risk management Archives - Compliance Chief 360
https://compliancechief360.com/tag/risk-management/
The independent knowledge source for Compliance Officers

OCC Eliminates Reputation Risk Examinations for Banks
https://compliancechief360.com/occ-eliminates-reputation-risk-examinations-for-banks/
Thu, 27 Mar 2025 21:27:08 +0000

The Office of the Comptroller of the Currency announced that it will no longer examine banks for reputation risk and is removing references to reputation risk from its Comptroller’s Handbook booklets and guidance issuances. This move comes at a time in which the OCC has received complaints about the examination’s subjectiveness and misuse.

The OCC said that it has directed its examiners and staff to cease screening banks for reputation risk, which refers to the risk that scandals or other negative publicity could emerge and harm a bank’s business. The OCC expressed its disagreement with the examination because it placed too much judgmental and discretionary power in the hands of the examiners. Instead, it believes that more focus should be placed on more “transparent risk areas.”

“The OCC’s examination process has always been rooted in ensuring appropriate risk management processes for bank activities, not casting judgment on how a particular activity may fare with public opinion,” said Acting Comptroller of the Currency Rodney Hood. “The OCC has never used reputation risk as a catch-all justification for supervisory action. Focusing future examination activities on more transparent risk areas improves public confidence in the OCC’s supervisory process and makes clear that the OCC has not and does not make business decisions for banks.”

The OCC believes that eliminating reputation risk examinations will maintain strong risk management as well as fair customer treatment. The agency expects that removing such a risk assessment will ensure transparency and accountability within the OCC’s operations. According to the agency, limiting subjectivity in the examination will enable the OCC to create a more effective regulatory environment.

OCC’s Move Receives Support From Banking Industry

This move has received much support from the banking industry. Financial Services Forum President and CEO Kevin Fromer called the OCC’s actions an “important step to create a more transparent and effective regulatory environment.” Greg Baer, president and CEO of the Bank Policy Institute, added support for the agency’s actions, stating: “Bank exams should be transparent and grounded in objective legal standards. This marks meaningful progress in refocusing oversight on material financial risk, rather than reputational risk, operational risk, corporate governance, vendor management and other matters that do not pose a material threat to safety and soundness.”

The OCC emphasized that while it is removing an aspect of the examination it will continue to regulate in a strict and efficient manner. “The removal of references to reputation risk from OCC handbooks and guidance issuances does not alter the OCC’s expectation that banks remain diligent and adhere to prudent risk management practices across all other risk areas,” according to its press release. “The OCC expects to complete its efforts to update its public documents in the coming weeks.”


Jacob Horowitz is a contributing editor at Compliance Chief 360°

Managing Risk and Compliance in Third-Party Relationships
https://compliancechief360.com/managing-risk-and-compliance-in-third-party-relationships/
Thu, 16 Jan 2025 15:39:26 +0000

Third-party risk is becoming increasingly expansive as organizations rely on a burgeoning network of external vendors to operate.

The current environment of heightened third-party software attacks and subsequent legislative response is elevating third-party risk management (TPRM) as an organizational priority. Modern organizations are increasingly focused on managing business risk to foster resiliency and trust; however, much of the risk that an organization contends with is not internal but stems from third-party relationships.

Research by the IDC found that third-party risk management is among the top considerations for strategic organizational risk management, ranking fourth in their Future of Trust Survey, behind IT security, data privacy, and operational risk. However, failure to secure third-party relationships can directly impact these other three areas.

Learn more about this emerging risk landscape, the results of the IDC survey, and what organizations can do to protect themselves in Beyond the Organization: Managing Risk and Compliance in Third-Party Relationships.

CAEs to Face Rising Pressure with the Emergence of AI
https://compliancechief360.com/caes-to-face-rising-pressure-with-the-emergence-of-ai/
Fri, 03 Jan 2025 21:36:36 +0000

With the rise of AI and regulatory uncertainty, Chief Audit Executives (CAEs) are expected to face mounting pressure from the Board to address emerging risks and strengthen mitigation efforts. According to Gartner, a technological research and consulting firm, as AI has emerged as both a valuable business asset and a potential threat, CAEs are pressured by the board to provide assurance over risk management.

