Integrating Corporate Compliance Programs into Enterprise Risk Management Programs

Transcription

1 Integrating Corporate Compliance Programs into Enterprise Risk Management Programs Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Presenters Rick Moyer, CIA Senior Associate Vice President and Chief Risk Officer, Stanford University Mike Somich Director, Baker Tilly Retired Executive Director, Office of Audit, Risk and Compliance, Duke University 2 1

2 Objectives Understand an ERM process and the way a compliance program fits into it Explore the structure of an ERM program and comparing it to a mature compliance program Identify the places where risk tolerance enter into decision made when developing a compliance program and ways a current program could begin to mature 3 Compliance Programs Federal Sentencing Guidelines > Provides outline for an effective compliance program > Not prescriptive on how it should be designed > Must determine how meeting guidelines fits into institution organization > Must decide how institution will effectively meet the guideline based on size of institution o If large research institution, program will need to be more detailed and specific o If a smaller institution, rigor may be focused on a few key compliance risk areas with other focus at a high level > One size does not fit all 4 2

3 Compliance Programs Elements of the Federal Sentencing Guidelines > Prevent and detect criminal conduct > Management informed of program > Insure engagement of employees in ethical conduct > Communicate standards to board, senior leaders, managers and employees > Monitor; evaluate program periodically; hot line > Enforce program; consequences > Remediate problems 5 Develop Framework Four Levels of Participation Governance Program Design and Management Risk Ownership Audit 6 3

4 Organizational participation - Governance Usually assigned to Audit Committee (AC) Must understand program Annually review program Board Must oversee program Annually approve high risk items Receive reports on monitoring plans Involved in overseeing significant governmental investigations and institution response 7 Organizational participation - Governance Administrative report of the Chief Compliance Officer (CCO) Approves suggested program changes annually and recommends approval to AC Senior Leaders Oversees the management of the program Reviews recommendation of high compliance risk items, Approves and recommends AC approval Receives reports of monitoring activities before reported to AC Involved with significant investigations to insure institutional perspectives are considered 8 4

5 Organizational participation Program Development and Management Program Framework Design (Could be performed by committee before CCO is hired) Providing umbrella over the decentralized compliance activities on campus Defines responsibilities of those managing a compliance activity Compliance managers have a dotted line to CCO Chief Compliance Officer Leads annual compliance risk assessment process Oversees monitoring activities of compliance managers Presents results of monitoring activities to senior leadership and AC Manages process of government investigations 9 Organizational participation Risk Ownership Each compliance risk has an owner and manager Compliance risk owner Compliance risk manager One of the senior leaders of the institution Has the ability to set the risk tolerance on the risk for the institution Education Risk assessment Monitoring Reporting Remediation 10 5

6 Organizational participation Audit Function Department (vertical) Audit Function performed by Internal Audit Responsibility to IA based on risk Reports delivered to senior leaders, AC Compliance process (horizontal) Specific grants (focused) 11 Compliance Programs - Conclusion > The previous slides highlight responsibilities > The design and extent and depth of procedures will be based on risk, size, culture > Annual reassessment of framework allows changes to be made to respond to changes in federal grants, law changes, institutional changes > One size does not fit all 12 6

7 Enterprise Risk Management (ERM) Types of risk assessments: Strategic Operating Financial Compliance 13 ERM organizational responsibilities Board Full board aware of the ERM process Assigns oversight to AC Annual approval of management recommendation of risk management process for the next year Option to report strategic risks to full board rather than AC Receives annual assessment of strategic risk If reported to AC, then the report of strategic risk goes to full board annually Could alternate presentations each year 14 7

8 ERM organizational responsibilities Answer question who can set risk tolerance? Identify risk owners Who can make an institutional decision on risk tolerance? Identify risks that have the largest potential impact on the organization Senior Leaders President, as ultimate risk owner, makes presentation to the AC (or full board) of strategic risks Oversee the risk assessments of operating, financial and compliance ensuring the annual risk management process is followed Oversee the assessment of mitigation strategies and approve changes 15 ERM organizational responsibilities Lead risks assessments of their area of responsibility Report assessment results to the senior leadership Vice Presidents (operational, financial, compliance) Risk Managers Lead the review of the mitigation strategies Recommend changes in mitigation strategies Once approved, implement changes in mitigation strategy Manage the risk day to day 16 8

