SEC Chairman Mary Shapiro succeeded where her two predecessors had failed in gathering a 3-2 vote in favor of the rule which was divided along party lines as both Republican members objected. While this is a win for investor groups who now have increased influence over board make-up, there are no provisions in the rule for smaller, individual investors who own less than 3% of the stock and have held the stock for less than 3 years.

One thing that is certain, the new rule reflects the anger and backlash of shareholders who feel that boards of directors were not acting in the shareholders’ best interest when taking highly leveraged and risky positions that led to the 2008 financial meltdown. As Rick Stenberg pointed out in his recent blog, this indicates a clear trend toward increasing shareholder power and of companies and their boards ‘opening channels of communication with shareholders.’ As these channels are opened, an information architecture that provides full transparency into risk exposure and enables information sharing will help to fill the communication gap between the Board and shareholders.

As the Dodd-Frank rulemaking proceeds in the coming years, reacting to each new rule and regulatory requirement with siloed technology and resource investments will clearly not be effective. The financial crisis of 2008 highlighted the interdependency of risks across an enterprise (credit, market, operational) which need to be managed holistically rather than in traditional silos. A siloed approach limits an organization’s ability to streamline risk and compliance processes and reduce costs. It also obscures the opportunity to integrate risk and compliance to gain a comprehensive view of the firm’s risk exposure.

Gordon Burnes commented in a recent blog post that “as companies put in place this information architecture to surface enterprise risk exposure, thinking about interdependencies will be critical to reduce cost.” I’ve worked with numerous OpenPages customers who are actively managing multiple risk and compliance programs on a single framework. The impetus behind these initiatives varies from the need to review enterprise risk and control performance at executive and Board-level meetings, to Federal regulator demands, to the need to simplify and rationalize risk and control assessments. A large, OpenPages financial services customer recently completed the convergence of risk assessments across all risk and compliance programs with the explicit intention of monitoring risk exposure across their business.

Moving forward as new Dodd-Frank requirements emerge, financial services institutions will require a converged information architecture that supports multiple risk and compliance initiatives on a single framework. An integrated risk and compliance framework can reduce the disparate databases and reporting structures, while at the same time meeting internal and external reporting requirements more efficiently. Whatever risk disciplines are significant within your firm, the goal should be to integrate them within a single framework that produces a holistic view of your risk landscape, while meeting the needs of regulatory agencies.

blog post

The Financial Stability Oversight Council is a new regulatory body created by the law that is tasked with monitoring and regulating companies that are deemed by the Council to be “systemically important.” The Council has the authority to instruct the Federal Reserve to impose new requirements on systemically important companies such as increased capital and liquidity levels as well as disclosing risk practices, regulatory gaps and resolution plans or “living wills.” In its role as systemic risk monitor, the Council will collect risk data from various sources including Federal and State financial regulatory agencies and the newly created Office of Financial Research (OFR) – which will among other things be responsible for collecting data from financial services companies.

The Dodd-Frank law also calls for a Risk Committee to be established by all public, non-bank financial companies, as well as all public, bank holding companies with over $10B in assets under management. Supervised by the Board of Governors of the Federal Reserve, the Risk Committee will be held responsible for enterprise-wide risk management oversight and practices, and be required to include “at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”

To meet these requirements for risk exposure data, financial services institutions need an information architecture that provides full transparency and reporting for the Board, Risk Committee and potentially the OFR. If you’re looking to develop an information architecture that will meet the requirements of Dodd-Frank and new regulations to come, here are a few things to consider:

1. Create a central platform to pull all of the different data elements together and maintain the relationships between elements (RCSA, Loss Events, KRIs, Issue Management, Policy Management, etc.)

2. Establish a common taxonomy and library for policies, processes, risks, controls, regulatory requirements and other key data elements

3. Integrate multiple areas of risk (operational, compliance, strategic, etc.) to provide aggregated analysis and full reporting of all risks across the enterprise

But there’s another way in which Goldman seems to have dodged a bullet. While other companies have had to accept a government appointed monitor working inside the organization, Goldman won’t be subject to such meddling. In my mind, avoiding this kind of intrusive interloping is just as big, if not more so, than the manageable size of the fine – especially for a firm as sophisticated as Goldman Sachs.