“2025 brings more high-profile risks and opportunities that are driving growing board focus on risk management, so CAEs need to be sure they are effective in helping the audit committee (AC) discharge its risk oversight responsibilities,” said Margaret Porter, Chief of Research in the Gartner Assurance Practice.

Most of the time, CAEs get less than 30 minutes with audit committees and must therefore make the most of their limited time. During these meetings, CAEs should prioritize highlighting risk trends, root causes, and systemic governance issues. They can hand out supplemental materials to provide the background information.

AI Risks

According to Gartner, AI risks can take on many forms, including behavioral risks, transparency risks, and security and data risks:

  • Behavioral risks are related to the ways algorithms and IT systems can misbehave in their performance, such as by creating inaccurate or biased results, providing outdated information or not complying with scoping requirements.
  • Transparency risks are related to model explainability and disclosure of AI involvement.
  • Security and data risks are related to the ways in which accidental or intentional leakage or misuse of personal or confidential information can impact the enterprise.

“While most audit leaders accept it is important to cover key AI risks in the next 12 months, less than a quarter feel confident in their ability to do so,” said Porter. “To increase their confidence in providing assurance over complex AI risks, audit should collaborate with assurance partners to assess and prioritize AI risk coverage needs.”

To better support the organization in managing and assessing AI risks, Gartner experts recommend internal audit work with legal, compliance, and risk teams to:

  • Get organized for AI accountability and define enterprise practices
  • Discover and inventory all AI used in the organization
  • Revisit and implement AI data classification, protection and access management
  • Implement technical controls to support and enforce policies
  • Conduct ongoing governance, monitoring, validation, testing and compliance throughout the whole process.

The Complete Guide to Vendor Risk Assessment
https://compliancechief360.com/guide-to-vendor-risk-assessment/
Wed, 20 Nov 2024 21:52:14 +0000

Vendor risk assessment and vendor risk management are crucial aspects of any business, especially in today’s interconnected world.

As companies increasingly rely on third-party vendors for various services and products, it becomes essential to assess and manage the risks associated with these relationships. A robust vendor risk assessment program can help organizations identify potential risks, mitigate them, and ensure the security and compliance of their vendor network. In this comprehensive guide, we will dive deep into the world of vendor risk assessment, covering everything from the basics of vendor risk management to best practices for third-party vendor risk assessments and steps to take in case of a vendor breach.

New Report Identifies Fastest Growing Risks for Companies
https://compliancechief360.com/new-report-identifies-fastest-growing-risks-for-companies/
Thu, 31 Oct 2024 19:42:20 +0000

Digital disruption and climate change have emerged as the two fastest-growing risk areas for organizations across industries, according to a new report.

Based on feedback from more than 3,500 internal audit leaders around the world, global risk levels for digital disruption and climate change are projected to increase 20 percent and 16 percent, respectively, over the next three years, outpacing other risk areas. The research was conducted by the Institute of Internal Auditors’ Internal Audit Foundation for its latest Risk in Focus report.

Despite the growing intensity of these risks, most audit plans do not currently prioritize them, the study found. In fact, neither digital disruption nor climate change was named among the top five areas where internal audit functions allocate the most time and effort, with both ranked in the lower half of audit priorities. Globally, internal audit functions focus predominantly on cybersecurity, governance and corporate reporting, and business continuity, indicating a gap between evolving threats and current areas of attention.

“Our latest research tells us cybersecurity, business continuity, and human capital continue to hold the top three spots in risk ratings. However, respondents anticipate significant changes as risks related to climate change and digital disruption accelerate in the coming years,” said Anthony Pugliese, president and CEO of the IIA. “To ensure both short-term success and long-term sustainability, organizations and their internal audit functions must adapt risk management practices to keep pace with the changing risk landscape.”

Risk in Focus offers a comprehensive view of the current global risk landscape and how it is expected to evolve in the coming years. Because threats are expected to rise steeply for technological advancements and climate change, the 2025 reports focus on leading practices for mitigation of these risks.

