Thursday, March 28, 2013

Enterprise Risk Management: Captain Kirk Confronts the Final Frontier

When faced with the regulatory mandate to incorporate or improve our organization's enterprise (or enterprise-wide) risk management (ERM) process, we can sometimes feel like a Klingon confronting Tribbles. To succeed with ERM within our organization, we must instead adopt the attitude expressed by Captain James Kirk in the 'Day of the Dove' episode: "There's another way to survive. Mutual trust...and help."

Several years ago, the federal banking regulators set off on a mission to bring Enterprise Risk Management (ERM) to the forefront of financial institution governance expectations. In the ensuing years, state insurance regulators have joined the mission through the National Association of Insurance Commissioners (NAIC) Own Risk and Solvency Assessment (ORSA) model act. The topic continues to get considerable attention in recent regulatory guidance, including Federal Reserve Board (FRB) supervisory letters 12-7 and 08-8. The Federal Reserve Bank of Chicago (FRB-C) devoted considerable attention to the topic at its 2011 conference.

What appeared to be a distant risk management galaxy in the late 1990s has become a governance imperative for financial institutions. As a financial industry executive, you know that you have been charged with the responsibility “to boldly go where no man has gone before.” Much like the voyage of the storied U.S.S. Enterprise, your voyage has taken you to strange new worlds as you have sought to develop or improve your ERM model.

When you have set out to build a robust risk management infrastructure to integrate, coordinate and facilitate forward-looking risk management throughout the enterprise, you invariably have encountered (or will encounter) skeptics. Captain Kirk addressed this challenge in the 'A Private Little War' episode: "The only solution is...a balance of power. We arm our side with exactly that much more. A balance of power...the trickiest, most difficult, dirtiest game of them all. But the only one that preserves both sides."

But make no mistake about it: ERM is not optional and is here to stay. Thus, we often will find ourselves educating senior leadership colleagues and independent directors about ERM, in parallel with obtaining the necessary data to build, enhance, and report upon our ERM model. ERM cannot simply become a once-and-done exercise that ends up in a binder on your credenza.

Building a culture around ERM involves acclimating leadership throughout the organization to a continuous reporting system that identifies and addresses emerging risks. Strategic initiatives and ongoing business planning are evaluated in light of current and emerging risks, and that analysis is incorporated into leadership and board decision-making. ERM becomes a discussion item on at least a weekly basis within the leadership team, and a standing agenda item for your board, often through an ERM committee. Reports are designed to be condensed, accurate and meaningful for decision-making.

Internal Audit and Compliance play key roles in the ERM process. The periodic review and validation of the model through targeted risk assessments must be conducted under the direction of the organization’s senior leadership to support the organization’s risk appetite.

Occasionally, Captain Kirk and his officers would find themselves enmeshed in a scene from Earth's pre-space-travel history, yet the episode always ended with our beloved travelers safely back aboard the U.S.S. Enterprise. As your ERM model and methodology evolve, it is likely that your organization will never return the way it arrived, because external variables will continually find their way into the ERM model. Most notably, your organization’s ERM will remain under the scrutiny of, and subject to the recommendations of, your prudential regulator. There simply is no going back.

Continue to be the evangelist for sound enterprise risk management in your organization, devoting yourself to encouraging, educating and embracing your colleagues as you faithfully fulfill the ERM governance role entrusted to you. Much like Kirk, may you live long and prosper in your role.

Wednesday, March 13, 2013

Forecasting the Digital Future: Avoiding a “Friend Request” from the FTC

The regulatory burden upon corporate social media strategy was further increased when the Federal Trade Commission (FTC) issued its revised .com Disclosures guidelines on March 12, 2013 (http://ftc.gov/os/2013/03/130312dotcomdisclosures.pdf). The original guidelines had been published in 2000, long before “dot com,” “smartphone,” and “social media” became household terms. This highly anticipated revision of the original document had been underway since May 2011, and appears to have been closely timed with the recent FFIEC social media rulemaking.

Guidelines are often drawn from successful FTC administrative actions against violators. While guidelines do not carry the weight of formal law, guidelines do define norms that will often trigger subsequent FTC regulatory investigations, and thus must be regarded by industry within the advertising risk management framework. That being said, the FTC admits that there is no set formula for a clear and conspicuous advertising disclosure. Don’t you relish ambiguity amidst federal regulation and potential for fines?

The FTC reiterates that general principles of advertising law apply online, but new issues arise almost as fast as technology develops, most recently concerning space-constrained screens and social media platforms. No one would deny that most organizations intend for all of their advertising to fairly and accurately portray their products and services.