There is, however, an annual requirement for filing a certificate, for three years, that Goldman is in compliance with the terms of the settlement. Of considerable interest is that the certificate is to be signed by the firm’s general counsel or global head of compliance. Some pundits are saying this makes eminent sense, while others take the position that it should be the CEO or board, who are ultimately responsible for ensuring compliance, to be putting their signature on the dotted line. In any event, all this puts more of a spotlight on chief compliance officers and compliance programs. One former chief compliance officer reportedly said the SEC “seems to be attempting to elevate importance of the chief compliance officer role,” while an active compliance chief says the settlement shows that compliance officers “are becoming true C-suite level executives.”

There’s a lot going on here, and we can expect to see the focus on compliance officers ratcheting up further going forward.

© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.

It is clear that a major theme of the legislation is greater transparency into risk exposure across the financial system.  Basel II can be faulted for taking an institutional approach to risk management, and the financial crisis of 2008 clearly revealed gaps in the way regulators assessed and managed risk across institutions.  This wave of regulatory rulemaking will try to address those gaps, and, in fact, Treasury Assistant Secretary Michael Barr in a recent speech at the Chicago Club made several references to Basel III, an indication that regulators worldwide will be coordinating on liquidity and capital standards to manage systemic risk.

Regardless, regulators worldwide will still be collecting risk exposure data from institutions.  As a first step, institutions can put in place an information architecture that can quickly an accurately serve up risk exposure information, and all financial services institutions need to work on this.  The Dodd-Frank law, for instance, creates a Financial Stability Oversight Council that will have the authority to instruct the Federal Reserve and other agencies to collect all sorts of risk exposure data.  Most companies know where their current gaps are; these need to be addressed immediately.

The scope of the rulemaking also suggests that we’re going to be in a very dynamic regulatory environment for a long time.  As such, covered companies would do well to make sure this information architecture can adapt to change over time.  Implementations of static frameworks for regulatory compliance could be obsolete before the project is finished! Any solution must be able to adapt and extend over time.

Finally, as companies put in place this information architecture to surface enterprise risk exposure, thinking about interdependencies will be critical to reduce cost.  Inevitably, there will be much overlap between the information requests from different regulatory agencies.  Your ability to handle these requests, as well as those from the business, with a minimal set of reports will save you time and resources.  An integrated risk and compliance framework can reduce the disparate databases and reporting structures.  Of course, you may not be able to consolidate everything onto a single, integrated system, but thinking about pairwise combinations is a good start.

It all starts with what the company is looking to achieve through cloud computing and whether the investment is worth the risk. For example, will the application hosted in the cloud be customer facing and subject to strict regulatory standards? If so, then the risk assessment should include the probability and impact of events such as a data breach or unplanned downtime.

Once the risk assessment has been completed and the investment decision has been made, then a comprehensive due diligence exercise should be conducted. Some vendors may suggest simply relying on their SAS 70 report from their external auditing firm rather than performing a due diligence exercise. While SAS 70 reports are useful, they are not specific to the relationship between the two companies. It is imperative that the following areas are examined in relation to a company’s current information security policies and overall operating expectations.

1. Organizational and Human Resource Security
2. Access Control
3. Asset Management
4. Physical and Environmental Security
5. Operations and Change Management
6. Disaster Recovery and Business Continuity
7. Privacy
8. Regulatory Compliance

Like any other partnership or outsourcing agreement, the time to address potential risks and issues with cloud computing is at the very beginning of the relationship. By doing so, both the company and the vendor will benefit from the opportunity to understand each other’s expectations. It will also serve as the foundation for a successful cloud computing solution.

