Ross Marrazzo is Managing Partner of Treliant. He is also responsible for the firm’s Corporate & Regulatory Compliance and Global Financial Crimes Compliance services areas. Ross has over 34 years of domestic and international experience in the design, oversight, and assessment of corporate and regulatory compliance, Anti-Money Laundering/Bank Secrecy Act,…
The pressure is on the compliance team to deliver the right information in the right way to support decision-makers. Maintaining a robust governance structure is a cornerstone of effective oversight, setting the stage for proper compliance with regulatory requirements and expectations. Priorities are not always in perfect alignment, however. Committees must focus vertically on their missions, but must also communicate horizontally across the organisation. To ensure data quality, risk models must be rigorously governed and validated, but must also be refreshed or even discarded if circumstances dictate. Supervisory requirements must be adhered to, and must also be expected to change. Interactive risk dashboards have become the state of the art in compliance and risk management reporting, and they must be designed with the needs of the bank in mind. Compliance professionals can thrive by monitoring and understanding regulatory change, keeping communications channels open with examiners, and managing the compliance department through metrics. Helping senior management and boards to navigate the various options available to them will produce a more compliance-intelligent senior management and board. This paper discusses why right-sizing management and board reporting is important to an effective governance structure. Strengthening board reporting is not an isolated exercise; it must be part of a broader drive to foster and support compliance-savvy leadership.
One of the perennial, vexing issues for compliance and risk managers is determining how much reporting to the board and senior management is enough. Effective oversight is one of the fundamental principles for establishing an entity's tone at the top [1] and is the core responsibility of a board of directors. But it is impossible to achieve effective oversight without a proper flow of useful and understandable information.
Nevertheless, the meaning of ‘enough’ is not a settled matter when it comes to board reporting. As a result, the Goldilocks principle can never be far from the minds of compliance and risk professionals. Long, complex reports that are difficult to digest? Too much. Superficial or incomplete reports? Too little. Getting the balance ‘just right’? That is the elusive goal.
Complicating the fundamental challenge of striking a balance, the volume and type of information a bank’s board and senior management actually want may differ from what supervisors expect them to receive. Supervisors may even differ among themselves. Boards and senior management may have a sudden, pressing need for new reporting, but then not ask for it again. Expectations — those of the supervisors as well as the bank’s leadership — can shift from time to time.
And, inevitably, the economy endures ups and downs, banks are buffeted by setbacks and the regulatory pendulum swings. The financial crisis of 2007 to 2008 triggered a dramatic increase in supervisory expectations and unleashed a wave of new regulatory requirements.
The financial crisis also coincided with a push by regulators to increase the independence of the compliance function, which in most large banks had historically reported to the legal department. A defining development was the Fed's 'Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles', known as FRB 08-8 (Supervisory Letter SR 08-8). [2] This 'supervisory letter' provided guidance on the elements of an effective and independent compliance function, among other things. It took some of its foundational attributes from the US Organizational Sentencing Guidelines, [3] which are designed to eliminate disparities in federal sentencing for felonies and serious misdemeanours. All risk and compliance officers should take time to familiarise themselves with these guidelines, issued by the US Sentencing Commission.
The byproduct of an era of regulatory 'tough love' for banking organisations was an increased blurring of lines of responsibility between directors and management. Both the Fed and the Treasury Department pledged in 2017 to address this. On 3rd August, 2017, the Fed issued proposed guidance on supervisory expectations for boards of directors. [4] On 4th January, 2018, the Fed proposed guidance that would clarify supervisory expectations related to risk management for large financial institutions. [5]
Thus, the rules of engagement between boards, senior management and compliance teams appear to be settling down once again as the pendulum returns to the middle. This may be the ideal time for banks and other financial organisations to refine their approach to board reporting. The starting point for compliance teams is to determine what information they already have access to and should be capturing, focusing on known risk indicators.
For example, banks should not only understand and track customer complaint information, but should learn to think of this information as a treasure trove of insights into how to improve customer satisfaction. Similarly, the output from anti-money laundering (AML) monitoring tools can help with more than risk management. It can also be a data mining tool to help banks better understand product and service use by customers and enable sales staff to forecast customer needs.
With proper planning, banks can be sure that they are gathering the right data, ensuring data accuracy and validating models that use the data. By taking these steps, they can improve the quality of information they provide to senior management and boards, striking a balance between high-level insights and the details needed for decision-making on major issues.
In this paper, we review the current regulatory environment and best practices in senior management and board reporting, examine the importance of elevating the data quality of board reports, discuss how to be an advocate for compliance and offer action steps for improved reporting.
THE REGULATORY ENVIRONMENT
While there are a number of supervisory releases discussing senior management and board responsibilities, the key compliance-centric release that has defined senior management and board obligations for the past decade is FRB 08-8. This release applies to large banking organisations, but organisations of all sizes have used the guidance for their compliance programme framework.
The guidance, however well intended, arrived at a time when supervisory expectations were rising dramatically in response to the financial crisis. By 2014, the Office of the Comptroller of the Currency, which regulates national banks, had introduced a new touchstone for gauging board effectiveness: Did the board provide a 'credible challenge' to bank management's decision-making? [6]
Even as banking organisations accepted new concepts and adhered to new standards, their common refrain was that the lines between board and management responsibilities were rapidly becoming blurred. Information overload was compounding the problem. Despite the Fed’s best intention of providing guidance on effective compliance programmes and their governance, banking organisations reported confusion among senior management and boards over their governance roles. Should the board step into senior management’s shoes by expecting to be more broadly informed of risk management processes? Or should the board stick to its knitting and focus on core responsibilities, such as guiding strategy, overseeing management and establishing risk tolerance?
Confusion and uncertainty have implications for compliance departments. Unanswered questions complicate the compliance department’s role in providing a ‘just right’ mix of information in the form of reporting to the board and senior management.
The new administration of President Donald J. Trump signalled its intention to begin streamlining board responsibilities in a report issued by the US Treasury Department in June 2017. 'The duties imposed on Boards are too voluminous, lack appropriate tailoring, and undermine the important distinction between the role of management and that of Boards of Directors,' said the report, 'A Financial System That Creates Economic Opportunities: Banks and Credit Unions.' It continued, 'A significant shift in the nature and structure of Board involvement in regulatory matters could be made with little or no increase in risks posed to the financial system.' [7]
Meanwhile, to address rising concern, the Fed undertook a broad-based review of its existing regulations and guidance through, among other things, discussions with senior management and boards of financial institutions. As previously noted, on 3rd August, 2017 and 4th January, 2018, the Fed issued proposed guidance that would clarify expectations related, respectively, to corporate governance and risk management for large financial institutions.
The proposed guidance provides insight into how the Fed would view and supervise board performance at the large banking companies that are subject to it — those with assets of US$50bn or more. (Banks with less than US$50bn in assets will be addressed through subsequent guidance, although the Fed cited existing guidance for those institutions.) The proposed guidance identifies an effective bank board as one that maintains five attributes:
(1) Set clear, aligned, and consistent direction regarding the firm’s strategy and risk tolerance.
(2) Actively manage information flow and board discussions.
(3) Hold senior management accountable.
(4) Support the independence and stature of independent risk management and internal audit.
(5) Maintain a capable board composition and governance structure.
The Fed argued that greater clarity regarding supervisory expectations 'could improve corporate governance overall, increase efficiency, support greater accountability, and promote compliance with laws and regulations.' The Fed noted that its review of board effectiveness showed that 'boards often devote a significant amount of time satisfying supervisory expectations that do not directly relate to the board's core responsibilities.' [8]
Nevertheless, the long-awaited guidance quickly met criticism. Sheila Bair, a former chairman of the Federal Deposit Insurance Corporation, told The New York Times that the guidance was flawed because it left too much discretion to bank management to determine which issues to raise with the board of directors. 'Leaving to management the decision to share supervisory findings with the board strikes me as problematic,' Ms Bair said. 'I think bank examiners feel their findings have more weight with management when the board is also in the loop.' [9]
Fed officials defended the approach. Speaking in August 2017 at a banking conference hosted by the Federal Reserve Bank of Chicago, then Governor Jerome Powell said, 'We do not intend that these reforms will lower the bar for boards or lighten the loads of directors. The intent is to enable directors to spend less board time on routine matters and more on core board responsibilities.' [10]
Powell, who became Chairman of the Fed in February 2018, is likely to continue to champion the effort to recalibrate the responsibilities of directors and management. So, too, is Fed Vice Chairman for Supervision Randal Quarles, who has said adjusting the Fed's approach to supervision is among his top priorities. [11]
BEST PRACTICES IN GOVERNANCE AND REPORTING
Supervisory changes are coming, and banking organisations are well advised to begin now to retool their processes to improve the flow of useful information to their boards of directors. Effective reporting is a cornerstone of risk management and thus the lifeblood of a well-informed board. At its simplest, the goal of any report to the board and senior management is to ensure that they know of and understand the risks and control environment of their organisation. In other words, they know where the risks are and will not be surprised.
The compliance department leadership should start by making senior management and directors familiar with the proposed new guidance. This informal process of sharing the information to help surface any concerns and identify needed changes, including spending, lays the groundwork for acceptance. The compliance leadership should also involve line-of-business supervisors to ensure that compliance and reporting plans meet their expectations.
Summaries and reports can help to streamline discussion of issues, while excessive detail bogs down the board. The challenge for compliance is to strike a balance by recognising the importance of delivering good and reliable summary data and key metrics to the board of directors. There is, unfortunately, no simple formula for ‘getting it right’, because the method, level and content of reporting has to be tailored to each governance level. But there are principles that compliance can follow to maintain a robust governance process and ensure compliance with regulatory requirements and expectations.
- It all begins with structure. Compliance executives need to define the governance structure they require in order to effectively manage and report on compliance risks. Each committee’s responsibilities need to be clearly defined in the committee charter. The proposals provide guidance on senior management and board oversight responsibilities. Sub-committees of the risk or management committee focusing on specific disciplines — such as for consumer compliance, fair and responsible banking, suspicious activity and transaction reporting, Bank Secrecy Act and AML, and Office of Foreign Asset Control compliance — are the norm. Ultimately, one or more senior management committees must report to the board.
- Peer committees cannot work in silos. Board committees should communicate horizontally to ensure cross-discipline risks are effectively managed and mitigated. For example, the chair of the liquidity committee should be talking to the chair of the risk committee about salient points that come out of meetings. One valuable practice is to ask committee staff to flag prominently in their reports anything they see that might be relevant to other committees. One might think this is happening at the board-level meeting, but that is not always the case.
- Access is important. Compliance executives must have access to senior management and their boards in order to be able to be effective in their roles and in reporting. Having someone else carry the message or having compliance reporting buried in a wide-ranging report is not the optimal method for communicating to the top of the organisation. Chief risk officers need to ensure compliance executives have their face-time with senior executives and the board. While summaries are valuable, crucial reporting details should not be sanitised or shortened in favour of streamlined reporting. It is a balancing act, which leads to the next point.
- Too much or too little. Tailoring the level of reporting to each committee is important in order to prevent under-reporting or, on the flip-side, information overload. Risk specific committees, such as those overseeing fair and responsible banking practices, need to get into the minutiae on the corresponding risks, so they need detailed information and metrics; however, only key risks arising from this area should be reported to the board. Information overload is something that regulators will criticise, because they perceive that when senior management or board committees get too much information, they fail to focus on the key risks. Reporting should be detailed enough for senior management and the board to understand the health of the compliance programme and key risks, while not being so granular as to skew the important information or message the compliance executive needs to communicate. Targeted key risk indicators and key performance indicators are an excellent way to help provide a lens into the crucial aspects of the control environment.
- Become a salesperson. The compliance team can support senior management and the board by helping to create the proper governance structure and reporting to enable them to perform oversight and meet their obligations. Compliance can provide senior management and the board with reporting options that are within the parameters of their oversight roles and on which compliance can deliver. Involving them in the process increases their willingness to buy into the reporting and understand how to interpret it. Equally important is transparency with supervisors. The compliance team must keep them informed and ask them for feedback.
- Self-identified and regulatory issues. Summaries, lists and matrices can be extremely valuable in reporting. The organisation should have a process and procedure for consolidating and reporting in a cohesive manner for the entire organisation on self-identified issues through first, second and third line of defence operational processes, self-assessments and testing, as well as regulatory issues such as matters requiring immediate attention and matters requiring attention (MRIAs and MRAs). It is also important that target dates are monitored by the appropriate committees and that any overdue corrective actions are justified by a sound rationale. Corrective action timelines may need to be extended; however, the original target dates cannot be changed. Finally, the Fed proposal contains specific requirements for regulatory issues that constitute sound oversight practice. Even before the proposal is adopted, compliance professionals should be familiar with these provisions.
- Self-assessment. Boards should maintain a robust self-assessment process. The self-assessment should not simply be a check-the-box exercise, but rather a critical look in the mirror at the effectiveness of the board and the qualifications of board members.
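The issue-tracking rule in the 'Self-identified and regulatory issues' point above (target dates may be extended, but the original date must never be overwritten, and every extension needs a documented rationale) is easy to state and easy to get wrong in a spreadsheet. The following is an added example, not code from the article or from Treliant, of how a small issue record can enforce that rule. The field names, the committee names and the sample issues are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Extension:
    """One approved extension of a corrective-action target date."""
    new_target: date
    rationale: str
    approved_by: str  # assumed: the committee that approved the extension


@dataclass
class Issue:
    issue_id: str          # assumed identifier scheme, e.g. "MRA-2018-01"
    source: str            # "MRIA", "MRA", "self-identified", "audit", ...
    original_target: date  # set once at creation and never modified
    extensions: List[Extension] = field(default_factory=list)
    closed_on: Optional[date] = None

    @property
    def current_target(self) -> date:
        """The latest approved target; the original if never extended."""
        return self.extensions[-1].new_target if self.extensions else self.original_target

    def extend(self, new_target: date, rationale: str, approved_by: str) -> None:
        """Record an extension. The original target is left untouched; the
        extension is only accepted with a non-empty rationale and a later date."""
        if not rationale.strip():
            raise ValueError("an extension requires a documented rationale")
        if new_target <= self.current_target:
            raise ValueError("an extension must move the target date later")
        self.extensions.append(Extension(new_target, rationale, approved_by))

    def is_open(self) -> bool:
        return self.closed_on is None

    def is_overdue(self, as_of: date) -> bool:
        return self.is_open() and as_of > self.current_target

    def is_past_original(self, as_of: date) -> bool:
        """True when the issue is still open beyond the date first committed to,
        even if an extension makes it 'not overdue' against the current target."""
        return self.is_open() and as_of > self.original_target


def extension_rejected(issue: Issue, new_target: date, rationale: str, approved_by: str) -> bool:
    """Helper for checks: True if the extension was refused by the rule above."""
    try:
        issue.extend(new_target, rationale, approved_by)
        return False
    except ValueError:
        return True


def committee_summary(issues: List[Issue], as_of: date) -> Dict[str, int]:
    """Counts a committee pack would show: open, overdue against the current
    target, extended at least once, and open past the original target."""
    open_issues = [i for i in issues if i.is_open()]
    return {
        "open": len(open_issues),
        "overdue": sum(i.is_overdue(as_of) for i in open_issues),
        "extended": sum(bool(i.extensions) for i in open_issues),
        "past_original": sum(i.is_past_original(as_of) for i in open_issues),
    }


if __name__ == "__main__":
    # Constructed sample issues, not real findings.
    mra = Issue("MRA-2018-01", "MRA", date(2018, 3, 31))
    mra.extend(date(2018, 5, 31), "vendor data feed for testing delayed", "Risk Committee")
    self_id = Issue("SI-2018-07", "self-identified", date(2018, 4, 15))
    print(committee_summary([mra, self_id], date(2018, 4, 30)))
```

The point of separating `is_overdue` from `is_past_original` is that a committee pack which reports only the former hides how far an issue has drifted from the date first promised; the original target survives every extension and can always be reported beside the current one.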
Almost every report starts with data. The banking organisation’s executives and board are relying on compliance to provide data-driven information they need to make decisions on compliance risk management. Data quality is crucial, because invalid data and assumptions can lead to incorrect decisions. Flawed decisions, in turn, lead to financial losses and regulatory consequences.
Model governance and model validation underpin data quality and the tools that use the data. Model governance is the framework for overseeing the bank's use of tools and data, including making sure that only authorised persons can change data parameters. Validation is the process of determining whether the models are performing as intended. Maintaining a list of all the models in use and documenting assumptions, calculations, data sources and business uses is a best practice.
Most banks have some level of outsourcing and the list of regulatory guidelines affecting third-party vendors has grown steadily. Depending on the activities each vendor performs, the guidelines that apply to them will vary, making it challenging to centralise oversight. Whether oversight responsibilities are centralised or delegated to lines of business, banking organisations must have a coherent and effective vendor management programme to make sure all vendors adhere to rigorous standards, including their handling of bank and customer data. The head of the banking organisation’s vendor management programme is an important partner to the compliance department. Time is well spent by undertaking a cooperative effort to maintain a vendor inventory, ensure appropriate contracts are in place, and develop vendor performance scorecards that reflect business goals, client experience, and risk and compliance considerations.
ADVOCATE FOR THE COMPLIANCE TEAM
Compliance departments are often viewed as revenue drains. This is unfortunate, because a properly positioned compliance department can be a revenue protector. Banking organisations that have an effective compliance risk management framework in place can mitigate regulatory and reputational risk that otherwise could materially affect revenue.
Selling the compliance department is an important aspect of managing it. Staffing is a large expense for any organisation. It is not surprising that management would expect solid justification before authorising new positions and filling vacancies, or even maintaining existing staff levels. Compliance officers do not always have experience in building the business case for adding resources, but they can learn effective methods for doing this. Just as salespeople have metrics to manage their books of business, compliance departments need metrics on work volume to ensure that senior management and the board fully understand the work they are engaged in to manage compliance risk and their staffing needs.
Metrics are also valuable in discussions with regulators to assure them that the compliance department is covering the appropriate compliance risks and is appropriately staffed. There are several methods for reporting compliance staffing needs to management and the board, but the best method is to follow a time-based approach. Every audit has a list of staff assigned along with the hours required to complete the testing assigned to them; tradespeople price their jobs based on time to complete. These approaches can be adopted by compliance.
Management and board reporting metrics can be used by a compliance officer for managing their department productivity, too, in addition to providing important data on staffing and training needs. Metrics can be manual or system-driven. Most manual information will be derived from hours spent by compliance staff on work related to policy, procedure and process work. Most system-driven information will be derived from tools used by the compliance department. For example, AML case management tools can be used to track alert review times.
WHAT TYPE OF REPORTING MAKES SENSE?
Interactive risk dashboards have become state of the art in compliance and risk management reporting, and with good reason. The goal of reporting is to capture relevant information and data that executives and directors can use to make decisions. In other words, effective reporting should foster insight. Risk dashboards work by harnessing tools and technology to make data visual. Through data visualisation, compliance professionals can help decision-makers grasp difficult concepts, observe patterns, and make informed choices.
But what goes into a dashboard? Straight narrative is dense and is therefore the least efficient way of presenting reports to a busy board and management team; however, a jumble of charts with no words to knit them together is not much better. Effective dashboards integrate text, images and numbers, containing enough explanatory text to help the reader understand what they are seeing.
Uncluttered design helps make a dashboard useful. The data visualisation pioneer, Edward Tufte, introduced the term 'chart-junk' to describe the 'graphic paraphernalia' such as over-busy grid lines and excessive data points that can hinder, rather than aid, comprehension of statistical reports. [12] In developing dashboards, compliance professionals should strive to include data that have a specific purpose and convey facts more effectively than a basic tabular or narrative format.
Heat maps — which use colour to show activity — can be very useful. In AML, they are commonly used to track the number and aging of alerts and cases and the number and type of suspicious activity reports (SARs) filed. In lending, they are frequently used to track delinquencies.
There is, unfortunately, no one-size-fits-all approach to reporting. Financial institutions are not all cut from the same cloth, so their business models and experience must be factored into their reporting systems. The breadth and scope of reporting required of a particular institution will depend on factors such as the specific laws, regulations and guidance to which it is subject, its unique mix of business activities and the existence of any enforcement actions. For example, it is expected that senior management and the board will receive some level of information on SARs, but how much will vary widely depending on the bank's client profile.
Striking the right balance — providing enough detail, but not too much — is a perennial challenge. One way to crack the code is to focus on two broad categories: ongoing key risks and outlying risks. Report findings should be linked to the company’s risk tolerance measures. For example, what would it take for a key performance indicator or a key risk indicator to turn red? That information can be calculated and worked into the financial institution’s metrics.
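The two ideas above, an AML alert-aging heat map and a key risk indicator whose 'turn red' point is calculated in advance from the risk tolerance, share the same underlying arithmetic. The following is an added example, not code from the article or from Treliant, that builds the aging table per operating unit and then answers the question the paragraph poses: given the current backlog, how many more days without closures until the indicator crosses the red line. The alert data, the unit names, the aging buckets and the amber/red tolerance percentages are all constructed assumptions; a real bank's tolerance measures would come from its risk appetite statement.

```python
from datetime import date
from typing import Dict, List, NamedTuple, Optional


class Alert(NamedTuple):
    alert_id: str
    unit: str      # assumed: the investigations team holding the alert
    opened: date


# Constructed sample of open AML alerts as of 31 March 2018 (not real data).
AS_OF = date(2018, 3, 31)
ALERTS: List[Alert] = [
    Alert("A-1001", "A", date(2018, 3, 28)),
    Alert("A-1002", "A", date(2018, 3, 25)),
    Alert("A-1003", "A", date(2018, 3, 20)),
    Alert("A-1010", "A", date(2018, 3, 29)),
    Alert("B-2004", "B", date(2018, 3, 10)),
    Alert("B-2005", "B", date(2018, 3, 5)),
    Alert("B-2006", "B", date(2018, 2, 20)),
    Alert("C-3007", "C", date(2018, 2, 10)),
    Alert("C-3008", "C", date(2018, 3, 18)),
    Alert("C-3009", "C", date(2018, 3, 2)),
]

# Aging buckets for the heat map: (low_days, high_days or None, label). Assumed.
BUCKETS = [(0, 7, "0-7d"), (8, 14, "8-14d"), (15, 30, "15-30d"), (31, None, ">30d")]
OVER_30_DAYS = 31  # an alert counts as 'over 30 days' from its 31st day open

# KRI: share of open alerts older than 30 days. Thresholds are whole percentages,
# kept as integers so the comparison is exact. Assumed tolerance values.
AMBER_PCT = 15
RED_PCT = 25


def alert_age_days(alert: Alert, as_of: date) -> int:
    return (as_of - alert.opened).days


def age_bucket(days: int) -> str:
    if days < 0:
        raise ValueError("alert opened after the reporting date")
    for low, high, label in BUCKETS:
        if days >= low and (high is None or days <= high):
            return label
    raise AssertionError("buckets must cover every non-negative age")


def aging_heat_map(alerts: List[Alert], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-unit counts in each bucket; every cell present so zeros render too."""
    labels = [label for _, _, label in BUCKETS]
    table: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        row = table.setdefault(a.unit, {label: 0 for label in labels})
        row[age_bucket(alert_age_days(a, as_of))] += 1
    return table


def kri_status(alerts: List[Alert], as_of: date):
    """Returns (colour, over_30_count, total) for the aged-alert KRI."""
    total = len(alerts)
    over = sum(alert_age_days(a, as_of) >= OVER_30_DAYS for a in alerts)
    if total and 100 * over >= RED_PCT * total:
        colour = "red"
    elif total and 100 * over >= AMBER_PCT * total:
        colour = "amber"
    else:
        colour = "green"
    return colour, over, total


def days_until_red(alerts: List[Alert], as_of: date) -> Optional[int]:
    """Days until the KRI turns red if nothing is closed and nothing new arrives.
    0 if already red; None if the red threshold cannot be reached at all."""
    total = len(alerts)
    # Smallest count with 100*count >= RED_PCT*total, in integer arithmetic.
    needed = (RED_PCT * total + 99) // 100
    if needed == 0:
        return 0
    if needed > total:
        return None
    ages = sorted((alert_age_days(a, as_of) for a in alerts), reverse=True)
    # The backlog goes red the day the 'needed'-th oldest alert reaches 31 days.
    return max(0, OVER_30_DAYS - ages[needed - 1])


if __name__ == "__main__":
    for unit, row in sorted(aging_heat_map(ALERTS, AS_OF).items()):
        print(unit, row)
    print(kri_status(ALERTS, AS_OF), "days until red:", days_until_red(ALERTS, AS_OF))
```

With the constructed backlog the indicator sits at amber (2 of 10 alerts over 30 days) and crosses red in two days if no alert is closed; that forward-looking number, rather than the colour alone, is what a committee needs in order to act before the threshold is breached.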
Utilising the information in reports can also help financial institutions track their staffing needs. For corporate compliance programmes and compliance management systems, metrics such as number of proposed and new laws published, number of meetings attended and number of policies or procedures revised, with relevant time frames noted, are a valuable tool. Tracking these items is a way to tally the work conducted by the compliance department and to calculate the staffing needs to support the work.
Compliance professionals have often been caught in the middle as expectations evolve regarding the appropriate role of boards of directors. As board responsibilities are recalibrated, the compliance department too must strike a new balance by rethinking how much board reporting is appropriate and necessary, and how it can best be delivered. And compliance must redouble its efforts to ensure that its reporting is tested for accuracy and validity.
Being effective at a time of change requires effort, dedication, and flexibility. Compliance professionals can thrive in this environment by adhering to a few priorities:
- Monitor and understand regulatory change. Compliance professionals should familiarise themselves with the Fed proposals and help their board and senior management understand the potential impact, positive or negative. Make the board and senior management aware of the changes, so they understand the crucial nuances between the board and senior management responsibilities. Start discussing actual reporting by offering thoughts on scope and form, and asking for their expectations. Continuously assess board reporting effectiveness. Do not stagnate.
- Start talking to examiners now about how they might apply the new guidelines once they are adopted. This is the best time for compliance professionals to check whether they are in sync with their supervisors’ line of thinking and share their own observations. It is entirely appropriate to share professional observations on how the banking organisation is preparing and ask for feedback. Banking organisations can show examiners their new reporting packages and ask for feedback. Most examiners will be pleased to be part of the process as it will make their jobs easier in the long run.
- Periodically assess the governance structure, the responsibilities of each committee and reporting to each committee. Consider whether the structure is effective in covering the risks of the organisation and that the scope of reporting to each committee is commensurate with the needs consistent with its charter. Think about the organisation as a pyramid, with reporting becoming more concise and focused when it is intended for the top tiers.
- Manage the compliance department through metrics. Identify information and data that are available in order to track workload, productivity and resource needs. Every compliance department inevitably has to go to senior management for either additional staffing or to defend staffing levels. Workload metrics are powerful in supporting staffing needs, particularly when productivity factors are tied to them.
- The work is not over once a compliance department has built a governance structure, identified reporting needs, built reports and used reports to keep the various governance committees informed. Source data for reporting must be tested regularly for accuracy, validity and relevance. If data integrity is flawed, flawed decision-making is inevitable. Remember: garbage in, garbage out.
There are many ways for compliance professionals to be effective in reporting to senior management and boards regarding the health of compliance programmes. Right-sizing management and board reporting is important to an effective governance structure. Helping senior management and boards to navigate the various options available to them will provide for a more compliance-intelligent senior management and board. The goal should be to provide the right level of information, nothing more or less.
Notes and References
(1) Committee of Sponsoring Organizations of the Treadway Commission (COSO) (March 2012) ‘Enhancing board oversight: Avoiding judgment traps and biases’. COSO is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
(2) Federal Reserve Board, Supervisory Letter SR 08-8, 16th October, 2008. While this letter applies to compliance risk management programmes and oversight at large banking organisations with complex compliance profiles, institutions of all sizes can use the guidance for their framework.
(3) United States Sentencing Commission, Organizational Sentencing Guidelines. These guidelines are used by US law enforcement (eg, the Department of Justice) in determining fines and penalties in the prosecution and sentencing of public and private organisations.
(4) Federal Register, Vol. 82, No. 152, pp. 37219–37227, 9th August, 2017. This guidance provides more detailed guidance on board oversight expectations.
(5) Federal Register, Vol. 83, No. 8, pp. 1351–1362, 11th January, 2018. This guidance provides more detailed guidance on risk management expectations in general and provides additional colour to the board oversight expectations enumerated in the guidance of 9th August, 2017.
(6) Federal Register, Vol. 79, No. 176, pp. 54518–54549, 11th September, 2014. ‘Credible challenge’ is the fifth expectation identified.
(7) US Treasury Department (June 2017) ‘A financial system that creates economic opportunities: Banks and credit unions’.
(8) Federal Register, Vol. 82, No. 152, p. 37219, 9th August, 2017.
(9) Morgenson, G. (2017) ‘The Fed wants to make life easier for big-bank directors’, The New York Times, 11th August.
(10) Chiarito, B. (2017) ‘Fed’s Powell says new rules for bank directors don’t lower the bar’, Reuters, 30th August.
(11) Heltman, J. (2018) ‘Fed details planned changes to large banks’ risk management,’ American Banker, 5th January.
(12) Tufte, E. R. (1983) The Visual Display of Quantitative Information (Graphics Press, Cheshire, CT) is a classic book on statistical graphics, charts and tables, and the first of four volumes in a series.
As appeared in Journal of Financial Compliance