Liz Andrews | Tags: openpages regulatory_compliance dodd-frank sec
The following excerpts are taken from “Compliance, complexity and the need for XBRL: An interview with former SEC Chairman Christopher Cox”:
What are the key drivers of regulatory reform? Will Dodd-Frank really reduce systemic risk? Can better compliance processes drive better financial results?
In the weeks running up to the Vision 2011 and OPUS 2011 conferences, experts within IBM Business Analytics Financial Performance and Strategy Management posed these and other questions to Christopher Cox, a former SEC Chairman and keynote speaker at both events. Below is a transcript of that interview.
Looking forward into the next three years, what are some of the key drivers in the US that will be shaping regulatory and compliance reform? How are those different from the past five years?
The most significant characteristic of the time we are living in right now is the remarkable pace of change, both in legislation and in regulations governing corporate America, in particular the financial services sector.
Of course, the Dodd-Frank 2,300-page behemoth is well-known already to senior finance executives. But what is unknowable are the hundreds of rules that will be forthcoming under that legislation. The schedule called for in the statute has the bulk of the final rule makings scheduled for completion in the third quarter of 2011. It is very clear across the regulatory agencies that these deadlines are going to be largely missed.
As a result, not only will there be regulatory uncertainty on a continuing basis this year, but also for several years into the future. There are over 100 rule makings that have no statutory deadline at all. I think a significant share of even those that were expected to be completed earlier will also be rolled into the future. So during all of this time, senior Finance executives are going to have to be reading the tea leaves – not to mention the statute itself – to determine how to comply. And it isn’t just Dodd-Frank, of course, where we have all this legislative and regulatory ferment. The unprecedented rapid pace of change in law and regulation and the continued uncertainty about what the government will do next pertains to the tax area as well. During the last year alone, Congress enacted no fewer than six major pieces of tax legislation – including the two “Obamacare” bills, the HIRE Act, the Education Jobs Act, the Small Business Jobs Act and, of course, the year-end Tax Relief Act that temporarily extended the current tax rates.
That last piece of legislation bought us at least two years of tax certainty, but when it comes to long-term capital gains or any of the other rules governing the taxation of investment, two years are scarcely enough to permit long-term planning, and so the uncertainty continues.
That uncertainty about where financial, tax and regulatory policy are headed in turn creates a challenging environment within companies and within firms when it comes to shaping their response to regulatory and compliance changes. That’s the environment in which we find ourselves. Given the extent of this change and the predictable uncertainty that will continue for several years, it is very important that companies respond to this in ways that are exceptionally flexible.
How should Finance organizations prepare for this future regulatory environment in spite of uncertainties, particularly global companies that do business in multiple jurisdictions? What sustainable practices in their control and reporting processes and systems do they need to invest in to prepare for the future?
Being globally active, of course, only ramps up the uncertainty because the requirements from multiple jurisdictions are layered on the responsibility of senior Finance executives for U.S. compliance. It is nonetheless possible to synthesize thematically many of the global requirements, because at least topically, they have very much in common.
What is most important is that the different parts of a global organization can talk to one another and that the human beings who must extract information from the IT systems that collect and disgorge that information can rationalize it. In particular, companies that address these changes in ways that are adaptable and flexible will have a clear advantage. Companies that fail to manage the process in this way will likely find their companies non-compliant and their risk management practices called into question – not only by regulators, but also by their shareholders and their customers.
Do you think that the passage of Dodd-Frank will reduce systemic risk and improve stability in our financial services institutions?
Unfortunately, the Dodd-Frank Act failed to address several of the most significant causes of instability in the financial system and sources of systemic risk. The first is the status of the
This is particularly salient, as the conservatorships have required the GSEs to engage in practices that support housing at the expense of their financial well-being. Likewise, the government’s completely unjustifiable practice of keeping these two GSEs off the federal balance sheet, even as they are under government ownership, makes a mockery of financial reporting norms and honest accounting. Addressing this glaring omission in the Dodd-Frank Act remains a top priority of financial reform.
