Board Oversight of Risk and Compliance in a Changing Regulatory Environment



By Amy Matsuo and Richard Girgenti

Amy Matsuo is a Principal and the National Leader of KPMG LLP’s Regulatory Risk Practice, which advises companies on enterprise-wide compliance, safety and soundness, broker/dealer, asset management, consumer compliance and other regulatory risk management issues. Amy also leads KPMG’s multi-industry compliance transformation solution and is on the firm’s Women’s Advisory Board. She has substantial experience leading and coordinating regulatory advisory engagements across an array of industries.

Richard Girgenti is a Principal in KPMG LLP’s Risk Consulting Group and a former Board Director for KPMG LLP where he Chaired the Ethics and Compliance Committee. He previously served as National and Americas Leader for KPMG’s Forensic Advisory Services. He has more than 40 years of experience conducting investigations and providing risk management and compliance services to clients in the public and private sectors.

The Trump administration has often stated that it plans to roll back regulations in an effort to create a more business friendly environment. Even if that comes to pass, boards of directors will continue to have their work cut out for them in safeguarding their company against regulatory and compliance risk. Indeed, the boards’ responsibilities may just have gotten more challenging.

While the current administration has said it is committed to reducing regulations by 75 percent (as reported in a Jan. 23 Business Insider article, “Trump: We’re going to ‘cut regulations by 75%’ and impose a ‘very major border tax’”), companies will face increasing regulatory demands, not merely at the federal level, but also at the state and global levels, where it is likely that there will be more, not less, regulatory and enforcement activity.

With an uncertain and evolving regulatory landscape, and the ever increasing cost of compliance, boards need to be confident that the company operates in a safe and sound manner. They also need to remain vigilant that the business, risk and compliance functions are addressing current, as well as emerging, risks in a timely manner.

The Board’s Role

In addition to overseeing business strategy and performance, boards are responsible for ensuring that management is doing all that it can to manage risks. For example, the independent directors of Wells Fargo recently commissioned an independent review to examine the root causes of the bank’s sales-practices problems and the associated failures of management oversight.

To help ensure that management is adequately managing risks, boards should do the following:

  • (1) Play a key role in knowing and understanding the risks their company is facing.
  • (2) Challenge senior management by asking hard questions.
  • (3) Hold senior management accountable for addressing (or failing to address) identified risks in a timely and appropriate manner.
  • (4) Understand that corporate culture plays a critical role in preventing and appropriately responding to misconduct.

In fulfilling its responsibilities in a changing regulatory environment, there are a number of questions that a well-informed board needs to be asking:

  •  How is management tracking regulatory changes at the state, federal and global level, and adjusting its risk profile and compliance programs to adapt to emerging and shifting risks?
  •  Is management committed to and creating a culture of integrity and compliance throughout the company?
  •  Is management devoting sufficient resources, with the right tools and technology, to efficiently and effectively manage risk?
  •  How can we (the board) further support compliance accountability, and challenge processes and execution across the three lines of defense?
  •  Is the company’s governance structure (including the board, committees and senior leadership) equipped for the challenges of a changed regulatory environment?

Tracking Regulatory/Compliance Developments

In the current environment, it is possible that the Trump administration may deliver on its promise to ease regulations. And because of a more business-friendly environment, enforcement agencies, like the Securities and Exchange Commission (SEC) and Department of Justice (DOJ), may take a less proactive and aggressive posture with regard to corporate misconduct than we have seen in recent years.

However, while federal regulations may be reduced, they will not go away. And to the extent that regulations are reduced, a company will still need to confirm that its compliance processes have not become outdated and more costly than they need to be. Further, while enforcement priorities may shift, the federal government will certainly remain committed to ensuring that misconduct is prosecuted.

Moreover, many states, including California and New York, are likely to fill any real or perceived gaps in federal regulations and enforcement. In many areas, ranging from investor and consumer protection to environmental and employment and labor law, states have overlapping or parallel jurisdiction.

What’s more, companies conducting business in foreign jurisdictions will need to keep abreast of changes in global regulations, especially considering the Brexit situation. They must also be attentive to increasing global enforcement efforts in places like the European Union, Latin America and Asia.

So keeping track of federal, state and global regulatory and legal obligations will become even more challenging for companies and their boards. To this end, the foundation of a more effective compliance program begins with:

  •  A formalized, and preferably automated, process for developing and maintaining an inventory of laws and regulations that impact the company, and
  •  An automated process that captures regulatory changes and trends, with the capability of adding to, discarding or modifying the inventory, and that allows a company to identify and fill any gaps in its internal controls, policies and procedures.

