Enterprise Risk and Compliance Management (ERM/CMS) Programs
Our team of former regulators, risk officers, and compliance officers helps you build, strengthen, and examine your Compliance Management System (CMS) or Enterprise Risk Management (ERM) programs and frameworks.
We help you assess, design, build, and mature your ERM Framework and Compliance Management System in the manner most appropriate to your institution, your regulatory environment, and your organization’s readiness.
- Implement, embed, and mature the three lines of defense model (3LOD) for risk and compliance accountability
- Assess the adequacy of the risk and compliance resources, tools, and expertise across your organization
- Advise on and support the implementation of appropriate risk and compliance tools and capabilities that support organizational innovation, improve efficiency, and enhance the integration and adoption of your ERM/CMS Programs
- Provide strategies and processes to establish and reinforce a strong risk and compliance culture and key risk and compliance principles such as: Authority, Accountability, Engagement, Transparency, Escalation, Proactive/Preventative, Self-Identification, and Self-Monitoring
- Effective Board and Management Committee structure and composition
- Board Composition related to applicable risk and compliance experience and expertise
- Enterprise-wide and standardized process for the development, oversight, updates, and use of Policies and Procedures, including:
- Design, documentation, implementation, and maturity roadmap for your organization’s Compliance Program and Enterprise Risk Management Framework and related policies and procedures
- Effective risk and compliance reporting and analytics, including key risk and performance metrics and appropriate Management and Board visibility and oversight
- Qualitative and quantitative risk assessment methodologies, including:
  - Process-based risk and control inventory
  - Reporting taxonomy
  - Inherent and residual risk
  - Assessment of control effectiveness based on control type and results of available detective measurements
  - LOD effective challenge
  - Aggregate business line, function, and organizational risk profile and heat mapping
  - Linkage to the issue management process for remediation of control weaknesses
  - Linkage to the change management process for ongoing risk assessment updates
- 1LOD control effectiveness self-monitoring and quality control programs, including:
  - Identification of key controls
  - Automated monitoring techniques
  - Frequency
  - Oversight and escalation
- 2LOD risk and compliance testing programs, including:
  - Annual risk assessment and annual plan
  - Design and implementation of the testing program, tooling, and reporting
  - Oversight and escalation
- 3LOD/Independent Audit program, including:
  - Annual risk assessment and annual plan
  - Design and implementation of the audit program, tooling, and reporting
  - Board level oversight and escalation
  - Chief Internal Auditor role, reporting structure, and best practices to protect independence
  - Oversight of outsourced Audit programs
- Change program design that:
  - enables informed risk acceptance and strategic planning
  - is preventative
  - establishes clear accountability across all lines of defense
  - encompasses all applicable risk types
- Inventory and tracking of change events including strategic, product/services, regulatory, and industry, with their relative risk
- Change-related risk assessment methodology that:
  - considers all applicable risk types
  - includes a risk significance methodology
  - captures requisite risk mitigations and internal controls
  - is integrated with, and reflects its impact on, related risk processes (risk assessment, monitoring and testing, training, reporting, etc.)
- Change management roles and responsibilities
- Change management reporting, oversight, and governance
- Change management training
- Change management materials including policies, procedures, and templates
- Post-implementation validation testing
- Design of enterprise-wide Issue Management, covering:
  - Transparency on risk issues
  - Segmentation by risk significance
  - Informed prioritization
  - Root Cause Analysis
  - Early or self-identification of issues
  - Monitoring of remediation efforts
  - Issue management sources
  - Issue risk rating methodology
- Definition of roles and responsibilities for:
  - Identification, investigation, and development of corrective action plans
  - Independent review and challenge of root cause and action plans
  - Implementation of corrective action plans
  - Validating issues across all lines of defense
- Standardized protocols for reporting issues, conducting root cause analysis, establishing corrective action plans, assigning ownership and accountability, remediating issues, closing issues, changing due dates, and validating the effectiveness of issue remediation
- Issue management reporting, escalation standards, oversight, governance, and training
- Consideration of customer harm that may be related to identified issues and standard protocols for how related escalation, self-reporting, and restitution should be integrated into the corrective action planning
- Integration of issue management with related risk processes including risk assessment, monitoring and testing, training, and independent audit
- Develop the institution’s Risk Appetite Framework (RAF) with related risk-specific triggers and tolerances
- RAF Trigger monitoring and reporting
- Development and testing of key Risk Appetite scenarios and integration with stress testing, capital and liquidity planning, contingency planning, and resolution planning
- Defined roles and responsibilities, oversight, and governance related to the development and approval of and changes to the RAF and results of scenario testing
- Assessment of applicable regulatory compliance risks and related significance and integration with regulatory change management process to ensure timely updates and enhancements
- Training content development
- Annual training plan and deployment planning
- Determination of appropriate audiences for and frequency of training
- Processes for monitoring training completion, key metrics, and reporting
- Training oversight and governance
- Development of job-specific and in-person training curriculum
- Advise on training content development and program management tools and design
- Scope of regulatory agencies
- Examination readiness and self-assessment
- Exam management process including key roles, responsibilities, and governance
- Exam request, follow-up, and deliverable management process
- Exam submission protocols and quality review process
- Examination response and remediation
- Regulatory relations best practices
- Legislative relations best practices
Our Experts
Brendan Mulvey
Senior Managing Director, Regulatory Compliance, Mortgage, and Operational and Enterprise Risk Management Solutions
Laura Huntley
Managing Director, Regulatory Compliance, Mortgage, and Operations Solutions
Maya Wilson
Managing Director, Regulatory Compliance, Mortgage, and Operational and Enterprise Risk Management Solutions
Mike Scarpa
Managing Director, Regulatory Compliance, Mortgage, and Operations Solutions
Lynne Johnston
Senior Director
Cathy Lemieux
Regulatory Advisor, Former Federal Reserve Bank
Ready to Talk?
We work with you to understand your needs, so we can tailor our approach to your engagement. Learn more when you connect with our team.
Related Services
Fair and Responsible Banking
We partner with financial institutions to promote ethical, transparent, and socially responsible banking practices, driving positive impact for all stakeholders.
Monitoring, Testing, and Audit
We provide advisory, co-sourced, and outsourced testing services to ensure compliance with regulatory requirements and best practices.
Cards and Payments Products and Services
We build, assess, remediate, and implement operational and compliance risk management programs.
Operational Excellence
We support your drive for operational excellence and help you manage non-financial risks.
Data Governance
We can improve your bottom line, as well as your regulatory compliance, with our formal, systematic approach to measuring and uplifting Data Governance.