Waking Up To Compliance Risk
Do you know what your legal exposure is?
application of controls can be high, medium, or low. High risks have the potential to result in significant exposure to regulatory fines and penalties, costly business impacts, or significant damage to reputation. High risks require immediate action. Medium risks have the potential to result in serious but limited exposure to regulatory, business, or reputational injury. Medium risks require close attention. Low risks have the potential for a modest regulatory, business, or reputational impact and therefore require only routine action. However, low risks should not be ignored. A low residual risk can become a medium or high risk over time, which is why these risks need to be reviewed periodically and appropriate action taken when the rating changes.
3. Manage Identified Risks
After compliance risks have been identified and prioritized, the effectiveness of the control environment needs to be tested by subjecting controls to hypothetical yet plausible risk scenarios to determine whether they are robust enough to manage a range of risk variations. Scenario analysis assesses the effectiveness of internal controls in managing risk variations caused by one or more events, e.g., a blackout or volatile spot-market prices.
The results of this analysis will support a determination of whether compliance risks are being managed properly through the available approaches: risk avoidance, or risk acceptance coupled with mitigation (e.g., training, internal controls). If there is a high probability that a risk activity will result in a severe compliance violation, a company likely will avoid the activity altogether. However, most risk activities are managed through internal controls designed to prevent violations of law (e.g., separation of duties and functions minimizes conflicts of interest; a management information system that ensures transparency in reporting reduces the incidence of fraud and misstatement in financials; ethics training drives integrity in decision making).
4. Audit and Monitor Control Effectiveness
Organizations must audit and monitor the internal controls put in place to prevent and detect violations of law. The separation of functions between the departments that develop controls (business-process owners) and the departments that audit controls is critical to validating the effectiveness of those controls. Internal audit departments must periodically evaluate the effectiveness of compliance controls, which includes developing protocols for periodically testing them. Internal audit departments also must regularly review exception approvals by type and frequency when determining the effectiveness of policies and mitigating controls. For example, waiving conflict-of-interest rules to allow senior executives to hold a stake in an off-balance-sheet entity that does business with the company could weaken controls designed to safeguard company assets and business opportunities and to protect against fraud and other improper activities.
In addition to internal audit departments, various other departments also audit and monitor compliance with internal controls. For example, law departments audit and monitor for violations of law in business areas they counsel. Likewise, human-resource departments audit and monitor for violations of various employment laws.
Business-process owners responsible for internal controls need to be held accountable for keeping controls up to date and effective. A control that is effective today could