Strengthen Your Core: Are You Getting the Most from Your Compliance, Operations, Risk, and Enterprise Support Functions?


In setting objectives for or evaluating the performance of CEOs, most often the measures are about strategic direction, market share, revenues, profit margins, assets, new products, and similar growth indicators. Rarely would you see the question, "How do you know you are getting the most from the company's investment in its Compliance, Operations, Risk, and Enterprise (CORE) support functions?"

If you really believe the adage "You get what you measure" (regardless of whether the measure is qualitative or quantitative), how can boards of directors justify not considering CORE support functions when determining how to compensate CEOs and other business unit executives? Stated simply, the behaviors of CEOs and other senior business executives will depend on the measures applied in setting their compensation and evaluating their performance.

The costs of not having a robust risk management and compliance system can be high. Take, for example, the case of the single trader at the French bank Societe Generale whose unauthorized trades produced a $7.2 billion loss, despite a compliance system that was supposed to prevent exactly that. Moreover, a lack of risk management procedures at financial institutions may have been at the root of the current economic crisis. As a result, regulators will now be focused on CORE controls at financial institutions.

Legislation and Regulation: The CEO's Responsibility

In the aftermath of Enron and WorldCom, as well as industry-wide investigations of mutual funds, investment banking, investment research, and insurance, the financial services industry has had to cope with an unprecedented level of legislation and regulation. The intent is to correct corporate misconduct and force accountability higher up in the organization. Such legislation and regulations include the Sarbanes-Oxley Act of 2002 (SOX); Securities & Exchange Commission (SEC) Rules 38a-1 and 206(4)-7 of the Investment Company and Investment Advisers Acts of 1940, respectively; National Association of Securities Dealers (NASD) Rule No. 3013; and the Dodd-Frank Wall Street Reform and Consumer Protection Act. No matter the legislation and regulation, chief executive officers and chief compliance officers (CCOs) are expected to:

* Create policies, procedures, and processes to ensure that employees operate within all legal and regulatory boundaries;

* Ensure that the company communicates--and applicable employees understand--the policies and procedures that set forth the corporate principles of behavior;

* Design and operate a risk management and compliance program that accomplishes the stated compliance objectives;

* Monitor the company's adherence to its policies and procedures; and

* Exercise oversight and testing of compliance programs to certify that the program is working effectively.

In addition, the Basel II accord (and now Basel III) and the Markets in Financial Instruments Directive (MiFID) are examples of regulatory drivers of a similar nature that affect non-U.S. companies and U.S. companies with international operations. Adding to the international breadth of recent regulation, many countries are adopting rules similar to SOX. In the March 12, 2007, issue of U.S. News & World Report, for example, Ethiopis Tafara, director of the SEC's office of international affairs, explained that SOX-type reforms had been undertaken in all major international capital markets, which he cited as one reason those markets have matured.

Moreover, during the recent near meltdown of the financial markets, we witnessed:

* The disappearance of such prominent firms as Bear Stearns and Lehman Brothers;

* Government rescues of and/or assistance to American International Group (AIG), Citigroup, Bank of America Merrill Lynch, and General Electric, as well as two major automobile manufacturing companies (General Motors and Chrysler); and,

* The discovery of major Ponzi schemes at well-known hedge funds. …