I'm reviewing a lot of Risk Management material for Sarbanes-Oxley, FDICIA, Risk-based exams, etc. The common thread in all of these is the importance of the "tone from the top."
It makes me want to puke because the tone I see at the top is one that doesn't want to be bothered with "silly rules." The only time these guys get religion is when a regulator slaps 'em with a hefty CMP and makes each board member sign an MOU or C&D.
But who gets caught in the cross-fire? Compliance Officers who are just trying to make sure their shop is doing the right thing.