Thoughts from Compliance Week '09 Day 1
Compliance Week remains the highlight of GRC events throughout the year. As one Tweet states at the beginning of the conference: “dougcorneliusStarting the “Davos” of compliance.”
Sure there are many events I enjoy for networking and catching up with others. However, Compliance Week is one of the few events I attend that actually stretches me intellectually. This has a lot to do with the format. I have low expectations for most conferences as vendors have invaded and product pitches remain the same. Compliance Week remains one of those conferences that holds vendors at bay and requires practitioners to present (though vendors may present alongside practitioners). Granted, there is an occasional presentation that is a poorly disguised product pitch – according to the Twitter traffic (#CW2009) this is the case with Oracle co-presented session Proactive Risk and Compliance Strategies for Uncertain Times (NOTE: I did not attend this session).
Much of the general conference discussion focused on the value of risk management and control in difficult economic times. There was also a lot of discussion taking place on Senator Schumer’s (D-NY) Bill S.1074 which would require new corporate governance standards involving a board risk committee to oversee the establishment and evaluation of risk management in the organization.
Other thoughts and perspectives I noted throughout the day . . .
- SEC Commissioner Louis Aguilar’s opening keynote was thought provoking on The Regulatory Agenda was thought provoking. While supporting regulatory reform and a new financial regulation I also saw caution in too quickly consolidating the 5 U.S. financial regulators that are specialized and focus. Rolling things up without proper forethought may cause regulatory oversight to become too generic. How do we strike the right balance of regulatory oversight remains a common thought with me as I pondered the presentation. Consider Commissioner Aguilar’s statement “Government currently helps keep us safe from things like exploding toasters but not from disastrous mortgages.”
- The Paisley and Computershare session Implementation Case Study—Embracing a Common, Integrated Approach to Audit, Risk and Compliance was a good overview of the value in times of economic turmoil that integrated GRC processes deliver efficiency and support collaboration. In fact, much of the conference chatter was focused on value and return from solid risk and compli
ance processes. - PricewaterhouseCoopers and Schering Plough did an excellent session on privacy – Integrated Compliance Frameworks for Privacy, Security and Identity Theft Prevention. However, from my experience most corporate compliance departments do not pay enough attention to privacy. Privacy has grown in stature within many organizations, but it still plays second fiddle to other compliance and risk issues in most firms I come across. My prediction is that we will continue to see privacy compliance concerns grow over the next few years as well, as risk from litigation and brand damage, that will bring privacy to a more prominent role in corporate compliance programs. The presenters advocated a build a program to the highest common denominator – which is much like the 80/20 perspective that I have recommended in building a baseline that gets you most of the way their across jurisdictions and realize there will be some areas of the world where exceptions abound and privacy is managed differently in some aspects. PwC also promoted an integrated framework for privacy – however still more discussion needs to be had on integrating the integrated frameworks with a common backbone (or Rosetta Stone) such as OCEG’s Red Book 2.0.
- The Starting an ERM Program from Square One session presented by Eastman Kodak was a good risk management starter kit. I would state, from the presentation, that Eastman Kodak has implemented a slightly above average ERM program. Say a 3.25 on a maturity scale of 1 to 5. The missing element is a focus on value of ERM and alignment of risk management to corporate performance management. Too many ERM programs miss the mark as they are focused on avoiding the nasty and fail to realize that organizations take risk all the time to make money. Maximizing return and optimizing corporate value is what the most mature ERM programs are about. The presentation did a good job at pointing out the drivers for ERM including: NYSE listing requirements, SEC disclosures, Standard & PoorsERM evaluations, USSC requirement for risk assessment for potential wrong doing, insurance impact, as well as fiduciary obligations.
- The final session I attended of Day 1 was the KPMG and Office Depot session on Tone at the Top and In the Middle—Enhancing Regulatory Compliance through Your ERM Program. This was the best non-keynote session of the day. It provided the most mature view of ERM with a focus on value and impact on corporate objectives and performance. It was then brought to a practical compliance point by showing FCPA compliance through an ERM perspective.