The 20 Rising Stars of Compliance 2007 - (Page 6)

SEPTEMBER 2007

cer, for example, is anticipating what will happen when credit tightens up, Eichbaum explained. Part of what the risk officer must assess includes how much risk to tolerate and questioning whether a firm is making decisions that are based on wrong assumptions.

“Typically, risk management involves a credit risk,” Hardy Callcott, securities law partner at Bingham McCutchen in San Francisco, noted. Most firms, he added, do not yet see that type of risk as part of the compliance function.

Callcott pointed out that automation is adding some risk management functions to compliance. Anti-money laundering compliance and operational risk management, such as business continuity planning, are duties which have crossed over into compliance functions following the Sept. 11, 2001 attacks and the subsequent passage of the U.S. Patriot Act. AML compliance officers need software to track various data for the sole purpose of assessing money laundering and financial crime risk, from tracing customer identifications to reviewing government watch lists of potential criminals.

The AML function has long required a proactive approach to spotting risks, such as potential suspicious activity. Operational risk protects computer data from loss and theft, for which regulators require compliance policies and procedures. A study published in July 2007 by IT Policy Compliance, a research and consulting company in New York, reaffirmed that good operational risk compliance will mean less lost data. The study found that 96% of more than 1,500 companies across dozens of industries, including financial services, that invested the most in information technology had two or fewer data losses or thefts a year. Conversely, more than 60% of organizations that did not emphasize good compliance, based on IT Policy criteria that included annual expenditures and personnel resources, reported 22 or more instances of data loss or theft.

Helping to push the combination of risk management into compliance functions is the growing focus by regulators in the U.S. and countries such as the U.K. on risk-based inspections. Because of this, in the U.K. it is more common for firms and banks to combine risk management and compliance functions. Lloyds TSB was one of the more notable and earlier examples; it made the combination in 2006.

In the U.S., financial risk management has become more prominent following the new AML procedures and the Sarbanes-Oxley Act. Sarbox, passed in 2002, added new risk management control requirements. Callcott noted that some compliance requirements have an inherent risk management element to them simply because it is built into certain rules. He says short selling is an example, because compliance officers have to be aware of the risks to firms when stocks are sold short and then remain unsettled for a certain period of time.

However, these functions are still mostly separate amongst U.S. securities firms. A perfunctory search could not uncover a single instance where risk management and compliance titles were joined, but that doesn’t mean compliance officers aren’t undertaking more of a risk management role.

“A chief risk officer should make sure that the company is not fighting yesterday’s battles,” Eichbaum said. There is a difference between tackling problems as they come and having an understanding of where tomorrow’s battles will be fought. Risk management is concerned with anticipating the future. “It’s really coming from a whole different place than compliance,” she explained. “Compliance lives in the here and now.”

THE SEC PROPOSAL

In fact, five of the largest firms have already integrated some risk functions into compliance due to earlier regulations. What’s new in the SEC proposal is extending these risk requirements to about 500 broker-dealers. The proposal is part of a package of amendments the SEC proposed in March aimed at addressing concerns over risk assessment in the industry, such as how broker-dealers take customer account balances into consideration when calculating net capital. The SEC’s argument for the requirement is that failures in managing risks could impact the market. So they are suggesting pulling the next 500 largest firms into the pact.