It’s refreshing that the SEC is willing to work one-on-one with senior leadership at some of the largest financial firms in an effort to help those organizations stay in compliance. It’s encouraging that the SEC is also taking the approach that corporate culture, especially a culture of ethics, goes a long way to drive compliance.
Carlo di Florio, who runs the Office of Compliance Inspections and Examinations for the SEC, has made mention of an integrated approach to GRC numerous times in the recent past, and that’s even more encouraging. A blog posting on Reuters’ Financial Regulatory Forum quoted di Florio as saying, “‘The culture of compliance is an elusive concept and a real challenge’ but it has a huge impact on how ethically a company performs.”
According to the post, “the SEC will consider how compliance fits into the broader risk-governance framework of the firm…. A firm that operates through discrete silos is not going to be as effective as one where there is dialog by these units with management.” That’s the very goal of integrated GRC.
The OCIE has already been working with a number of banking brokerages and other financial firms, meeting with their boards in an effort to better understand the risks and to help regulate better risk management practices without, literally, breaking the bank. In addition to looking at corporate policies, the OCIE also examines the policy management process to make sure that policies keep up with corporate changes.
Di Florio is also an advocate of top-down communication as well as training that emphasizes roles and responsibilities within the firm.
The SEC is also concerned about how an organization analyzes its compliance data to see that policies are really effective. “A monitoring and testing program shows how seriously a firm takes compliance and integral to this is an escalation process for any findings, and a strong internal whistleblower program.”
Using a case management system also has value in the eyes of the SEC examiners as a way to show due diligence in your compliance program. If the SEC believes your investigatory practices work, they aren’t as liable to get involved in the investigation themselves.
Seems the SEC and di Florio are covering all the appropriate bases. If your bases are covered, you won’t have to worry when the examiners come for a visit.