Complying with advertising law within the four corners of a typical print advertisement or within the storyboards of a video advertisement presents a more limited range of challenges. The digital marketing frontier has introduced a seemingly endless number of complex issues, including the more rapid evolution and retirement of technology hardware and software platforms. For example, many of us have become familiar with the rise of Apple and Android apps, even as app makers have decreased or eliminated the creation of BlackBerry apps.

Against this backdrop, the FTC places the burden of understanding and complying with the technological limitations of burgeoning online and mobile platforms upon the advertiser. Compliance monitoring and periodic internal audits should be embedded into your social media risk management strategy.

The major takeaways from this revised guidance as they apply to social media are:
· The FTC Act’s prohibition on “unfair or deceptive acts or practices” encompasses online advertising, marketing, and sales.
· Required disclosures must be clear and conspicuous.
· If an ad is viewable on a particular device or platform, any necessary disclosures should be sufficient to prevent the ad from being misleading when viewed on that particular device or platform.
· If a particular platform does not provide an opportunity to make clear and conspicuous disclosures, then that platform should not be used to disseminate advertisements that require disclosures.

The prescriptive and restrictive nature of the FTC’s guidance requires advertisers to develop and test advertisements across the rapidly evolving landscape of mobile devices, including tablets and smartphones. Ignorance of emerging technologies will provide no corporate defense in an FTC-initiated action, in light of the explicit expectations expressed in the March 2013 guidelines.

The guidelines are well-written and provide a robust appendix of sample advertisement do’s and don’ts. But social media strategists will need to maintain a constant technological vigilance as new web-enabled technologies come to market. Otherwise, don’t be surprised if you receive a “Friend Request” from a new friend at the Federal Trade Commission and learn an entirely new definition of “clear, conspicuous, and proximate”.

Wednesday, March 6, 2013

Strength and Sustainability: Collaborative Compliance Amidst Complexity

I simply do not have all of the answers. There, I have said it.
My simple statement sums up the collective admission of Compliance, Audit and Ethics professionals globally. The annual proliferation of domestic and international regulatory requirements continues to proceed at an ever-increasing rate. Whereas only a decade or two ago a chief compliance officer might have understood the details of every regulatory responsibility within his or her realm, many of us have now grown accustomed to relying upon specialized colleagues to identify the details of specific branches within our own compliance universe. At least two easily recognizable trends have led to this reality: global commerce and systemic failure.
Global commerce has both driven and benefited from technological and economic advances throughout history. Progressing beyond the steamships that replaced clipper ships, the internet built upon the initial success of the transoceanic cables laid long ago. While local trade rules and customs remain, the international Law of the Sea has been joined by International Free Trade Agreements and transcontinental legal structures, most notably the European Union, where supranational legal structures both supplant and co-exist with domestic laws and regulations.
Systemic failures that have led to financial crises within nations as diverse as Greece, Ireland, Japan and the United States have resulted in the now-familiar remedies of International Monetary Fund austerity measures, the Third Basel Accord, and the Dodd-Frank Wall Street Reform and Consumer Protection Act, to name a few examples. Regulators have sought to eliminate the pathways to fraud, largesse and market manipulation widely blamed for the global crises by promulgating lengthy and complex regulatory solutions.
Compliance professionals who once may have laid claim to comprehending and administering compliance programs spanning an entire continent or nation now face a level of regulatory complexity that makes such independent mastery unattainable. Even for those of us who oversee primarily domestic compliance programs, international influences are now omnipresent in Dodd-Frank, the Bank Secrecy Act, the FCPA and the U.K. Bribery Act of 2010.
At the end of the day, Compliance, Audit and Ethics professionals are exactly that—professionals. We do not simply throw our hands up and decry the unfairness of increasingly complex regulatory requirements. True to our nature, we seek to understand as much as possible about our responsibilities to fulfill those compliance requirements in conjunction with our organization’s core mission and objectives. But our inquiries and information gathering must extend beyond our own individual knowledge and planning. Today’s increasingly complex regulatory environment requires us to collaborate with colleagues both within our organizations and beyond.
I would propose that now is the time to build stronger, more sustainable Compliance Programs through intelligent collaboration. It must not be viewed as a sign of ignorance or laziness when we humbly and actively partner with fellow Compliance, Audit and Ethics professionals to ascertain best practices. Likewise, we must continue to embrace the business line leaders within our own organizations to build collaborative compliance solutions that fulfill our regulatory responsibilities without unnecessarily impeding daily operations and long-term strategies.
Effective Regulatory Compliance…we may not each be able to do it alone, but we can certainly do it more constructively together.