Keeping Pace with Digital Disruption

Approximately 39 percent of survey respondents worldwide ranked digital disruption as a top five risk, with that number expected to jump to 59 percent in three years. For North America, these figures are even higher at 48 percent and 70 percent, respectively. Furthermore, respondents worldwide expect digital disruption to rise from the fourth to the second highest ranked risk area in three years.

Artificial intelligence (AI) has introduced new risks to track, especially related to cybersecurity, according to 75 percent of respondents. AI has also impacted many other risk areas, including human capital, fraud, communications, reputation, and more.

AI is a particular focus for internal audit leaders concerning technology-related risks. Specifically, challenges include upskilling and adopting new tools, as well as global disparities in access to and knowledge of emerging technology.

Climate Regulations Driving New Risks

Climate-related risks are currently ranked relatively low, but they are expected to rise substantially soon. About one in four (23 percent) of global respondents view climate change as a top five risk today. However, nearly 40 percent of respondents anticipate it will reach the top five in the next three years, climbing from 13th place to 5th.

Globally, roundtable participants agree that sustainability reporting and compliance requirements are the primary drivers for boards, management, and internal audit functions to allocate resources to climate change. The report revealed significant regional differences in climate-related risk perceptions. For instance, 33 percent of European audit leaders and 30 percent of Canadian audit leaders rate climate change as a top five risk, compared to 9 percent for U.S. audit leaders. Despite the U.S. position, North American respondents expect ratings for climate change as a top 5 risk will double from 13 percent to 27 percent in three years.

“While climate change has long been recognized as a growing risk for organizations, these findings reveal the extent to which climate-related risks are expected to surge in the near term,” said Pugliese. “It is imperative for organizations, stakeholders, and internal audit leaders to objectively assess the short-term and longer-term risks to their organizations beyond basic compliance with regulations.”

Extreme weather can cause supply chain disruptions, higher operational costs, flooding, famine, and more. Some consumers and investors are calling on organizations to implement more sustainability initiatives. These sustainability initiatives, however, must be reported accurately to avoid greenwashing and reputational damage.

Regional Risk Differences

The study also explored regional differences in the risk landscape through roundtables and separate Risk in Focus reports for Africa, Asia Pacific, Europe, Latin America, the Middle East, and North America. These regional reports outline proactive steps that organizations and audit leaders across industries can take today to mitigate threats and embrace opportunities.

Embracing artificial intelligence and emerging technologies will be critical, as well as prioritizing upskilling, technology-oriented training, and recruitment to manage these risks effectively.

“The IIA has strongly advocated for internal audit functions to take a more strategic advisory role to better serve organizations and stakeholders,” said Pugliese. “The Risk in Focus findings underscore the importance of agile collaboration and partnership among internal audit functions, boards, and management to stay ahead of emerging threats and improve understanding of potential risk exposures.”

7 Steps to Incorporate Continuous Monitoring in Your Compliance Program
https://compliancechief360.com/steps-to-incorporate-continuous-monitoring-in-compliance/
Mon, 28 Oct 2024 20:58:44 +0000

With risks constantly changing and driving new compliance requirements, compliance programs must be able to respond to changes with agility. This highlights the importance of incorporating a continuous monitoring approach.

NIST defines continuous monitoring as: “Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This enables an organization to quickly pivot and respond strategically as new compliance requirements come into scope. Compliance programs are often developed with short-term goals in mind; for example, complying with an industry standard. However, compliance is not stagnant. Without scalable policies and procedures in place, no matter how well-conceived your program is, decentralization will ultimately hinder the growth and scalability of your program as time goes on.

A strong continuous monitoring foundation can help enable an organization to pivot as new requirements come into scope. Learn seven steps to incorporate continuous monitoring into your compliance program at any stage, including a checklist of key metrics to track.

Are Your GRC Frameworks Future-Proof?
https://compliancechief360.com/are-your-grc-frameworks-future-proof/
Tue, 01 Oct 2024 21:02:05 +0000

Emerging Trends in Governance Risk and Compliance

Gartner predicts that by 2025, over 50% of major enterprises will use AI and machine learning to perform continuous regulatory compliance checks, up from less than 10% in 2021. This illustrates how dynamic the current GRC landscape is and how vigilant teams must be to prepare for further shifts.

