A Valuable Tool to Understand and Manage Your Compliance Risks

management (ERM) programs. The solution? An enterprisewide compliance risk assessment, which provides the board of directors and management with a strong framework to identify risks across all compliance activities. A comprehensive approach is more effective and cost-efficient,
The current times might be thought of as a “zero-tolerance era” for business. Criminal charges are being filed more frequently than in the past. Watching the mighty fall — a successful tastemaker like Martha Stewart, a once-lauded company such as Enron — never ceases to catch the public’s imagination. In this climate, even seemingly innocuous oversights in compliance can be whipped up by aggressive prosecutors and the media into reputation-damaging crises.
The current landscape compels companies to broaden their scope beyond narrow and legalistic approaches to compliance. To meet the expectations of regulators, an organization is well-advised to adopt a risk-based framework. An enterprisewide compliance risk assessment (EWCRA) provides a comprehensive evaluation of risks within relevant departments and across business lines.
The benefits include improved understanding of overall compliance risks by management and the board of directors, alignment of risk management activities with risks, and better monitoring and reporting of compliance risks, including aggregation of risks across the organization. EWCRA is a component of ERM, both of which can strengthen corporate governance.
Challenges
Regulators, reflecting the mood of the public and politicians, are less forgiving today. Large fines and headlines have stung some companies. But the larger price is less tangible: distraction from achieving strategic objectives such as mergers and acquisitions. Being in the regulatory doghouse can limit growth plans.

Whereas compliance used to be relatively cut-and-dried, regulators now ask companies to begin with a thorough risk assessment. The management team is expected to understand the wide range of regulatory risks affecting the company, evaluate which parts of the overall business are more vulnerable to specific risks, and then devote greater attention to monitoring and mitigating areas of higher risk. Without a well-coordinated approach to compliance, important risks can and will fall through the cracks.

Company executives are realizing the need for consistent, across-the-board methodologies to evaluate regulatory compliance and to prioritize risks. The majority of large U.S. companies have numerous frameworks, models, and controls to assess and monitor risks. The lack of a cohesive approach hinders a comprehensive view. As a result, chief compliance officers, executives, and directors lack a unified perspective of whether all significant lines of business and affiliate organizations are in compliance with a multitude of regulations.
In general, compliance functions have not reached the comparatively sophisticated approach that auditors employ. Many internal audit groups have used a risk-based methodology for a decade or more. A risk-based approach sets priorities and devotes a larger percentage of monitoring resources where needs are greater. In contrast, a “siloed” approach to compliance results in wasted effort and uneven quality. Gaps in regulatory compliance are more likely to appear when cookie-cutter approaches are used to address specific challenges.
Compliance monitoring at many companies isn't based on risk. In many cases, a compliance employee tests an area because systems are in place to test it, not because it presents greater risk; addressing the functions of greatest risk is usually not part of the job description. Company attorneys can and do provide valuable compliance guidance, but legal teams typically lack the process orientation and technology skills needed to design improved risk-based systems. Because regulatory scrutiny has risen, demand for compliance talent with a risk-based focus has grown. A shortage of seasoned talent leads many companies to look outside to fill the gaps and to help re-engineer regulatory compliance processes.
Solutions
Setting up an enterprisewide framework to manage compliance risks is one way to improve use of existing compliance resources. Risk assessment can be built into existing activities, thereby turning ad hoc processes into collaborative and sustainable workflows. The EWCRA framework (Figure 1) offers a comprehensive view of all compliance risks, no matter how complex the business lines or how far-flung the offices and employees. The framework encompasses:
- Measuring an organization's risk across all compliance activities;
- Operating as a tool to drive consistency;
- Functioning as a common body of knowledge;
- Aggregating risks across the entire organization, and reporting collectively on risks; and
- Providing senior executives with an integrated approach to prioritize higher and lower risks to the organization.
Figure 1: EWCRA Framework. The figure shows the six elements as a cycle resting on a Risk Management Infrastructure: Understand Environment; Assess Compliance Risk (Inherent Risks, Residual Risks, Planned Risks); Compliance Risk Strategy; Implement Response/Controls; Monitor; and Information and Communication.
The framework is logically part of a larger framework for ERM. An organization may, for example, use EWCRA as a stepping stone to develop ERM, or integrate EWCRA with existing ERM activities. Both EWCRA and ERM are ongoing processes intended to strengthen corporate governance.
The EWCRA framework was designed to reinforce the ERM integrated model developed for the Committee of Sponsoring Organizations of the Treadway Commission (COSO). While the COSO ERM framework has eight components, the EWCRA framework has six key elements. For more about the COSO ERM model, visit http://www.crowechizek.com and download "Compliance Overload Drives Interest in ERM." Here is a closer look at each of the key EWCRA components:
Step One: Understand Environment
Lack of understanding can lead to inefficient use of limited compliance resources. Understanding an organization’s culture requires assessing numerous internal and external factors. What is the organization’s cultural view of compliance? How does that view affect strategic planning and management activities? Answering these and other questions leads to explorations of the interaction of EWCRA with organizational structure, customers, products and services, technology, and human resources.
Step Two: Assess Compliance Risk
This step allows the management team to identify events and potential effects on the ability to meet strategic objectives. The extent of influence (Figure 2) is measured on perpendicular axes: significance and likelihood. The impact is measured through a combination of qualitative and quantitative methods, and becomes increasingly precise as the EWCRA process matures.
The assessment first is performed based on the inherent risks of noncompliance with regulations (i.e., without consideration of the impact of existing controls). Starting this way identifies particular controls most likely to ensure compliance. The assessment then can be performed again, this time giving consideration to the design and operating effectiveness of key controls. Reassessment yields residual risk to the organization. The hope is that, while inherent risks might be rated high initially, residual risks are reduced.
Figure 2: Targeting Areas of High Risk (the matrix is reproduced after Step Four)
Step Three: Compliance Risk Strategy
Not all risks — including compliance risks — have equal “weight” or importance. Once a risk assessment is completed, management decides on a strategy to respond with resources appropriate to manage the risk. Basically, there are four broad responses: avoidance, sharing, reduction, and acceptance of risk. Each of these strategies results in differing responses to managing risk.
Because of prohibitive economics, not every risk can or should be guarded against. Reducing risk to zero probably means spending too much, and reducing, if not eliminating, profitability. Thus, the well-known saying, “no risk, no reward.”
Step Four: Implement Response/Controls
What process helps ensure that management's chosen responses to individual risks are actually carried out? Controls. They make a response repeatable by keeping the key steps of the process operating as designed, rather than depending on someone remembering to act.
Managers need to balance the cost of controls with the benefits to be derived. For example, more critical risks usually require automated and preventive controls. On the other hand, manual or detective controls may be used for areas of reduced risk.
Figure 2: Targeting Areas of High Risk

Rows are significance, columns are likelihood. Each cell shows the figure's rank (1 = bottom left, 9 = top right) and its rating.

                          Likelihood: Low        Likelihood: Moderate   Likelihood: High
Significance: High        6  Moderate            8  High                9  Very High
Significance: Moderate    3  Low to Moderate     5  Moderate            7  High
Significance: Low         1  Low                 2  Low to Moderate     4  Moderate

One goal is to identify high risks that belong in the top right section.
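To make the two-pass assessment of Step Two and the Figure 2 matrix concrete, here is an added Python example; it is not code from the Crowe Chizek paper or from any EWCRA tooling. The cell ranks (1 to 9) and their ratings are read off Figure 2. Everything else is an assumption made for this illustration: the control model (an effective preventive control lowers likelihood one level, an effective detective control lowers significance one level, and a control is credited only when both its design and its operation are effective, as Step Two requires), the `Assessment` and `Control` names, and the constructed register of fictional business lines and regulations.

```python
"""Inherent-vs-residual compliance risk scoring on the Figure 2 matrix.

Added illustration, not code from the Crowe Chizek paper. The cell ranks
and ratings are taken from Figure 2; the control model and the sample
register below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Figure 2: rows are significance, columns are likelihood. The value is the
# cell number printed in the figure (1 = bottom left, 9 = top right).
RANK = {
    (Level.HIGH, Level.LOW): 6, (Level.HIGH, Level.MODERATE): 8, (Level.HIGH, Level.HIGH): 9,
    (Level.MODERATE, Level.LOW): 3, (Level.MODERATE, Level.MODERATE): 5, (Level.MODERATE, Level.HIGH): 7,
    (Level.LOW, Level.LOW): 1, (Level.LOW, Level.MODERATE): 2, (Level.LOW, Level.HIGH): 4,
}
RATING = {1: "Low", 2: "Low to Moderate", 3: "Low to Moderate", 4: "Moderate",
          5: "Moderate", 6: "Moderate", 7: "High", 8: "High", 9: "Very High"}


def rate(significance: Level, likelihood: Level) -> tuple[int, str]:
    """Return (rank, rating) for one cell of the Figure 2 matrix."""
    rank = RANK[(significance, likelihood)]
    return rank, RATING[rank]


@dataclass
class Control:
    name: str
    preventive: bool          # True: preventive (cuts likelihood); False: detective (cuts significance)
    design_effective: bool
    operating_effective: bool

    def is_key(self) -> bool:
        # Step Two credits a control only when both its design and its operation are effective.
        return self.design_effective and self.operating_effective


@dataclass
class Assessment:
    business_line: str
    regulation: str
    significance: Level       # inherent rating, i.e. before any control is considered
    likelihood: Level
    controls: list[Control] = field(default_factory=list)


def step_down(level: Level, steps: int) -> Level:
    """Lower a level by `steps`, never below Low."""
    return Level(max(Level.LOW, level - steps))


def inherent(a: Assessment) -> tuple[int, str]:
    """First pass: rate the risk of noncompliance ignoring existing controls."""
    return rate(a.significance, a.likelihood)


def residual(a: Assessment) -> tuple[int, str]:
    """Second pass: re-rate after crediting effective key controls.

    Assumption for this example: each credited preventive control lowers
    likelihood one level and each credited detective control lowers
    significance one level.
    """
    prev = sum(1 for c in a.controls if c.is_key() and c.preventive)
    det = sum(1 for c in a.controls if c.is_key() and not c.preventive)
    return rate(step_down(a.significance, det), step_down(a.likelihood, prev))


def aggregate(register: list[Assessment]) -> dict[str, tuple[int, str]]:
    """Roll residual risk up per regulation across business lines; the worst cell wins."""
    out: dict[str, tuple[int, str]] = {}
    for a in register:
        r = residual(a)
        if a.regulation not in out or r[0] > out[a.regulation][0]:
            out[a.regulation] = r
    return out


def prioritize(register: list[Assessment], floor: int = 7) -> list[str]:
    """Line/regulation pairs whose residual risk still sits in the High or
    Very High cells (rank >= 7, the top right of Figure 2), worst first."""
    hot = [(residual(a)[0], f"{a.business_line}/{a.regulation}") for a in register]
    return [name for rank, name in sorted(hot, reverse=True) if rank >= floor]


# Constructed sample register: fictional business lines, regulations and controls.
SAMPLE = [
    Assessment("Retail", "Reg-A", Level.HIGH, Level.HIGH, [
        Control("automated screening", True, True, True),
        Control("quarterly review", False, True, False),   # designed well, not operating: no credit
    ]),
    Assessment("Cards", "Reg-A", Level.HIGH, Level.MODERATE, [
        Control("system hard stop", True, True, True),
        Control("exception report", False, True, True),
    ]),
    Assessment("Treasury", "Reg-B", Level.MODERATE, Level.LOW),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.business_line, a.regulation, "inherent", inherent(a), "residual", residual(a))
    print("by regulation:", aggregate(SAMPLE))
    print("still high:", prioritize(SAMPLE))
```

Running it prints each line's inherent and residual cell. The point the paper makes in Step Two shows up in the constructed data: the Retail line starts in the top-right cell (9, Very High) and, once only the control that actually operates is credited, still sits at 8 (High), so it stays on the list that Steps Three and Four must act on; the Cards line drops from 8 to 3 because both of its key controls are credited. The per-regulation roll-up is the aggregation the paper asks for across business lines.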
Step Five: Monitor
Monitoring occurs through evaluations by independent internal and third parties (which would include testing of actual compliance), self-assessment, and management oversight. Additionally, monitoring identifies deficiencies within the control environment that management needs to address. Monitoring activities need to be aligned with level of risk.
Step Six: Information and Communication
The final step ranks high in importance to the lasting and successful implementation of the EWCRA process. Corporate reporting provides a big-picture perspective for the ERM program, management, board of directors, and audit committee. Information and communication ideally promote the need to review the EWCRA process continually and make refinements. The regulatory environment is never static.
Tangible, Intangible Benefits
Companies stand to benefit by establishing comprehensive programs to manage compliance across the enterprise. An enterprisewide approach is more likely to keep important risks from slipping through the cracks. In addition, EWCRA enables companies to share the language of risk assessment that regulators are adopting. Having a flexible and comprehensive compliance framework enables organizations to anticipate emerging regulatory issues, stay ahead of enforcement expectations, and avoid reputational damage. EWCRA can help companies avoid fines and penalties, but the larger gains are intangible. Preservation and strengthening of company reputation is a clear advantage for any organization, particularly given today’s era of minimal tolerance for regulatory and ethical shortcomings.
Contact Information:
Rick Julien can be reached at 630.586.5280 or [email protected].
Todd Richards can be reached at

Crowe Chizek and Company LLC is a member of Horwath International Association, a Swiss association (Horwath). Each member firm of Horwath is a separate and independent legal entity. Accountancy services in the state of California are rendered by Crowe Chizek and Company LLP, which is not a member of Horwath. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2006 Crowe Chizek and Company LLC