When the Trump Administration entered the White House the expectations were that the approach to regulation would be vastly different the President Obama's.
But chief risk officers and chief compliance officers need to keep their focus on issues beyond the immediate political landscape.
FEI Daily Managing Editor Olivia Berkman recently discussed these issues with Kelly Watson, the National Service Group Leader of KPMG’s Risk Consulting Practice, about keeping a long-term perspective of compliance risk and the results gleaned from the firm’s recent CEO Outlook report.
Olivia Berkman: Organizations need to focus on becoming more agile in the face of regulatory changes. How are most organizations managing risk today and what changes will they have to make to become better prepared?
Kelly Watson: While most organizations understand and appreciate the need for automation to improve the efficiency and effectiveness of their compliance and risk management programs, many are reluctant to invest in this automation until they have further clarity resulting in a continued reliance on a lot of manual compliance processes. Some are launching pilot programs to automate compliance and risk activities, however they are still at the beginning of their journey.
The shifting U.S. and global political landscape has brought continued expectations of regulatory and policy change. Companies need to remain vigilant that their business and risk and compliance functions are addressing current, as well as emerging, risks in a timely and efficient manner.
Companies must be agile in the face of this regulatory change in terms of how they are rethinking their business models and keeping abreast of international and external changes and the associated risks. It is critical that the skills, roles and responsibilities within the organization and the technology and data architecture are adapted to this changing landscape.
This said, the foundation of a more effective compliance program should eventually entail:
- A formalized, and automated, process for developing and maintaining an inventory of laws and regulations that impact the company.
- An automated process that captures regulatory changes and trends, with the capability of adding to, discarding or modifying the inventory.
- A robust process and data architecture which can allow for regulatory obligation mapping to the companies’ policies and procedures, as well as internal controls.
- A mechanism to link regulatory change with robust compliance program areas like risk assessment, monitoring and testing and issues management.
Berkman: Out of the five risk areas mentioned in the research, which will require the most attention from CFOs and other financial executives?
Watson: Of the risks areas we highlighted, focusing on the larger compliance picture should top the chief financial officer’s agenda. What this means is that a focus on board and senior management accountability and employee and business conduct, coupled with enhanced capital and more technology choices, is driving an opportunity for investment in data and technology enhancements that will increase integration and automation, and improve the responsiveness of processes to risks and changes. The CFO should focus on the larger compliance picture when considering opportunities to leverage automation to improve efficiency and responsiveness for regulatory filings. Increasingly, we are seeing an intersection between the data needed to report financial information publicly and that required for regulatory filings and internal risk management activities. An efficient and effective data governance program is a critical component to ensuring the integrity of this data.
Berkman: How can boards prioritize which compliance efforts to focus on?
Watson: In fulfilling its responsibilities in a changing regulatory environment, there are a number of questions that boards should be focusing on:
- How can the board further support and prove critical the challenge of compliance accountability, and challenge processes and execution across the company’s three lines of defense (management, the compliance function, and internal audit)?
- Is the company’s governance structure (including the board, committees and senior leadership) equipped for the challenges of a changed regulatory environment?
- How is management tracking regulatory changes and adjusting its risk profile and compliance programs to adapt to emerging and shifting risks?
- Is management committed to and creating a culture of integrity and compliance throughout the company?
- Are the right tools and technology being devoted to the efficient and effective management of risk?
- The board should evaluate whether it has members with necessary in-depth expertise in certain key risk areas (i.e. cyber security). If not, the board should consider whether to add specialists that possess such expertise or to consult with outside specialists on an ad hoc basis when these areas require particular attention.
Berkman: How will internal audit play a role in the effort to prepare for regulatory changes?
Watson: Internal audit should understand upcoming regulatory changes so that it can assess its company’s readiness to address them. As part of the objective of the third line of defense, internal audit should assess the organization’s processes to recognize and react to regulatory changes. The inability of organizations to recognize and react appropriately to regulatory change presents significant risk – accordingly, assuming internal audit is executing against a risk-based plan, key compliance areas should be included in the internal audit plan.
Internal audit should use a risk-based planning process, which should incorporate key emerging risks, including emerging risks from potential or future regulatory changes.
Even if certain regulatory requirements are repealed, internal audit has a responsibility to understand the trade-offs between eliminating controls and the impact of their elimination on business performance. Simply because a requirement is repealed, doesn’t mean the related controls should be removed. The removal of controls could costs the business much more in the long run than the costs of executing these controls. Internal audit should have a point of view and should share it on the elimination of controls with key stakeholders, including the Audit Committee.•