This report presents the key trends in GRC for 2024, highlighting the dual need to adapt to rapidly changing regulations while maintaining the highest standards of ethical conduct across industries.

The emphasis this year is on several pivotal areas: the impact of Artificial Intelligence (AI) on regulatory and ethical frameworks, increased demands for data privacy and protection, and the expanding scope of Environmental, Social, and Governance (ESG) criteria. Each of these areas presents distinct challenges and opportunities for GRC professionals, demanding new approaches to secure.

As organizations prepare to tackle these challenges, the report aims to equip GRC professionals with the knowledge and tools needed to navigate the complexities of the modern regulatory and operational environment. In this report, you’ll learn:

  • AI in GRC: Its impacts, challenges, and the road ahead
  • GRC in the new data privacy landscape
  • The expanding reach of ESG and sustainability in GRC
  • Data-driven compliance as the new foundation in GRC
  • The close relationship between compliance and cybersecurity
  • Ways to maintain compliance in a remote workplace

SEC Launches Cross-Agency Enforcement Council
https://compliancechief360.com/sec-launches-cross-agency-enforcement-council/
Tue, 23 Jul 2024 15:49:00 +0000

The Securities and Exchange Commission’s Division of Enforcement launched the Interagency Securities Council (ISC), which will enable federal, state, and local regulatory and law enforcement professionals to meet quarterly to discuss the latest in scams, trends, frauds, and mitigation strategies.

The ISC’s objective is to strengthen the cohesion between federal, state, and local agencies, enhance opportunities to collaborate on cases to protect investors, provide insight and guidance across the ecosystem to those who may not frequently operate in this space, and create an outlet to combat financial fraud.

The ISC launched with representatives from more than 100 departments and agencies, including federal agencies, state offices of attorneys general and state police, and local police departments and sheriff’s offices.

“The Interagency Securities Council will help front line investigators stay abreast of emerging threats and fact patterns to protect their communities from securities fraud, while supporting the efforts of federal, state, and local law enforcement partners across the country,” said Gurbir Grewal, Chair of the ISC and Director of the SEC’s Division of Enforcement.

“As financial frauds become more complex, investors benefit from the government – at all levels – working together and sharing information to protect and inform the public,” said Cristina Martin Firvida, the SEC’s Investor Advocate.

About the Interagency Securities Council

The ISC is open to law enforcement and regulatory agencies, and members participate in discussions with experts on emerging threats, hear from investigators conducting and supervising investigations, and explore case study examples of agencies employing innovative approaches to combat financial fraud. The ISC also serves as an opportunity to connect and share information with the larger law enforcement community that less frequently deals with securities law violations, such as police/sheriff departments and tribal- and military-community law enforcement.

Citi Fined by OCC and Federal Reserve for Risk Management Failures
https://compliancechief360.com/citi-fined-by-occ-and-federal-reserve-for-risk-management-failures/
Mon, 15 Jul 2024 19:06:56 +0000

The Office of the Comptroller of the Currency and the Federal Reserve fined Citigroup and its subsidiary, Citibank, $136 million for violating the risk management remediation benchmarks set by a 2020 enforcement action. The OCC fined Citibank $75 million and the Fed fined the bank $61 million.

The penalties resulted from Citi’s failure to resolve its “longstanding” risk management, data governance and internal controls deficiencies at the bank. The OCC said Wednesday that Citi failed “to meet remediation milestones and make sufficient and sustainable progress towards compliance with the 2020 order,” adding that it has amended the order “to ensure Citibank prioritizes the remediation work, including through the allocation of sufficient resources.”

In 2020, the OCC stated that Citi’s risk management policies and internal safeguards had been insufficient for a bank of its size and complexity for several years. The agency also criticized the bank’s senior leadership for providing “inadequate” oversight to ensure these issues were promptly addressed.

The OCC identified shortcomings in Citi’s infrastructure for risk control, data management, and compliance, noting that these flaws had, in some instances, “contributed to violations of law and regulations.” In the two years leading up to the 2020 enforcement action, the OCC fined Citi tens of millions of dollars for issues related to fair lending, flood insurance, and foreclosure holdings.

