By Kelly Watson
Kelly Watson is the National Service Group Leader of KPMG’s U.S. Risk Consulting Practice, leading a team of partners and professionals who provide the risk and compliance insights organizations need to protect themselves and grow.
Through executive orders, agency rulemakings, Congressional Review Act votes and other legislation to date, the Trump administration and congressional majority leaders have made clear their intention to jettison or rewrite a number of financial, consumer and environmental regulations.
As Neomi Rao, administrator of the White House Office of Information and Regulatory Affairs, stated in a July 19 Bloomberg article, the White House effort is “reducing the overall regulatory burden on the American people.”
The ultimate impact of these moves remains to be seen, but even if a federal or state regulation is repealed or revised, the related controls within a company’s compliance structure should stay in place. While we operate in a budget-conscious corporate culture, an investment in effective compliance is critical. In fact, the removal of controls could cost the business much more in the long run than the cost of executing those controls.
It’s no revelation to suggest that risk assessment and mitigation should be a primary concern across the enterprise, not only for those whose functions reside across the proverbial three lines of defense (management, the compliance function, and internal audit). In the C-suite, from front office to back, and in the boardroom, risk and compliance must be top-of-mind.
The global financial crisis may essentially be in the rearview mirror, but the lessons (hopefully) learned must endure. The failure to foresee and address the oncoming turbulence is largely attributable to flawed corporate governance frameworks and inadequate board oversight. In this dynamic, internal audit is critical. As a discipline, an impactful internal audit team will help solidify overall internal controls and enhance the risk management process.
As reported in KPMG’s U.S. CEO Outlook for 2017, 77 percent of CEOs said they are focusing on scenario planning rather than specific risk factors. This includes determining how to employ emerging technologies such as artificial intelligence and cognitive automation to improve risk management and compliance effectiveness.
In this very fluid environment, creating and sustaining value for the enterprise, as well as for clients and shareholders, is a critical albeit challenging undertaking. For team members charged with protecting the company's intellectual capital, sensitive data and reputation, it is a tremendous responsibility. Determining the key focus areas is equally challenging.
Risk and compliance professionals in highly regulated industries contend with myriad issues, some born of external developments—regulatory matters, the general geopolitical environment—others that are purely internal—business strategy, employee conduct.
Following are five areas on which we believe the risk and compliance community should concentrate:
See the big picture. At the highest level, staying on top of a deep and rapidly evolving list of global regulations is complicated for even the most experienced compliance officers. For maximum effectiveness, we urge companies to minimize the often disconnected operational structure under which many critical functions now operate. Eliminating the siloed nature of HR, legal, finance and others and integrating them within the broader organization will, in our view, improve coordination, consistency, productivity and accountability for all stakeholders—employees, contractors and third parties.
We also advise companies to consider an investment in process automation. In particular, developing a compliance dashboard to encompass such activities as regulatory change management, investigations and reporting, as well as testing, monitoring and assessment will result in real-time efficiencies.
Finally, we encourage the design and implementation of a formal set of risk and compliance standards. Formalizing these criteria will inform ongoing enhancements and should guide compliance officers in identifying and understanding program gaps. A continual effort to improve the program, including regular monitoring and a focus on root cause analysis, is a must.
A clear understanding of the regulatory climate and any upcoming changes is essential—particularly in highly regulated industries like banking, insurance, utilities and pharma/health care. If the internal audit team does not have the ability to identify, assess and respond, they will not be able to meet the expectations of key internal stakeholders, such as the board and senior management, or external stakeholders, such as the regulators and shareholders.
Compliance should be a prominent part of any risk-based internal audit plan. If compliance appears to be playing a more ancillary role, the audit committee and senior leadership should challenge internal audit to explain why.
Even if certain high-visibility, high-impact regulations are repealed (Dodd-Frank, the fiduciary rule, among others), the existing controls and processes that keep organizations in check vis-à-vis these rules need to remain in force. Internal audit is there to communicate the potential performance-based trade-offs between eliminating controls, which would ostensibly save money, and the business and reputational impact of removing these controls.
