How the Chief Risk Officer’s Role is Changing in 2019

The Growing Need for Collaboration Between Risk and Compliance

by Brenda Boultwood
March 18, 2019
in Featured, Risk
The stakes are getting higher for CROs and compliance officers. Brenda Boultwood of MetricStream details why it’s increasingly imperative that risk and compliance professionals work hand in hand to address ongoing risks and strengthen organizational GRC efforts.

While risk and compliance functions have run on parallel tracks for years, 2019 is likely to witness a new level of synergy between the two groups as they collectively seek to help their organizations drive performance while preserving integrity.

Partnering in this effort will be the Chief Risk Officer (CRO) who, by virtue of his or her bird’s-eye view of organizational processes and hierarchies, is well-positioned to understand how compliance ties back to risk, where key issues or concerns might lie and how risk frameworks can be integrated with compliance to optimize value.

Some large banks have organizationally integrated their operational risk management functions with their regulatory compliance functions (or are in the process of doing so), but this is less important than understanding the synergies.

With that in mind, here are four specific areas where I believe the CRO can impact compliance in 2019:

1. “Operationalizing” Compliance Management

Regulatory compliance functions have long been staffed by lawyers and paralegals, who are likely to believe that each interaction with the business or external stakeholders is unique and depends on their specific expertise. Just as market, credit and operational risks were “operationalized” under Basel I, II and III, compliance and other types of enterprise risks can be brought into the same framework, consisting of identification, assessment, measurement and monitoring.

Essentially, compliance risks should be treated no differently, although they may be managed at a higher level of business process, given the consistency in controls required to ensure compliance. As with market, credit and operational risks, compliance risks will be assessed, compliance events will be consistently captured and compliance risk levels will be monitored.

2. Applying the Operational Risk Management (ORM) Data Model to Regulatory Compliance

The Basel Committee on Banking Supervision (BCBS) 239 transformed the way banks manage risks and make decisions by instituting 14 broad principles around risk data aggregation and reporting. It’s a model that must be applied to data across functional groups, including regulatory compliance, IT and third-party management. The underlying idea is that a company’s ability to make effective decisions around business performance, growth or compliance is only as good as the quality of the data that drives those decisions.

For too long, many compliance functions — like their counterparts in risk — have focused primarily on process engineering, procedures and assessments to meet the required regulations. Yet with regulatory data volumes swelling, compliance has increasingly become a data science problem. New regulations, updated regulations, policies, control test results, compliance risks, issues, incidents, complaints and key compliance indicators are just some of the data types compliance officers have to manage. How do you structure all this information to form a clear, cohesive view of the organization’s true compliance posture at any given point in time?

This is where the CRO can help: by advocating for and even spearheading the implementation of an aggregated compliance data model based on BCBS 239 principles. For example, principle 3, Accuracy and Integrity, can be interpreted as building a single source of truth for compliance data with consistent, common taxonomies. Principle 6, Adaptability, can be used to ensure that compliance data aggregation is flexible enough to adapt to the constantly evolving regulatory landscape as well as on-demand or ad hoc reporting requests. Principle 5, Timeliness, can help ensure that compliance data reports are kept up to date to reflect changing risks and regulations.

However, it is principle 4, Completeness, that I believe underlies the others. It requires that companies be able to capture, consolidate and map all relevant data (in this case compliance data) in such a way that stakeholders can effectively identify risk exposures and issues at various organizational levels.

The first step in putting together this data model is to build out the compliance universe, including compliance areas, standards, requirements, policies and controls. These data elements can then be mapped to the risk universe, including risk events, key risk indicators (KRIs), key control indicators (KCIs) and scenarios. Then comes the business universe, comprising processes, products, assets, functions, business lines, legal entities, industries and geographies. Rounding it off is the audit universe, consisting of audit entities, plans and findings.

The result of this data mapping is a tightly knit, cohesive and transparent framework with a common taxonomy that provides the business with an aggregated view of compliance that allows the organization to make better-informed decisions.
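As an added illustration (not MetricStream code or part of the original article), the sketch below models the compliance, risk, business and audit universes described above, runs a principle 4 completeness check over the mappings, and produces the aggregated view needed to answer a question like "has Legal Entity X met its GDPR requirements?" All identifiers and records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data model; every ID below is hypothetical.
@dataclass(frozen=True)
class Requirement:            # compliance universe: area / standard / requirement -> controls
    id: str
    area: str
    standard: str
    controls: Tuple[str, ...] = ()

@dataclass(frozen=True)
class Control:                # mapped to risk universe (risk events) and business universe (legal entities)
    id: str
    risk_events: Tuple[str, ...] = ()
    entities: Tuple[str, ...] = ()
    test_passed: bool = True

@dataclass(frozen=True)
class Finding:                # audit universe: finding raised against a control
    id: str
    control: str
    is_open: bool = True

REQUIREMENTS = [
    Requirement("REQ-1", "Data Privacy", "GDPR", ("CTL-1", "CTL-2")),
    Requirement("REQ-2", "Data Privacy", "GDPR", ("CTL-3",)),
    Requirement("REQ-3", "AML", "BSA", ()),            # no control mapped: a completeness gap
]
CONTROLS = {
    "CTL-1": Control("CTL-1", ("RE-DataLoss",), ("Entity-X", "Entity-Y")),
    "CTL-2": Control("CTL-2", ("RE-DataLoss",), ("Entity-X",), test_passed=False),
    "CTL-3": Control("CTL-3", (), ("Entity-Y",)),       # no risk event mapped: a completeness gap
}
FINDINGS = [Finding("AUD-7", "CTL-2", is_open=True), Finding("AUD-8", "CTL-1", is_open=False)]

def completeness_gaps(reqs, controls) -> Dict[str, List[str]]:
    """Principle 4 check: each requirement needs a control; each control a risk event and an entity."""
    gaps: Dict[str, List[str]] = {"requirements_without_controls": [],
                                  "controls_without_risk_event": [], "controls_without_entity": []}
    for r in reqs:
        if not r.controls:
            gaps["requirements_without_controls"].append(r.id)
    for c in controls.values():
        if not c.risk_events:
            gaps["controls_without_risk_event"].append(c.id)
        if not c.entities:
            gaps["controls_without_entity"].append(c.id)
    return gaps

def entity_view(entity: str, reqs, controls, findings) -> Dict[str, object]:
    """Aggregated compliance posture for one legal entity: covered requirements, failing controls, open findings."""
    def applies(cid: str) -> bool:
        return cid in controls and entity in controls[cid].entities
    relevant = [r for r in reqs if any(applies(c) for c in r.controls)]
    failing = sorted({c for r in relevant for c in r.controls if applies(c) and not controls[c].test_passed})
    open_findings = sorted(f.id for f in findings if f.is_open and applies(f.control))
    return {"requirements": [r.id for r in relevant], "failing_controls": failing,
            "open_findings": open_findings, "attested": not failing and not open_findings}
```

Running `entity_view("Entity-X", REQUIREMENTS, CONTROLS, FINDINGS)` shows why an attestation cannot be inferred from requirement mappings alone: the entity is covered by REQ-1, but CTL-2 failed its test and audit finding AUD-7 is still open.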

3. Integrating ORM Framework Components in Compliance

While traditional approaches to compliance have revolved around the enforcement of regulations and policies, the emphasis today is on risk: how to identify, assess and monitor compliance risks effectively.

The CRO can support this effort by bringing ORM best practices and frameworks to compliance. For instance, ORM risk assessments or risk-control self-assessments stipulated by Basel II should be used as a model for compliance risk assessments. Typically, that would involve building a comprehensive inventory of compliance risks, assessing inherent risks in terms of likelihood and losses, identifying and implementing controls, assessing and testing those controls and finally measuring the residual level of compliance risks.

Similarly, compliance deficiencies and incidents could be recorded and addressed based on the loss event management principles of ORM. It would mean logging compliance violations from various sources, tracing and investigating their root cause, implementing corrective action and finally tracking their progress to closure.

A centralized issue management mechanism can help by providing a single point of reference to capture and track compliance deficiencies across business departments, groups and operational geographies. Analytics can add further value by highlighting issue trends and patterns and enabling organizations to minimize overall compliance issues, rather than dealing with each one in isolation.

Key risk indicators can also be established for compliance in collaboration with the risk function; scorecards are another useful risk tool to weigh residual compliance risks and to provide metrics on the relative ranking of the control environment.

Many of these practices may already be operational in the compliance function. However, the CRO can further optimize their repeatability, efficiency and usefulness. For example, redundancies and duplication of effort can be minimized by facilitating greater collaboration, data exchange and re-use of risk information across compliance and risk functions. Likewise, risk communication and reporting can be strengthened by enabling a common, consistent risk and control language.

To bolster these efforts, it helps to have a common GRC platform that can provide a holistic view of risk and compliance data across the three lines of defense. With that level of visibility, stakeholders can better understand which compliance and risk areas they should be focusing their attention on and providing vigorous challenge to.

4. Strengthening Compliance Awareness, Identifying Trends

The CRO, in collaboration with compliance officers, can help establish a pervasive culture of compliance risk awareness across the enterprise. Training programs, for instance, can be organized to help employees understand the risk implications of noncompliance, as well as the importance of calling out red flags or suspicious behavior. Employee incentives and bonuses can be aligned with compliant behavior to strengthen accountability.

Another way the CRO can add value is by bringing a fresh perspective to compliance by raising questions and helping identify potential trends: What potential regulatory examination areas are likely to be investigated, and what documents will be requested? Based on compliance attestation data, can it be surmised that all GDPR data privacy requirements have been met by Legal Entity X?

These kinds of questions help teams refine compliance reports and arrive at a more accurate understanding of the organization’s compliance status. Analytics-based reporting tools and dashboards provide further value by enabling users to slice and dice compliance data from various parameters and swiftly draw out insights to support key findings.

Onward and Upward

Going into 2019, the stakes for both CROs and compliance officers are high. Escalating data breaches, geopolitical tensions, diminishing consumer trust, record-high regulatory fines – all legacy issues from 2018 are likely to extend into this year, making it imperative for risk and compliance functions to work together seamlessly toward strengthening governance, compliance and risk awareness.

The Chief Risk Officer will be a chief collaborator in this endeavor, bringing best practices from risk into compliance (and vice versa), strengthening communication between the two functions and ironing out any remaining inconsistencies or redundancies. These efforts will go a long way toward enabling the truly integrated GRC program that is increasingly becoming the hallmark of a successful, resilient organization.

Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream, where she is responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies and strategic banking and financial services customers. Boultwood also currently serves on the Board of the Committee of Chief Risk Officers (CCRO).