Citi CEO Jane Fraser said in a statement that there are areas where Citi hasn’t made progress quickly enough, despite progress in other areas such as simplifying the firm and addressing the consent orders. Fraser added that Citi has “intensified” its focus on data quality management over the last several months.

“We will get these areas where they need to be, as we have done in other areas of the transformation. As we’ve said from the beginning of this multi-year effort, we’re committed to spending what is necessary to address our consent orders, as our agreement with the OCC demonstrates,” Fraser said.

Federal Reserve Finds Citi’s Remedial Efforts To Be Inadequate

The Federal Reserve revealed that its assessment of Citi’s compliance program resulted in the discovery of “significant ongoing deficiencies … with respect to various areas of risk management and internal controls, including for data quality management and regulatory reporting, compliance risk management, capital planning and liquidity risk management.”

The Fed added that when evaluating Citi’s remediation efforts related to the 2020 order, the agency found the bank’s progress in executing its plan to enhance its data quality management program to be inadequate.


PHOTO BY ANTONIO VERNON, USED UNDER CC BY-SA 3.0

The Top Five Boardroom Issues Compliance Officers Should Be Discussing
https://compliancechief360.com/the-top-five-boardroom-issues-compliance-officers-should-be-discussing/
Thu, 11 Jul 2024 19:47:01 +0000

GUEST BLOG POST
Lately, I’ve been reflecting on my experience presenting compliance updates to boards, both during my industry days and now as a consultant. One thing that consistently frustrates me is seeing compliance officers deliver presentations that are completely reactive. The focus is always on the number of investigations closed, training completion percentages, number of policies approved, auditing and monitoring results, and similar reports. Frankly, it’s easy for board members’ eyes to glaze over with this approach.

While these elements are important for the board to understand, the actual compliance presentation at board meetings often misses the mark by failing to showcase the proactive work that a compliance team is doing. Compliance officers are often not effectively demonstrating how they are aligned with the evolving and innovative strategies of their business, industry, and environment.

Compliance officers occupy a unique vantage point in their companies. They have unparalleled visibility into almost every facet of an organization’s operations. This allows them to understand the workings and interplay between technology, ever-evolving regulations, and day-to-day business practices. In my experience, the most engaging board presentations are the ones where the compliance officer can articulate what the compliance department is proactively doing to address emerging phenomena, discussing both the risks and the mitigation strategies in place. It positions the compliance officer as a strategic partner, not one who impedes progress.

This proactive approach not only progresses the compliance agenda at the highest levels of the organization, it also directly aligns with the expectations of the U.S. Department of Health and Human Services – Office of Inspector General (HHS-OIG), Department of Justice (DOJ), Securities and Exchange Commission (SEC), and other relevant regulators.

Next, we’ll consider five key topics compliance officers should be actively discussing with their boards in 2024. We’ll explore how to move beyond reactive reporting and demonstrate your role as a strategic partner. While we’ll focus on the life sciences sector, many of the topics are relevant to all compliance functions.

1 Digital Enablement
Digital enablement continued to increase in importance during the first six months of 2024. Artificial Intelligence and Machine Learning (AI/ML) are revolutionizing drug development and clinical trials by enabling the analysis of vast amounts of data and accelerating the discovery of new treatments. AI/ML algorithms can identify patterns and predict outcomes, aiding in the selection of potential drug candidates and predicting patient response to treatments. By optimizing trial design, AI/ML can improve the efficiency of clinical trials, leading to faster and more accurate results. Outside the life sciences sector, AI is quickly inhabiting nearly every aspect of the organization, raising endless possibilities for innovation and efficiency, while also unveiling several complex risks.

Drug Discovery

  • AI/ML algorithms are being used to analyze vast amounts of data from genomics, proteomics, and other sources to identify potential drug candidates and predict their efficacy and safety.

Clinical Trial Design

  • AI/ML can be used to optimize clinical trial design, such as identifying the most appropriate patient population, optimal dosing levels, and predicting potential adverse events.

Trial Data Analysis

  • AI/ML can be used to analyze clinical trial data more efficiently and identify potential safety signals or trends, allowing for faster course correction and improved drug development outcomes.

