
Getting started: enterprise-wide challenges
By Linda Wolosz April 19, 2007
The preceding papers in this series highlighted the need for compliance departments to change the way they engage with management and organise their work. These articles reviewed the increasing regulatory demand and the regulatory acceptance of risk-based compliance programmes that operate enterprise-wide.
We described the challenge compliance professionals face to: identify risk themes; assess and score the impact of these risks; create measures for their work around these risks; assist management in setting risk targets; and establish risk mitigation plans to aid in endeavours to meet these targets. There is a growing sense of urgency in the industry to mature the compliance function so that it can take its rightful place in presenting an effective, real-time risk report card to management.
This segment of our series turns to the enterprise-wide part of that challenge. It provides some ideas on how to create a compliance infrastructure and processes that facilitate efficiency, rigour and risk reporting across product, country and legal entities. Further articles will then turn to current best practice in the nuts and bolts of any compliance programme, covering topics such as policies and procedures, monitoring and surveillance.
All firms of any complexity need to build compliance programmes that strike a balance between the centralised decisions about how to protect the firm-wide brand and what that means for implementation in diverse locations, legal entities and product lines.
This article illustrates the steps that firms typically employ to put this balance into place. These steps include: mapping the firm; determining the compliance organisation structure; building the compliance programme; creating corrective action plans; updating the risk assessment with changes based upon compliance programme results; and making this a continuous process.
Mapping your organisation
The design of a firm-wide compliance programme will differ among organisations of varying sizes and complexities. Attributes that contribute to these structural decisions might include topics such as the homogeneity of geographic location, management, product offerings, processing methods, systems and regulatory oversight.
The compliance infrastructure in a community bank with a few local branches and limited product offerings can be different in size and complexity when compared with a bank holding company with businesses involving banking, securities, and insurance entities that span national and international locations. Not only do these examples differ in geographic and product coverage, the regulatory regimes for the latter will involve laws and regulations from an array of authorities, adding complexity.
Compliance professionals' familiarity with the firm's organisational structure, business offerings, risk profiles and control environments can be increased by sharing ideas with areas responsible for financial, credit, market and operational risk management as well as internal audit and legal functions.
Federal Reserve governor Susan Bies noted at the American Bankers Association annual convention in October 2006: "The Federal Reserve expects banking organisations to have in place an infrastructure that can identify, monitor, and effectively control the compliance risks that they face. Needless to say, the infrastructure should be commensurate with the nature of the organisation's compliance risk….
"Managers should be expected to evaluate the risks and controls within their scope of authority at least annually. An enterprise-wide compliance-risk management programme should be dynamic and proactive. It should assess evolving risks when new business lines or activities are added, when existing activities and processes are altered, or when there are regulatory changes."
Armed with a definitive map of the organisation, compliance can begin to make decisions about how best to structure the compliance department and define the compliance programme.
Determine the compliance structure
The compliance department structure and the compliance programme should be based upon what it is you want to control. Superimposing the compliance risk assessment on the firm's organisation helps define what to control and where to control it.
The board and senior managers direct the firm by setting the tone. Similarly, corporate compliance moulds the basis of the global compliance programme while providing the flexibility to implement appropriate and integrated programmes at local levels. A typical compliance organisation might look something like:
Compliance policy should be clear, consistent, well communicated and should emanate from the top of the organisation. Putting a global policy into action may require unique local procedures, depending upon the laws and regulations in varying locations. For example, a global policy on the compliance risk theme "Treating customers fairly — suitability" might be exactly the same for all geographic areas and business units but the implementation will vary because of different rules issued by various regulators, for example, the UK's Financial Services Authority versus the Securities and Exchange Commission in the US. Further, the specific laws and regulations within a country might differ between industries. Specific regulatory guidance for the securities and banking industries may well be different.
Compliance management has choices in setting the levels of decision making between the central and decentralised units. A template is "something that serves as a master or pattern from which other similar things can be made". Corporate compliance can create templates for each risk theme, which include certain indelible requirements for the programme, e.g., identifying laws and regulations, assessing the regulatory impact, issuing policies and procedures, training, monitoring, investigation and corrective action.
These directives ensure that certain basics are implemented in a common way. The more centralised environment will have most, if not all, specifications preset in the templates, with the expectation that local units will implement what is dictated. At the other end of the spectrum, the centralised unit defines the template with minimal requirements, allowing significant design by local units. Structures can exist anywhere along the continuum between the two extremes.
The compliance structure is not complete without a reporting process that accumulates and disseminates, to those who need to know, information about:
- Changes in laws and regulations.
- Changes in amendments to policy and procedures (driven from external regulatory events or internal business strategy decisions).
- Training accomplishments.
- Monitoring and testing results.
- Corrective action plan statuses.