Next in importance is the inadequacy of bank capital and liquidity standards. Dodd-Frank did not adequately address the obvious failure of the Basel standards in the financial crisis. Those standards continue to create powerful incentives for asset concentration in mortgages and a reliance on credit ratings, and of course both of those had a role in generating the mortgage bubble that led to the financial crisis.
So the short answer to that question would be “No.”
Correct. I’d also say that Dodd-Frank has given the Financial Stability Oversight Council a strong incentive to protect competitors rather than to protect competition, which might take market share from the dominant firms. The systemically important designation implies government readiness to support those firms in a crisis, perversely encouraging more risky behavior despite the more stringent capital and other requirements and thus deepening moral hazard.
Can you discuss some of the best practices for boards of directors with regard to risk oversight? Do you think that changes in proxy disclosure with regard to risk governance have had an impact on risk management practices?
Yes. In 2010, the SEC added requirements for proxy statement discussion of a company’s board leadership structure and its role in risk oversight. Now companies are required to disclose in their annual reports the extent of the board’s role in risk oversight, and they’re required to address such topics as how the board administers its oversight function, the effect that risk oversight has on the board’s processes, and whether and how the board or one of its committees monitors risk. That increased focus on risk management has had considerable and very earnest take-up across the corporate community.
There are several types of actions that companies and their appropriate committees have been taking to step up their focus on risk management. Without question, they are spending more time with management, and isolating the categories of risk that the company faces – focusing on risk concentrations and interrelationships, the likelihood that these risks might materialize, and the effectiveness of the company’s potential mitigating measures.
Many companies have created risk management committees. Financial companies, of course, that are covered by Dodd-Frank must have designated risk management committees, but boards of other companies have carefully considered the appropriateness of a dedicated risk committee, and many of them have found it prudent to create one. In other cases, boards have delegated oversight of risk management to the audit committee, which is consistent with the New York Stock Exchange rule that requires the audit committee to discuss policies with respect to risk assessment and risk management.
For large-cap companies that have a Big Board listing, that has continued to be another way to address these heightened concerns. I think boards are carefully bearing in mind that different kinds of risks may be better-suited to the expertise of different kinds of committees, so they may not always wish to stovepipe responsibility for risk in a single committee.
Above all, best practices today are focused on the fact that regardless of how the board subdivides its responsibilities, the full board has the responsibility to satisfy itself that the activities of its various committees are co-ordinated and that the company has adequate risk management processes in place.
It’s a fascinating world. I can see why if you’re a controller or CFO it’s an exciting but intense place to be.
I think that’s absolutely right. All of these changes we’ve discussed – in particular in the US – mean that we are entering an era of unprecedented demand on companies’ governance, risk, and compliance processes and IT infrastructures. I think that companies have dealt with regulatory changes over the past half-century largely incrementally. They’ve made adjustments to their enterprise-wide systems as needed to comply with what have been modest changes from year to year. But given the enormous scope of changes in these forthcoming new regulations, companies will find it necessary to find a comprehensive and holistic approach to at least regulatory reporting – and, in my view, their management control as well.
Companies have traditionally relied on different processes to gather enterprise data to help management run the business on the one hand, and to gather data in order to satisfy regulators, on the other. In part, that was sustainable because the information that regulators were requiring was historical and post-facto. But things are rapidly changing under these new frameworks. Regulators including the SEC are now requiring information that is risk-based and predictive. While that is a big change, it’s also a significant silver lining in that this will align the process of collecting and gathering information more closely with what management needs. That means that CIOs should be looking for ways to integrate their regulatory and their management reporting processes. For that reason, regulatory reporting doesn’t have to be viewed as sheer cost, or necessary evil. Instead, there can be significant efficiencies and productivity gains for the enterprise by merging the requirements of management and regulatory data gathering processes.
This convergence will also allow companies to restructure their data in a way that will feed predictive analytical systems. That, in turn, can lead to an improvement in both risk management at the board level, and risk-based decision-making processes at the management level.