Similarly, AI/ML is transforming the way nearly all companies approach commercial activities. Using predictive analytics, AI/ML can assist companies in identifying potential customers, creating personalized marketing strategies, and predicting future market trends.

Content Personalization

  • AI can generate personalized marketing materials, such as email content, website landing pages, and social media posts, tailored to the specific needs and interests of customers and other stakeholders.

Sales Optimization

  • AI can analyze sales data with healthcare professionals (HCPs) and Healthcare Organizations (HCOs) to prioritize them based on likelihood of Rx conversion, helping sales teams focus their efforts on the most promising opportunities.

Sentiment Analysis

  • AI can analyze patient and caregiver feedback and social media conversations to identify trends and potential issues, allowing for proactive customer service and reputation management.

Action Items: Compliance officers should be proactive in establishing robust data governance policies, collaborating with the AI/ML team to mitigate potential algorithmic bias, and working across the company to develop a comprehensive compliance framework for AI/ML use. When communicating with the board, keep them informed about how you are tracking with the company’s AI/ML initiatives, highlighting the potential benefits and associated risks. Discuss the steps your compliance team is taking to mitigate these risks, including partnering on data governance policies, bias mitigation strategies, and adherence to regulatory frameworks.

2 The Talent Shuffle
The life sciences industry in 2024 presents a tale of two realities. While a wave of innovation is fueling growth for some, established players are resorting to cost-cutting measures, leading some companies to institute major layoffs. These same forces are impacting companies in just about every industry.

Cost Cutting: Life sciences companies often face the need to reduce costs to remain competitive. We’ve seen several announcements thus far this year:

  • Pfizer – $4 billion cost-cutting by end of 2024 + $1.5 billion over next 3 years
  • Bristol Myers Squibb – 2,000 employees impacted by layoffs
  • Bayer – reduced headcount by 1,500 employees
  • Takeda – 641 workers impacted by layoffs

Talent Retention: Retaining talented employees contributes to the long-term success of the company. Companies are using a variety of mechanisms to attract and retain talent. These include: highlighting the company’s unique mission and culture; innovative compensation models; hybrid work arrangements; upskilling programs; wellbeing offerings; Diversity, Equity, and Inclusion (DEI) focus; and commitment to career development.

Depending on the stage of a company’s product lifecycle and market, different strategies may be implemented. Some life sciences companies may focus on cost-cutting, while others prioritize talent retention. In certain cases, companies may simultaneously pursue both objectives.

Action Items: Compliance officers need to be proactive as the employee landscape shifts. With new hires and role changes, a crucial focus should be on providing targeted training and education on role-specific compliance requirements. However, this isn’t the only concern. Compliance officers should also identify areas where existing controls may become inadequate or even disappear entirely due to staffing changes. The compliance officer should inform the board about these potential control gaps and propose solutions, such as increased monitoring or adjustments to existing processes and controls. More importantly, these changes may necessitate a revision of the company’s risk assessment. If key personnel with deep operational and compliance knowledge depart or controls are weakened, the overall risk profile of the company can shift significantly. The compliance officer should work with relevant departments to re-evaluate the risks, identify new vulnerabilities, and update the risk assessment accordingly.

3 Decentralized Clinical Trials
Decentralized Clinical Trials (DCTs) are a growing trend in the pharmaceutical industry. These trials leverage technology to collect data remotely, reducing the need for in-person visits. This allows for greater patient participation, especially from geographically dispersed populations or those with mobility limitations. Examples include telehealth-based trials using video conferencing, wearable devices collecting health data like heart rate and activity levels, and mobile apps for patient-reported outcomes and communication.

However, DCTs also raise compliance concerns. Data security and privacy require robust security measures, clear data governance policies, and strong encryption protocols. Patient privacy is another consideration, as remote data collection necessitates carefully adapted informed consent procedures to address potential coercion or undue influence. Finally, regulatory bodies are still developing guidelines for DCTs, creating some uncertainty for companies.

