- Our examiners will be looking to see if registrants have embraced “a culture of compliance [my emphasis],” including enterprise risk management, within their firms.
- A comprehensive approach to enterprise risk management is important for several reasons. For example, inattention to risk management can lead to seemingly minor corner-cutting on compliance issues which eventually snowballs into a serious problem for management and investors.
- And, without a commitment to good governance and risk management, silos can form and the interdependence between risk categories can be overlooked.
- How are the business units of an entity ensuring they are taking and managing risk effectively?
- Are key risk management, control and compliance functions structured and funded to be effectively embedded in the business process?
- How are senior managers ensuring effective oversight of enterprise risk management?
- And how is the internal audit process independently verifying and providing the board and senior management with assurance about the operating effectiveness of the risk management, compliance and control functions?
But more than just funding, compliance activities must be integrated into the ongoing operational processes of the business in order to be effective. The "whack-a-mole" approach of dealing only with the most pressing compliance issue at hand simply won't suffice as we continue to operate in an environment where legislators keep passing new laws, regulators keep issuing new rules, and governmental agencies are committed to aggressively enforcing both those and the existing ones.
The question going forward won't be, "do you have a compliance program?" It will be, "how can you demonstrate your compliance program is effective?" So what are you doing in this area?