Five Crucial Risk and Compliance Considerations During the Trump Administration

Companies Need to Create a Holistic Ecosystem for Threat Management
By Kelly Watson

Kelly Watson is the National Service Group Leader of KPMG’s U.S. Risk Consulting Practice, leading a team of partners and professionals who provide the risk and compliance insights organizations need to protect themselves and grow.

Whether through executive order, agency rulemakings, Congressional Review Act votes and other legislation to date, the Trump administration and congressional majority leaders have made clear their intention to jettison or rewrite a number of financial, consumer and environmental regulations.

As Neomi Rao, administrator of the White House Office of Information and Regulatory Affairs, stated in a July 19 Bloomberg article, the White House effort is “reducing the overall regulatory burden on the American people.”

The ultimate impact of these moves remains to be seen, but even if a federal or state regulation is repealed or revised, the related controls within a company’s compliance structure should stay in place. While we operate in a budget-conscious corporate culture, an investment in effective compliance is critical. In fact, the removal of controls could cost the business much more in the long run than the cost of executing those controls.

It Not Only Takes a Village, It Takes an Enterprise

It’s no revelation to suggest that risk assessment and mitigation should be a primary concern across the enterprise, not only for those whose functions reside across the proverbial three lines of defense (management, the compliance function, and internal audit). In the C-suite, from front office to back, and in the boardroom, risk and compliance must be top-of-mind.

The global financial crisis may essentially be in the rearview mirror, but the lessons (hopefully) learned must endure. The failure to foresee and address the oncoming turbulence is largely attributable to flawed corporate governance frameworks and inadequate board oversight. In this dynamic, internal audit is critical. As a discipline, an impactful internal audit team will help solidify overall internal controls and enhance the risk management process.

As reported in KPMG’s U.S. CEO Outlook for 2017, 77 percent of CEOs said they are focusing on scenario planning rather than specific risk factors. This includes determining how to employ emerging technologies such as artificial intelligence and cognitive automation to improve risk management and compliance effectiveness.

In this very fluid environment, creating and sustaining value for the enterprise, as well as for clients and shareholders, is a critical albeit challenging undertaking. For team members charged with protecting the company’s intellectual capital, sensitive data and reputation, it is a tremendous responsibility. Determining the key focus areas is equally challenging.

Top Five Considerations for Risk and Compliance Officers

Risk and compliance professionals in highly regulated industries contend with myriad issues, some born of external developments—regulatory matters, the general geopolitical environment—others that are purely internal—business strategy, employee conduct.

Following are five areas on which we believe the risk and compliance community should concentrate:

1. Don’t Miss the Compliance Forest While Chopping Down the Trees

See the big picture. At the highest level, staying on top of a deep and rapidly evolving list of global regulations is complicated for even the most experienced compliance officers. For maximum effectiveness, we urge companies to minimize the often disconnected operational structure under which many critical functions now operate. Eliminating the siloed nature of HR, legal, finance and others and integrating them within the broader organization will, in our view, improve coordination, consistency, productivity and accountability for all stakeholders—employees, contractors and third parties.

We also advise companies to consider an investment in process automation. In particular, developing a compliance dashboard to encompass such activities as regulatory change management, investigations and reporting, as well as testing, monitoring and assessment will result in real-time efficiencies.

Finally, we encourage the design and implementation of a formal set of risk and compliance standards. Formalizing these criteria will inform ongoing enhancements and should guide compliance officers in identifying and understanding program gaps. A continual effort to improve the program, including regular monitoring and a focus on root cause analysis, is a must.

2. Recognize Internal Audit’s Critical Role in Regulatory Change Management

A clear understanding of the regulatory climate and any upcoming changes is essential—particularly in highly regulated industries like banking, insurance, utilities and pharma/health care. If the internal audit team does not have the ability to identify, assess and respond, they will not be able to meet the expectations of key internal stakeholders, such as the board and senior management, or external stakeholders, such as the regulators and shareholders.

Compliance should be a prominent part of any risk-based internal audit plan. If compliance appears to be playing a more ancillary role, the audit committee and senior leadership should challenge internal audit to explain why.

Even if certain high-visibility, high-impact regulations are repealed (Dodd-Frank, the fiduciary rule, among others), the existing controls and processes that keep organizations in check vis-à-vis these rules need to remain in force. Internal audit is there to communicate the potential performance-based trade-offs between eliminating controls, which would ostensibly save money, and the business and reputational impact of removing these controls.

Internal audit may not be a revenue center, per se, but this function adds immeasurable value, providing a wide and deep view of an organization’s governance, risk management and operational practices. It is uniquely positioned to identify and provide objective counsel on a variety of issues impacting efficiency, effectiveness and financial performance. Indeed, according to a recent KPMG survey, for which more than 400 CFOs and Audit Committee chairs were interviewed, one of the key ways internal audit should and can add value is by offering insight into emerging risks, like cybersecurity. To that end, the survey found that more than a third of the respondents want internal audit’s informed perspective and guidance on emerging risks, but only 5 percent actually receive it today. That’s a gap that needs to be filled.

3. Innovate Around Cybersecurity

Cybersecurity, not surprisingly, remains a big focus for the C-suite, not only as a strategic risk, but also as an opportunity for innovation, as the wave of solutions utilizing artificial intelligence, biometric authentication, blockchain technology and other methodologies indicates. This is particularly prevalent among executives in the most highly regulated sectors, such as financial services and health care.