Internal audit may not be a revenue center, per se, but this function adds immeasurable value, providing a wide and deep view of an organization’s governance, risk management and operational practices. It is uniquely positioned to identify and provide objective counsel on a variety of issues impacting efficiency, effectiveness and financial performance. Indeed, according to a recent KPMG survey, for which more than 400 CFOs and Audit Committee chairs were interviewed, one of the key ways internal audit should and can add value is by offering insight into emerging risks, like cybersecurity. To that end, the survey found that more than a third of the respondents want internal audit’s informed perspective and guidance on emerging risks, but only 5 percent actually receive it today. That’s a gap that needs to be filled.
Cybersecurity, not surprisingly, remains a big focus for the C-suite, not only as a strategic risk, but also as an opportunity for innovation, as the wave of solutions utilizing artificial intelligence, biometric authentication, blockchain technology and other methodologies indicates. This is particularly prevalent among executives in the most highly regulated sectors, such as financial services and health care.
Indeed, KPMG’s 2017 U.S. CEO Outlook found that chief executives place cybersecurity near the top of their overall concerns. Although we absolutely share this risk-centric concern, we advise companies to also keep cybersecurity clearly in mind as a product development consideration.
As Greg Bell, KPMG’s Global Co-leader of Cyber Security, remarks in the report, “You need to have a cyber program that strategically links to where the business is going. It should be aligned with business growth and customer trust.”
According to the Identity Theft Resource Center (ITRC), the number of U.S. data breaches as of June 30 hit a half-year record high of 791, an increase of 29 percent over the same period in 2016. ITRC estimates the number of breaches could reach 1,500 for the year, which would represent a 37 percent annual increase over 2016, which saw an all-time record high of 1,093.
Of course, no data-intensive industry is insulated from a cyberattack, but two sectors of particular interest to cybercriminals come immediately to mind because of the value of the data these companies collect:
The fight against terrorism and terrorist financing remains a priority at both the federal and state levels.
In the states, regulators are considerably more engaged in this area than ever. For example, the New York Department of Financial Services (NYDFS) now requires a company’s board or a member of senior management to certify that automated systems used to detect money laundering or sanctions breaches are working effectively. NYDFS and local law enforcement may even hold compliance or business leaders personally accountable for program failures.
Foreign banks, especially those that recently established a presence in the U.S., and non-bank financial institutions continue to see enhanced scrutiny. With less mature AML and sanctions programs, many of these players require assistance to satisfy regulatory requirements. Similarly, newer participants in this market that are not directly connected to a regulated financial institution, such as Fintech companies, are also receiving significantly greater attention. New regulations focusing on this small but growing segment of the financial sector could be forthcoming.
In this space, emerging technologies such as intelligent automation and artificial intelligence are being utilized to improve the efficiency and effectiveness of AML and sanctions enforcement work currently done manually by employees who, in many cases, are inexperienced and/or inadequately trained.
In the post-financial crisis economy the operating infrastructure of many companies has evolved to an outsourcing model characterized by contract workers, managed services and other third-party arrangements. This, Bell notes, “disperses risk across a vast network that lives outside of the enterprise.” A stout cybersecurity program is essential to manage these new supply chain risks.
In 2016, the International Organization for Standardization (ISO) released the first international standard—ISO 37001—designed to help organizations prevent and detect bribery and corruption across their global supply chains. ISO 37001 builds upon other forms of existing anti-bribery controls, including the U.S. Sentencing Guidelines, the FCPA Resource Guide, the U.K.’s Ministry of Justice Bribery Act Guidance and the OECD Good Practice Guidance.
ISO 37001 provides guidance on how to implement 10 core anti-bribery principles. It also provides guidance in other areas such as the scope of an anti-bribery management system, how to conduct a bribery risk assessment, roles and responsibilities of the governing body and management, awareness and training, and third-party due diligence.
Legend holds that Robert Baden-Powell, an English soldier and the founding father of youth scouting, coined the motto “Be prepared” in 1907. Good advice for scouts, great advice for risk and compliance officers.
The point is, what the Trump administration ultimately does regarding regulations remains unclear, but risk and compliance officers must meet that uncertainty with resolve and confidence. CEOs are focused on holistic scenario planning, rather than individual or hypothetical risks. One day it may be cybersecurity, the next day it may be outsourcing risk, and the day after that something else. The broad threats and overlapping responsibility across organizations mean vigilance must become part of the DNA of company culture.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.