
The Real Role of Compliance: Corporate Governance

There have been several times in the last three decades when the ethical behavior of financial institutions has been the center of attention. The most recent concern is triggered by the behavior of non-financial institutions, starting with Enron.

Financial institutions are built on trust. Customers expect high ethical standards from their financial institutions. The Comptroller of the Currency has stressed that customer trust is a bank's most important asset. Most recently, Federal Reserve Board Governor Susan Bies delivered a strong message on corporate governance.

Bies chose ABA's National Regulatory Compliance Conference to deliver a strong message on compliance and corporate governance. The message began with the title: "Strengthening Compliance through Effective Corporate Governance." She set the tone of her message with references to Enron, Worldcom, and HealthSouth. Her question and challenge was: "what were the underlying deficiencies in the internal control processes of these companies that rendered their governance practices ineffective."

Compliance is all about internal control processes. Bies clearly understands that. She referred to the companies named in scandals as having lost their ethical compass. One of the questions that Bies believes every company should ask itself when making decisions is whether the company's reputation will be tainted if word of the actions became public.

The Treadway Commission
Formed in 1985, the National Commission on Fraudulent Financial Reporting, also referred to as the Treadway Commission, generated a report that has become the standard for measuring internal controls. This report provides the basis for most discussions of internal controls and can also be seen as the genesis of risk management.

Bies suggested that revisiting the Treadway Report should be a regular activity for financial institutions. It is a way of re-assessing internal controls and checking the accuracy of the ethical compass.

Compliance Risk Management
Governor Bies outlined four essential elements to a compliance risk management program. First are director and senior management responsibilities. This, she stressed, is more than a list of responsibilities. Moreover, the responsibility of the board and senior management for maintaining effective controls cannot be delegated.

Bies illustrated the ways in which director and management responsibilities must be exercised in order to achieve effective corporate governance. First, the directors and senior management set the tone for compliance in the organization. They have to give more than lip service to the issues. Directors should receive "periodic reports" on the compliance program and on emerging issues. With this information, the board should take actions that give vitality to the compliance program. Bies suggests that the directors should play a role in the design of the compliance program.

The board should also ensure that the compliance program plays a significant role in both strategic plans and product development. Compliance should not be something that is retro-fitted to products, reorganization, and similar decisions. It should be a part of the design and decision-making process.

Directors, states Bies, have the responsibility for overseeing the internal control processes so that they can reasonably expect their directives to be followed. Ultimately, the board is responsible for seeing to it that responsible, skilled, ethical people are hired. Bies also points out that directors should not relax on this responsibility after the hiring decision. Directors have a continuing responsibility to ensure the integrity of management.

Finally, the board and senior management should ensure that the compliance program has the resources it needs, including resources for training of both compliance staff and line staff. The skills and involvement of all staff, from the top down, are essential for a successful program.

Structure
Governor Bies acknowledged that there is no single prototype for a compliance program. But an element that is essential, no matter what the program design, is that compliance officers have access to all operational areas and to the board of directors. This access enables the compliance officer to identify weaknesses, especially those that cross management lines of responsibilities, to report these findings to the board, and to design solutions.

Responsibilities should be clearly defined. The internal controls, on which the compliance program relies, should be the responsibility of line management.

Scope
No compliance program can remain static, because change, from regulations, products, and markets, triggers the need for change in the compliance program. Bies recommended that the board should review and adjust the compliance program at least annually. The compliance program should also be flexible enough to adapt quickly to changes as they occur. This flexibility includes the ability to reallocate resources throughout the year as needs change.

Audits
Bies recommends that the internal audit function perform independent reviews of the effectiveness of the compliance function. This audit should evaluate reports, training, corrective action, implementation of changes, and adequacy of resources.

To ensure independence of audits, the audit function should report directly to the board of directors or its audit committee without the reports being influenced by management.

Sarbanes-Oxley
Bies stated that the message of Sarbanes-Oxley is that each player identified as essential to an effective compliance program must understand and fulfill that role. She explained that the FRB has been looking into the management reports on internal controls for institutions that had significant breaks in controls. The common denominator, she stated, was that these institutions had put the internal controls on auto-pilot. This cannot work. In each of the cases, the FRB found that management was content with the loss of vigor in the process and the external auditor was content simply to collect a fee. In her words, "this is totally unacceptable."

Admonitions
Bies left the audience with several warnings. First, don't assume that what was good enough in the past will be good enough in the future. The compliance officer must be vigilant in keeping the board and senior management aware of change and the risk associated with change.

Second, look to exceptions that you find. Examine where and how these exceptions are identified and what weaknesses they may reflect. An effective manager will also look at the productivity and findings of staff to assess the staff's diligence and skills.

Finally, do not send mixed messages. Send consistent, strong messages for compliance. Confusing or conflicting messages weaken both the message and the compliance program.

ACTION STEPS

  • Take a hard look at your organization and the decisions it has made in the past two years. Consider what you see and determine the direction of your organization's ethical compass.
  • Compare your budget request with what was approved. What does this say about your institution's attitude toward compliance?
  • Review recent audits and examinations to determine what they reflect about your compliance program and its role in the organization.
  • Look at the last several decisions made by your institution to develop new products or redesign existing products. What is the primary motivator for the decisions and what does this say about your institution's ethical compass?
  • Consider what you can do to encourage your institution and its staff to find value in the compliance program.
  • Brief senior management on the concerns expressed by Governor Bies and others.
Copyright © 2003 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 7, 7/03

First published on 07/01/2003