What needs to be known varies between business units and organisational levels. The ability to serve the right complement of information to the right management, especially the identification of areas where risk exceeds management's risk appetite, is the critical goal of the compliance function and needs to be set with input from the firm's management. Reporting levels can exist at many points in the organisation as the figure below demonstrates:

The compliance programme
Decisions are required to populate the details of the programme framework (identifying laws and regulations, assessing the regulatory impact, issuing policies and procedures, training, monitoring, investigation and corrective action). As the compliance programme is fed from the compliance risk assessment, programme components should be linked back to the assessment, ensuring that the priorities set by the assessment are realised in the programme. This association should be evidenced and available for review by a third party, including regulators.
The templates designed during the structuring of compliance, whether the product of centralised, decentralised or a combination, form the basis of the compliance programme in each of the following critical functions:
- Being able to keep track of the universe of laws/regulations, policies and procedures in a complex organisation is a critical task in managing the compliance function. It becomes an important topic in maintaining the compliance programme.
- Documentation supporting decisions about if or how the legislation affects the firm. Regulators will expect to see opinions provided by compliance, legal and the business units.
- A rigorous compliance programme will include written policies and procedures that are periodically reviewed and updated as internal businesses and external regulatory requirements change. Modifications need to be supported with a strong audit trail and versioning information, as well as clear records of communicating revisions to the appropriate personnel in the firm.
- Regulators depend upon management, often through the compliance department, to ensure that employees have been trained on topics appropriate to their jobs. Training can take various forms including well-controlled distribution of policies and procedures, online or classroom lessons, and proficiency testing. Regardless of the training method, evidence of these activities including attendance records, training materials, and effective dates are both good business practices and critical regulatory defences.
- Intrinsic to the risk assessment process discussed in the previous papers, the compliance plan should identify what should be monitored and how often. The goal is to ensure, with a level of confidence, that personnel throughout the firm are in compliance with applicable laws, regulations and firm policies. Monitoring can fall into a few categories: daily routine surveillance, as in evaluating actual detailed transaction data for suspicious AML activity against expected patterns; periodic sampling of a universe for the existence of predefined attributes, as in the review of a selection of customer files for the collection and validation of customer identification attributes in line with the firm's account opening and customer information practices; and, while less formalised, opportunities to advise the business on new products and certain transactions, or to respond to queries, which give compliance input on current events in the business subject to monitoring.
- Investigation to determine the cause of the problem should be undertaken. A determination should be made as to the validity of the testing measure and the accuracy of the policy/procedure driving the monitoring. Evaluation should determine whether the problem is specific to a person or a localised situation, or whether there is a larger systemic concern. The corrective action suggested should take the results of these investigations into account.
The results of monitoring and investigation tasks should be documented so that evidence of the results is available for review by management and third parties such as regulators. This documentation will ultimately provide the detailed support to management reports reflecting the picture of compliance risk.
Corrective action plans
In the earlier papers in this series we exemplified the setting of risk appetite for suitability. Once managers set the appetite, compliance used monitoring results to help score the probability of failure in this area. It then mathematically combined this probability with the impact of failure, and compared the appetite to the assessment result.
When compliance monitoring efforts reveal risk exposures that exceed management's risk appetite, corrective action plans are needed to align the exposure with the appetite. Corrective action plans should target the weakness and direct remediation to the appropriate level of the firm. In a complex organisation this might be a particular geographic location, legal entity or business unit.
Earlier in this paper we illustrated how templates can be used to define the structure of the compliance department by setting the division of control between centralised and decentralised compliance units. We included a basis for the corrective action plan in the set of templates. The template must take into account at what level the business sets its risk appetite so that appropriate comparisons to compliance risk assessment results can be achieved.
Closing the loop
This series began with a question: are compliance departments a risk management function? Regulators are constantly looking to the compliance department to provide risk-based information to management to help them make better business decisions that minimise reputational risk.
The second instalment expanded upon the components of a successful compliance risk model. The components included: identification of risk themes, assessment and scoring of the impact of these risks, creating measures for compliance work around these risks, helping management to set risk targets, and establishing risk mitigation plans to aid in endeavours to meet these targets.
This paper focused on how to create a compliance infrastructure and compliance processes that facilitate efficiency, rigour and risk reporting across product, country and legal entities. Our road map included:
- The need to know the firm, its businesses, and the risks within those businesses.
- The benefits of working with the business units and other support functions.
- One way to think about structuring a compliance department.
- The need to create and document the compliance programme which includes: legislative tracking; maintenance and dissemination of compliance policies and procedures; providing compliance training for employees; testing for ongoing compliance with laws, regulations and firm policy; and creating and monitoring corrective action plans.
- Ongoing discussion with business units about current business issues and trends.
This process does not end with a static compliance structure and programme. Constant change, both within the business and imposed by external forces, requires a continuous review and modification cycle in which the risk assessment feeds, and is fed by, the results of each part of the compliance programme.
The next paper in our series will be devoted to rules, policies and procedures. We will look at how compliance departments manage the constant change of regulation and control the dissemination of this information to those in the firm who need to know.
Author Biography:
Linda Wolosz is a Compliance Specialist in the Financial Services practice at QUMAS with expertise in risk-based monitoring and compliance.