If your company would like to learn more about performing a cloud computing risk assessment and due diligence exercise, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

• Say on pay: Shareholders now will get to vote on whether they’re satisfied with executive compensation. And the same holds for so called “golden parachutes” related to such transactions as sales or mergers of the company. While these are only non-binding advisory votes, compensation committees and full boards will certainly think twice before continuing with compensation voted down by the company’s owners – which parties also vote on whether sitting directors should be re-elected going forward. As such, we can expect to see boards more receptive to views of shareholders, especially major ones, on executive compensation programs.
• Additional executive compensation disclosures: Public companies also will need to provide more detail about how executives pay relates to the company’s financial performance. Additionally, disclosure will be required of the ratio of the CEO’s total compensation to the average of all other workers’ median total pay. There’s little doubt that shareholders will be focusing closely on this information and reacting to it in the voting process.
• Elimination of broker discretionary voting: Now stock exchanges will extend beyond the current NYSE rules, to now prohibit discretionary broker voting in board elections as well as executive compensation and other significant matters. Because brokers typically voted in favor of company initiatives, shareholders will have more say in what transpires.
• Proxy access: Perhaps most significant, the SEC is authorized to allow shareholders to use proxy materials to nominate their own directors. While we don’t know exactly what the SEC will do in this regard, we can expect that shareholders will have a greater say in who sits in the boardroom.

These of course are just some of the elements of the new law, which impact ultimately will be determined by numerous studies to be undertaken and regulations to be issued. One thing, however, is clear. Shareholder authority continues to grow, and companies and their boards will continue the trend of opening channels of communication with shareholders.

© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.

Best practice dictated by the Institute of Internal Auditors requires an independent quality assessment of the IA function at least once every five years. A more frequent assessment may be considered if significant changes have occurred to impact how the IA function performs its responsibilities – e.g. change in IA leadership and/or oversight, change in IA methodology, significant merger and/or acquisition, etc.

The quality assessment should address the following objectives:

1. Assess the effectiveness of an IA function in providing assurance and consulting services to the board, senior executives, and other interested parties. This includes the adequacy of the IA activity’s charter, goals, objectives, policies and procedures as well as the IA activity’s contribution to the organization’s governance, risk management and control processes.
2. Assess conformance to the Institute of Internal Auditors’ Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“Standards”) and provide an opinion as to whether the IA activity generally conforms to all.
3. Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive (“CAE”) and staff for improving their performance and services and promoting the image and credibility of the internal audit function.

In addition, a well-designed quality assessment will include an evaluation of the following key IA function elements:

1. The expectations of the IA activity expressed by the board, executive management, and its other “customers” (i.e., management of operational and support units).
2. The entity’s control environment and the CAE’s audit practice environment.
3. The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise.
4. The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of the entity as a whole.
5. The International Standards for the Professional Practice of Internal Auditing.
6. The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities.
7. The tools and techniques employed by the department, with emphasis on the use of technology.

The final key element is often one that typically receives the least focus, but can yield the greatest benefit to the IA function and the company as a whole. By automating the IA management processes such as scheduling, planning, workpaper preparation, reporting and issue follow-up, IA functions can dramatically increase their ability to perform their responsibilities in concert with a company’s operation and risk profile. OpenPages’ Internal Audit Management solution is a great example of a solid platform that can support a high quality IA function.

If you are interested in learning more about conducting an IA quality assessment for your company, please email us at NavigateSuccessfully@WheelhouseAdvisors.com.

The Huffington Post is reporting that, “a team of Goldman Sachs analysts predicted in a Tuesday research note that the legislation will annually cost Bank of America about $4.4 billion, Citi about $3.7 billion, JPMorgan about $5.3 billion, Morgan Stanley about $900 million, and Wells Fargo about $2.2 billion.”

The bill seems certain to pass the final Senate vote later today and Obama is ready to sign it. The ultimate impact on the risk and compliance management market is yet to be determined, but one thing is for certain, the era of deregulation is officially over.

While the geographies and industries may differ, it is clear that across the globe, companies have a common objective to improve business performance through reduced risk exposure and better allocation of resources.

See press release for more detail.