
The weekly news source for investment management legal and compliance professionals


News February 6 & 13, 2012 Issue

Compliance and Enterprise Risk Management

What's the first step in building your compliance program? You must first define the risks presented by your business. Only through an accurate risk assessment can a successful compliance program be tailored to mitigate and manage those risks.

The day's lead-off panel tackled the issues of enterprise risk management and its role in compliance.

Once risks are identified, then the type of risk must be identified, said Legg Mason chief risk officer Joe Carrier. Is it operational risk? Is it strategic risk? First you define the risk, then you can define risk management, he said. We take the Committee of Sponsoring Organizations ("COSO," www.coso.org, a group providing thought leadership on enterprise risk management) definitions and adapt them to our environment. Then it's about getting everyone within the organization on the same page.

AllianceBernstein independent compliance officer Philip Kirstein agreed. It is very important that everyone both inside and outside the organization gets "married up" with the goal, meaning that clients understand, too.

The enterprise interest in getting it right is critical, said SEC Denver Regional Office associate director Kevin Goodman. "We're not into not taking risk, we're into taking risks in a right, smart, conscious way," said Carrier.

It is important to determine a good structure and process to follow, said OCIE associate director (in charge of adviser examinations) Andrew Bowden. Think about the appropriate allocation of firm resources to risk management.

Ask yourself whether you're avoiding silos and gaps, whether you're promoting free thinking and collaboration among your people, said Goodman. As CCO, are you making sure there are no needless obstacles between you and the people who report up to you?

Senior management is a part of the process.

The CEO's role cannot be overstated, said Kirstein. It is important that the CEO really communicate verbally and in other ways how much they "buy in" to compliance and internal controls.

I look at enterprise risk management across the spectrum, said Carrier. There are 20-person firms and 500-person firms; both can work equally well for their circumstance. It is largely about intent and meeting the spirit of accomplishing risk management.

How do smaller firms tackle risk management and compliance?

In the scenario of a smaller firm it is important to go back to the basics, said Kirstein. To the extent you have the right people, which is very important, the question becomes whether you can create appropriate checks and balances. For example, one person is responsible for the work and another checks the work, and vice versa, he said.

To the extent you can set up independent units, try to do that, said Goodman. Don't put too many roles on one person. Where the staff sees firms getting into trouble is where the legal/compliance function doesn't understand what risk management is doing. The goal is a structure where the risk management function flows into the legal and compliance function, he said.

There are four components of good risk management, said Bowden:

  • Accurately identify your risks.
  • Communicate risks effectively.
  • Adopt policies and procedures to adequately manage the risks.
  • Test to make sure the policies and procedures are being implemented and are working.

Good risk management means looking at things like key man risk that don't fall within a rule or regulation. If you only have one person, my advice is you better go out and get a really good person, someone with the experience and authority to do the job right, said Bowden.

What are effective risk identification practices, and how does a CCO set reasonable expectations for the function?

Be dynamic with your list, said Kirstein. Ensure the risks you're mitigating are current risks: new products, market developments (the European crisis, for example), performance risk, operational risk, regulatory risks, and shareholder or investor complaints regarding performance are all examples of current risks.

There's no one system for identifying risk, said Carrier. There's information and it's always a feel, a business sense. There's a saying, "he that defends everything defends nothing." Risk management involves strategic assessment and strategic deployment of resources. "I'm not going to pull a little girl from in front of a train every day, or run around the firm making sure that absolutely nothing bad happens, that's not realistic," said Carrier.

We started with a nine-square matrix, he said. I should be able to put key metrics of firm operation in one of the squares. We could chase data all day and not get an effective process. One thing we found over time is that the firm's key risks and the key measures of those risks really don't change over time. Once you identify the keys, then you begin to know where to go and how to dig deeper because you build perspective.

After 9/11, folks asked what failed? The FBI? The CIA? It was none of those, he said. What happened was a failure of imagination. We never thought a scenario like that could happen. Don't be captivated by what you have, said Carrier. Think about what you don't have.

The staff has seen a certain smugness in compliance programs that has created a false confidence, said Goodman. Now the staff is seeing conversations across firms that are self-critical and more and more firms are asking what might happen if it doesn't work.

Think about what information you want to collect, said Bowden. Think about what information youíre not collecting and how you want to fill any gaps. Look over time, try to spot trends.

You have the data; it's just a matter of using it, and how.

"Like water will find cracks, problems will find weaknesses in your organization," said Bowden.

This is a fiduciary business, said Kirstein. We are fiduciaries, clients come first. That message has got to be pounded home. At every opportunity, deliver that message to your enterprise. Kirstein said he often refers to a 1992 speech by former SEC Chairman Arthur Levitt, when Levitt was talking about an action involving a rogue employee at Salomon Brothers.

There isn't a set of rules in the world that can't be broken. It doesn't mean the firm is bad, but it will show the firm's character in how it responds. "The firms that do the right thing consistently get rewarded," he said. You've got to ferret out the errors, correct them, and own up.

If a problem involves wrongdoing, said Goodman, consider whether "ill intent" is involved. If a CCO finds a bad actor, that situation must be addressed really strongly to send a clear message, he said.

Some final advice.

Besides the COSO frameworks and guidance, a really good resource on risk management is "The Risk Intelligent Enterprise," put together by Deloitte, said Carrier. It has something for compliance, legal, internal audit, the board, everyone.