SEC Director’s Speech on Compliance, Ethics and Enterprise Risk Management

The Securities and Exchange Commission’s (SEC) Director of the Office of Compliance Inspections and Examinations, Carlo V. di Florio, talked about compliance, ethics and enterprise risk management during his speech at the National Society of Compliance Professionals (NSCP) National Meeting in October 2011. He addressed how standard setters and other organizations are recognizing the importance of ethics pertaining to effective compliance and enterprise risk management (ERM).

The Relationship between Ethics and ERM

Ethics are involved in good business practices. They ensure good customer service, maintenance of the company’s reputation, attraction of the best employee base and business partners. Good ethics also develop a good “tone at the top” and corporate culture which are essential when implementing an effective ERM.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) addressed the role of ethics in ERM by stating:

“An entity’s strategy and objectives and the way they are implemented are based on preferences, value judgments, and management styles. Management’s integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an entity’s good reputation is so valuable, the standards of behavior must go beyond mere compliance with the law. Managers of well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business.”

ERM emphasizes the importance of ethics in enterprise governance, risk, and compliance (GRC) systems. In addition to COSO, a number of organizations such as the Ethics Resource Center (ERC) and the Open Compliance and Ethics Guidelines (OCEG) have issued frameworks to implement effective ERM systems.

The ethics and integrity of an organizations’ leaders affect “the design, administration, and monitoring” of the ERM program particularly in financial services institutions. This is highlighted in the principles developed by the Basel Committee on Banking Supervision.

The Ten Elements of an Effective Compliance and Ethics Program

The following elements are important in an effective compliance and ethics program. The U.S. Federal Sentencing Guidelines (FSG) uses them to “integrate ethics into the elements of an effective compliance and ethics program that would be considered as mitigating factors in determining criminal sentences for corporations.”

  1. Governance. The board of directors and senior management should set an good tone at the top and provide adequate resources for corporate compliance and ethics programs.
  2. Culture and values. The culture and values of the organizations should promote ethical behavior and accountability.
  3. Incentives and rewards. Incentive and compensation scheme should encourage and reward ethical behavior while penalizing misbehavior.
  4. Risk management. The organization should effectively identify, assess, mitigate and manage compliance and ethics enterprise risk.
  5. Policies and procedures. An organization needs adequate policies and procedures to manage its ethics and compliance programs.
  6. Communication and training. Employees should be trained to understand their roles and responsibilities in the organizations’ ethics and compliance programs. The programs need to be equipped with a robust communication system.
  7. Monitoring and reporting. Continual monitoring of entity wide issues should be complemented with adequate reporting to management.
  8. Escalation, investigation and discipline. The organization should have a system that allows confidential and anonymous reporting of anomalies which result in appropriate disciplinary action.
  9. Issues management. Any issues that come to the organization’s attention should be evaluated to consider the root causes and necessary and timely resolutions.
  10. An on-going improvement process. The organization’s system needs to allow for continual improvement and benchmarking of best practices in its ethics and compliance programs.

The Relationship of Compliance and Ethics with Enterprise Risk Management

The elements above are also important in an organization’s broader governance and enterprise risk management system. An organization needs to properly delineate the different roles and responsibilities when addressing ethics, compliance or ERM.

  1. The business. This is considered the first line of defense. It is responsible for assuming and effectively managing risk in line with the risk appetite and tolerance levels agreed upon by the board and senior management.
  2. Key support functions. These are part of the second line of defense. Examples are the compliance and risk management functions. They set the necessary risk, ethics and compliance programs in the organization.
  3. Internal Audit. As the third line of defense, Internal Audit provides independent verification and assurance of the effectiveness of the organization’s controls.
  4. Senior management. It is the responsibility of fourth line of defense to develop a proper culture and leadership tone that reinforces ethical behavior, compliance and effective enterprise-wide risk management.
  5. The board. The board of directors oversee that management are properly administering their roles to maintain ethical

The above roles and responsibilities are not only important in ethics, compliance and ERM programs but also in other functional risk management areas such as investment risk, market risk, credit risk, operational risk, funding risk and liquidity risk. The financial crisis showed how important organizations should coordinate all these functions to effectively manage its entity-wide risks. Each of these functions can develop risks which results in huge negative impacts of the organization.

Click below to read the speech.

Link: U.S. Securities and Exchange Commission (SEC)

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2011-10-17