About Christopher Cox, Former Chairman, United States Securities and Exchange Commission (SEC)
Beginning in 1988, when he was elected to the House of Representatives, Christopher Cox established a record of legislative accomplishments that elevated him to the top of the Congressional leadership. His wide range of expertise in a variety of complex issues gives him the ability to take the long view of the economic future, predicting both the actions of Congress and the effects those actions will have on the marketplace. The author of the Internet Tax Freedom Act, which protects Internet users from multiple and discriminatory taxation, Cox held leadership positions ranging from chairmanships on committees and taskforces overseeing everything from budget process reform and policy to homeland security and financial services. During his tenure as chairman of the Securities and Exchange Commission, he continued this fight for justice and transparency in the world of investing.
An Accomplished Lawmaker and Reformer. During his seventeen years in Congress, Cox served in the majority leadership of the U.S. House of Representatives. He authored the Private Securities Litigation Reform Act, which protects investors from fraudulent lawsuits, and his legislative efforts to eliminate the double tax on shareholder dividends led to legislation that cut the double tax by more than half. In addition, he served in a leadership capacity as a senior member of every committee with jurisdiction over investor protection and U.S. capital markets, including the Energy and Commerce Committee, the Financial Services Committee, the Joint Economic Committee, and the Budget Committee.
An Advocate for Investors. At the SEC, Cox focused on the enforcement of securities law, bringing a variety of groundbreaking cases against market abuses such as hedge fund insider trading, stock options backdating, and municipal securities fraud. He also helped turn the Internet into a secure environment, free of securities scams, and he worked to halt fraud aimed at senior citizens. As SEC chairman, he was one of the world’s leaders in the effort to integrate U.S. and overseas regulatory policies in this era of global capital markets, making international securities exchanges safe, profitable, and transparent. As part of an overall focus on the needs of individual investors, Cox reinvigorated the SEC’s initiative to provide important investor information in plain English, championing the investor’s right to transparency. His reforms included transforming the SEC’s system of mandated disclosure from a static, form-based approach to one that taps the power of interactive data to give investors qualitatively better information about companies, mutual funds, and investments of all kinds.
In 1994 Cox was appointed by President Clinton to the bipartisan commission on entitlement and tax reform, which published its unanimous report in 1995. From 1986 until 1988, he served as senior associate counsel to President Reagan. From 1978 to 1986, he specialized in venture capital and corporate finance with Latham & Watkins. Cox received an M.B.A. from Harvard Business School and a J.D. from Harvard Law School, where he was an Editor of the Harvard Law Review.
We know the banks and related mortgage service organizations have been under fire for their role in the financial system’s near meltdown and ensuing foreclosure fiasco. JPMorgan Chase’s CEO Jamie Dimon reportedly owned up to taking some responsibility, saying “Some of the mistakes were egregious, and they’re embarrassing . . . but we made a mistake, and we’re going to pay for that mistake.” The 50 state attorneys general and the SEC, among others, are pushing for changes in how the banks and servicers operate, and there’s little doubt changes are coming.
The sea of blue suits at the OpRisk North America conference being held in New York City this week provides a stark contrast to the cold rain falling in Times Square. The conference kicked off with a keynote address from Mitsutoshi Adachi, director and deputy division chief at the Bank of Japan. Mr. Adachi, who also serves as chair of the SIG Operational Risk Subgroup for the Basel Committee, noted that his travel plans had to be moved up a few days in order to account for the continued travel delays out of Japan.
His keynote highlighted a recent report published by the Basel Committee on Banking Supervision titled “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches”, which found that “Operational risk capital for non-AMA banks is higher than for AMA banks, regardless of the exposure indicator used for scaling.” Mr. Adachi also noted in his address that AMA firms showed “only modest increases in losses during the financial crisis period.” Certainly not an unexpected result, but what was telling was his finding that for the period of 2008 to 2009 (during the financial crisis), operational risk losses for all banks were “2 to 3 times fold” compared with the previous Basel Committee internal loss data collection period of 2005 – 2007. Mr. Adachi declined to field a question on which business lines contributed the most to the losses, per his obligation to keep such information confidential.
