(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)
Fed Official Says Enterprise-Wide View Fosters Adequate Controls
Full-service financial firms offering a wide array of products must take an integrated enterprise-wide approach to risk management in order to improve internal controls, in the view of Federal Reserve Board Governor Susan Schmidt Bies. In remarks at a recent Bond Market Association seminar, Gov. Bies said that the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is in the process of finalizing an enterprise-wide risk management framework under which managers will annually evaluate the risks and controls within their scope of authority and report the results to the chief risk officer and the audit committee.
Once risks have been identified and evaluated as to their potential impact on the organization, she continued, management will determine the effectiveness of existing controls and develop and implement additional appropriate mitigating controls where needed. Moreover, the effectiveness of these controls must be evaluated independently soon after the control structure is established so that any shortcomings can be identified promptly and corrected. Risk assessments initiated early in the planning process can give the firm time to implement mitigating controls and conduct a validation of the quality of those controls.
Gov. Bies emphasized that strong internal controls and good governance require that these assessments be done by an independent group. It is a weakness in controls when management delegates both the development and the assessment of the internal control structure to the same risk management, internal audit, compliance, or legal division. Line management has the responsibility for identifying risks and ensuring that the mitigating controls are effective, she explained, and the assessments should be done by a group independent of that line organization.
An enterprise-wide compliance program looks at and across business lines and activities of the organization as a whole to consider how activities in one area of the firm may affect the legal and reputational risks of other business lines and the enterprise as a whole. It considers how compliance with laws, regulations, and internal policies and controls should be enhanced or changed in response. As a result, noted Gov. Bies, compliance is conducted on a comprehensive, holistic basis and not in silos where risks are considered in isolation.
Since the ability to assess risks across the enterprise depends heavily on the quality and timeliness of information, posited the Fed official, the compliance function must ensure that controls and procedures capture the appropriate information to allow senior management and the board to better perform their risk management functions. In this context, she continued, the enterprise-wide compliance function should look at what is being reported to the board, the audit committee, and senior management regarding new or changed controls. There must be an effective mechanism for reporting control failures. Importantly, the compliance function should have a direct line to the general counsel through which it can report concerns and needed improvements to controls.
More broadly, Gov. Bies said that a culture of compliance should be established by the "tone at the top" of the organization as senior management moves from thinking about compliance as a cost center to considering the benefits of compliance in protecting against legal and reputational risks that can have an impact on the bottom line. The board and senior management must demonstrate their commitment through their individual conduct and their response to control failures. Similarly, the message and corresponding conduct should empower line staff to elevate ethical or reputational concerns to appropriate levels of management without fear of retribution.
Finally, Gov. Bies said that internal audit must review the enterprise-wide compliance program to determine if it is accomplishing the firm's stated objectives, and if it is adequately staffed, in light of growth, changes in the firm's business mix, new customers, strategic initiatives, and reorganizations. Internal audit should evaluate the firm's adherence to its own compliance and control processes and assess the adequacy of those processes in light of the complexity and legal and reputational risk profile of the organization.
To do this, reasoned Gov. Bies, internal audit must be staffed with personnel who have the necessary skills and experience to report on compliance with financial institution policies and procedures. Internal audit should test transactions to validate that business lines are complying with the firm's standards and report the results of that testing to the board or audit committee.