Unfortunately, most companies rely upon manual and patchwork processes for tracking regulatory change. In a recent KPMG survey, “The compliance journey: Boosting the value of compliance in a changing regulatory environment,” most CCOs noted that the process for managing regulatory change is an area in need of improvement. Specifically, only 22 percent of CCOs surveyed know whether there is a process in place for the board to review regulatory changes, and just 27 percent strongly agree that the compliance function has a change management process in place. Fewer than a third of those surveyed said they had a change management process in place to identify and incorporate changes in laws and regulations. And over 60 percent were unsure whether their technology infrastructure had been adapted to align with regulatory change.

These findings should raise alarms for boards and spur them to focus on ensuring that management is adequately addressing the risks created by regulatory change.

Ensuring a Culture of Integrity and Compliance

Culture is perhaps the most challenging, and most critical, component for creating an effective compliance program and achieving organizational integrity. For most organizations, culture is the “soft stuff”—the hard to define and measure component of a compliance program.

In the KPMG survey of CCOs, strengthening governance and culture was one of their top three challenges. Yet nearly 40 percent of respondents did not know whether, or disagreed that, their line-of-business management took ownership of the compliance culture and agenda. Nearly one-third either did not know whether, or said that in fact, their companies communicated conduct and culture lessons across the organization.

These are not results that boards can afford to neglect or ignore.

When evaluating the effectiveness of a company’s compliance program, regulators are increasingly focused on whether the organization has a strong culture of integrity and compliance. Their findings can have a significant impact on whether they decide to file charges against a company, and on the extent of the sanctions they impose for corporate misdeeds.

Nearly every piece of guidance issued by regulators references the importance of culture, whether promulgated by the DOJ, the Financial Industry Regulatory Authority, the various stock exchanges, or any one of dozens of other agencies. Regulatory authorities universally view culture as an overarching control against misconduct.

For example, recently issued guidance from the DOJ focuses extensively on culture (see “Evaluation of Corporate Compliance Programs,” issued by the DOJ’s Criminal Division). The guidance raises questions about the “words and actions” of top management, how senior leadership has modeled proper behavior and communicated the company’s position when misconduct is identified, and whether adequate guidance and training have been provided to key gatekeepers.

Here are some questions that should guide the board’s discussions with the CCO and senior management:

  • (1) Does the company have a process for measuring and benchmarking culture?
      •  If so, how does it measure and benchmark? Are surveys, workshops or group sessions used? What are the results?
      •  Are internal and external data used to measure changes over time within the company and to provide comparisons to others in similar industries?
      •  Are external chat lines and blogs monitored?
      •  How is the effectiveness of corporate culture programs determined?

  • (2) How does the company promote a culture of integrity within the organization?
      •  Does senior management issue communications that promote culture? If so, what types?
      •  How are culture lessons embedded in training?
      •  Is there a unifying sense of purpose within the company? If so, what is it?

  • (3) Are employees willing to raise issues when they see inappropriate behavior?
      •  Who was aware of incident(s) of misconduct?
      •  Were they silent, or did they raise their hand?
      •  Did their supervisors and managers respond appropriately?
      •  Are employees reporting incidents of misconduct internally, or to outside regulators? If they report to outside regulators, is there something about your corporate culture that is responsible?

Advocating for Right Resources and Technologies

Inevitably, regulators will ask whether the compliance function has adequate resources and appropriate technologies to track and report key performance indicators (KPIs) so it can ensure that programs are operating effectively. Without the right resources and technology, compliance can’t be expected to do its job effectively in today’s business environment.

Nearly every component of the compliance function—from gathering and analyzing regulations, to monitoring and testing, to reporting and investigations, to managing third-party risk—is data driven. Critical compliance data resides throughout the company—in procurement, HR, finance, operations and elsewhere. Compliance must be able to access this data with the right platform in order to analyze it and generate meaningful and useful reports.

Cognitive technology and robotic process automation are among the key technology innovations that can augment the manual processes and human judgments required to transform the compliance function. Harnessing these advancements can allow compliance to move from retrospective to real-time and predictive analytics, turning its efforts from rearview-mirror exercises into forward-looking ones.

While compliance would clearly benefit from the innovations in data capture and analysis that are being used in the operational and finance side of the business, it lags behind far too often. That’s because the compliance and risk functions are frequently—and unfortunately—viewed as cost centers.

The better view is that significant investments in technology for the risk and compliance functions are not just warranted, they’re essential. These investments will generate substantial returns in terms of direct compliance cost savings, as well as fines and penalties that will be avoided or reduced. This ultimately leads to a stronger fiscal foundation for the company and better alignment with a board’s mandate.

In today’s rapidly changing environment, a board’s role in managing risk and compliance has never been more challenging. Yet, there are sensible measures that a well-informed board can take to effectively meet these challenges while, at the same time, helping the company meet its business objectives.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