He concluded by saying that “the Basel Committee finds it even more important to engage with the industry” moving forward. Looking forward to the Plenary address “Reforming U.S. financial markets: reflections before and beyond Dodd-Frank.”
Unless you’ve escaped to a remote island with no communication capability, you know about the serious issues facing banks and mortgage generators and service companies surrounding the foreclosure fiasco. For background, you might want to refer back to my October 15 blog which outlines some of the problems stemming from shortcomings in risk management and related internal control.
Chief audit executives do a lot of things really well, adding value to the companies they serve. What is especially interesting is how well many, especially CAEs of larger companies, gain information and insight through networking. Many are involved with their peers in industry or geographically based discussion groups, sharing through blogs, conferences, and internet-based information exchanges. And of course there’s still the opportunity to communicate via email or text or pick up the phone to talk with a valued colleague.
We had the opportunity to host a panel on operational risk at GARP this week in New York. The panel, “Using Operational Risk Management to Gain Competitive Edge”, included moderator Christopher Donohue, Managing Director, Research and Educational Programs, (GARP), and panelists Marcelo Cruz, Global Head of Operational Risk Management and Metrics, Morgan Stanley, Patrick McDermott, Senior Director, Enterprise Operational Risk, Freddie Mac, and Mairtin Brady, Head of Operational Risk Management, TIAA-CREF, as well as me, Gordon Burnes.
At the beginning of the panel, McDermott outlined the basic set of questions that operational risk managers have to answer:
- What can go wrong?
This is a great way to frame the essence of an operational risk manager’s job, and those new to the discipline will do well to make sure that their program covers off on these fundamental questions.
This was an interesting panel in that each panelist represented a different perspective on managing operational risk programs. The starkest contrasts were between Cruz, representing the quants, and McDermott, representing the value and importance of qualitative information. Cruz took particular issue with scenario analysis but did acknowledge the limitations of models as expressed in confidence levels. It’s clear that there’s a wide range of practice in the industry on this topic, with some banks relying heavily on scenarios to model their capital, others relying more on internal data.
All panelists agreed that the operational risk function is in its ascendancy and is increasingly being brought to the table to weigh in on strategic matters, such as acquisitions or new product launches. One of the key takeaways was that operational risk information can help businesses better define their risk profile, allowing business managers to make better decisions about where to invest, and where to focus mitigation efforts.
When organizations choose to shift their corporate mission and redefine organizational goals, it is vital that they carefully evaluate the potential risks and fallout from redefined core value propositions and tactics. A case in point is Toyota—a company that has built its reputation on the quality of its product, but in recent years focused its sights on profits.
Or more to the point, was he thinking at all? We’re talking about Rajat Gupta, operating at the highest echelons of multinational business, who finds himself charged by the Securities and Exchange Commission with illegally passing inside information to Raj Rajaratnam, the Galleon Group founder about to go on trial on charges of insider trading. Mr. Gupta, a Harvard Business School graduate and former head of McKinsey & Co., has been a board member of the likes of Goldman Sachs, Procter & Gamble, and American Airlines.
Fueled by a global audience that is desperately looking for disclosure in the wake of the economic crisis and mature digital computing technologies that make it more and more difficult to contain sensitive information, WikiLeaks has emerged as a viable new threat to data security.
Until now the United States government has been the central target of WikiLeaks attacks, however, with WikiLeaks founder Julian Assange’s recent claim to be ready to release corporate secrets in early 2011, organizations everywhere are faced with a looming risk management challenge that is not likely to dissipate anytime soon.
Experts agree, and Assange himself has suggested, that the information that will be leaked is more likely to consist of internal communications between executives and other employees rather than the personal data protected by privacy compliance laws. However, the threat of any kind of exposure means that corporations need to tighten data security and evaluate areas of potential vulnerability.
