The Securities and Exchange Commission is bent on “elevating” the role of compliance by “underscoring that it is not a responsibility that stops at the desk of the CCO,” and firms with senior management and boards that fail to properly support compliance functions will face the most scrutiny, Carlo di Florio, director of the SEC’s Office of Compliance Inspections and Examinations, told investment advisor and investment company officials Tuesday.
At the 2012 Compliance Outreach Program National Seminar held at SEC headquarters in Washington, D.C., di Florio said that the name of this year’s compliance event was “slightly altered” from previous year’s “CCO Outreach” to “Compliance Outreach,” so the SEC could “broaden the dialogue to include not only CCOs but also other key executives–[such as] board members, management, chief risk officers, CFOs, internal audit and business unit leaders–because we feel that all of you together” help to ensure compliance with securities laws.
Di Florio said that by “engaging senior management and the board at various points in the examination process, our goal is to elevate the role of compliance. Strong risk management controls, including a solid compliance program, are a key responsibility of everyone in a regulated entity, but the right culture and tone at the top are especially the responsibility of senior management and the board.”
He went on to say that a chief compliance officer “who does not have the full support and engagement of senior management and the board is not going to be effective, and there is nothing that we want more than to help CCOs to be effective.” The SEC, he warned, “will focus most intently on firms where we sense that senior management and the board are not setting the appropriate tone and are failing to support key risk and control functions with adequate resources, independence, standing and authority.”
A corporate culture that “reinforces ethical behavior” di Florio continued, “is a key component of effectively managing risk across the enterprise. Nowhere should this be more true than in financial services firms today, which depend for their existence on public trust and confidence to a unique degree.”
An effective risk governance framework includes three critical lines of defense, di Florio said, which are in turn supported by senior management and the board.
- The business is the first line of defense responsible for taking, managing and supervising risk effectively and in accordance with laws, regulations and the risk appetite set by the board and senior management of the whole organization.
- Key support functions, such as compliance and ethics or risk management, are the second line of defense. They need to have adequate resources, independence, standing and authority to implement effective programs and objectively monitor and escalate risk issues.
- Internal Audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.
Senior management, di Florio said, “supports each of these levels by reinforcing the tone at the top, driving a culture of compliance and ethics and ensuring effective implementation of risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives.” The board of directors, he added, “is ultimately responsible for setting the tone and the top and ensuring an effective culture of risk management across the organization.”