This article discusses, at a very high level, the steps to achieving a unified compliance network (i.e., a target state compliance operating model).
What is a unified compliance network? It is a target state compliance operating model that enables you to appropriately identify, measure, assess, control, monitor, report, and escalate risk matters and ensure compliance with applicable statutes, regulations, and guidance.
A crucial step toward establishing a target compliance operating model is identifying and articulating sound practices for each component of your compliance program by leveraging regulatory guidance and industry expertise to identify target capabilities that are foundational to compliance risk management. Your target capability must reflect your firm’s size, complexity, strategic plans, and risk profile and align to regulatory expectations.
The following steps are designed to enable you to achieve a unified compliance network that is aligned with regulatory expectations (see Figure 1). While all the steps discussed below are crucial, the three critical elements that drive a unified compliance network are compliance risk identification, compliance risk assessment, and regulatory change management.
Step 1 – Governance and Oversight
Governance and oversight consist of a documented and rationalized Board and Management Committee structure, an approved risk appetite, and clarity on roles, responsibilities, and accountability. This includes a framework to maintain governing documents (i.e., policies, standards, and procedures) as well as processes for ensuring governing documents meet regulatory and internal requirements and expectations.
Effective governance and oversight of your compliance management system is achieved when:
- The compliance function has appropriate stature within the firm,
- The compliance risk governance framework, with clearly defined roles, responsibilities, and accountability, is fully implemented,
- The risk appetite and annual compliance plan articulate the Board’s vision and provide appropriate guidelines for effective management of compliance risk for business units and compliance, and
- The compliance management system reporting highlights key compliance risks and issues to the Board and management.
Step 2 – Compliance Risk Identification and Assessment
Compliance risk identification and assessment is a critical foundational aspect of a unified compliance management system. It allows you to identify and aggregate risk, measure performance against risk appetite, and inform all aspects of the compliance management system, including compliance monitoring and testing, training, and staffing.
A compliance risk identification and assessment program includes a methodology for identifying compliance risk and for determining inherent risk, quality of risk management (i.e., control effectiveness), and residual risk ratings for your firm’s compliance risks.
In its end state, the assessment must be completed at a sufficiently granular level, must capture control information, and must be aggregated to provide a comprehensive view of how compliance risk is managed and mitigated across your firm.
Compliance risk assessment begins with the creation of inventories of applicable federal and state regulatory requirements and the mapping of applicable regulatory requirements and controls to products and services.
Step 3 – Risk-Based Monitoring and Testing
Monitoring includes ongoing review of activities to understand changes within the compliance risk profile, supported by formal testing of transactions, files, or other data to determine whether regulatory and internal requirements are being met.
Risk-based monitoring and testing is based on the results of the compliance risk assessment (specifically, residual risk ratings), testing results, identified issues, regulatory changes, new business activities, and regulatory feedback.
This includes a methodology for identifying root causes of issues and project discipline in tracking of action plans to completion, i.e., issue management.
Step 4 – Regulatory Change Management
Regulatory change management is a program to monitor, assess and manage the impact of changes, including new and changing laws and regulations; changes to technology systems; and new, modified, or expanded products and services.
In a unified compliance network, regulatory change management is linked to the risk assessment process. Monitoring for regulatory change is driven by the inventory of applicable laws and regulations developed during the risk identification and assessment process, and identified changes are fed back into the risk assessment program for assessment and to update the risk profile, as applicable.
Step 5 – Training
Risk and compliance training, administered to all affected employees and key service provider employees, is central to developing an appropriate understanding of management’s expectations of roles and responsibilities across your firm, including but not limited to: (1) identifying and assessing all relevant risks associated with their activities, (2) monitoring and reporting on those risks, (3) escalating information on risk issues and breaches, and (4) effectively managing risks. In a unified compliance network, training is linked to the material risks identified in Step 2.
Training should be integrated into your new hire onboarding process so that new employees promptly receive risk and compliance management training and are made aware early of management’s expectations regarding risk management. Training materials should be refreshed concurrently with changes in expectations (regulatory and/or internal).
Step 6 – Data and Reporting
Data and reporting include the processes and systems needed to maintain accurate risk and compliance data that allow for timely aggregated views on risk, tailored to the audience. This requires collaboration among the business, risk and compliance, and technology functions. Reporting is linked to risk assessment results, includes identification of key risk indicators and key performance indicators, and provides key information and escalates significant compliance concerns to management and the Board.
Figure 1 – Unified Compliance Network