Unfortunately, WikiLeaks has highlighted a liability that persists across all corporations and government agencies and that technology and compliance measures alone simply cannot contain: the human factor. The increasing number of compliance and regulatory mandates put in place in recent years has not proven enough to combat the risk posed by employees leaking sensitive information.
A recent poll by Harris Interactive reports that only 9% of companies have adequate crisis protocols in place to protect themselves from a potential onslaught. In this period of uncertainty, with virtually all large enterprises under the WikiLeaks radar, it is vital that organizations devise an adaptable enterprise risk management strategy to identify and manage areas of weakness without sacrificing business performance.
Just as a sharp increase in regulatory compliance mandates has created a necessary shift in industry risk management tactics, so has WikiLeaks spawned the recognition of new vulnerabilities that face companies in the modern digital age. The organizations that are well prepared to assess and mitigate against untested threats, like the one posed by WikiLeaks, are those that combine deep domain expertise with powerful and flexible tools to analyze and weigh the probability and cost associated with any given challenge.
Last week we announced the availability of OpenPages version 6.0, which marks a major milestone in the evolution of the GRC market, from convergence to insight. It also represents the completion of the first phase of our technical integration with IBM. And the new release will help prepare our customers for managing through regulatory change in the post-Dodd-Frank environment.
In the wake of Dodd-Frank passage, Chris McClean of Forrester Research commented that there are nearly 200 regulatory changes still on the U.S. federal agenda that span industry verticals such as finance, healthcare, and consumer protection.
As regulatory pressures continue to mount, organizations that adopt a more practical regulatory management approach across the enterprise will be able to react quicker to regulatory change and decrease costs and complexity while gaining valuable insight into the risks that could affect corporate performance in the form of legal action, fines and penalties, or a decline in company/brand loyalty.
The recently announced OpenPages 6
Policy and compliance management software is playing an increasingly important role in the business by allowing companies to easily communicate changes in laws and regulations and enabling quicker reactions by the business.
My last posting spoke to one of COSO’s two recently issued guidance reports on enterprise risk management. The first provides approaches for getting started on an ERM initiative, and while it’s based on good intentions and provides useful information, especially to smaller companies, in Olympic Games terms, with only two entrants, that report gets the silver. The second report, Developing Key Risk Indicators to Strengthen Enterprise Risk Management – How Key Risk Indicators Can Sharpen Focus on Emerging Risk, wins the gold – by a good margin.
Today we announced the availability of OpenPages 6.0. This release represents a significant new phase in the evolution of GRC and provides organizations with the insight needed to drive business outcomes as well as the ability to manage effectively through the changing regulatory environment. We’re also excited to have completed the first phase of technical integration with IBM with the release of AIX support.
The GRC market developed out of the tactical, departmental deployment of SOX and other compliance and risk management solutions. Companies realized that they could leverage their control testing and risk assessment activities across multiple different oversight functions by consolidating their risk and compliance efforts on a common technology platform. Indeed, we’ve seen very strong ROIs for Enterprise GRC platforms, ROIs driven by this efficiency. The next phase in the evolution of GRC is about insight, using the GRC data to help drive business outcomes.
COSO recently released reports providing guidance in two areas related to risk management. One is Embracing Enterprise Risk Management – Practical Approaches for Getting Started, which suggests ways in which companies, especially smaller ones, can begin a risk management initiative with the objective of ultimately moving to an ERM process. It puts forth “keys to success” in terms of a number of “themes,” beginning with being sure to have support from the top. Theme 2 is building on incremental steps, which includes implementing key practices to gain immediate and tangible results. Theme 3 continues with focusing first on a small number of “top” risks, and theme 4 is leveraging existing resources by utilizing the capabilities of the chief audit executive, chief financial officer or other executive as a catalyst to begin the initiative.
A recent client discussion reminds me of an article I came across a few years back with important implications for dealing with risk – or rather a risk that materializes into a major problem. The article, “What Organizations Don’t Want To Know Can Hurt,” focuses on events surrounding the College Board when it learned of extensive errors in scoring its SAT tests, and provides a good example of what not to do.