Section 1

Understanding the Basics

MoreHide Arrow Down Icon Icon of solid caret pointing downwards.

Get Started with Compliance Fundamentals

Lay the foundation for growth with the core elements of an effective compliance program. From creating a top-notch Code of Conduct to understanding the role compliance plays in your organization, this is the place to learn the building blocks of compliance.

MoreHide Arrow Down Icon Icon of solid caret pointing downwards.

Each compliance program is unique with disparate risks and various levels of maturity. Although there are a number of nuances determined by your company’s size, industry and location, there are still basic principles that are best practices across the board. In this section you’ll learn about the key skills every compliance professional should have as well as the general knowledge base effective compliance professional have and harness throughout their careers.

Just as there are key skills every modern compliance professional should possess, there are fundamental elements every effective compliance program should practice. This section will introduce you to those key components of a robust compliance program and provide the guidance you need to move your career and program to its next level of sophistication. 

The Puzzle of Risk Management: Fitting Together the C-Suite, Board and Internal Departments

Let’s find those corner pieces in our risk management puzzle. Gone are the early days of risk assurance where external audit firms inspect financial statements and corporate compliance officers work strictly on regulatory filings. Today, it takes a village working together. Here's how all the pieces fit.

Matt Kelly, Radical Compliance 02/15/2017

Let’s find those corner pieces in our risk management puzzle. Gone are the early days of risk assurance where external audit firms inspect financial statements and corporate compliance officers work strictly on regulatory filings. Today, it takes a village working together. Here's how all the pieces fit.

The Puzzle

While the Sarbanes-Oxley Act of 2002 birthed "compliance" as we know it today, the far more defining moment was the financial crisis of 2008 and all the regulatory change provoked by that transfiguring time. Today, virtually every participant in the corporate realm—regulators, investors, boards, employees, senior executives, internal auditors, external auditors, compliance officers, and others—are driving to a much broader goal of better risk management. The journey alone (never mind succeeding at that goal) will redefine risk assurance to its core.

We will begin with the beginning: how to work with your board to establish a basic structure of risk oversight, and what role compliance and internal audit functions play in that process.

The Most Important Principle of All

All a company's struggles with risk management can trace back to misapplying the concepts behind Principle 6 of the COSO 2013 Internal Control-Integrated Framework: "The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives." (The framework has 17 principles in total, and the first five focus on the control environment. Principle 6 is the first of four principles on risk assessments.)

If an organization fails at this first principle of risk assessment—and we mean that literally; Principle 6 is the first principle in the COSO framework's section on risk assessment—then all your later efforts will fall short, because the parties involved will not have a clear, uniform sense of the goals they are trying to achieve or the risks they should monitor while trying to achieve them. You may have different parts of the organization disagreeing about priorities (compliance versus internal audit, for example; or compliance versus the business units). You may end up with a risk that exists in the company, but is tied to no specific objective, so nobody has the responsibility to manage it.

Setting clear objectives according to Principle 6 has become more challenging in recent years. Again, blame the financial crisis of 2008 and the change in regulatory thinking that followed. Prior to that, boards had been galvanized by the Sarbanes-Oxley Act to focus on compliance. The Dodd-Frank Act and all it hath wrought, however, are driving boards to focus on enterprise risk management—through much more elusive concepts such as "culture risk" (a favorite of financial regulators like FINRA today), or compensation schemes that encourage reckless decisions.

As a result, you no longer can treat ERM like a mapping exercise—which you could do with compliance. ERM is more a governance exercise, and we still struggle to articulate who oversees what: the CEO, the compliance and legal teams, the board, the internal audit department, the business lines.

We do know some broad contours of how to get started. First, the board as a whole should review business objectives proposed by the CEO (and his or her lieutenants, such as the CFO or COO). In theory, the next step would be for the audit committee to ensure that the risks to achieving those objectives are somehow managed. Or to put it another way, the audit committee sets the risk management and compliance objectives that should be achieved to help the company achieve its business objectives.

Two important considerations arise here. First, the audit committee itself doesn't have to oversee risk management; it only needs to ensure that some part of the board or company does. For example, NYSE's Listed Company Manual states: "The audit committee is not required to be the sole body responsible for risk assessment and management, but...the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken." Second, our description above ignores the reality that most businesses are not in a position to "get started." They are already in motion, and don't have the luxury of pausing to set clear objectives, assess risk, and then move forward. They must do the job within the company's daily operations.

All of that makes for a complicated dance to achieve the aims of Principle 6.

Applying Principle 6 to the Three Lines of Defense

In one way or another, most audit and compliance professionals have come around to the wisdom of the Three Lines of Defense model for risk assurance developed by the Institute of Internal Auditors in 2013: the first line are the business operating units; the second line are oversight functions such as compliance, legal, IT, and HR; the third line is internal (or external) audit. Some may quibble about where the CEO and the board fit into this picture; others wonder whether internal audit could handle some second-line duties of compliance. But the fundamental concepts—that the operating units "own the risk," while various management functions help the operating units manage risk, and some independent group also confirms risk management plans are working—are well-understood now.

That is risk management in practice. We simply need to tie the delivery of risk management back to the goal of Principle 6, which is deciding how you want to manage risk in the first place.

This is a project where compliance and internal audit are well-suited to divide and conquer: compliance can talk with the CEO about the importance of establishing a modern risk assurance program; internal audit can have the same conversation with the board or audit committee. Why? The compliance department often deals with urgent problems: investigations into misconduct; business processes violating some regulatory standard; the potential for civil litigation. The internal audit function, meanwhile, is more often seen as the audit committee's man on the scene, plus the internal audit team already is (or should be) conducting an annual enterprise risk assessment.


Lock Icon Icon of the outline of a padlock. Write your reply...

Learned about risk management and how is it managed at the high level and how the goal can be achieved.

0 Responses
March 28, 2017, 11:59 a.m. Manjisha Ka Manjisha Ka

Great article! This is such a key component of any dialogue with my clients: shifting that mindset from one that is reactive to one that is proactive. It can feel like an uphill battle to simultaneously investigate and address known incidents while also formulating a strategy to identify instigating patterns for those incidents but the time spent will pay itself back exponentially -- for the board, for the organization and those tasked with managing the details on day-to-day incidents and risks.

0 Responses
March 28, 2017, 11 a.m. Cody Bland Cody Bland