9 Frequency of reporting Annual Periodic Biannual > Strategic Risk best practice > Compliance considered necessary under Federal Guidelines > Based on the organization s desire > Some consider annual appropriate > Pro constant process > Con takes significant time and the changes in a year are often not significant > Pro better use of resources > Con something may happen in two years > Mitigate this con by holding meeting with CRO (or equivalent) and VP to discuss whether changes to heat map have occurred. If so, they are reported to the senior leadership with plans to address. 17 Compliance vs. ERM Outside Guiding Principles Compliance Federal Sentencing Guidelines Guidance not prescriptive Interpretation of what fits organization ERM None, rating agency expectations Guidance not prescriptive Interpretation of what fits organization 18 9

10 Compliance vs. ERM Board s Role Compliance Understand program Oversee program Assign oversight to Audit Committee Annually review and approve program Approve high risk compliance items Receive monitoring reports on high risk items ERM Understand program Oversee program Assign oversight to Audit Committee Annually review and approve ERM process Receive report of strategic risks Board or a committee monitors strategic risks 19 Compliance vs. ERM Senior Leaders (SL) Compliance CCO reports administratively to SL Approves program changes annually Receives recommendation of high risk items and approves Receives monitoring reports ERM CRO reports administratively to SL Approves annual ERM plan Receives risk assessments of operational, financial and compliance people Receives reports on mitigation strategies and recommendations for changes 20 10

11 Compliance vs. ERM Vice Presidents/Compliance Risk Managers Compliance Leads risk assessment in this area Reports results to SL Leads review of mitigation strategies Recommends changes to mitigation strategies Implements changes to mitigation strategies Manages the risk day to day ERM Education Risk assessment Monitoring Reporting Remediation 21 Observations If you adopt the COSO model, since compliance is a level of risk, it would be logical that the structure for compliance would parallel ERM. However: > Common practice is they are not developed at the same time > History is hard to break > Both ERM and compliance programs often do not define senior leader role and responsibility > Decentralized environments > Difficulty in defining who manages what 22 11

12 Benefits of coordination > Board responsibility consistent and defined > Senior Leader involvement defined Definition of risk owners and setting institutional risk tolerance Encourages them to be more engaged in the processes > Aligns risk manager responsibilities Whether ERM risk manager Or compliance risk manager Consistent across the institution > Overall Improves culture; makes it more consistent Involves more people in decisions earlier More points of view considered Risk considered in decisions at all phases of decision making 23 Maturing a compliance program using risk > Early stage of compliance program Define formal program Identify risk owners Compliance risk managers o Identify what is being done o Identify what should be done o Teach those who do to make work consistent > Infancy stage 24 12

13 Maturing a compliance program using risk > Each compliance manager assesses risk (impact and probability > Chief Compliance Officer and others evaluate responses and recommend to SL top ten compliance risks > These are the requirements we have to meet; we have to do well; we cannot accept errors > Look at process managing these areas Using resources to mitigate areas of greatest risk Tighten processes to mitigate risk Assure process controls in place to detect errors Monitor > Moving forward in maturity 25 Maturing a compliance program using risk > Senior Leaders receive reports of monitoring results; understand the program > Over time, less time needed to talk about these routine items > Discussion morphs to emerging compliance issues/risks > Example - Institutional Conflict of Interest > Number of meetings can decrease > Breadth of committee can increase > Increasing maturity 26 13

14 Maturing a compliance program using risk Delivering value > Many compliance processes developed by middle management > Generally risk adverse > Processes over-engineered > Opportunity With SL input on risk tolerance in place Sync process with risk tolerance, reducing burden to researchers Align monitoring activity with risk tolerance > Reaching a high level of maturity Addressing issues of noise in the organization Aligning resources used with risk Involving those affected by the problem in the solution Opens productive discussions on other issues that can benefit the institution 27 Q&A 28 14

15 Contact information MIKE SOMICH DIRECTOR RICK MOYER, CIA SENIOR ASSOCIATE VICE PRESIDENT AND CHIEF RISK OFFICER