(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)

Fed Official Says Enterprise-Wide View Fosters Adequate Controls

Full-service financial firms offering a wide array of products must take an integrated enterprise-wide approach to risk management in order to improve internal controls, in the view of Federal Reserve Board Governor Susan Schmidt Bies. In remarks at a recent Bond Market Association seminar, Gov. Bies said that the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is in the process of finalizing an enterprise-wide risk management framework under which managers will annually evaluate the risks and controls within their scope of authority and report the results to the chief risk officer and the audit committee.

Once risks have been identified and evaluated as to their potential impact on the organization, she continued, management will determine the effectiveness of existing controls and develop and implement additional appropriate mitigating controls where needed. Moreover, the effectiveness of these controls must be evaluated independently soon after the control structure is established so that any shortcomings can be identified promptly and corrected. Risk assessments initiated early in the planning process can give the firm time to implement mitigating controls and conduct a validation of the quality of those controls.

Gov. Bies emphasized that strong internal controls and good governance require that these assessments be done by an independent group. It is a weakness in controls when management delegates both the development and the assessment of the internal control structure to the same risk management, internal audit, compliance, or legal division. Line management has the responsibility for identifying risks and ensuring that the mitigating controls are effective, she explained, and the assessments should be done by a group independent of that line organization.

An enterprise-wide compliance program looks at and across business lines and activities of the organization as a whole to consider how activities in one area of the firm may affect the legal and reputational risks of other business lines and the enterprise as a whole. It considers how compliance with laws, regulations, and internal policies and controls should be enhanced or changed in response. As a result, noted Gov. Bies, compliance is conducted on a comprehensive, holistic basis and not in silos where risks are considered in isolation.

Since the ability to assess risks across the enterprise depends heavily on the quality and timeliness of information, posited the Fed official, the compliance function must ensure that controls and procedures capture the appropriate information to allow senior management and the board to better perform their risk management functions. In this context, she continued, the enterprise-wide compliance function should look at what is being reported to the board, the audit committee, and senior management regarding new or changed controls. There must be an effective mechanism for reporting control failures. Importantly, the compliance function should have a direct line to the general counsel through which it can report concerns and needed improvements to controls.

More broadly, Gov. Bies said that a culture of compliance should be established by the "tone at the top" of the organization as senior management moves from thinking about compliance as a cost center to considering the benefits of compliance in protecting against legal and reputational risks that can have an impact on the bottom line. The board and senior management must demonstrate their commitment through their individual conduct and their response to control failures. Similarly, the message and corresponding conduct should empower line staff to elevate ethical or reputational concerns to appropriate levels of management without fear of retribution.

Finally, Gov. Bies said that internal audit must review the enterprise-wide compliance program to determine if it is accomplishing the firm's stated objectives, and if it is adequately staffed, in light of growth, changes in the firm's business mix, new customers, strategic initiatives, and reorganizations. Internal audit should evaluate the firm's adherence to its own compliance and control processes and assess the adequacy of those processes in light of the complexity and legal and reputational risk profile of the organization.

To do this, reasoned Gov. Bies, internal audit must be staffed with personnel who have the necessary skills and experience to report on compliance with financial institution policies and procedures. Internal audit should test transactions to validate that business lines are complying with the firm's standards and report the results of that testing to the board or audit committee.