Indeed, KPMG’s 2017 U.S. CEO Outlook found that chief executives place cybersecurity near the top of their overall concerns. Although we absolutely share this risk-centric concern, we advise companies to also keep cybersecurity clearly in mind as a product development consideration.

As Greg Bell, KPMG’s Global Co-leader of Cyber Security, remarks in the report, “You need to have a cyber program that strategically links to where the business is going. It should be aligned with business growth and customer trust.”

According to the Identity Theft Resource Center (ITRC), the number of U.S. data breaches as of June 30 hit a half-year record high of 791, an increase of 29 percent over the same period in 2016. ITRC estimates the number of breaches could reach 1,500 for the year, which would represent a 37 percent annual increase over 2016, which saw an all-time record high of 1,093.

Of course, no data-intensive industry is insulated from a cyberattack, but two sectors of particular interest to cybercriminals come immediately to mind because of the value of the data these companies collect:

  • Financial Services. With financial relationships going increasingly mobile, attention to and spending on cybersecurity are increasing rapidly among banking, insurance and investment companies. KPMG recently hosted an IT Risk Management Share Forum with some of the largest New York-based financial firms. Most are focused on managing the current regulatory environment and recent regulatory changes and enhancing existing programs to make them more efficient and insightful. The discussion appears to be in the realm of “business as usual,” with an emphasis on maintaining and/or enhancing current cyber risk programs rather than transforming their response to these threats. We would urge companies to explore all avenues and potential safeguards, both existing and emerging.
  • Health Care. According to ITRC’s mid-year report, the health-care sector accounted for nearly 23 percent of all data breaches. Over the past year, there have been at least a dozen publicly reported ransomware breaches at hospitals, and more than 90 percent of hospitals suffered a breach in the past two years, per the Institute for Critical Infrastructure Technology, a Washington, D.C.-based cybersecurity think tank. KPMG’s 2017 Cyber Healthcare & Life Sciences Survey found that 47 percent of health-care providers and health plans surveyed said they had instances of security-related HIPAA (Health Insurance Portability and Accountability Act) violations or cyber-attacks that compromised data, compared with 37 percent in KPMG’s 2015 survey. While medical devices have been used in health care for years, the related security and controls have only recently become a focus. Events like the WannaCry attack in May of this year, which affected at least 150 countries, according to CNBC, and the 2015 Anthem breach, which exposed the data of nearly 80 million patients, highlight the importance of cybersecurity for this sector.

4. Global Terrorism Underscores Need for Proactive Anti-Money Laundering (AML) Programs

The fight against terrorism and terrorist financing remains a priority at both the federal and state levels.

In the states, regulators are considerably more engaged in this area than ever. For example, the New York Department of Financial Services (NYDFS) now requires a company’s board or a member of senior management to certify that automated systems used to detect money laundering or sanctions breaches are working effectively. NYDFS and local law enforcement may even hold compliance or business leaders personally accountable for program failures.

Foreign banks, especially those that recently established a presence in the U.S., and non-bank financial institutions continue to see enhanced scrutiny. With less mature AML and sanctions programs, many of these players require assistance to satisfy regulatory requirements. Similarly, newer participants in this market that are not directly connected to a regulated financial institution, like Fintech companies, are also receiving significantly greater attention. New regulations focusing on this small but growing segment of the financial sector could be forthcoming.

In this space, emerging technologies such as intelligent automation and artificial intelligence are being utilized to improve the efficiency and effectiveness of AML and sanctions enforcement work currently done manually by employees who, in many cases, are inexperienced and/or inadequately trained.

5. Risk From Outside the Organization

In the post-financial crisis economy the operating infrastructure of many companies has evolved to an outsourcing model characterized by contract workers, managed services and other third-party arrangements. This, Bell notes, “disperses risk across a vast network that lives outside of the enterprise.” A stout cybersecurity program is essential to manage these new supply chain risks.

In 2016, the International Organization for Standardization (ISO) released the first international standard—ISO 37001—designed to help organizations prevent and detect bribery and corruption across their global supply chains. ISO 37001 builds upon other forms of existing anti-bribery controls, including the U.S. Sentencing Guidelines, the FCPA Resource Guide, the U.K.’s Ministry of Justice Bribery Act Guidance and the OECD Good Practice Guidance.

ISO 37001 provides guidance on how to implement 10 core anti-bribery principles. It also provides guidance in other areas such as the scope of an anti-bribery management system, how to conduct a bribery risk assessment, roles and responsibilities of the governing body and management, awareness and training, and third-party due diligence.

Be Prepared

Legend holds that Robert Baden-Powell, an English soldier and the founding father of youth scouting, coined the motto “Be prepared” in 1907. Good advice for scouts, great advice for risk and compliance officers.

The point is, what the Trump administration ultimately does regarding regulations remains unclear, but risk and compliance officers must meet that uncertainty with resolve and confidence. CEOs are focused on holistic scenario planning, rather than individual or hypothetical risks. One day it may be cybersecurity, the next day it may be outsourcing risk, and the day after that something else. The broad threats and overlapping responsibility across organizations mean vigilance must become part of the DNA of company culture.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.