by Phyllis L. Harwell, LFI/LBO and Complaints Manager, Board of Governors of the Federal Reserve System
"The current environment certainly presents some fundamental challenges for banking institutions of all types and sizes. Their boards of directors and senior management, who bear the responsibility to set strategy and develop and maintain risk management practices, must not only address current difficulties, but must also establish a framework for the inevitable uncertainty that lies ahead. Notably, the ongoing fundamental transformation in financial services offers great potential opportunities for those institutions able to integrate strategy and risk management successfully, and I will argue that survival will hinge upon such an integration in what I will call a 'strategic risk management framework.'"[1]
[1] Former Governor Randall S. Kroszner, "Strategic Risk Management in an Interconnected World," at the Risk Management Association Annual Risk Management Conference, Baltimore, Maryland, October 20, 2008, and the National Conference on the Securities Industry, New York, New York, October 30, 2008.
On October 16, 2008, the Board of Governors of the Federal Reserve System issued a policy on "Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles."[2] The policy recognizes compliance as a risk for which the principles of sound risk management apply to all banking organizations. It endorses the principles set forth in Basel's April 2005 paper entitled "Compliance and the Compliance Function in Banks" and clarifies Federal Reserve expectations regarding compliance risk management and oversight at certain large, complex banking organizations. While the policy focuses on banking organizations with $50 billion or more in consolidated total assets, smaller entities will find the policy helpful when designing their compliance risk management programs.
The new compliance risk policy highlights and expands upon three key areas noted in the Basel paper: independence of compliance staff, compliance monitoring and testing, and responsibilities of the board of directors and senior management. This article highlights the policy's key principles.
Compliance staff should be independent of the business lines for which they have compliance oversight. Accountability should exist between corporate compliance staff and compliance staff in the business lines. Compliance staff in the business lines should either directly or indirectly report to corporate compliance. In addition, the ultimate authority for compliance matters, compliance staff, and budgeting should reside with corporate compliance to avoid conflicts of interest.
The scope and frequency of monitoring and testing should be based on a comprehensive risk assessment. These risk assessments should be completed for all business lines and staff functions such as human resources, information systems, or other areas responsible for ensuring compliance with applicable laws and regulations, as appropriate. The risk assessments should be based on the overall compliance risk associated with a particular business activity and should consider the inherent level of risk, as well as the controls in place to mitigate the risks. If compliance testing is performed solely by the internal audit function, areas with higher compliance risks should not be adversely affected by overall lower risk ratings of an audit entity.
The board and senior management should ensure that all employees understand the importance of compliance through performance management, compensation, and even disciplinary action, when necessary. The board should ensure that appropriate incentives and compensation are in place to effectively implement the compliance program. In addition, the board should ensure that the corporate compliance function has a prominent status within the organization. Senior management should communicate and reinforce the compliance culture established by the board.
As former Federal Reserve Governor Randall Kroszner stated, institutions must be able to integrate strategy and risk management successfully. Likewise, institutions must be able to integrate compliance risk management, including consumer compliance risks, into their strategy and ultimately their daily operations. Compliance risk management, unlike other types of risks such as market and credit risk, is not easily quantified, a fact that often makes it difficult to monitor and provide adequate reports to senior management and the board of directors.
Nonetheless, supervisory oversight has shown that many larger financial institutions have created models to manage and quantify compliance risks. The models differ among the institutions with regard to compliance risk management and oversight, compliance independence, monitoring activities, and testing activities. While the models were in varying degrees of maturity, none rose to the level of "better practices and expectations" in their totality; however, two important elements of a successful compliance management program stood out: a culture of compliance and a firm-wide risk management approach.
Culture of Compliance. A successful compliance risk management program starts at the "top of the house." The board and senior management set the tone of compliance for the organization. They must convey a culture of compliance not only in words but also in actions. Culture is also evidenced by the organization's risk appetite, the stature of corporate compliance, the emphasis on full compliance, the compensation of compliance staff, and the penalties for noncompliance, to name a few.
Firm-Wide Risk Management. An effective firm-wide risk management program includes aligning risk appetite and strategy, enhancing risk response decisions, reducing losses, and identifying and managing risks across business units or entities. It became evident following the recent economic events that institutions with a firm-wide risk management approach and independent risk management functions fared somewhat better through the economic crisis.
Many financial institutions are engaging in cost-cutting in this tough economic environment. This sometimes results in a reduction in staff in the control functions such as corporate compliance and internal audit. It is important to gauge when reductions are warranted, such as the sale of a business line, versus when the reductions could result in a lack of adequate monitoring and testing and independent oversight. In some cases greater reliance is placed on internal audit to test for compliance if layoffs occur in corporate compliance. As previously mentioned, if compliance testing is performed solely or primarily by the internal audit function, higher risk areas of compliance should not be adversely affected by overall lower risk ratings of an audit entity. In addition, many institutions are outsourcing some compliance functions. All outsourced functions must be closely monitored in the same way institutions monitor any other third-party vendor relationships. The ultimate responsibility for compliance rests with the institution and cannot be delegated to a third party.
In conclusion, a financial institution should establish and promote a strong culture of compliance and implement a firm-wide compliance risk management program. Even during troubling economic times, it is equally or more important to promote compliance enterprise-wide and ensure that the program is effectively executed by all employees. Cutbacks and cost-cutting measures in the short term could ultimately cost the institution more and lead to greater reputational risk in the long term. Specific issues and questions should be raised with the consumer compliance contact at your Reserve Bank or with your primary regulator.
Kenneth Benton, Editor
Copyright 2014 Federal Reserve System. This material is the intellectual property of the Federal Reserve System and cannot be copied without permission.