of the compliance and internal audit functions so they can usefully contribute to the goal of COSO Principle 6, stating business objectives clearly enough that the risks to achieving them can be identified and managed?

The keys to that answer are independence and authority: the more of each a function has, the better it can find specific risks and map them back to business objectives, which then forces the first line of defense (the business units) at least to consider those risks, even if the solutions for managing them aren't yet clear. If compliance and internal audit can provoke those conversations, the organization's risk assurance function is moving in the spirit of Principle 6. And Principle 6 itself moves in the direction that regulators today (and just about everyone else) want to go: toward comprehensive, enterprise-wide risk management.


After the Spirit Moves You

The details of scoping that independence and authority (whether to have a charter for each function, who reports to whom, how often each function briefs the board, and so forth) will vary enormously from one company to the next. In subsequent papers we will touch on some of those details, such as how compliance and internal audit can avoid duplicating effort, and how to take a risk management framework and build it into a "feedback loop" that helps compliance and audit fulfil their missions.

For now, the parting lessons of this paper can be summed up as:

Today's regulatory climate has shifted from a compliance-driven mindset ("Have we ticked all the boxes? Yes? Good, we're done.") to a risk management-driven mindset ("How can we best ensure that we avoid unpleasant surprises?").
Heed the concept behind COSO Principle 6: state business objectives clearly enough that the risks in achieving those objectives can be managed.
Build a risk assurance function that is based on independence and authority for those in the second and third lines of defense who have daily responsibility for managing and monitoring those risks.


Learned about risk management, how it is managed at the high level and how the goal can be achieved.

March 28, 2017, 11:59 a.m. Manjisha Ka

Great article! This is such a key component of any dialogue with my clients: shifting that mindset from one that is reactive to one that is proactive. It can feel like an uphill battle to simultaneously investigate and address known incidents while also formulating a strategy to identify instigating patterns for those incidents but the time spent will pay itself back exponentially -- for the board, for the organization and those tasked with managing the details on day-to-day incidents and risks.

March 28, 2017, 11 a.m. Cody Bland