Action Items: To navigate the evolving DCT landscape, compliance officers must stay informed about changing regulations and develop clear policies for ethical conduct in DCTs. This includes adapting informed consent procedures for the remote setting, implementing robust patient data protection protocols, and establishing clear communication channels to address patient concerns. Compliance officers should be proactively informing their boards on how the compliance program is helping the company leverage the benefits of DCTs while minimizing risks and maintaining ethical practices.

4 ESG Considerations
Environmental, Social, and Governance (ESG) factors continue to remain important for investors and stakeholders. Boards are discussing how to integrate ESG principles into their corporate strategy and demonstrate their commitment to sustainability and social responsibility. Boards are facing challenges in this space.

Lack of Standardized Regulations

  • Currently, there’s no single, overarching set of ESG regulations globally. Different countries have varying regulations and reporting and disclosure requirements, making it complex for companies with international operations.
  • Action Item: Compliance officers must stay updated on these diverse regulations to ensure adherence across all markets.

Greenwashing Concerns

  • Regulatory bodies are increasingly scrutinizing ESG claims to prevent “greenwashing,” where exaggerated information is presented about a company’s sustainability efforts.
  • Action Item: Compliance officers should be working cross-functionally and sharing with the board how the company is ensuring its ESG reporting is accurate, transparent, and verifiable to avoid potential penalties and reputational damage.

Consumer Protection

  • Consumer protection regulations are evolving to address misleading environmental claims in marketing.
  • Action Item: Compliance officers must collaborate with commercial teams, corporate affairs, and their PRC committees to ensure all ESG-related messaging is accurate and substantiated.

Cybersecurity Risks

  • The increasing collection and use of ESG data introduces new cybersecurity risks.
  • Action Item: Compliance officers need to work with IT and other groups gathering data in the organization to implement policies and robust data security measures to protect sensitive ESG information from breaches or misuse.

5 Economic and Geopolitical Headwinds
The life sciences industry is continuing to face several disruptive macro forces in 2024. Beyond the ongoing challenges of scientific advancement and regulatory compliance, boards of directors are grappling with a complex economic and geopolitical landscape. This is across all industries, not just life sciences. The war in Ukraine, ongoing tensions between major powers, and escalation in the Israeli-Palestinian conflict are creating significant supply chain disruptions, potentially impacting research collaborations and access to critical resources. Coupled with a persistent inflationary environment, boards are strategizing on how to navigate these economic headwinds. This could involve cost-cutting measures (previously explored), investigating alternative sourcing options, or even raising prices to maintain profitability.

Action Items: For compliance officers, these disruptions present unique challenges. Inflationary pressures may incentivize corners being cut, potentially impacting quality control measures or adherence to Good Manufacturing Practices (GMP). Compliance officers should be informing the board about potential risks associated with cost-cutting measures, as well as the potential legal and reputational consequences of non-compliance. Additionally, compliance officers should be prepared to advise the board on navigating the complexities of a shifting geopolitical landscape. This could involve ensuring robust due diligence on new suppliers and research partners, mitigating the risk of sanctions violations, and helping the business ensure continued access to critical resources.

From Reactionary to Proactive

Compliance officers have a golden opportunity to continue to transform their role. By proactively tackling the aforementioned topics and demonstrating a strategic grasp of the industry’s evolving landscape, they can become invaluable partners to their boards. This shift transcends mere reporting. Instead of simply reacting to events, compliance officers can anticipate risks, propose solutions, and actively align with the company’s strategic goals. This proactive approach will only strengthen their compliance program.

Key Takeaways

  • Compliance officers must align with board priorities to truly become a strategic partner.
  • Compliance officers should discuss with the board how they are helping mitigate digital enablement risks, including partnering on data governance, adherence to regulatory frameworks, and bias mitigation strategies.
  • High turnover weakens controls, raising risk. When the employee landscape shifts, compliance officers need to identify gaps and refresh risk assessments.
  • Compliance officers need to ensure their programs are adapting for decentralized clinical trials (DCTs).
  • Compliance officers must continue to advise the board on responsible ESG reporting and navigating sanctions and supply chain risks.

Amy Pawloski, CCEP, CFE, PMP (amy.pawloski@strategicversatility.com) is the president of Strategic Versatility LLC, a healthcare compliance consulting practice in Phoenixville, Pennsylvania.
