In addition to providing discipline and support for the resolution efforts, the compliance management team needs to understand how the remediation of the audit and exam issues can affect other aspects of the overall compliance program. Above all, the compliance team’s involvement can help identify other areas in the organization that could be exposed to similar or related regulatory compliance risks.
Component 2: Root cause and impact assessments
Whenever a compliance issue is identified, an essential early step is to find the root cause of noncompliance, as well as the business lines, products, and services that are affected. Some form of root cause identification typically is part of the audit process, but the same type of analysis should be applied to all compliance issues, even those that were reported by other sources. Moreover, even in those instances where an audit report includes root cause analysis, the compliance management team should perform its own assessment of both the root cause and the potential impact of every compliance issue.
At first glance, such analysis might appear to be redundant, particularly if internal audit or regulatory agencies have determined a root cause. In fact, however, the compliance team’s independent root cause analysis is essential to an effective compliance management effort, as the complete picture of the issue might not have been available to auditors or examiners.
For compliance management purposes, the objective of root cause analysis is directly linked to impact assessment–that is, obtaining a comprehensive understanding of the issue. In other words, in addition to drilling down to discover the true root cause of a compliance issue, the team also must broaden its scope to identify other related risks and liabilities across other products, services, and lines of business. Such analysis is a prerequisite for developing controls or solutions that will mitigate this risk going forward.
For example, if a mortgage loan audit reveals inadequacies in the way that flood insurance requirements are identified, effective compliance management demands that all other business lines, even affiliates or subsidiaries, also be examined to determine if similarly deficient calculation worksheets and checklists are being used elsewhere. Many compliance departments rely on some form of spreadsheet system that cross-references where various regulations affect each line of business or entity.
The compliance team’s impact assessment also should identify any restitution to customers or other affected groups that might be necessary. In addition to determining restitution stemming from the original noncompliance, the compliance team also must extrapolate the impact to identify remediation that could mitigate noncompliant situations in other business functions that are affected by the same root cause. The compliance and legal teams will need to coordinate closely to determine the most efficient and effective methods for identifying, calculating, and communicating these impacts.
Component 3: Accountability
In all aspects of compliance management, it is important that the compliance department does not operate in a bubble but rather interacts with the board of directors, senior management, and the various lines of business on a regular basis to verify proper accountability. Ultimately, compliance management should be an organization-wide priority, with all lines of defense being held accountable for their relevant roles in tracking, reporting, remediating, and documenting compliance issues.
Effective governance holds all groups accountable to the specific action plans for which they are responsible, with clear lines of reporting to the designated oversight group, which could be a management-level compliance committee, a risk committee of the board, or some other designated body.
When an audit or exam uncovers a compliance issue, a specific documentation and tracking regimen usually must be followed. In some instances, the compliance department might be directly responsible for this formal tracking. In other cases, internal audit or another risk function could be responsible. But even if audit and exam issues are documented, tracked, and reported separately, the compliance function should have visibility into the issues’ status and verify that they are being handled effectively.
As noted earlier, this is not to suggest that the compliance function should duplicate the documentation and reporting efforts of other involved groups. In fact, in many organizations, the lines between the monitoring and audit functions often become blurred. But by maintaining clear lines of communication with all responsible parties, the compliance team can help avoid unnecessary redundancy while at the same time verifying that compliance issues–regardless of their source–are adequately addressed.
In addition, this approach can enable the compliance function to provide valuable consultation and collaboration support to the business lines, internal audit, and even outside regulatory agencies. While internal audit generally focuses on the adequacy of controls and periodic assessments, the compliance function generally concentrates on ongoing monitoring–ideally identifying noncompliant situations before they become audit or exam issues.