Sunday, May 1, 2011

Insight from the SEC

In preparing for a presentation I have coming up, I ran across a speech SEC Chairman Mary Schapiro gave on March 23, 2011 to the Securities Industry and Financial Markets Association's (SIFMA) Compliance and Legal Society Annual Seminar. While her remarks were certainly aimed at the financial industry, I found them to be relevant to all compliance professionals. Here are just a few snippets for your consideration:
  • Our examiners will be looking to see if registrants have embraced “a culture of compliance [my emphasis],” including enterprise risk management, within their firms.
  • A comprehensive approach to enterprise risk management is important for several reasons. For example, inattention to risk management can lead to seemingly minor corner-cutting on compliance issues which eventually snowballs into a serious problem for management and investors.
  • And, without a commitment to good governance and risk management, silos can form and the interdependence between risk categories can be overlooked.
Further, she elaborated that going forward, their examiners intend to focus on understanding how risk management is embedded in key business processes and decision-making at a number of levels. They will be asking questions such as:
  • How are the business units of an entity ensuring they are taking and managing risk effectively?
  • Are key risk management, control and compliance functions structured and funded to be effectively embedded in the business process?
  • How are senior managers ensuring effective oversight of enterprise risk management?
  • And how is the internal audit process independently verifying and providing the board and senior management with assurance about the operating effectiveness of the risk management, compliance and control functions?
These comments resonated with me, because this is also what I am hearing from our most forward-thinking clients and from industry analysts. The compliance function is growing up - and it needs to be funded appropriately in order to be effective. Tom Fox, a recognized expert in the FCPA, retells a great anecdote he heard from a former prosecutor: When told by a company identified as violating a compliance regulation that they properly fund the compliance effort, the prosecutor would simply ask, "how much did you spend last year on paper clips/Post-It notes?" If greater than the funding for the compliance department/function, the company would inevitably find itself in more trouble.

But more than just funding, compliance activities must be integrated into the ongoing operational processes of the business in order to be effective. The "whack a mole" approach to dealing with the most pressing compliance issue at hand simply won't suffice as we continue to operate in an environment where governmental agencies are committed to issuing new legislation and aggressively enforcing those and existing laws.

The question going forward won't be, "do you have a compliance program?" It will be, "how can you demonstrate your compliance program is effective?" So what are you doing in this area?