Enterprise Compliance Risk. AIBA June 14, 2012 Presented by: Jack Sonnenschein

Size: px

Start display at page:

Download "Enterprise Compliance Risk. AIBA June 14, 2012 Presented by: Jack Sonnenschein"

Robyn Evans
8 years ago
Views:

1 Enterprise Compliance Risk Management Program AIBA June 14, 2012 Presented by: Jack Sonnenschein 1

2 Agenda Regulatory Expectations Enterprise Compliance Risk Management Program Risk Assessments Monitoring and Three Lines of Defense 2

3 Regulatory Expectations Compliance Risk Management Programs and Oversight at Large Banking Organizations (FRB SR08-8, Basel) Organizations should implement a firmwide Compliance Risk Management and Oversight Program Establish processes to manage and oversee compliance risk across an entire organization Formalize this process into a compliance program that identifies, assesses, controls, measures, monitors, and reports compliance risks and provides compliance training Compliance Monitoring and Risk assessments are the foundation of an effective compliance monitoring i and testing program Responsibilities of the Board of Directors and Senior Management Independence of Compliance Staff 3

compliance program that identifies, assesses, controls, measures, monitors, and reports compliance risks and provides compliance training Compliance Monitoring and Risk

4 Enterprise Compliance Risk Management and Oversight Program Policies & Procedures Reporting & Escalation Risk Assessment Communication Leadership Engagement Monitoring & Training 4

5 Compliance Oversight Create a disciplined Compliance process to periodically assess, monitor, review and report on key business compliance metrics to: Compliance Oversight of frisk kassessments and dbusiness Self lf Business Self Key Risk Business Self Early Warning Issue Indicators Information Management Control Assessment Design and Detection and Control Reliability Residual Risk Reliability Escalation Risk Library Mandates Sub Mandates Requirements Risk Statements 5

Risk Business Self Early Warning Issue Indicators Information Management Control Assessment Design and Detection and

6 Compliance Risk Assessment Compliance Risk Assessment Program Risk Assessment Considerations Risk Assessment Risk Assessment Action Items Environment Inherent Risk Amex Risk Residual Risk Laws & Regulations New Products New Customers New Countries New Legal Entities Monitoring & Results Regulatory Events Enforcement actions Fines Reports Expectations Magnitude of loss due to regulatory violation Likelihood of occurrence of regulatory violation ense: Amex Framework ree Lines of Defe gulatory Th Reg Business Self Compliance Monitoring & Internal Audits Control Assessment Regulatory Requirements / Risk Control Identification Bu siness Manag ement Compliance Close control gaps or reduce residual risk Remediation plans and oversight Interim compensating controls Risk acceptance Prioritize / adjust Business Self Pi Prioritize ii /Adj Adjust Compliance Remediation Oversight & Reporting Sustained through annual refreshes and continuous monitoring of environment, inherent and residual risks to ensure risk mitigating actions are taken in a timely, effective, and efficient manner 6

violation Likelihood of occurrence of regulatory violation ense: Amex Framework ree Lines of Defe gulatory Th Reg Business Self Compliance Monitoring & Internal Audits Control Assessment Regulatory

7 Compliance Risk Assessment and Action Plans are developed to track remediation of gaps Ongoing refresh of Legal Risk Baseline Inherent Risk Risk statements are related to business processes Risk Definition Residual Control Risk Assessment Compliance Oversight of Business Self & Monitoring Independent Compliance Global Compliance Risk Baseline Risk Assessments are refreshed for material changes and the results of & Monitoring 7

Residual Control Risk Assessment Compliance Oversight of Business Self & Monitoring Independent Compliance

8 Three Levels of Defense & Interaction WHO does WHAT to provide assurance TO Lower IAG 3 Internal Auditing Internal Audit Audit Committee Officers Group Reliance ECRM C&E MCO LoBCO Business 1 2 BST Oversight Control Validation Reliance Horizontal Reviews Quality Assurance Control Country Unit Program Reviews Reliance Process Level Business Self Extent of Focus KRI & Metrics Monitoring Issue Escalation Enterprise Governance Parent Co. Regulator (US Fed.) Chief Compliance Officer CLT Entity & Market Market Regulator Country Executive Team Market Risk Committee Regional Compliance LoB Compliance Business Executive Leadership Operations Leadership Higher Reliance can be placed on existing testing activities where it is appropriate and where the applied testing standard meets ECRM policy guidelines. 8

Escalation Enterprise Governance Parent Co. Regulator (US Fed.

9 Enterprise Compliance Risk Management and Oversight Program Policies & Procedures Reporting & Escalation Risk Assessment Communication Leadership Engagement Monitoring & Training 9

10 10

11 11

Infrastructure Ontario Enterprise Risk Management Program. National Executive Forum Yellowknife, NWT May 2013

Infrastructure Ontario Enterprise Risk Management Program National Executive Forum Yellowknife, NWT May 2013 Background Government Risk Management Agency Oversight The Memorandum of Understanding with