MBA Financial Management
Master Thesis
Topic:
Compliance Management Model in
a Captive Financial Services
Company for the German Market
Name: Sergio Benitez Martinez
Address: Bolzstraße 130 Apt. 44. 70806 Kornwestheim
Semester: SS 2010
Matriculation Number: 00806908
Examiner: Professor Dr. Victor J. Randall
Date: 07.09.2010
Barring Clause
This Master Thesis includes information that is not intended for the public. The content may only be disclosed to third parties with the written permission of the author and Dr. Ing. h.c. F. Porsche AG.
Acknowledgement
I want to thank Professor Dr. Victor J. Randall for his encouragement and motivation to learn about the topic of risk management in his financial management lectures, as well as for his insightful feedback on the master thesis and his useful observations.
I also want to thank the Captive Financial Services Company, in particular the Risk Management Department, which supported an intern whose communication language has been a mix of English and German in order to improve the latter. I thank the Risk Management Chief Officer, Ms. Glück, for her support in developing this Master Thesis project to provide the captive entity with a compliance management model. Last but not least, I want to thank Mr. Knobbe for his professional and skilful support in developing the project, not only in the structure, strategy and overview of the project, but also in particular issues where the point of view of an expert Risk Manager was always welcome and helpful in establishing the compliance management model.
In Mexican culture, the family is always part of any thankful note or thought; in this case a distance of 9,637 km has proven not far enough to keep me from receiving their complete support. Agüelita, soy tu nieto! (Granny, I am your grandson!)
Sergio Benitez Martinez
Abstract
A Captive Financial Services Company needs to establish a compliance management model that can be used in its subsidiaries in order to simplify procedures and systems within the entity. Thus a theoretical overview of compliance is developed in order to structure an integral compliance model with theoretical background elements. The identification of requirements is presented as the foundation of the model, and then the model itself is presented.
The requirements are divided into external and internal ones. They describe the headquarters and subsidiary market needs for the captive financial management entity. In terms of regulations, a distinction is made between national and international ones.
The model is developed and presented as a handbook. The main element is a compliance process whose process steps integrate business values, internal regulations, systems and organization. Other elements are a compliance risk control matrix, added to the internal control system, and tools regarding compliance for a captive financial services entity. All these elements provide a model within a compliance management system. Consequently, the relation of the tools makes the model practical, dynamic and efficient.
Table of Contents
Executive Summary .......................................................................................................... 1
Introduction ....................................................................................................................... 3
1. Compliance Management ............................................................................................. 3
1.1 Definition of Compliance .......................................................................................... 4
1.2 Corporate Governance, Compliance Management, Enterprise Risk Management .. 5
1.2.1 Corporate Governance ................................................................................... 8
1.2.2 Compliance Management .............................................................................10
1.2.3 Enterprise Risk Management ........................................................................13
1.3 Compliance Management System ..........................................................................27
2. Requirements to Comply with in the case of a Captive Financial Services Company ...32
2.1 Captive Financial Services Company .....................................................................34
2.2 International level Requirements ............................................................................36
2.3 National Level Requirements ..................................................................................42
2.4 General Internal and External Requirements Frame ...............................................44
3. Compliance Management Model ..................................................................................47
3.1 Minimum External Requirements to Comply with Regulations ................................56
3.2 Model .....................................................................................................................57
4. Conclusion ....................................................................................................................67
References ......................................................................................................................70
Appendices ......................................................................................................................74
Appendix 1: COSO Framework Components, Subcomponents and Detail Description 74
Appendix 2: Applicability of Tools Used for Risk Assessment .......................................75
Appendix 3: MaRisk Table of Contents .........................................................................76
Appendix 4: Country Compliance Standards ................................................................77
Appendix 5: Compliance Management Survey .............................................................78
List of Tables
Table 1: Governance Compliance Risk Processes ........................................................... 6
Table 2: US Effective Compliance Guidelines. .................................................................10
Table 3: Risk Management Definitions. ............................................................................16
Table 4: Components and Subcomponents of COSO Framework. ..................................17
Table 5: Laws, Conventions and Standards for Business Compliance. ............................28
Table 6: Standards Compliance Index. ............................................................................32
Table 7: Compliance Management Survey for Managed Business. .................................38
Table 8: Compliance Management Survey for Commission Business. .............................40
Table 9: Survey and Comment about the Headquarters Situation. ...................................42
Table 10: Responsibility Matrix of Core and Support Processes. .....................................59
List of Figures
Figure 1: Financial Regulatory Compliance Concept......................................................... 4
Figure 2: General Compliance Elements. .......................................................................... 5
Figure 3: Isolated and Fragmented Governance, Risk Management and Compliance. ..... 6
Figure 4: GRC Model Elements View of OCEG . .............................................................. 7
Figure 5: Corporate Governance System. ......................................................................... 8
Figure 6: Compliance Fields . ..........................................................................................12
Figure 7: Compliance Maturity: 4 Phases. ........................................................................13
Figure 8: COSO Risk Management 3 Dimensional Matrix. ...............................................16
Figure 9: Relationships among Risk Management Principles, Framework and Process. ..19
Figure 10: Minimum Requirements for Risk Management Deloitte Schema. ....................21
Figure 11: Risk Management as an Integrated and Holistic System. ................................25
Figure 12: Structure of an Integrated Compliance Management System..........................29
Figure 13: Compliance Management System. .................................................................30
Figure 14: Automotive Company Group Structure. ...........................................................34
Figure 15: Process Development of the Compliance Management Survey. .....................37
Figure 16: Compliance Process Developed by Captive Financial Services Company. .....43
Figure 17: Internal and External Requirements. ...............................................................44
Figure 18: Captive Financial Services Company Current Maturity Status and Objective. .45
Figure 19: Compliance Management System Relationship of Components. ....................47
Figure 20: Model Process Development. .........................................................................49
Figure 21: Compliance Management System and 3 Level Process. .................................50
Figure 22: Group Steering Level Process Steps. ..............................................................51
Figure 23: Division Core Process Steps. ..........................................................................52
Figure 24: Business Unit Support Process Steps. ............................................................53
Figure 25: Compliance Management Process..................................................................55
Figure 26: Relevant Compliance Fields for the Captive Financial Services Company. .....56
Figure 27: Compliance Management Directive.................................................................58
Figure 28: Internal Controls for Compliance Management. ..............................................60
Figure 29: Risk Control Matrix. .........................................................................................62
Figure 30: Compliance Management Handbook Contents. ..............................................64
Figure 31: Compliance Management Level of Effectiveness. ...........................................65
Abbreviations
AktG Stock Corporation Act
AS/NZS Australia and New Zealand Standard
AT General Part
BaFin Federal Financial Supervisory Authority
BT Special Part
BTR Special Part for Risk
CCO Chief Compliance Officer
CEO Chief Executive Officer
CFO Chief Finance Officer
CM Core Process
CMS Compliance Management System
CoCo Canadian Institute of Chartered Accountants
COSO Committee of Sponsoring Organizations of the Treadway Commission
CRD Capital Requirements Directive
CS Steering Level
CU Support Process
EBEN European Business Ethics Network
ERM Enterprise Risk Management
ESP Audit Standard Draft
GRC Governing, Risk and Compliance
GWG Anti Money Laundering
HACCP Hazard Analysis and Critical Control Points
HAZOP Hazard and Operability Studies
ICAAP Internal Capital Adequacy Assessment Process
ICS Internal Control System
IDW German Institute of Auditors
ISO International Organization for Standardization
KonTraG Control and Transparency Legislation
KPMG Klynveld Peat Marwick Goerdeler (accounting firm)
KWG German Banking Act
MaRisk Minimum Requirements for Risk Management
MB Management Board
OCEG Open Compliance & Ethics Group
PwC PricewaterhouseCoopers
SEC Security Exchange Commission
SOX Sarbanes Oxley Act
SREP Supervisory Review and Evaluation Process
WpHG German Securities Trade Act
Executive Summary
Compliance is an activity carried out by the enterprise on a regular basis, but in recent years its importance has increased because of many financial scandals affecting third parties. The requirements for the banking and financial services sector were enlarged, which increased the importance for enterprises of integrating these new requirements into their everyday business operations.
The automotive industry has developed business units in the financial services sector in order to provide customers with the financial instruments to finance or lease the vehicles produced. In this paper a model for compliance management is established for a Captive Financial Services Company.
In this thesis the topic of compliance is treated as compliance in the financial services industry, because of the broad meaning it has in other industries. Compliance also has a meaning regarding internal standards or company guidelines, policies, procedures, etc.; this meaning is incorporated in this paper as well.
In order to locate the topic of compliance in the management environment of a company, the boundaries between corporate governance, risk management and compliance management must be considered. Corporate governance looks after the interest of the shareholders and builds a line of trust between the management and the shareholders by reducing the principal-agent problem and including risk management and compliance in its business model. In the case of risk management, three main sources are presented:
- MaRisk¹ (Minimum Requirements for Risk Management in Germany),
- COSO² framework (Committee of Sponsoring Organizations of the Treadway Commission in the US), and
- ISO 31000³ (International Organization for Standardization).
¹ Federal Financial Supervisory Authority, 2009.
² Committee of Sponsoring Organizations of the Treadway Commission, 2004.
³ International Organization for Standardization, 2009a.
Risk management shall integrate compliance risks, i.e. operational risk concerning compliance, reputational risk and behaviour risk. Compliance management shall incorporate its internal control system into the risk management.
Compliance management, according to its maturity, can be fragmented, implemented, embedded or enhanced. In this case, the captive entity already has a compliance management which is fragmented, i.e. without the integration of the processes involved in compliance. Therefore, the objective is to establish an effective model with a culture-centric compliance and an integrated framework, in other words, compliance incorporated in everyday operational activities.
A compliance management model with a culture-centric compliance and an integrated framework means that it comes out of a compliance system, i.e. every process, control and report shall integrate the business values (philosophy, mission, vision and code of ethics), detailed regulations (guidelines, instructions, processes), systematization (instruments, communication and review) and organization (functional integration) of the automotive group company. From the organizational structure a compliance process is developed for the whole company. Every department, such as legal, risk management, human resources, internal audit, etc., shall take the process guidelines and procedures and comply according to its own requirements. The main compliance process presented at the organizational level of the system states the model components, e.g. directive creation, training, sanctions and reporting. By this process orientation, the model presents a culture-centric compliance with an integrated framework.
In order to build the model, the requirements are presented as international (for the subsidiaries) and national (for the headquarters). Moreover, the general compliance topics are stated as internal (policies, procedures, etc.) and external (money laundering, banking supervision, etc.).
The compliance management model is carried out with a core process and a support process for the captive entity, following the compliance management steering process of the automotive company group. A directive is developed with the explanation of the process steps, the controls and the reporting. A responsibility matrix is proposed to explain the departments’ tasks in the automotive group company. The internal control system for compliance is integrated into the general control system of risk management. It includes a risk control matrix with specific operational, reputational and behaviour risks that involve any compliance threat.
The model is documented and stated as a compliance management handbook in order to offer a practical, dynamic and efficient compliance management solution to the headquarters and subsidiaries.
Introduction
New regulatory requirements for enterprises have raised the bar on compliance and expanded the responsibility of risk management significantly. For this reason, enterprises have increased their attention to compliance management, fundamentally to identify the applicable requirements and to assess the risks and costs of non-compliance against the projected expenses of achieving compliance.
The main compliance risks that enterprises face are not specific to an industry or branch (e.g. operational misconduct, economically damaging acts and the breaking of internal or external rules and regulations). Moreover, there are specific requirements for industries such as financial services companies (e.g. risk management requirements). Therefore, the establishment of a compliance management system by a financial services company reflects the conscientiousness of its risk management in dealing with this issue in an effective manner and with a long-term perspective.
In this case study, a compliance management model for a Captive Financial Services Company with subsidiaries on 4 continents will bring great benefit in complying with internal and external requirements. The benefit is shared as well by establishing compliance management in the near future in its subsidiaries, taking advantage of the know-how already acquired.
1. Compliance Management
The compliance concept refers to obeying or conforming to a rule; in this case, the object of this thesis is compliance in a Captive Financial Services Company. Therefore the concept of compliance stated here refers specifically to “financial regulatory compliance” (see Figure 1). While compliance is a broad concept, regulatory compliance refers to conforming to every rule (parking places for handicapped people, fire extinguishers, back exits in buildings, safety regulations in the workplace or environment, etc.). Therefore compliance in this thesis will refer only to financial regulatory compliance, i.e. compliance with laws, standards, policies, guidelines and procedures in relation to the financial topics within the company, in the financial services industry.
In order to ensure compliance, a company prepares all activities and processes to follow the guidance of a regulation and then implements all measures required to comply. To do this in an effective manner the establishment of a Compliance Management System is necessary, and consequently a clear definition of compliance as well as a distinction of the limits and boundaries among Corporate Governance, Compliance Management and Risk Management. These three terms can cause confusion in the compliance topic, hence the need to identify and distinguish them in the following chapters.
Figure 1: Financial Regulatory Compliance Concept. (Diagram: the general concept of compliance branches into moral, physiological, medical, psychological and regulatory compliance; regulatory compliance comprises guidelines, policies, standards, procedures, national laws and international laws, from which financial regulatory compliance is derived.)
1.1 Definition of Compliance
The interest in compliance increased in the last 10 years because of governmental pressure to avoid regulatory scandals, protect consumers and streamline regulation:
- increased burden of regulation on firms from national and international regulators and speed of regulatory changes,
- high profile regulatory scandals,
- adverse media coverage,
- capital markets pressure,
- reduced consumer confidence,
- loss of trust in products,
- loss of trust in the management’s ability to put the customer first,
- complexity and speed of change in business, and
- margin pressure.
Additionally, companies need to implement and manage compliance in a smart way to keep costs under control while maintaining profitability.
Companies are interested in responding effectively to these regulatory requirements. On the other side, consulting companies provide general solutions that enterprises adapt to their particular industry. One of these consulting companies defines compliance as follows:
“Compliance is a desired outcome, with regard to laws and regulations, internal policies and procedures and commitments to stakeholders that can be consistently achieved through managed investment of time and resources”⁴.
By this definition, it is an outcome that needs time and resources, i.e. it is not only a matter of obeying a law but an economic issue that shall be managed.
The compliance concept comprises the laws, regulations, policies, procedures and standards that an enterprise has to face. In a more enhanced definition it is possible to include freely chosen duties as well as agreements, see Figure 2.
Compliance as a process in an enterprise must establish the stakeholders’ demands and therefore identify and prioritize the derived measures, in addition to testing the effectiveness of the measures taken to accomplish the demands, fixing vulnerabilities and monitoring all compliance activities continuously⁵.
Figure 2: General Compliance Elements. (Diagram titled “Enhanced understanding of compliance - effective monitoring and management through compliance”, listing the elements: laws and rules; relevant financial standards and implementation instructions; operational standards and implementation instructions; business conduct standards (ethics, culture and norms); contracts and obligations; free choice standards, strategic goals and best practices.)
⁴ PricewaterhouseCoopers, 2004, p. 25.
⁵ PricewaterhouseCoopers, 2007a, p. 6.
1.2 Corporate Governance, Compliance Management, Enterprise Risk Management
Developments within corporate governance, compliance management and enterprise risk management in recent years have resulted in considerable overlap, duplication and intersection of activities. A multidisciplinary approach to address the challenges in these areas is relevant. These developments obviously represent significant opportunities for those involved in risk management. With this in mind, risk management's role should not be underestimated and its potential future role needs to be fully considered and appreciated, and in the same manner the understanding of compliance management and its relationship with corporate governance.
Thus, it is important to distinguish among corporate governance, compliance and risk
management. The rush to meet regulatory standards on risk and control has been a
reason for the overlapping functions in these areas. The following figure presents the
structure of these three processes in an isolated manner.
Figure 3: Isolated and Fragmented Governance, Risk Management and Compliance⁶. (Diagram showing governance, risk management and compliance as three separate processes, with the steps: vision and objectives, supervision and monitoring, strategy definition, organization and structure, guidelines; planning and risk-taking, monitoring and reporting, identification and documentation, analysis, measures; planning, monitoring and reporting, identification and documentation, testing, improvements.)
In order to establish a frame that includes the three concepts, it is relevant to establish the main components of these concepts. In this case, one of the countries with a regulatory frame for enterprise risk management and for ethics and compliance is the United States. In the following table their components are introduced.
Governance Processes (PwC Report):
- Strategy and operation planning
- Risk management
- Ethics and compliance
- Performance measurement and monitoring
- Mergers, acquisitions and other transformational transactions
- Management evaluation, compensation and succession planning
- Communication and reporting
- Governance dynamics
Enterprise Risk Management Processes (according to COSO):
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring processes
Ethics and Compliance Processes (according to the US Sentencing Commission):
- Standards and procedures
- High-level oversight
- Due care in the delegation of authority and responsibility
- Effective communication and training
- Monitoring, auditing and reporting processes
- Consistent discipline
- Ongoing process improvement
Table 1: Governance Compliance Risk Processes.
⁶ PricewaterhouseCoopers, 2007a, p. 7.
Many theoretical papers and consulting companies are taking up the term GRC (Governing, Risk and Compliance), trying to integrate the three as one single frame for enterprises. This term also appears in academic papers; one of the reasons for mixing the three activities is that they share a large number of common objectives, so there is a high degree of intersection and overlapping among them. This approach tries to establish a single management for Governance, Risk and Compliance, thus a holistic approach to defend the interest of the stakeholders.
Important for compliance is the integrated approach to GRC by a non-profit organization called Open Compliance & Ethics Group (OCEG), whose Chief Executive Officer (CEO) Scott L. Mitchell is part of the task force of the Committee of Sponsoring Organizations of the Treadway Commission. This organization provides a GRC model based on the topic of compliance. Figure 4 explains GRC in the context of an enterprise, as an organization that includes the following steps: assessment, prevention, detection, response and monitoring. Information and documentation are the means for this model.
Figure 4: GRC Model Elements View of OCEG⁷. (Diagram; its elements are the following.)
Context & Culture: C1 External Business Context; C2 Internal Business Context; C3 Culture; C4 Values & Objectives.
Organize & Oversee: O1 Outcomes & Commitment; O2 Roles & Responsibilities; O3 Approach & Accountability.
Assess & Align: A1 Risk Identification; A2 Risk Analysis; A3 Risk Optimization.
Prevent & Promote: P1 Codes of Conduct; P2 Policies; P3 Preventive Controls; P4 Awareness & Education; P5 Human Capital Incentives; P6 Stakeholder Relations & Requirements; P7 Risk Financing / Insurance.
Detect & Discern: D1 Hotline & Notification; D2 Inquiry & Survey; D3 Detective Controls.
Respond & Resolve: R1 Internal Review & Investigation; R2 Third-Party Inquiries & Investigations; R3 Corrective Controls; R4 Crisis Response & Recovery; R5 Remediation & Discipline.
Monitor & Measure: M1 Context Monitoring; M2 Performance Monitoring & Evaluation; M3 Systemic Improvement; M4 Assurance.
Inform & Integrate: I1 Information Management & Documentation; I2 Internal & External Communication; I3 Technology & Infrastructure.
⁷ Mitchell, 2009, p. 22.
Moreover, it is important to consider that even though consulting companies and non-profit organizations claim to have the tools, the know-how or the model to establish GRC in an enterprise, this is based on their own experience and not on a requirement by law.
1.2.1 Corporate Governance
Corporate Governance refers to the structures and processes for the direction and control of companies. It ensures that the Board of Directors is responsible for the pursuit of corporate objectives and that the corporation itself conforms to laws and regulations (compliance). Moreover, it is concerned with maintaining the balance between economic and social goals and between personal and communal goals. Corporate governance is the system by which business corporations are directed and controlled.⁸
Moreover, one of the important reasons to have corporate governance is to reduce the principal-agent problem, which describes the problem of having a party that acts on behalf of another party instead of on its own. In other words, to ensure that the management acts on behalf of the shareholders’ maximization of value instead of pursuing the direct objective of increasing the management’s bonus.
Figure 5: Corporate Governance System. (Diagram of the shareholders (general meeting of shareholders), the managers (executive bodies) and the directors (supervisory board), linked by the relationships: report, transparency, provide capital, elect and dismiss, guide and oversee, report and answer to, represent and report.)
A simple corporate governance system is shown in Figure 5. It oversees the reduction of the principal-agent problem. The key part is the Supervisory Board, which oversees the corporate governance objectives of the entity.
⁸ R. K. Jain, P. Gupta, 2007, p. 19.
In Germany, the first corporate governance act was the Control and Transparency Legislation (KonTraG) of 1998. Later, seeking to improve corporate governance in Germany, the Federal Ministry of Justice (Bundesministerium der Justiz) formed a government commission to develop a Corporate Governance Code of Best Practice (Corporate Governance Kodex).
On 19 July 2002, in the Federal Law Gazette (Bundesgesetzblatt) part I no. 50, it was introduced into the Stock Corporation Act (AktG) in article 161. It states that the executive board and supervisory board of exchange-listed companies shall declare once a year that the recommendations of the Corporate Governance Code are being complied with, and which of them are not being applied. This information should be available to shareholders.
The main elements of the Code are:
1) Foreword,
2) Shareholders and shareholders meeting,
3) Cooperation between the Managing Board and the Board of Directors,
4) Managing Board: it includes tasks and responsibilities, compensations, conflict
of interest and ethics,
5) Supervisory Board: it includes tasks and responsibilities, committees’ formations, compensations, conflicts of interest and governmental control,
6) Transparency towards stakeholders, and
7) Reporting and audit of annual financial statements.
Moreover, the Corporate Governance Code in its line 4.1.3⁹ states that the managing board ensures that all provisions of law are abided by and works to promote compliance also by group companies. In line 4.1.4¹⁰ it states that the managing board ensures appropriate risk management and risk controlling in the enterprise.
Thus, Corporate Governance looks after the interest of the stakeholders, and by this it includes, at least in the German Corporate Governance Code, a reference to Risk Management and Compliance without any explanation of them, but contemplated as part of best practice in a company.
⁹ Deutscher Corporate Governance Kodex, 2009, p. 7.
¹⁰ Ibid. p. 7.
1.2.2 Compliance Management
In Germany there are laws or codes that mention compliance, e.g. the German Securities Trade Act (WpHG), in its article 33, where it states the duties of the organization and explains the need for a compliance function. Nevertheless, there are no concrete compliance guidelines.
Internationally, guidelines for an effective compliance and ethics program are established by the United States Sentencing Commission Guidelines Manual §8B2.1, and they respond to the Sarbanes-Oxley Act of 2002 section 805, as seen in Table 2.
US Sentencing Commission Guidelines Manual (Effective Compliance and Ethics Program)
Standards and Procedures: Code of Conduct and Internal Control
1. Standards and procedures to prevent and detect criminal acts.
2. a) The Board of Directors or highest level of governing authority should be aware of and oversee the content of the compliance program. b) A high-level person shall be assigned responsibility for the compliance program. c) This person should have adequate resources, authority and direct access to the governing authority.
3. Personnel included with good records and reputation.
4. The highest level of governing authority should communicate the standards and procedures periodically by conducting training programs and communicating the respective roles and responsibilities.
5. The organization shall ensure that the program is followed (monitoring and auditing, periodic evaluation), and also have a publicized system through which criminal conduct may be reported without fear of retaliation.
6. Promotion of the program with incentives and the establishment of disciplinary measures for criminal conduct and for failing to prevent or detect criminal conduct.
7. After criminal conduct is detected, the organization shall respond appropriately and prevent similar conduct, making the necessary modifications in the program.
Table 2: US Effective Compliance Guidelines.
This Effective Compliance and Ethics Program framework is focused on preventing any
criminal conduct, not on the financial aspects of an enterprise. To relate the term to
finance it is important to establish that, if there is a risk in not complying, there is an
economic factor behind it that could cause a loss to the company.
Consulting companies treat compliance as a risk: “(Because of the image effect)…the
implementation of an appropriate compliance function must be considered associated with
reputational risk” [11].
Another definition of compliance risk, by The Economist Intelligence Unit and
PricewaterhouseCoopers, is: the risk of impairment to the organisation's business model,
reputation and financial condition (resulting) from failure to meet laws and regulations,
internal standards and policies, and expectations of key stakeholders such as customers,
employees and society as a whole [12].
[11] Ernst & Young, 2009, p.3.
The Bank of International Settlements published the following definition of compliance risk:
the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank
may suffer as a result of its failure to comply with laws, regulations, rules, related
self-regulatory organisation standards, and codes of conduct applicable to its banking
activities [13].
In this document [14] 10 principles are stated to describe the compliance function:
1) The Board of Directors is responsible for overseeing the management of the
bank's compliance risk.
2) Senior management is responsible for the effective management of compliance
risk.
3) Senior management is responsible for establishing and communicating a
compliance policy and for reporting to the Board of Directors.
4) Senior management is responsible for establishing an effective compliance
function.
5) The bank's compliance function should be independent.
6) Resources should be provided so that this function can be carried out properly.
7) Managing compliance risk effectively through this function means:
a) Advising and informing management on compliance laws, rules and standards.
b) Guidelines and appropriate training.
c) Proactively identifying, measuring and assessing compliance risk.
d) Monitoring, testing and reporting according to internal risk management
procedures.
e) Statutory responsibilities (e.g. the role of money-laundering officer) and liaison
with external experts.
f) A compliance programme, i.e. planned activities such as the implementation of
specific policies and procedures.
8) The internal audit function should periodically review the compliance function.
9) Institutions should comply with the applicable laws and regulations in all
jurisdictions in which they conduct business, consistent with local legal
regulations.
10) Specific tasks of the compliance function may be outsourced, but they must
remain subject to oversight by the head of compliance.
Also interesting in this document is that the focus is not on compliance as such, but on
avoiding the defined compliance risk by creating the compliance function; in other words,
compliance as part of risk management.
[12] PricewaterhouseCoopers, 2004, p.9.
[13] Bank of International Settlements, 2005, p.7.
[14] Ibid. p. 9-16.
Thus, the compliance function can increase shareholder value through its strategic role
of preventing the payment of fees for non-compliance. Therefore, even though it has been
regarded as a cost center, it can also create value as a controlling tool, i.e. as a
business unit [15].
After identifying compliance risk as an opportunity and as a tool for value creation, it is
now important to define the term compliance in greater depth.
Hence, it is relevant to distinguish the different fields to comply with, in order to establish
not only general principles but also tools in a company to manage the compliance risk.
(Labels shown in the figure: Compliance; Enterprise; Criminal Laws; Limited Liability; Branch-specific regulations; Financial Accounting; Corruption; Anti-trust laws; Data privacy protection; Legal and reputational risk; Internal standards, directives, etc.; Corporate Social Responsibility; Corporate Governance; Risk Management; Internal Control System; Operational risk; IT Security; Internal Audit.)
Figure 6: Compliance Fields [16].
Once there is a distinction among the different fields to comply with, as seen in Figure 6,
compliance management can be established and, beyond that, a system to consistently
conform to and relate all the points established here, from corporate governance to laws
and regulations.
In the particular case of a Captive Financial Services Company, the biggest challenge is
to implement a compliance management system effectively and to implement it with its
international subsidiaries around the world.
[15] Ernst & Young, 2009, p.3.
[16] Galliker, 2008, p. 3.
The maturity of compliance in a company can be assessed with the schema in Figure 7,
provided by a consulting company to measure the compliance perspective in a company
in order to establish a position from which it can be redirected towards a compliance
management system.
The maturity of compliance is defined as 4 different phases [17]:
The Maturity of Compliance (axes: Operations, Compliance, Finance)
Enhanced: Compliance is culture-centric and framework-integrated. It is achieved as part of how business is done and is inherently part of organizational culture. The enhanced state implies a change in mindset in which compliance is performed not solely for the sake of complying with different laws but also to gain business process improvement.
Embedded: Compliance is process-centric. It is achieved in a fundamentally new way by building compliance activities and procedures into existing business processes and technology so that business owners can start to share responsibility for compliance.
Implemented: Compliance is program-centric. It is achieved via the oversight of a new, overarching, stand-alone program that oversees the hiring of dedicated personnel whose main focus is coordinating and communicating the compliance activities.
Fragmented: Compliance is project-centric. It is achieved through disconnected and/or inconsistently applied efforts throughout the enterprise. Extensive coordination and work are required by a centralized project management function.
Figure 7: Compliance Maturity: 4 Phases.
1.2.3 Enterprise Risk Management
In the academic field there is a difference between Risk Management and Enterprise Risk
Management. The former appears in 1956 with the article “Risk Management: a new
phase of cost control” by Russell Gallagher, published in the Harvard Business Review
magazine; although the idea had appeared in the early writings of Henri Fayol, it is in this
text that risk management is conceptualized as a discipline. The latter appears in 1974
with the proposal of Gustav Hamilton to use, in the Swedish state-owned limited company
Statsföretag AB, what he called the “risk management circle”, describing the interaction of
all elements of the risk management process (assessment, control, financing and
communication) and thus giving the term a holistic approach [18].
In this thesis the term used is enterprise risk management, in the sense of an integrated
risk management approach.
[17] KPMG, 2008, p. 3.
Before defining Enterprise Risk Management (ERM) it is imperative to state the need for
it. In the last couple of years ERM has become a regulatory need; the objectives are
increased transparency, financial disclosures with more control requirements, security
and technology issues, business continuity, focus from rating agencies, and regulatory
compliance.
At the national level the regulatory need appears in the German Banking Act (KWG) §25a,
which states that an institution must have in place suitable arrangements for managing,
monitoring and controlling risk, including a proper business organization and an
appropriate internal control system.
The Circular 15-2009 of Banking Supervision from the Federal Financial Supervisory
Authority (BaFin) provides a framework for risk management based on the German
Banking Act. It refines the requirements for outsourced activities and processes pursuant
to KWG §25a. The circular aims to ensure the establishment of appropriate internal
governance structures. Moreover, the circular provides a qualitative framework for the
implementation of articles 22 and 123 of Directive 2006/48/EC.
At the international level, the European Capital Requirements Directive (CRD) 2006/48/EC
states:
§22 “…competent authorities shall require that every credit institution have…
effective processes to identify, manage, monitor and report the risks it is or might be
exposed to, and adequate internal control mechanisms, including sound
administrative and accounting procedures”.
§123 “Credit institutions shall have in place sound, effective and complete strategies
and processes to assess and maintain… the amounts, types and distribution of
internal capital that they consider adequate to cover the nature and level of risks to
which they are or might be exposed. These strategies and processes shall be
subject to regular internal review…”
[18] Kloman, 2003, p. 3-4.
Another mention of the term risk management appears in Directive 2006/43/EC, article
41, section 2, about the audit committee. It states that this committee shall monitor the
effectiveness of the company's internal control and risk management systems.
Because of recent accounting scandals, the United States has a federal law, the
Sarbanes-Oxley Act of 2002 (SOX), whose section 404, management assessment of
internal control, states that the commission, i.e. the Securities and Exchange Commission
(SEC), shall prescribe rules requiring an assessment of the effectiveness of an adequate
internal control structure and procedures for financial reporting. The last part is the most
interesting one in SOX 404 because it always relates the internal control structure and
procedures to financial reporting. It is reporting that this federal law takes as the
opportunity to establish the requirements for internal control inside the enterprise. In
August 2003 the SEC published a Final Rule [19] to specify the internal control
mentioned. The SEC states in this rule that the Committee of Sponsoring Organizations of
the Treadway Commission (COSO) framework satisfies its criteria and may be used for
internal control evaluation [20]. In June 2007 the SEC published a Guidance Regarding
Internal Control over Financial Reporting [21] in which it names the following three as
suitable control frameworks:
- COSO,
- Canadian Institute of Chartered Accountants (CoCo),
- Turnbull Report published by the Institute of Chartered Accountants in England
and Wales.
In this case, as in Germany, risk management is required by law and the government
provides the frameworks to use.
Last but not least, there are also international standards such as ISO/FDIS 31000:2009
Risk Management Principles and Guidelines, IEC/FDIS 31010 Risk Management
Assessment Techniques and a well-renowned standard from Australia and New Zealand,
AS/NZS 4360:2004. This last one was a pioneer, whose first edition came out in 1995.
Even though these standards do not comment on the need for risk management, they
provide a guide to managing risk in line with the importance the topic has gained in recent
years.
[19] SEC, 2003, p. 1-82.
[20] Ibid. p. 12.
[21] SEC, 2007, p. 1-77.
To define Risk Management using the sources discussed, the following table is presented:
Risk Management Definitions and Sources
“Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk
Source: Committee of Sponsoring Organizations of the Treadway Commission, 2004; p.6
"the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects"
Source: Australian/New Zealand Standard, 2004; p. 4
"coordinated activities to direct and control an organization with regard to risk"
Source: International Organization for Standardization, 2009a; p. 2
"the determination of appropriate strategies, as well as the establishment of appropriate internal surveillance procedures. The internal surveillance procedures comprise the internal control system and internal audit. In particular, the internal control s
Source: BaFin, 2009; p. 3
Table 3: Risk Management Definitions.
The COSO framework establishes the relevance of enterprise risk management as an
effective aid to the management of the entity and its risks, providing more value to its
stakeholders. Risk management affects the entity's ability to implement its strategy and
achieve its vision or mission, and it helps management to select a strategy consistent
with the entity's risk appetite.
The COSO framework recognizes that effective enterprise risk management can be
expected to provide assurance of achieving objectives related to the reliability of reporting
and to compliance with laws and regulations. This will depend on how well the entity's
related activities are performed. COSO subsequently establishes, in the three-dimensional
schema in Figure 8, the relationship among objectives, components and the organizational
units of the enterprise.
(Content of the figure: front layer, the eight components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Upper layer, the objective categories: Strategic, Operations, Reporting, Compliance. Right layer, the organizational units: Entity Level, Division, Business Unit, Subsidiary.)
Figure 8: COSO Risk Management 3 Dimensional Matrix [22].
[22] COSO, 2004, p. 14.
In the front layer of this matrix cube, the 8 components of Enterprise Risk Management
are stated. In the upper layer are the four main categories of objectives, one of which is
compliance. A fifth category, called “safeguarding of assets”, is contemplated by the
COSO framework; it deals with the prevention of loss of assets and resources such as key
employees. It is not shown in the matrix because few entities are considered to use this
category. The right layer of the cube presents the organizational units of the entity.
In the following table the components are presented with their subcomponents, giving a
more precise risk management model in which the four categories shall be taken into
account in each component and subcomponent. For a more detailed view of this part of
the matrix see appendix 1: COSO Framework Components, Subcomponents and Detail
Descriptions.
Internal Environment: Risk Management Philosophy; Risk Appetite; Risk Culture; Board of Directors; Integrity and Ethical Values; Commitment to Competence; Organizational Structure; Assignment of Authority and Responsibility; Human Resources Policies and Practices; Management Philosophy and Operating Style; Differences in Environment.
Objective Setting: Strategic Objectives; Related Objectives; Selected Objectives; Risk Appetite; Risk Tolerance.
Event Identification: Events; Factors Influencing Strategy and Objectives; Methodologies and Techniques; Event Interdependencies; Event Categories; Risks and Opportunities.
Risk Assessment: Inherent and Residual Risk; Likelihood and Impact; Qualitative and Quantitative Methods and Techniques; Correlation.
Risk Response: Identify Risk Response; Evaluate Possible Risk Response; Selected Response; Portfolio View.
Control Activities: Integration with Risk Response; Types of Control Activities; General Controls; Application Controls; Entity-Specific.
Information and Communication: Information; Strategic and Integrated Systems; Communication.
Monitoring: Ongoing; Separate Evaluations; Reporting Deficiencies.
Table 4: Components and Subcomponents of COSO Framework.
The COSO framework text presents different examples of compliance in each component,
because compliance management differs significantly across the diversity of industries.
Only in Objective Setting are the compliance objectives stated, as follows: “entities must
conduct their activities, and often take specific actions, in accordance with relevant laws
and regulations. These requirements may relate to markets, pricing, taxes, the
environment, employee welfare and international trade. Applicable laws and regulations
establish minimum standards of behaviour, which the entity integrates into its compliance
objectives” [23].
The Australian/New Zealand Standard and the International Organization for
Standardization processes will be taken as one, not only because the latter was based on
the former, but also for the simple reason that the process is the same, as can be seen in
their corresponding sources [24].
In the next figure the relationship between the principles, framework and process of ISO
31000:2009 is presented. Before explaining the relationship among them it is relevant to
state that the ISO not only has elaborated the principles, framework and process for risk
management, but has also gone inside the risk assessment part of the process: it has
introduced ISO 31010:2009, which states the risk assessment techniques, in other words
the tools to face risk, with their corresponding explanation (Delphi, HAZOP, HACCP,
scenario analysis, event tree analysis, Markov analysis, Monte Carlo simulation, Bayesian
statistics and Bayes nets) [25]. Even though the elucidation is quite short, it tries to be
simple and as clear as possible. For a detailed view and the applicability of all the tools
see appendix 2: Applicability of Tools used for Risk Assessment.
ISO 31000:2009 states risk management principles and guidelines in a simple but
complete manner. It also underlines the compliance function in its principles, framework
and process. The function of risk management enables an organization to comply with
relevant legal and regulatory requirements and internal norms. Its first principle, shown in
Figure 9, states that compliance creates and protects value: it contributes to the
achievement of objectives and the improvement of performance in legal and regulatory
compliance. In its framework, the compliance topic is located in every step:
a) in mandate and commitment, management shall ensure legal and regulatory
compliance;
b) in the design of the framework for managing risk, by establishing external reporting to
comply with legal, regulatory and governance requirements;
c) in implementing risk management, the organization shall comply with legal and
regulatory requirements;
d) in monitoring and review of the framework, by periodically reviewing whether the
framework, policy and plan are still appropriate, given the organization's external
and internal context, including compliance in that context; and
e) in continual improvement of the framework, by improving a policy or plan [26].
[23] COSO, 2004, p. 33.
[24] Australian/New Zealand, 2004, p. 9 and International Organization of Standardization, 2009a, p. 14.
[25] International Organization of Standardization, 2009b, p. 22.
(Content of the figure:
Principles: a) Creates value; b) Integral part of organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organization.
Framework: Mandate and Commitment; Design of Framework for Managing Risk; Implementing risk management; Monitoring and review of the Framework; Continual Improvement of the Framework.
Process, with Communication and Consultation (stakeholders) and Monitor and Review running alongside every step: Establish the context (internal context, external context, RM context, develop criteria, define the structure); Risk Assessment, comprising Risk Identification (what can happen? when and where? how and why?), Risk Analysis (identify existing controls, determine consequences and likelihood, determine level of risk) and Risk Evaluation (compare against criteria, set priorities); decision “Treat Risks?” (Yes/No); Treat Risks (identify options, assess options, prepare and implement treatment plans, analyse and evaluate residual risk).)
Figure 9: Relationships among Risk Management Principles, Framework and Process [27].
In the process shown in Figure 9 the compliance function appears in the relationships
among its sub-processes. Establishing the external part of the context must include the
legal and regulatory environment, whether international, national, regional or local; the
internal part includes the standards, guidelines and models, as well as the contractual
relationships. In risk assessment there is no mention of compliance, because it is the
technical part of the process, but as explained before a standard has been developed for
this part of the process. Appendix 2 shows the techniques usually used for each part of it
(i.e. risk identification, risk analysis and risk evaluation). In risk treatment there is the
balancing of the cost of compliance with regard to legal, regulatory and other
requirements such as social responsibility and the protection of the natural environment.
In monitoring and review, detecting changes in the external and internal context includes
compliance. Recording of the process, for the traceability of the risk management
activities, takes into account the legal, regulatory and operational need for it [28].
[26] International Organization of Standardization, 2009a, p. 8-13.
[27] International Organization of Standardization, 2009a, p. vii.
In the national regulations, as stated before, the Circular 15-2009 of Banking Supervision
from the Federal Financial Supervisory Authority (BaFin) provides a framework for risk
management which is specific to the financial services industry. No process or specific
schema is provided by the document, because it is written by a public institution.
Consulting companies, such as Deloitte and KPMG, have created schemas. Deloitte's
focuses more on the financial sector and leaves aside the detailed insurance industry
issues, which in the case of a Captive Financial Services Company makes the explanation
easier.
Before presenting the general schema of the risk management framework provided by the
Federal Financial Supervisory Authority (BaFin), called Minimum Requirements for Risk
Management, or MaRisk after its German acronym, it is important to establish the aim of
the text. The Circular 15-2009 ensures the establishment of appropriate internal
governance structures, including the participation of the supervisory body so that it can
perform its duties properly. Therefore the circular provides a flexible framework for risk
management for the institutions mentioned in the German Banking Act (KWG), i.e. a
general schema but no process. In this case risk management takes into account the
risk-bearing capacity, the determination of appropriate strategies, as well as the internal
surveillance procedures, i.e. the internal control system and internal audit.
Two key elements stated in Basel II, Second Pillar Supervisory Review Process, and
contained in MaRisk are the Internal Capital Adequacy Assessment Process (ICAAP) and
the Supervisory Review and Evaluation Process (SREP), which are also stated in CRD
2006/48/EC, article 123 for the former and 124 for the latter.
In MaRisk the internal control system covers the rules regarding the organizational and
operational structure and the processes for identifying, assessing, treating, monitoring and
communicating risks [29].
The structure presented in Figure 10 explains the relationship of the topics contained in
the Circular 15-2009; for the complete table of contents of the circular see appendix 3:
MaRisk Table of Contents. The relationship is the following. The darker square frame of
Figure 10 is given by the general parts (AT, after the German acronym): AT 3 on the
upper side, AT 8 and 9 on the lower side, AT 6 on the left side, and AT 5 on the right side.
The upper side is the responsibility of the management board. This part states that the
Management Board (MB) is responsible for the organization and its further development,
which includes overseeing all material aspects of risk management, i.e. the risk
management system should allow them to assess and limit risk.
[28] International Organization of Standardization, 2009a, p. 14-21.
[29] Federal Financial Supervisory Authority, 2009, p. 3.
(Content of the figure:
Outer frame: Overall Responsibility of the Management Board (AT 3) at the top; Organizational Guidelines (AT 5) on the right; Documentation (AT 6) on the left; New Products or New Markets (AT 8) and Outsourcing (AT 9) at the bottom.
Centre: Business Activities surrounded by Counterparty Risk, Market Price Risk, Operational Risk and Liquidity Risk.
Risk Management (AT 4): Risk Bearing Capacity (AT 4.1), with Overall Risk Profile and Risk Taking Potential; Business Strategy and Risk Strategy (AT 4.2); Internal Surveillance Procedures, comprising the Internal Control System (AT 4.3, BT 1), with Organizational and Operational Structure (AT 4.3, BT 1), Organizational and Operational Structure for the Lending and Trading Business (BTO), Lending and Trading Business (BTO 1 & 2) and Risk Management and Controlling Processes (AT 4.3.2, BTR 1, 2, 3 & 4), and Internal Audit (AT 4.4, BT 2), with Duties (AT 4.4, BT 2.1), General Principles (AT 4.4, BT 2.2), Planning and Conducting Audit (BT 2.3), Reporting Obligation (BT 2.4) and Reaction to Findings (BT 2.5).
Resources (AT 7): Personnel (AT 7.1); Technical Facilities and Related Processes (AT 7.2); Contingency Plan (AT 7.3).)
Figure 10: Minimum Requirements for Risk Management, Deloitte Schema [30].
On the left side of the frame is the AT 6 Documentation part, which states that control and
monitoring reports must be kept up to date, and sets a 2-year retention period for
records.
The right side of the schema is AT 5 Organizational Guidelines, which is directly related to
compliance. Firstly, the institution shall present the organizational guidelines, i.e.
manuals, work documentation or workflow procedures of the business activities, in an
appropriate and clear manner to the employees, in writing, and communicate them to
those directly responsible. Moreover, the guidelines must contain the following information:
a) rules on the operational structure, assignment of tasks, the decision-making
hierarchy and responsibilities,
b) rules on identifying, assessing, treating, monitoring and communicating risk,
c) rules for the internal audit,
d) procedures for material outsourcing, and
e) rules to ensure compliance with statutory provisions and other requirements.
[30] Deloitte & Touche GmbH, 2009, p.1.
The lower left side of the frame, AT 8 New Products or New Markets, states that a plan
must be drawn up before commencing business activities related to new products, markets
or distribution channels. It must be based on the result of the risk content analysis for the
activities mentioned. This plan has to describe the consequences of the activities on risk
management. In the case of lending transactions or trading activities a test phase must be
carried out. The lower right side, AT 9 Outsourcing, describes the outsourcing of activities
or processes related to the execution of financial services or banking transactions that
would otherwise be performed by the institution itself. Exceptions are occasional external
procurement, or services typically performed by another institution that, either de facto or
for legal reasons, are not performed by the institution. MB functions, i.e. planning,
coordination and controlling, as well as those explicitly assigned to the MB by regulations,
must not be outsourced.
Inside this dark frame in Figure 10, in the top centre part, the business activities are
surrounded by four main risks:
1) Market price risk: the risk of losses in on- and off-balance sheet positions arising
from movements in market prices. The risks subject to this requirement are the
risks pertaining to interest-rate-related instruments and equities in the trading
book, and the foreign exchange risk and commodities risk throughout the bank [31].
2) Operational risk: the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events. This definition includes
legal risk, but excludes strategic and reputational risk [32].
3) Liquidity risk or funding liquidity risk: the risk that the firm will not be able to
meet efficiently both expected and unexpected current and future cash flow and
collateral needs without affecting either daily operations or the financial condition
of the firm. Also important is the distinction from market liquidity risk, which is the
risk that a firm cannot easily offset or eliminate a position at the market price
because of inadequate market depth or market disruption [33].
4) Counterparty risk or counterparty credit risk [34]: the potential that a bank borrower
or counterparty will fail to meet its obligations in accordance with agreed terms [35].
[31] Basel Committee on Banking Supervision, 1996, p. 1.
[32] Basel Committee on Banking Supervision, 2004, p. 137.
[33] Basel Committee on Banking Supervision, 2008, p. 1.
These four risks are mentioned throughout the MaRisk text. Moreover, on the right side of
the inner frame, AT 7 Resources is presented; it states that the staffing of the institution
shall be based, in quantitative and qualitative terms, on its internal operational needs,
business activities and risk situation. The institution shall take suitable measures to
ensure that staff have the knowledge, experience, competencies and responsibilities
required to fulfil their duties. The technical facilities and related processes must likewise
be based on the institution's operational needs, business activities and risk situation. The
IT systems, and the integrity, availability, authenticity and confidentiality of data, shall be
based on the standards of the IT protection manual and ISO 17799 for international
security. In case of an emergency, provisions shall be made for time-critical activities and
processes, i.e. a contingency plan, which includes the business continuity and recovery
plans. In case these activities are outsourced, the external service provider shall have a
contingency plan.
Hitherto, the explanation of the schema in Figure 10 has covered all the parts except AT 4
General requirements for risk management and any of the special parts (BT, after the
German acronym). The reason is to observe in the schema that its biggest part is related
to AT 4 and its corresponding special parts.
MaRisk AT 4 General requirements for risk management is the main part of the minimum
requirements that deals with the four types of risk. It is divided into four parts. The first is
in the top left part of the schema inside the dark frame: AT 4.1 Risk-bearing capacity,
which states that material risks, as well as correlated material risks, shall be covered by
the risk-taking potential at all times. This is an input for the determination of risk
strategies. Under the four risks in the top centre part, AT 4.2 Strategies is located. To
elaborate the strategies, the objectives and plans established in the business strategy
should be taken into account. The MB defines a business strategy and a consistent risk
strategy. Inside the dark frame of Figure 10, in the lower left part, AT 4.3 Internal Control
System is located with its special parts (BT). Here it is specified that the institution shall
set up the regulations regarding the organisational and operational structure, and
establish the processes for identifying, assessing, treating, monitoring and communicating
risks. For the four risks presented in this schema MaRisk states a special part for risk
(BTR) for further explanation. Inside AT 4.3, the BTO Requirements for the organisational
and operational structure in the lending and trading business are considered part of the
internal control system. Last but not least, there is AT 4.4 Internal Audit with BT 2 Special
requirements for internal audit. The internal audit duties shall cover all of the institution's
activities and processes based on a risk-oriented approach. Its general principles are
autonomy and independence in the performance of its duties. The planning must be
approved by the MB, taking into account the appropriate intervals for conducting the
audit. Auditing has to be performed annually if particular risks exist. The reporting
obligation specifies that the report shall include a description of the subject of the audit
and the findings, including any planned measures where appropriate. The last part of the
audit is the appropriate reaction to findings, in terms of a timely response; any open
issues shall be reported to the MB in the next overall report.
[34] MaRisk mentions counterparty risk and BIS mentions counterparty credit risk; in the text they are taken as the same term.
[35] Basel Committee on Banking Supervision, 1999, p. 1.
For COSO and ISO 31000 the risk management process is set out in the original documents. The case of MaRisk is different: it was written by a public authority, and no figure was included so as to avoid misinterpretation. The consulting firm Deloitte presents in its schema something very similar to a process. Everything starts with the business activities of the enterprise; these are surrounded by the four main risks established by MaRisk, and risk management is the first agent to interact with those risks, taking the resources of the enterprise into consideration. On a second level is the dark frame of Figure 10, which contains the actions that standardise the criteria for risk management.
Up to this point three main definitions and explanations of risk management have been discussed, from COSO, ISO 31000 and MaRisk. The first two sources concentrate on the detailed framework of risk management, whereas the third sets out, in a more practical manner, the minimum requirements for performing risk management in the financial services industry. The first two therefore keep the compliance function within their own frameworks. MaRisk has been presented and explained in overview because every German Captive Financial Services Company must comply with it; in this thesis, chapter 2.3 presents the national requirements for compliance.
Now that the legal need for risk management has been stated and three relevant sources have been defined and explained, it is important to establish, at least in theory, what is meant by an effective risk management system, so that the sources mentioned can be related within a systemic frame. Romeike and Finke present the following figure to introduce an integrated risk management system, in which the effectiveness of risk management is given by two variables: first, its reporting or management power, and second, its analytical power.
Figure 11 describes the relationship between these two variables, management power and analytical power. The diagram presents an area of four zones, in which the levels of effective risk management are as follows:
1) Reactive Measurers,
2) Reactive Managers,
3) Proactive Measurers, and
4) Integrated / Holistic Risk Management.
[Figure 11: diagram with Analytical Power on the vertical axis and Reporting / Management Power on the horizontal axis, divided into the four zones Reactive Measurers, Reactive Managers, Proactive Measurers and Integrated / Holistic RM. Tools placed in the diagram: loss data collection (MS Excel, Access etc.); (incident) loss database; frequency, severity and other statistical analyses; data trending and scaling; risk identification; risk and control self-assessment; risk and audit issue tracking; risk workflow management; automated prompts for actions; proactive RMIS (information system); probability and simulation tools based on Monte Carlo simulation; causal modelling and simulation; economic capital allocation.]
Figure 11: Risk Management as an Integrated and Holistic System.36
The horizontal axis can be related to the models of COSO and ISO 31000 and to the MaRisk schema, but the tools used for reporting are in most enterprises weighed by time and cost against the usefulness of the result, i.e. the simpler the tool that delivers the appropriate measure, the better. Of the three sources it is the ISO 31000 family, through ISO/IEC 31010 on risk assessment techniques, that presents the different mathematical tools with a simple explanation, serving as a guide to analytical power according to the interests of the enterprise; in any case the mathematical tools are available to any risk management framework. A particular case that illustrates analytical power is the measurement of operational risk under the Basel II advanced measurement approach. Its first step is a loss database, whose analytical power is almost none: it is a historical record of losses. The following steps raise the level of analysis by adding scenario analysis and business environment and internal control factors, up to the point where modelling and simulation can be performed.
36 Romeike and Finke, 2003, p.294.
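As an added worked example (not from the thesis, nor from Romeike and Finke, the Basel Committee or any other source cited here), the following Python script walks the ladder just described over a constructed loss database: the raw records carry almost no analytical power, the frequency and severity statistics add some, and a Monte Carlo simulation of the annual aggregate loss yields a value at risk at the 99.9 % one-year confidence level, which is the soundness standard of the Basel II advanced measurement approach. The Poisson frequency and lognormal severity models, the use of the unexpected loss (VaR minus expected loss) as the capital figure, the pro-rata allocation rule and the sample losses themselves are assumptions made for the example, not requirements of Basel II or MaRisk.

```python
"""Loss Distribution Approach over a constructed operational-loss database.

Added worked example; not part of the thesis or of any cited source.
It walks the Basel II AMA ladder: historical loss database -> frequency and
severity statistics -> Monte Carlo simulation of the annual aggregate loss ->
99.9 % one-year value at risk -> pro-rata economic capital allocation.

Assumptions (not taken from the text): Poisson frequency, lognormal severity,
unexpected loss (VaR minus expected loss) as the capital figure, a pro-rata
allocation rule, and the constructed sample losses below.
"""
import math
import random
import statistics

# Constructed sample database: (year, business line, loss in EUR). Not real data.
LOSS_DATABASE = [
    (2006, "retail", 12_000.0), (2006, "retail", 3_500.0), (2006, "leasing", 48_000.0),
    (2007, "retail", 7_200.0), (2007, "leasing", 150_000.0), (2007, "retail", 2_100.0),
    (2008, "leasing", 22_000.0), (2008, "retail", 9_800.0), (2008, "retail", 610_000.0),
    (2009, "leasing", 5_400.0), (2009, "retail", 31_000.0), (2009, "leasing", 14_500.0),
]
OBSERVATION_YEARS = 4  # 2006 to 2009 inclusive


def frequency_severity(db, years):
    """Step 2 of the ladder: derive model parameters from the raw database.

    Returns (lambda, mu, sigma): losses per year for the Poisson frequency
    model, and mean / standard deviation of log-losses for the lognormal
    severity model.
    """
    logs = [math.log(amount) for _, _, amount in db]
    return len(db) / years, statistics.fmean(logs), statistics.stdev(logs)


def _poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small lambdas used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, n_years=20_000, seed=1):
    """Step 3: Monte Carlo. Each simulated year draws a Poisson number of
    losses and a lognormal amount for each one; their sum is the year's total."""
    rng = random.Random(seed)  # fixed seed so that results are reproducible
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, lam)))
        for _ in range(n_years)
    ]


def quantile(samples, q):
    """Empirical quantile taken as the ceil(q * n)-th order statistic."""
    ordered = sorted(samples)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def operational_risk_capital(db, years, n_years=20_000, seed=1):
    """Step 4: expected loss, 99.9 % VaR and the unexpected loss
    (VaR minus expected loss), the latter used here as the capital figure."""
    lam, mu, sigma = frequency_severity(db, years)
    totals = simulate_annual_losses(lam, mu, sigma, n_years, seed)
    expected = statistics.fmean(totals)
    var_999 = quantile(totals, 0.999)
    return {"lambda": lam, "mu": mu, "sigma": sigma,
            "expected_loss": expected, "var_99_9": var_999,
            "unexpected_loss": var_999 - expected}


def allocate_capital(db, capital):
    """Step 5: pro-rata economic capital allocation by each business line's
    share of historical losses (a deliberately simple rule, assumed here)."""
    by_line = {}
    for _, line, amount in db:
        by_line[line] = by_line.get(line, 0.0) + amount
    total = sum(by_line.values())
    return {line: capital * share / total for line, share in by_line.items()}


if __name__ == "__main__":
    result = operational_risk_capital(LOSS_DATABASE, OBSERVATION_YEARS)
    for key, value in result.items():
        print(f"{key:>16}: {value:,.2f}")
    for line, amount in allocate_capital(LOSS_DATABASE, result["unexpected_loss"]).items():
        print(f"capital for {line:>8}: {amount:,.2f}")
```

The point of the example is the jump in analytical power between the rungs: the database alone answers only "what has been lost", the fitted parameters answer "how often and how large", and only the simulated aggregate distribution answers the capital question. With twelve observations the severity fit is fragile, which is exactly why the AMA insists on supplementing internal data with scenario analysis and business environment and internal control factors before the numbers are used for capital.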
Moreover, even where a system can be placed in the integrated and holistic zone, a risk management system has its limitations, as COSO states: “human judgment in decision-making can be faulty and breakdowns can occur because of such human failures as simple error or mistake. Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the enterprise risk management process, including risk response decisions and control activities”37. The limitations of risk management lie in the relationship among risk, people, the future and uncertainty.
Finally, in a survey conducted by PricewaterhouseCoopers38 among more than 400 senior executives in financial services, the following were named as the limitations or challenges of risk management:
a) Focus on regulators: it is believed that the success of risk management depends on effective regulatory compliance.
b) Lost value creation potential: effective risk management burnishes a firm's reputation with customers and shareholders, enables sustainable investment, delivers better management data and allows for more competitive pricing, but in the coming years, once the regulatory heat fades, attention to risk management will probably decline.
c) Disconnect between risks and capabilities: although classic sources of uncertainty such as credit risk and market risk are handled effectively, other types of risk such as business risk, reputational risk and people risk are weaknesses of risk management.
d) Disengagement by the business: risk management is not sufficiently involved in the crucial strategic decisions of the business.
In the same survey39 the senior executives answered the question “What, in your judgement, are the most important objectives of the risk management function?” The first three answers were to identify new and emerging risks, to measure and monitor risk, and to communicate key risks to the executive team. Ensuring regulatory compliance came in eighth place, even though the senior executives acknowledged that their departments are focused on the regulators, i.e. on compliance.
37 COSO, 2004, p.88.
38 PricewaterhouseCoopers, 2007b, p.3.
39 PricewaterhouseCoopers, 2007b, p.20.
1.3 Compliance Management System
A compliance management system is an organisation-wide tool that links legislation, standards and business rules to the organisation's policies and processes. The objective of such a system is to promote a self-sustaining level of operations that manages the appropriate internal and external compliance.
External compliance means the regulations or standards that entities must follow, i.e. the rules of the game. All entities of a certain industry, or all entities in general, are governed by these rules, which a government or a public organisation has made public. Internal compliance means the organisational directives, policies, instructions and procedures that only the members of the individual entity must follow.
An effective Compliance Management System (CMS) depends not only on the right architecture of the system, but also on the elements already set out by certain institutions for performing effective compliance management. In other words, it is important to start by complying with what those institutions demand of compliance management.
Chapter 1.2.2 Compliance Management mentioned two institutions and their proposals for effective compliance: the U.S. Sentencing Commission Guidelines Manual with its Effective Compliance and Ethics Program, and the Bank for International Settlements with its publication on the compliance function. The compliance management system proposed in this thesis takes the proposals of these institutions as its main benchmark, together with other sources mentioned by the European Business Ethics Network (EBEN); the result is Table 5.
It is clear that the risk management frameworks mentioned in chapter 1.2.3 are included. This section is not only about compliance management; it is about integrating compliance into the business model of the entity. In order to be integrated into the core processes of the entity, a compliance management system shall arise from the business values of the enterprise (i.e. philosophy, mission, vision).
1 Anti-corruption laws
2 Relevant criminal law codes (fraud including bidding fraud, extortion, illegal insider trading, money laundering, embezzlement, document forgery, betrayal of secrets, etc.)
3 EU Anti-Bribery Law (EUBestG)
4 OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions
5 Foreign Corrupt Practices Act (FCPA)
6 UN Convention Against Corruption (UNCAC)
7 Act Against Competition Restraints
8 German Corporate Governance Code
9 OECD Guidelines for Multinational Enterprises
10 UN Global Compact
11 ICC Rules of Conduct and Recommendations on Combating Extortion and Bribery
12 World Economic Forum, Partnering Against Corruption Initiative (PACI): Principles for Countering Bribery
13 Transparency International / Social Accountability International: Business Principles for Countering Bribery; Transparency International: "A-B-C of Corruption Prevention" and "Checklist for 'Self-audits' to Prevent Corruption in Companies"
14 World Bank, Department of Institutional Integrity: Voluntary Disclosure Program, Protocol 7, II. "Guidance in Revising and Improving the Compliance Program"
15 European Bank for Reconstruction and Development (EBRD): "Fraud and corruption – definitions and guidelines for private sector operations"
16 Basel Committee on Banking Supervision: "Compliance and the compliance function in banks"
17 United States Sentencing Guidelines: "Effective Compliance and Ethics Program" (§8B2.1)
18 Open Compliance and Ethics Group (OCEG): OCEG Guidelines "Red Book"
19 Committee of Sponsoring Organizations of the Treadway Commission (COSO): COSO Enterprise Risk Management Framework
20 Australian Standard (AS) 8002-2003 – Organizational Codes of Conduct, and Australian Standard (AS) 3806-2006 – Compliance Programs
21 Values Management System ZfW of the Users' Board for Values Management (AfW – Anwenderrat für Wertemanagement).
Table 5: Laws, Conventions and Standards for Business Compliance.
Wieland40 explains a CMS as compliance management integrated into the business model, which starts from the business values and strategy of the enterprise and develops into detailed regulations that systematise the compliance function and carry it into the organisation of the entity. In addition, the author explains the compliance organisation, i.e. the relationship between the Compliance Department and the other departments, and the general process. Figure 12 shows the first relation, that of compliance management with the business model.
On the first level, from the bottom up, compliance is placed among the business values in order to provide value to the stakeholders, i.e. to be integrated into the value creation of the entity and therefore into its philosophy, mission, vision, code of ethics, etc. The second level is the detailed regulation inside the enterprise, such as the guidelines, instructions and procedures that channel the objectives of the first level into rules. The third level is the systematisation of all the outputs of the detailed regulations by means of different instruments, the communication process and the controlling of it. The fourth and last level concerns the organisation of the entity, i.e. responsibilities according to hierarchy, a special committee or officer to carry out the compliance activities, and the functional integration of compliance.
40 Wieland, 2010.
[Figure 12: four levels, read from the bottom up.
Business Values: basic values; Corporate Governance Code; mission, vision, values; Code of Ethics.
Detail Regulations: guidelines, instructions, processes, e.g. Code of Conduct, Code of Ethics, guidelines for the acceptance of gifts, guidelines for procurement, agency agreements, personnel selection procedure.
Systematization: instruments, communication and review (intranet platform; documentation of value management and compliance management; whistle-blowing system; training; audit; monitoring; controlling).
Organization: Ethics and Compliance Office; Compliance Task Force; Supervisory Board; Board of Directors; Management; functional integration (procurement, personnel management, revision).]
Figure 12: Structure of an Integrated Compliance Management System.41
Wieland42 states that in the operative part of the CMS the integration of compliance, as a Compliance Department or a compliance officer, shall reflect the business values established in Figure 12. The other departments then regard the compliance organisation, as shown in Figure 13, as a service function, and cooperation with them shall go hand in hand in order to achieve effective compliance.
Figure 13 shows, emanating from the Compliance Department, the process by which compliance management is fulfilled in the entity. At group level are the main steps of steering compliance management: monitoring and compliance goal setting, monitoring of the system, monitoring of infractions and the organisational measures derived from them, steering of sanctions, consulting and reporting.
In the case of a Captive Financial Services Company, the fact that it belongs to a group means that this part shall be placed at a higher level that involves every company within the group, not only the financial services entity. The division and business unit levels shall pertain to each company of the group and are therefore more specific.
41 Figure 12 is based on Wieland, 2010, p. 22 and ZfW, 2010, p. 14.
42 Wieland, 2010, p. 25.
[Figure 13: Compliance Management System, split into Compliance Management and Compliance Organization, both resting on the business model and on leadership responsibility. The Compliance Department works alongside Legal, Internal Audit, Risk Management, HR and Enterprise Security.
Group, steering level: monitoring and compliance goal setting; system monitoring; monitoring of infractions and measures derived; steering of sanctions; consulting of management and working/project management; reporting.
Division, core process: directive creation; risk identification and scanning; training and concept awareness; topics of prevention and consulting; process monitoring and measurements; reporting and escalation.
Business unit, support process: directives management; compliance instruments; training platform; whistle-blowing and audit; investigation; communication.]
Figure 13: Compliance Management System.43
The core process at division level consists of the creation of the compliance directive. Risk management provides the risk identification; training is supplied, and prevention and consulting are taken into account. The process is monitored and any process measurements derived from it are carried out. The last part is the reporting.
The support process at business unit level is more detailed and operational. In the case of a captive financial services entity this process shall permeate the whole entity: because the business activity of the captive is a single one, it does not need different support processes, which means that both the core and the support process are developed by the Captive Financial Services Company itself. Here directives management is the first step, followed by the compliance instruments, the specific training, whistle-blowing and audit, and finally investigation and communication.
The compliance management system thus integrates compliance into the value management of the entity and develops across the different levels, from strategy to everyday operations.
43 Based on Wieland, 2010, p. 25, and the needs of a Captive Financial Services Company.
2. Requirements to Comply with in the Case of a Captive Financial Services Company
In order to put chapter one into practice, it is necessary to state the rules of the game, both external and internal, so that chapter 3 can develop a compliance management model that can later be used as a standard in the subsidiaries of the company. This chapter therefore sets out the requirements for a model that the Captive Financial Services Company applies to its headquarters as well as to all its subsidiaries.
Before the diagnosis of compliance management and the compliance organisation at international and national level is addressed, it is important to mention the level of compliance standards reached by the various countries. The reason is to understand how far from, or how close to, an optimum the general model may be. The model is planned mainly for the German market, so it is important to show how effective the compliance requirements of this market are in comparison with others, in order to determine whether the model would lack requirements that the authorities of other markets may impose in the future. Once the differences between the German market and the most relevant other markets, chosen according to the presence of subsidiaries of the Captive Financial Services Company, have been stated, an assessment needs to be carried out to analyse the differences in the local requirements.
Standards considered in the index:
- International Financial Reporting Standards
- Principles of Corporate Governance
- International Standards on Auditing
- Anti-Money Laundering / Combating Terrorist Financing Standard
- Core Principles for Effective Banking Supervision

Country          Standards Compliance Index   Core Principles for Effective Banking Supervision
Australia        62.0                          80.0
Italy            58.0                          80.0
Canada           50.0                         100.0
Spain            48.0                          80.0
France           42.0                          80.0
Germany          42.0                          80.0
Switzerland      42.0                          80.0
United States    36.0                          80.0
Russia           36.0                          30.0
Japan            24.0                           0.0
Table 6: Standards Compliance Index.44
44 Indices from the Financial Standards Foundation: http://www.estandardsforum.org/compare_countries.
The Financial Standards Foundation, whose goal is to monitor and report on a country's economic, financial and political conditions, has developed an index for this purpose based on a set of standards and each country's compliance with each of them. The intention is to offer companies a tool for assessing the countries in which they do business. The foundation evaluates 12 standards, grading each country's compliance and taking into account the macro economy, the financial markets, and financial regulation and supervision. For a detailed description of the standards and of the evaluation of the particular standard Core Principles for Effective Banking Supervision see appendix 4: Country Compliance Standards.
The German market scores 42 points out of 100 for the standards that relate to compliance by companies; the other standards, not listed here, are country or government specific (e.g. monetary policy). The right-hand column of Table 6 documents the index for the banking supervision standard, and it is interesting to see that Japan has an index value of zero while Canada has one hundred. The reason is that the foundation found insufficient information to grade Japan (i.e. no public information with which to assess its level of compliance or its intention to comply). The evaluation of this standard takes into account the 25 principles that make up the Core Principles, for example “strict ‘know-your-customer’ rules and high ethical and professional standards” or “adequate internal controls”.
Germany holds tenth place in the general Standards Compliance Index and, in relation to the markets of the captive financial services subsidiaries, is close to the average. The differences between this market and a market with an index of one hundred, such as Canada, are taken into account in chapter 3 for the compliance management model, and the assessment of those differences follows the principles given by this institution.
Moreover, in chapter one the concepts of corporate governance, compliance management and enterprise risk management were treated in their general form, i.e. not industry-specific (with the exception of MaRisk). Compliance is the only topic that was taken, as defined at the beginning, as financial compliance. In this chapter the distinction is clear: all requirements mentioned are those that affect a Captive Financial Services Company in Germany.
2.1 Captive Financial Services Company
In the auto financing market there are four main players: captive financial services companies, banks, credit unions and other financial services companies. In this market the role of the captives has grown more than that of their competitors.
A Captive Financial Services Company is an entity owned by a parent company, here in the automotive industry. In this industry the main reason for its existence is to finance consumer purchases of the parent company's products.
[Figure 14: an Automotive Company Group at the top, owning three business units: the Auto Manufacturer with its Subsidiaries, Financial Services (FS) with its FS Subsidiaries, and Other Business Units with their Subsidiaries.]
Figure 14: Automotive Company Group Structure.
Figure 14 presents a generally valid automotive company group structure, showing the ownership of the different business units involved in the auto industry, e.g. manufacturing, financial services and other business units (e.g. consulting).
The financial services business unit is in charge of providing consumers with the financial instruments to purchase, lease or rent vehicles. The means to do so are leasing, retail financing or hire purchase; other services offered can be insurance and credit cards, and wholesale services can be offered in addition. Captive financial services companies owned by a manufacturer offer several advantages. They are well positioned to implement fast one-stop service for financing, insurance and other financial services, and their remarketing experience translates into favourable leasing rates. These companies receive financial support from the parent company in the form of capital infusions, credit lines, loans, special commitments or exclusive subvention programmes.
Captives have gained market share over their competitors because they benefit from manufacturer-funded subvention efforts, have adequate low-cost asset-backed securities funding, and enjoy supportive customer relationship management strategies from their parent companies45.
The potential downside of belonging to a parent company is that the organisation's sales volume is directly affected by a downturn in the parent's business. The influence of the parent company bears directly on the captive, and the main goals are set by the parent. In the same manner, problems of the parent company such as a bankruptcy filing may diminish the asset quality of the captive as well as its funding, or even lead creditors to pursue the captive's assets.
Examples of captive auto financial services companies are Porsche Financial Services, General Motors Acceptance Corporation, Ford Motor Credit Company, Mazda Credit Company, Volkswagen Financial Services, Toyota Motor Credit Corporation, etc. In all cases it is a business unit of the manufacturer.
An advantage for the customer of a Captive Financial Services Company is that the loan is granted at the moment of purchase and often without any down payment, which is made possible by the structured finance of the financial services company. This means it is possible to obtain loans at lower rates than from banks. In addition, a customer with a poor credit record may find approval easier to obtain than from a bank, because the remarketing risk is lower for the Captive Financial Services Company when the vehicle is the parent company's own product. The interplay between sales goals and risks is documented in the credit policies.
A disadvantage for the customer is that sales agents may add unwanted features in order to increase their commission; and as regards the customer's own credit responsibility, the fact that a person with a poor credit record can receive a loan may be harmful in the long run.
Moreover, in the case of a captive financial services entity with subsidiaries in other countries, the interest in a model that can later be used in its subsidiaries is well justified. For the purposes of this particular Captive Financial Services Company the following countries are taken into account: the US, Canada, Great Britain, Italy, Japan, France, Spain, Australia, Russia and Switzerland.
45 Brown et al., 2005, p. 3.
A Captive Financial Services Company must comply with the financial services regulations at international and national level. The objective of this thesis is to establish a model for its compliance management, i.e. not merely to fulfil the requirements of the financial regulations, but to build a compliance management that fulfils them. The first step towards this is the identification of the requirements of the international markets as well as of the national one. The second step is the identification of the organisational compliance processes already applied by the management of the international subsidiaries mentioned above, so that in chapter 3 the theoretical elements can be put into practice according to the needs of a Captive Financial Services Company.
To identify the steering requirements and the organisational compliance processes applied, a survey was sent to the subsidiaries. For the specific questions asked in the survey see appendix 5: Compliance Management Survey.
Chapter 2.2 establishes the international requirements, according to the international markets, for setting up an efficient compliance management process.
2.2 International level Requirements
As mentioned in chapter 2.1, a survey was sent to the subsidiaries to find out the requirements of the entities. In order to obtain a diagnosis of compliance management and the important inputs for the compliance management system, the results are divided according to the business model applied in each market.
The captive financial services entity applies two different business models in its international subsidiaries:
- Managed business, which means that the respective Captive Financial Services Company in the specific market finances the assets and carries them on its books. The significant risks associated with the business are borne by the respective financial services entity. The operational contract management is done by the financial services entity, but the complete process, or parts of it, can be outsourced to external service providers and operated on behalf of the financial services entity.
- Commission business, where the service provider, typically a well-established local bank, finances the assets, carries them on its books and bears the associated risks. The service provider shall, upon consultation with and in accordance with the instructions of the financial services entity, develop and make available the captive-branded financial products to the dealers and retail customers in the corresponding country. The service provider pays a commission to the captive financial services entity for using the brand, which enables market access, and for distributing the financing products via the authorised dealers as sales channel.
The survey was developed according to Figure 15; its main purpose was to provide a tool tailored to the requirements of the Captive Financial Services Company as well as of its subsidiaries.
[Figure 15: process steps with the comment attached to each.
1. Design of the Compliance Management Survey: design of templates and e-mail text.
2. Survey tested in the German market: appropriate changes made according to the results.
3. Distribution of the survey to all markets: distribution per e-mail.
4. Feedback from the markets: discussed in the markets and partly with the importer.
5. Telephone interviews with the markets: two weeks after the distribution.
6. Documentation of the survey results: for controlling and monitoring purposes.
7. Analysis of legal / special topics.]
Figure 15: Process Development of the Compliance Management Survey.
The survey is divided into two parts, governance and organisation. The governance part considers the regulations to be complied with, the trend perceived and whether an internal control system is required. This level covers what was mentioned in chapter 1.2.1 corporate governance with reference to compliance with regulations, and in chapter 1.2.3 enterprise risk management with reference to the internal control system demanded by regulations; here the direct question is asked whether the topic of compliance needs a control system. The organisation part establishes the current status of the compliance management process in order to identify the differences from the compliance management system set out in chapter 1.3. After the results given by each subsidiary, a general comment is made to underline these differences.
Survey results by question, with one answer per market in the order USA & Canada, Great Britain, Italy, Japan.

Governance
To which laws, licences and standards does the subsidiary need to comply?
- USA & Canada: privacy, consumer protection and retail sales finance; 63 (US) and 5 (CA) state licences; rules, regulations and guidance of federal agencies and state banking departments.
- Great Britain: Consumer Credit Act 2006 "Standard License"; Consumer Credit Act (Lending Money); Financial Services and Markets Act 2000; Directive 2005/60/EC; Directive 2006/70/EC; Notice MLR8 - Preventing Money Laundering and Terrorist Financing.
- Italy: Banca d'Italia requirements; D.Lgs. 385/93 Art. 107; D.Lgs. 209/05 Art. 109; Basel 2 Pillar 3; Directive 2005/60/EC; Directive 2006/70/EC; Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) legal framework.
- Japan: instalment sales loan, road trucking vehicle and money lending; insurance, money lending and employee licences; government guideline; Act on the Prevention of Transfer of Criminal Proceeds (Law No. 22 of 2007).
Are any new laws, licence requirements or standards expected in the next 2 years?
- USA & Canada: yes. Great Britain: yes. Italy: yes. Japan: yes.
Is an Internal Control System required?
- USA & Canada: yes, but no specific control system is required. Great Britain: yes. Italy: yes. Japan: yes.

Organization
Which employee is responsible for Compliance Management?
- USA & Canada: shared duties between CEO/CFO and the Legal Department (no CCO). Great Britain: Managing Director. Italy: CEO/CFO. Japan: CEO.
How is the compliance management process structured?
- USA & Canada: alert system to identify new laws; the Legal Department advises; the Operations Department implements.
- Great Britain: identification and assessment of new requirements, implementation of measures, review and monitoring.
- Italy: process defined according to the government guideline; Banca d'Italia reporting.
- Japan: process defined according to the government guideline.
How are new laws or requirements identified?
- USA & Canada: PBS Legal Department. Great Britain: annual compliance survey; ad hoc. Italy: annual compliance survey; ad hoc. Japan: collection and exchange of data with an insurance company and other importers.
Which compliance policies exist?
- USA & Canada: yes, embedded in Management Directives. Great Britain: yes, CM directive (draft). Italy: yes, CM directive (draft) and draft Model 231/2001. Japan: the government guideline.
Is the compliance topic discussed in any committee?
- USA & Canada: yes, management and operational committees. Great Britain: yes, internationally, with the Board and among departments. Italy: yes, internationally, with the Board and among departments. Japan: yes, meetings with the importer.
How is CM integrated into the internal and external information system?
- USA & Canada: according to the Management Directive. Great Britain: according to the policies mentioned. Italy: according to the policies mentioned. Japan: according to the policies mentioned.

Evaluation
RM comment
- USA & Canada, Great Britain, Italy and Japan: CM is done according to external requirements.

Acronyms: ICS: Internal Control System; CM: Compliance Management; BaFin: German Financial Supervisory Authority; CCO: Chief Compliance Officer; CFO: Chief Financial Officer; CEO: Chief Executive Officer; RM: Risk Management; PFSD: Captive Financial Services Company.
Table 7: Compliance Management Survey for Managed Business.
In Table 7 the survey results and the risk management comment for the international managed businesses are documented. The order of the markets is USA and Canada, Great Britain, Italy and Japan. At the governance level, the first question establishes the legal requirements frame of the specific market. For analytical purposes, the general distinctions to take into account in order to present a model are the following: the USA and Canada require licences held by the company for its business activities at state level, not at a general national level.
These two markets have a Common Law legal system, which establishes independent state and federal legal systems that are only overruled by the Federal Supreme Court. Therefore, the different licence requirements per state show the importance of considering the state level in the requirements of a subsidiary market. Moreover, Italy is the market with the most detailed requirements demanded by its central bank (Banca d'Italia), aligned with international regulations, in this case Basel 2, which points to the importance of taking trends into account. This means the inclusion of prevention and consulting topics in the compliance management system and, in the survey, the inclusion of expected future requirements.
The following questions at the governance level, which address the new requirements expected and the need for an internal control system, are answered positively by all managed business subsidiaries. This reassures the establishment of the compliance model.
At the organization level the person responsible for compliance is identified, who in all cases is at the highest level of the hierarchy. The compliance process is structured in general terms as follows: identification of requirement needs, measures taken, review and monitoring. In the particular cases of Italy and Japan the government guidelines are followed. For a compliance management model the government requirements shall therefore be included in the compliance process.
For the identification of new requirements the markets use different methods. USA and Canada use a particular alert system and their Legal Department. The alert system gives notice of any new requirement for the company. Great Britain and Italy use a survey tool, and Japan an agreement to exchange information in order to update any new regulatory requirement. Even though the topic requires flexibility in terms of different market regulations, the objective of the model is standardization for the improvement and better management of compliance in the Captive Financial Services Company. Therefore, consideration of the different government requirements shall be put in place in the compliance organization through the integration of the components of the compliance management system.
A compliance policy already exists in all mentioned markets, including in Italy and Japan a government guideline. The compliance topic is discussed in all markets with the exception of Japan, and the integration of compliance management into the information system is done according to the policies or directive of each captive financial services entity. In this case the development of compliance management is done separately by each entity according to its individual needs, losing collective experience from other entities.
Finally, in Table 7 a comment from risk management is presented. The importance of this department's comment is the consideration of compliance risk from a financial services group point of view. In general terms there is compliance management in every managed business market, but it is done according to external requirements from market regulations or common practices in the industry.
Columns: France | Spain | Australia | Russia | Switzerland.

Governance
To which laws, licences and standards does the subsidiary need to comply?
  France: Stock market laws; licences according to stock market laws; standards: none.
  Spain: Corporation, Tax, Health & Safety regulations, Labour, Data protection; no license required; Spanish GAAP.
  Australia: Corporation, Tax, Corporate Good Governance Laws; Privacy, Fair Practices, Customer Identification Process, NCP Acts; Anti Money Laundering Rules; and Criminal Code of Conduct; legal entity and trading name; IFRS Standards.
  Russia: Customer rights law; no license required; Russian GAAP and Audit Standards.
  Switzerland: Consumer credit, Money Laundering and Unfair Competition laws; banking licences; standards: none.
Are any new laws, license requirements or standards expected in the next 2 years?
  France: No | Spain: Yes | Australia: Yes | Russia: No | Switzerland: No
Is an Internal Control System required?
  France: No | Spain: No | Australia: No | Russia: Yes | Switzerland: No

Organization
Which employee is responsible for the Compliance Management?
  France: General Manager | Spain: General Manager | Australia: General Manager | Russia: Managing Director | Switzerland: General Manager and external party (operative business outsourced to bank)
How is the compliance management process structured?
  France: Continuous monitoring with legal and consulting firm.
  Spain: Information reception from different sources; evaluation with legal and RM; application.
  Australia: Business governance, monthly meeting, scanning of information sources of requirements.
  Russia: Not one per se; monitoring and identification of new requirements as well as discussion.
  Switzerland: External party is member of a council which includes compliance topic meetings, and its headquarters supplied the required policies.
How are new laws or requirements identified?
  France, Spain, Australia, Russia and Switzerland: done by an external party.
Which compliance policies exist?
  France: Internal group policies | Spain: No | Australia: Dealer Bulletins | Russia: No | Switzerland: No
Is the compliance topic discussed in any committee?
  France: No | Spain: Yes | Australia: Yes | Russia: Yes | Switzerland: Yes, with external party.
How is CM integrated into the internal and external information system?
  France: None | Spain: According to Data Protection Law | Australia: In different sources, not as a whole | Russia: Depends on the requirement | Switzerland: Done by external party.

Evaluation
RM Comment
  France: CM is done by external support.
  Spain: CM relies mostly on external support.
  Australia: CM is developed at a basic level.
  Russia: CM is done according to circumstances, without a written process.
  Switzerland: CM is done by external party.

Acronyms: ICS: Internal Control System; CM: Compliance Management; BaFin: German Financial Supervisory Authority; CCO: Chief Compliance Officer; CFO: Chief Financial Officer; CEO: Chief Executive Officer; RM: Risk Management; PFSD: Captive Financial Services Company
Table 8: Compliance Management Survey for Commission Business.
Table 8 presents the results and the risk management comment for the international commission businesses. The order of the markets is the following: France, Spain, Australia, Russia and Switzerland. At the governance level the legal requirements are not the same as in the managed business, therefore fewer laws are mentioned. Only Spain and Australia foresee new requirements in the next 2 years. With regard to an internal control system only Russia considers it necessary. At this level the answers are consistent with the type of business model, in which the main risks are carried by an external party.
At the organization level the person responsible for compliance is also at the highest level of the hierarchy; in some cases, because of the type of business model, compliance is handled by the only person responsible for the market. This business model has the advantage that the number of personnel required to manage the subsidiary can be reduced to one person. The responses about the compliance management process describe, in general terms, monitoring, identifying, discussing and implementing. Switzerland focuses more on the external party because it is a commission business with a single responsible person.
In this business model the identification of new laws is done completely by an external party; in most cases there are no compliance policies, even though the compliance topic is mentioned in committees.
The last question of the organization level depicts the differences among subsidiaries as well as the need for a standardized compliance management in order to manage, in an efficient manner, the compliance requirements for all subsidiaries and headquarters. The answers are diverse; rather than an integration of compliance management into the information system, it is done by an external party or depends on the requirement. This means that the integration is done at the moment a need arises, without any prevention or trend analysis.
The risk management comment states that in most of the markets compliance relies on external support. In the particular case of Australia the policies and internal rules of the group company involved in compliance are mentioned, but the external requirements are left aside.
The answers from the survey in both business models present the following results:
1) In terms of governance there is a particular legal frame for each market, but the topics are similar, e.g. money laundering, information protection and financial supervision according to international organizations.
2) The topic is relevant for all subsidiaries, and an internal control system is required by most of the subsidiaries.
3) Policies are in progress, and the integration of compliance management into the information system is done according to each subsidiary's own experience.
The subsidiaries of the Captive Financial Services Company have developed compliance management according to their particular needs, which increases the relevance of a model to achieve an effective compliance management within the group.
2.3 National Level Requirements
According to the national requirements, the survey yields the results shown in Table 9. The survey is the same as the one applied to the international subsidiaries mentioned in chapter 2.2, attached as appendix 5.
Headquarters (it carries credit and residual value risk): Germany

Governance
To which laws, licences and standards does the company need to comply?
  - Laws: Data Protection, Customer Credit Protection, MaRisk and Anti Money Laundering.
  - Licences: No license required.
  - Standards: IFRS.
Are any new laws, license requirements or standards expected in the next 2 years? Yes
Is an Internal Control System required? Yes

Organization
Which employee is responsible for the Compliance Management? General Manager Risk Management & Controlling.
How is the compliance management process structured? Identification and assessment of new requirements, measures implementation, review and monitoring.
How are new laws or requirements identified? PFSD and PAG GR annually update and regularly analyze, with Financial Services references.
Which compliance policies exist? Yes, CM directive (draft) and BaFin Notification policy.
Is the compliance topic discussed in any committee? Yes, internationally, with the Board and among departments.
How is CM integrated into the internal and external information system? According to mentioned policies.

Evaluation
RM Comment: A CM is established in fragmented activities.

Acronyms: CM: Compliance Management; PAG GR: Porsche Group Legal Department; BaFin: German Financial Supervisory Authority.
Table 9: Survey and Comment about the Headquarters Situation.
The Headquarters is also a managed business, which means it carries the credit and residual value risk. In terms of Governance the main laws that involve compliance are the Data Protection Law (Bundesdatenschutzgesetz), Customer Credit Protection (Verbraucherkreditgesetz), MaRisk and Anti Money Laundering (GWG)46. There are no license requirements, and the standards followed are the International Financial Reporting Standards, whose adoption by the European Union is stated in Regulation (EC) No 1606/2002, article 3. In terms of requirements or standards expected in the next years, additional MaRisk requirements from the Federal Financial Supervisory Authority (BaFin) are contemplated. An internal control system is a constraint stated by the MaRisk and has already been implemented by the Captive Financial Services Company headquarters; therefore, regarding compliance, the inclusion of compliance risks is required.
At the Organization level of Table 9, because of the size of the Captive Financial Services Company the main responsibility for compliance is delegated to the General Manager of the Risk Management and Controlling Department. It also has a process according to compliance needs.
46 The Institute of Auditors in Germany (IDW) has developed an Audit Standard Draft (EPS) called Principles of Proper Testing of a Compliance Management System (IDW EPS 980). Changes can be made until 01.10.2010; for that reason it is not included in this thesis, but it has been taken into account as a possible requirement in the near future. The draft includes as reference for a compliance management system most of the compliance organizations written about in this thesis (e.g. OCEG, COSO, US Sentencing Commission).
Process steps (left to right) with their activities:
1. Analysis of Legal Requirements
   • Identification of law, standard or guideline as well as issuer to comply with
   • Identification of the degree of obligation
   • Identification of the objective (reason) for the new requirement
   • Identification of the information required
   • Benchmark on companies already complying
2. Assessment of Legal Requirements
   • Identify if the requirement or part of it is already reported
   • Evaluation of the information or tools needed to comply with the requirements as well as training and external advisors
   • Evaluate time to comply vs. complexity of the requirement
3. Preparation and Presentation of Work Packages
   • Definition and planning of activities and responsibilities
   • Organization of tasks by departments / personnel involved
   • Establishment of a process to comply
4. Implementation of Work Packages
   • Integration of the new requirements into the IKS system
   • Process development
   • Reporting the information in the corresponding format
5. Results review
   • Verification of the result
   • Comparison of the result with the information already reported
   • Information delivery in the corresponding format
6. Continuous Monitoring
   • Monitoring of changes in compliance laws
   • Monitoring of new laws, standards, guidelines (relevant institutions)
   • Monitoring of trends and analysis
Figure 16: Compliance Process Developed by Captive Financial Services Company.
The compliance management process stated in Figure 16 is practical and fulfils basic compliance requirements. The first process step is the analysis of legal requirements, which leads to the identification of the regulation, its importance, the reason to comply and the information required. The next step is the assessment of the relevance of the requirement in terms of time, information, tools, training and external advisors. The third step is the measures taken, including the project management. The fourth step is the implementation phase. The fifth is the review of results, and the last step is the continuous monitoring, including trends on the topic.
For the identification of new requirements the Captive Financial Services Company works together with the Legal Department of the parent company. Additionally, there is a directive draft that integrates the compliance organization and states the incorporation of the information system. Regarding compliance management within the Captive Financial Services Group, there is no compliance management system that backs up a model for the group; it is rather a process that can be adapted in the other subsidiaries.
The results at the international and national levels establish the need for a model in the Captive Financial Services Company that is integrated into a compliance management system within the automotive company group, in order to provide proper, effective and efficient compliance management for the Captive Financial Services Company.
2.4 General Internal and External Requirements Frame
The international and national requirements establish the needs of the Captive Financial Services Headquarters and its subsidiaries. Internal and external requirements are referred to in this part in the sense of the internal structure of the compliance management and the external environment to comply with.
Internal requirements: Automotive Company Group -> Business Unit -> Subsidiaries; directives, guidelines, policies, procedures, internal control system, ...
External requirements:
  Cross Process: Active Bribery; Corruption; Fraud, Unfaithful; Theft, Embezzlement; Conflict of interests; Report Manipulation; Abuse of Information.
  Specific Process: Product Compliance; Trade Compliance; Competition Regulation; Capital Market Law; Taxes; Corporate Law; Labor Law; Business Obligations; Data Protection; Money Laundering; Banking Supervision / Specific Financing.
Figure 17: Internal and External Requirements.
Figure 17 presents the internal requirements to establish a compliance model and the external requirements to comply with. The internal ones range from the written directive to the internal control system inside the automotive company. The external ones are the compliance fields that affect all business units of an auto company. It is important to remark that not all the topics are relevant for a Captive Financial Services Company. Thus, for the sake of efficiency, only the relevant topics shall be taken into account in order to have an efficient internal control system with a pragmatic presentation that facilitates a model for subsidiaries.
With this overview of the internal and external requirements needed to build a compliance management model, and given that the organizational compliance of the Captive Financial Services Company and its subsidiaries has already been stated, the question arises. Consequently, the question is how to pass from the current status of compliance management in the Captive Financial Services Company to the optimal compliance maturity as seen in Figure 7, with its four phases of compliance maturity. Figure 18 depicts the objective: to reach in chapter 3 a model that in practice shall develop a compliance that is culture-centric and framework-integrated in the business unit of the company (as defined in Figure 18), starting from a project-centric one (as defined in Figure 18).
Compliance Maturity phases: Fragmented - Implemented - Embedded - Enhanced (across Operations, Compliance and Finance).
Current status (Fragmented): Compliance is project-centric. It is achieved through disconnected and/or inconsistently applied efforts throughout the enterprise.
Objective (Enhanced): Compliance is culture-centric and framework-integrated. It is achieved as part of how business is done and is inherently part of organizational culture.
Captive Financial Services Company Status: Current -> Objective.
Figure 18: Captive Financial Services Company Current Maturity Status and Objective.
In order to achieve the transfer from a fragmented to an enhanced compliance management, the following measures must be taken into account:
1) The model must be part of a compliance management system in which every part of the process and of the compliance organization has been incorporated. The components are the business values (mission, vision and philosophy of the enterprise), the detail regulations (guidelines, codes of ethics and conduct, instructions, procedures related to obligatory and voluntary compliance), the adequate instruments, communication, review, and the functional integration to develop compliance in the company, i.e. task force, committees and compliance chief office.
2) An integral process that includes the steering of compliance management, core process compliance and support processes from the automotive company group division to the subsidiaries of the business units, in order to standardize not only the processes of a business unit with its subsidiaries but also among business units, with a steering process from the automotive company group division.
3) Regarding efficiency, there are many topics included in compliance management, as seen in Figure 6; thus it is pertinent to establish which ones are relevant and which are not relevant in the financial services business unit.
4) An internal control system for compliance is mandatory, but because of regulatory demands the Captive Financial Services Company already has an internal control system implemented. Therefore the compliance risk and the controls necessary to perform an enhanced compliance management shall be added to the general internal control system.
The following chapter presents the practical part of the model. To this end, chapter one states clearly the theory of how to develop a compliance management system in relation to its environment of corporate governance and enterprise risk management; chapter two compares the current status of compliance at the Captive Financial Services Company with its goal, as well as the requirements to achieve that goal. It is in the final chapter that the compliance management model for the Captive Financial Services Company is developed.
3. Compliance Management Model
In this chapter the compliance management model is presented. Firstly, the relationship of the compliance management system between the parent company and the other business units is developed, and then the liaison between this system and the model. The model is carried out from a system perspective that starts with the business philosophy and ends with the process description of the model. Therefore, the model is integrated into the compliance management system of the Captive Financial Services Company.
In order to understand the difference between the system and the model, it is important to keep in mind that the compliance management system starts at the business values or philosophy of the enterprise, passes through the directives, policies and instruments, and ends with the delivery of the process, tools and reporting for compliance. In other words, it takes into account all the components or characteristics that are particular to the automotive group and the Captive Financial Services Company. The model, on the other hand, starts with the process, providing the tools, controls and reporting to comply. The model is an output of the whole compliance management system. Therefore it can only be done considering the needs of the captive entity.
Vertical layers (front face, bottom up): Business Values; Detail Regulation; Instruments; Communication; Review; Organization.
Lateral side (departments, left to right): Compliance Department; Legal; Internal Audit; Risk Management; Human Resources; Enterprise Security.
Top (process levels): Group (steering level); Division (core process); Business Unit (support process).
Other labels in the figure: Strategic; Monitoring.
Figure 19: Compliance Management System Relationship of Components.
Figure 19 presents a three-dimensional schema showing the relationship between the components of the compliance management system. On the front face of the schema the vertical structure of the system is presented. This starts, bottom up, with the Business Values of the enterprise. In the case of the Captive Financial Services Company these are six principles: enterprise, technical, people, performance, perspective and environment. The second layer is the Detail Regulation, meaning for the enterprise the guidelines stated by the parent enterprise and by the captive entity itself. These present the procedures and rules to be developed by the business of the company. Therefore any process done by the company must be taken into account in order to perform an efficient compliance management model without repeating activities. The third layer represents the Instruments, which in this case are provided via the internet for the principles of the Captive Financial Services Company, via the intranet for the detail regulations, and via internal systems for all other activities, as presented in chapter 3.2. The fourth layer is Communication, where the training and whistle-blowing system are integrated for the information flow. The fifth layer is the Review component, where the audit has an important role in monitoring the functional integration of the compliance management. In the case of the Captive Financial Services Company the Risk Management Department developed a controlling function, and an Internal Revision procedure is developed for all activities, including compliance management. The last layer is the Organization one. It involves the responsibilities of the management and the Board of Directors. In the case of the Captive Financial Services it states a set of management rules, dispositions and responsibilities of these two parties. The duties of the chief compliance officer are also located in this layer; they are assigned to the chief risk manager. The reason is that the compliance risks are added into the internal control system monitored by the Risk Management and Controlling Department.
On the lateral side of the schema, from left to right, the departments related to compliance are presented. It is important to understand that even though a department is responsible for compliance management, in the case of the Captive Financial Services Company it is integrated into the risk management and controlling one. Thus, following the values set, every single department develops its own compliance activities and reports. In other words, it is the responsibility of the Compliance Department to set the rules, information, means, training and whistle-blowing system for compliance, but it is the Legal Department that will comply according to its needs, and in the same way all other departments (e.g. the Accounting Department with financial statements, the IT Department with systems' security and Human Resources according to legal demands). All departments are involved in the compliance management from the business values up to the organization layer, where the process is developed.
The process is presented on the top of the cube, with the three levels on the upper side of the schema: group, division and business unit. Every department is related to the process at its own level. In the case of the Captive Financial Services Company the departments are integrated from the division level. It is important to understand that the captive entity has its own departments in relation to the parent company not only because it is a business unit, but because of the specific requirements that a financial industry company has. In the particular case of the Captive Financial Services Company only the Human Resources Department is carried out by the parent company. The schema presents the relationship of the compliance management system, and in its upper part the process in which the model is developed.
Figure 20 states the procedure taken in order to develop the model. After stating the compliance management system clearly, the model shall be developed so that the Captive Financial Services Company and its subsidiaries follow it. The first step has been the theoretical overview of compliance management. The second step has been the integration of the headquarters compliance management proposal, which is the steering level of compliance management. The third step is the evaluation and integration of the specific requirements, i.e. the model review according to the theory and the particular needs of the Captive Financial Services Company. The fourth and last step is the development of the core and support parts of the compliance management process. The objective of the thesis is the development of the model. It is the company that shall carry out the implementation.
Process steps:
  1. Analysis of the Theoretical View of Compliance Management
  2. Headquarters Compliance Management Project Model
  3. Model review & Integration of specific requirements
  4. Captive FS Entity defines Core and Support Process
Source: • Thesis and Auto Company Group Project • Captive Financial Services Company
Comment: • Model Implementation • Adaptation of Wieland Model* to the captive financial services entity
* Model in Figure 12 & 13
Figure 20: Model Process Development.
For the theoretical view, the Wieland compliance management system47 is taken as a guide for the compliance management process that sets up the model for compliance management by the Captive Financial Services Company. From the headquarters group company the steering-level process is taken, in which the parent company states the main process; the responsible party at this level is the Compliance Management department. On the other side, it is the other business units that will develop the core and support processes. In other words, there are group-approach standards to be fulfilled by the division and business unit levels. The division takes care of specific requirements, in the case of the captive entity banking requirements. At the division and business unit levels the core and support processes are developed.
Compliance Management System
  Compliance Management: Business Model; Leadership Responsibility.
  Compliance Organization: Compliance Department; Legal; Internal Audit; Risk Management; HR; Enterprise Security.
Group - Steering level (CS):
  CS1. Monitoring Compliance Landscape; CS2. Target Setting "Compliance" (Incentive System); CS3. Monitoring System; CS4. Monitoring Offenses; CS5. Creation Organizational Measures; CS6. Steering Sanctions; CS7. Management Consulting and Project Management; CS8. Management Reporting.
Division - Core Process (CM):
  CM1. Directive Creation; CM2. Risk Identification and Scanning; CM3. Set up Training and Content Awareness for Target Groups and Frequency; CM4. Specific Topics of Prevention and Consulting; CM5. Process Monitoring; CM6. Creation of Process Measures; CM7. Reporting and Escalation.
Business Unit - Support Process (CU):
  CU1. Directives Management; CU2. Compliance Systems (Methodology, Technology & Tools); CU3. Training Platform; CU4. Whistle Blowing & Help Desk; CU5. Audit; CU6. Investigation; CU7. Communication.
Figure 21: Compliance Management System and 3 Level Process.
Figure 21 presents the main process from which, in chapter 3.2, the compliance model is carried out. The slight differences between the theoretical system and the one taken by the Captive Financial Services are located in the names of the process steps. These are stated according to the particular needs of the captive entity or the steering compliance process taken from the parent company.
47 see Figures 12 and 13.
Figures 22, 23 and 24 present the process steps of the company according to their corresponding level; the whole process is located within the compliance management system. In order to identify process steps in relation to their level, an acronym is given (based on the German abbreviation): steering level (CS), core process (CM) and support process (CU). The description of the process steps is the following:
Figure 22 shows the group steering level process steps in sequence: CS1 Monitoring Compliance Landscape, CS2 Target Setting "Compliance" (Incentive System), CS3 Monitoring System, CS4 Monitoring Offences, CS5 Creation Organizational Measures, CS6 Steering Sanctions, CS7 Management Consulting and Project Management, CS8 Management Reporting.
Figure 22: Group Steering Level Process Steps.
Group Steering Level (CS).
CS1. Monitoring Compliance Landscape: a risk analysis overview of the company is carried out, covering the relevant laws to comply with as well as the monitoring of legal developments. Any changes within the compliance management system of the group or in its environment are adapted.
CS2. Target Setting "Compliance" (Incentive System): the target setting and the guidelines for compliance are performed. Compliance activities are inserted into the incentive system (goals for departments and employees, related to bonuses).
CS3. Monitoring System: compliance sensors are defined, e.g. supervision control tools. The initialization and evaluation of the system are tested. It includes the evaluation of infractions.
CS4. Monitoring Offences: a preliminary assessment of the evidence of a violation is established and, if necessary, an investigation is commissioned.
CS5. Creation Organizational Measures: initialization and monitoring of the corresponding investigations. These are directly related to the offences monitoring. The offences are defined in the Civil Code of Germany.
CS6. Steering Sanctions: adequate sanctioning is given, followed up by the process improvement; the sanctions range from an oral reprimand to dismissal on justified grounds.
CS7. Management Consulting and Project Management: development of the compliance management process, rules, tools and external whistle blowing. Support to the optimization of the compliance core process and exchange of experience through networking engagement with other divisions.
CS8. Management Reporting: control of compliance reporting in the group and regulatory reporting.
Figure 23 shows the division core process steps in sequence: CM1 Directive Creation, CM2 Risk Identification and Scanning, CM3 Set up Training and Content Awareness, CM4 Specific Topics of Prevention and Consulting, CM5 Process Monitoring, CM6 Creation of Process Measures, CM7 Reporting and Escalation.
Figure 23: Division Core Process Steps.
For all the Division Core Processes the process owner and support were defined, as well as the assignments, competencies and responsibilities. The important point is to have traceability of the aim, committees, inputs, outputs and operating expenses of each process.
Division Core Process (CM).
CM1. Directive Creation: the group company normally sets the rules on how to create a directive. Here it is regulated in which format, with which minimal contents and how often reviews have to be prepared for a directive, in this case for the Compliance Management Directive. All group directives are provided on the intranet platform. The Captive Financial Services Company has described the structure of the directive, following the MaRisk regulations (AT 5 Organizational Rules), in a Risk Management Handbook.
CM2. Risk Identification and Scanning: in order to have documented compliance risks, these risks are included in the risk matrix developed to comply with the minimum risk management requirements. The risk matrix exists for all core processes and is updated yearly and ad hoc. Specific legal changes are tracked through the compliance management survey (see appendix 5) and documented in the internal control system.
CM3. Set up Training and Content Awareness: training documents are created for all required topics by the process owner and the information is prepared as a presentation. The information is used in a classroom training session and printed for employees as a reference. New employees are trained according to their job description, and regular training sessions are planned for all other employees according to specific needs or as updates. External seminars are given additionally to support the internal training.
CM4. Specific Topics of Prevention and Consulting: implementation of specific preventive controls in the core and support processes, and consulting support (i.e. internal and outside consultants) given to each particular department that shall comply with a regulation.
CM5. Process Monitoring: supervision and review of internal processes by the Captive Financial Services Company. Non-compliance is evaluated and measures are defined to achieve compliance.
CM6. Creation of Process Measures: optimization of the corresponding processes where a need for change was detected or in response to a violation that occurred.
CM7. Reporting and Escalation: compliance topics are reported in the meetings of the department managers, the Board of Directors and with the management of the parent company. Additionally, regular reporting to the Compliance Department of the parent company is carried out and reports are discussed in the compliance council meetings. The Captive Financial Services Company ensures the communication of any violation to the relevant committees and responsible persons.
Figure 24 shows the business unit support process steps in sequence: CU1 Directives Management, CU2 Compliance Systems (Methodology, Technology and Tools), CU3 Training Platform, CU4 Whistle Blowing and Help Desk, CU5 Audit, CU6 Investigation, CU7 Communication.
Figure 24: Business Unit Support Process Steps.
Business Unit Support Process (CU).
CU1. Directives Management: management and publication of guidelines. All Captive Financial Services Company directives are reviewed biannually (twice a year) and updated if necessary. The captive entity's process for the review of existing directives is as follows:
- The directives manager is responsible for the directives review kick-off, which is carried out twice a year on a fiscal year basis.
- The results of the review are presented during the department management meetings with the CEO and CFO; in this meeting approval is given for changes in requirements and for the implementation time line.
- Priority 1 changes to existing directives are implemented during the following 4 weeks and presented in the next department manager meeting.
- Priority 2 changes to existing directives are implemented during the following 5 months.
- Priority 3 changes to existing directives are implemented during the following 11 months.
- New directives that need to be discussed during the department manager meetings will be added to the next meeting.
Moreover, if a change is urgently needed, it shall be done. Such changes can occur because of process improvements, legal requirements, etc. The required changes are controlled and deviations are indicated by a traffic light dashboard. This system is used for the review of existing directives and for the creation and updating of directives.
CU2. Compliance Systems (Methodology, Technology and Tools): the required methodology, technology and tools are developed and continuously improved to meet the compliance management requirements. Examples of these tools are the compliance management survey, the filing system for legal documents, the risk matrix, control documentation and reporting.
CU3. Training Platform: the captive entity provides the compliance management training infrastructure for the employees. This means that trainings are organized and carried out. All participants are documented and all captive entity training documents are stored on the central drive to which all employees have access. Training feedback is collected to verify the training of the staff.
CU4. Whistle Blowing and Help Desk: the captive entity compliance chief officer is a contact point for employees and non-employees. A preliminary assessment of questions and hints is carried out and, if necessary, questions and hints are routed to the corresponding responsible party or authority.
CU5. Audit: execution of compliance system audits, conducting audits on compliance topics and special investigations.
CU6. Investigation: special investigations can be executed and are supported by a team. The team members can be employees of the captive entity and of the parent company.
CU7. Communication: information flows about compliance management, e.g. email to captive entity employees and presentations at dealers' meetings.
Figure 21 integrates all process steps in the compliance management system schema. As written above, it is the Compliance Department that provides the process in the last layer of the system, but it is the Captive Financial Services Company that provides the core process and the support process. The figure presents the process as a flow chart in which the process steps are carried out from the beginning of compliance until the end. Where one process step is followed by another, the next process starts after that step without stopping the former one, i.e. the sequence only describes that one step is followed by the other. E.g. CS1 monitoring compliance landscape is needed in order to perform CS2 target setting and the anchoring in the incentive system, or after CU4 whistle blowing and help desk come CU5 audit and CU6 investigation.
The compliance management process involves the automotive group company and the division level as well as the business units. Figure 25 explains the parts of the process relationships within the company, in other words how the steering for compliance management is developed within the group at the automotive group company level, in which the relevant steps are presented from the risk landscape until the management reporting. Moreover, the core and support processes that are handled at the division and business unit level are shown.
Figure 25 shows the Automotive Group Company with its subsidiaries Financial Services, Auto Manufacturer and Other Subsidiaries (each with further subsidiaries); the compliance management steering process is assigned to the group level, and the compliance management core processes and support processes to the subsidiaries.
Figure 25: Compliance Management Process.
Once the process approach has been pointed out within the company structure, i.e. the internal structure, the next chapter distinguishes between compliance fields.
3.1 Minimum External Requirements to Comply with Regulations
The captive entity and its subsidiaries must comply with different laws, as seen in chapter 2. The names of the laws differ by market even though the content of the law is the same. The business activities of the captives determine the laws and relationships with which the captive has to comply. The law names or compliance topics are presented as compliance fields, as done in chapter 2. In order to identify the topics with which the captive entity will comply, it is important to state the relevance of the fields. The following figure presents a distinction regarding the compliance fields of the Captive Financial Services Company. The relevant ones are those the company needs to comply with, and the non-relevant ones are specific to the auto industry or the corporate organization, but not to the financial services industry.
Figure 26 groups the compliance fields into cross process fields (Active Bribery, Corruption, Fraud, Unfaithful, Theft, Embezzlement, Conflict of Interests, Report Manipulation, Abuse of Information) and specific process fields, one group containing Capital Market Law, Corporate Law, Business Obligations and Sustainability, and the other Product Compliance, Trade Compliance, Competition Regulation, Taxes, Labor Law, Data Protection, Money Laundering and Banking Supervision / Specific Financing; each group is marked as relevant or non relevant for the Captive Financial Services Company.
Figure 26: Relevant Compliance Fields for the Captive Financial Services Company.
The relevant compliance fields are differentiated into cross process fields, which are related to several processes within the enterprise, and specific process fields, which are involved in only one process of the entity. The different fields are shown in Figure 26. Most of the cross process fields are already taken care of by operational risk, i.e. they are already considered as a possible risk in the operational activities of the company. In addition there are requirements demanded by MaRisk (BTR4) in Germany or COSO (general framework) in the US, which are explained in chapter 1.3. The topics Fraud, Theft, Manipulation and Abuse of Information are taken care of by the internal control system and the MaRisk Handbook of the captive company. The field Conflict of Interest is a compliance requirement of the corporate governance code. The fields Active Bribery and Corruption can be related to operational risk, behaviour risk or reputational risk, depending on the situation or the definition of the term. In the case of a direct loss from such a situation, or if it is identified within the operational risk definition of MaRisk, it is operational risk; if not, it is behaviour risk. In the case of an indirect loss related to word of mouth or bad publicity, it is reputational risk.
Operational risk, reputational risk and behaviour risk are the most important risk categories in the case of compliance. When the company does not comply with a rule, most of the time the company receives a sanction or a warning from the authorities. The economic or factual sanction represents a risk. Therefore these three new types of risk are included in the internal control system.
Regarding the specific processes, the most important are Money Laundering and Banking Supervision. Money Laundering is included in the internal control system, and Banking Supervision is actually regulated in the KWG and MaRisk, which demand an internal control system. These two specific issues are well developed by the Captive Financial Services Company and handled in the Risk Management and Controlling Department. In the case of the other specific processes (Trade, Competition Regulation, Taxes and Labour) the other departments are in charge of their own compliance, as the compliance management system requires, and any risk embedded in the process is included in the internal control system. Moreover, the changes required by the departments shall be done according to the compliance management model when needed.
3.2 Model
The compliance management model is stated as a handbook for the Captive Financial Services Company. It contains all practical findings of the thesis as well as the processes to develop compliance management. The first process step related to the Captive Financial Services Company in the compliance core process is the directive creation. Figure 27 presents the main contents of the captive group directive for compliance management.
The compliance management process is described in a directive for the Captive Financial Services Company. The controls and the reporting are also explained in the directive, whose intention is to portray the guideline and procedure for compliance which shall be used by any department for its future regulatory conformity.
A directive proposal has been written which currently has the status of a draft in the Captive Financial Services Company. The directive proposal is developed according to the internal rules for directive creation.
Figure 27 shows the Compliance Management Directive with its three main contents: 1. Process, 2. Controls, 3. Reporting.
Figure 27: Compliance Management Directive.
The directive proposal includes the responsibility matrix for the core and support compliance management processes. In Table 10 both matrices are presented in order to identify the three main responsibilities: to carry out, to assist or to be informed about the compliance management activities.
For every process step there is an organizational unit or entity department that carries out the activity, shown in the upper row, but depending on their involvement and relevance, other departments carry out, assist or will be informed.
The top part of Table 10 is the responsibility matrix for the compliance core process (CM). The directive creation is carried out by the Captive Financial Services Departments (CFS Departments), assisted by the business unit Directives Manager, and the CEO/CFO, Risk Management and the parent company human resources, which are also in charge of controlling new directives, are informed. The Risk Identification and Scanning is carried out by the Risk Management Department (RM), assisted by the Legal Department in case of new laws. In this case, the compliance officer (CCO) and the captive entity departments concerned with specific topics are informed. Training and content awareness is developed by the CCO, assisted by the departments, and RM, CEO, CFO and the parent company CCO are informed. The prevention and consulting is carried out by the CCO and assisted by the departments of the captive entity. The monitoring involves specific know-how, therefore it is carried out by the departments, and RM, CEO and CFO are informed. The departments also carry out the creation of process measures, assisted by the CCO in order to keep new process measures in line with directive guidelines and policies. RM also assists with the supervision of compliance risks. In case of any changes the directives manager, CEO and CFO are informed. The last step, reporting and escalation, is carried out by the compliance officer, and in the case of escalation to the parent company assisted by its CCO. The CEO, CFO, Legal Department and the captive entity departments involved are informed.
Organizational unit and/or decision maker involved (columns, left to right): AM GC | AM GR | AM MI | CFS CEO/CFO | CFS RM | CFS Compl. Officer | CFS Directives Manager | CFS Departments
CM Activities (entries listed in column order; blank cells omitted):
Directive Creation: I I I A C
Risk Identification and Scanning: A I C A I A
Set up Training and Content Awareness for Target Groups and Frequency: I I I C A
Specific Topics of Prevention and Consulting: I I A C A
Process Monitoring: I I C
Creation of Process Measures: I A A I C
Reporting and Escalation: A I I I C I
CU Activities (same columns):
Directives Management: I I I I C A
Compliance Systems (Methodology, Technology & Tools): A I A C A
Training Platform: I A C A
Whistle Blowing & Help Desk: I I C
Audit: A C I A I
Investigation: A I C I A I
Communication: I A C I
Acronyms: C = Carries out, A = Responsibility to assist, I = Will be informed. CM: Core Process, CU: Support Process, AM: Auto Manufacturer, GR: Chief Executive Office of Legal, GC: Chief Executive Office of Compliance, MI: Human Resources, CFS: Captive Financial Services, RM: Risk Management.
Table 10: Responsibility Matrix of Core and Support Processes.
The bottom part of Table 10 shows the responsibility matrix for the compliance support process. The first step is the directives management, carried out by the directives manager, assisted by the departments in the case of specific information or changes to the directive. The CEO, CFO, CCO, RM and Human Resources Department are informed. The tools development and management are the responsibility of the CCO with the assistance of the captive entity's departments including RM. The parent company CCO also gives support in this case. The training platform is carried out by the CCO and assisted by the CEO, CFO and other departments, and the parent company CCO is informed. The whistle blowing and help desk step is carried out by the CCO, and the CEO, CFO and parent company CCO are informed of it. The audit is carried out by the CEO and CFO, assisted by the parent company CCO as well as the CCO of the captive entity. Legal, RM and other related departments are informed. The investigation step is done by the CEO and CFO, assisted by the CCOs, Legal and RM; the departments involved are informed. The last step is communication, which is carried out by the compliance officer and assisted by the CEO and CFO. The related departments as well as the parent company CCO are informed.
Once the process and the responsibilities of the organizational units are explained, the internal control system is presented in the compliance management directive. As already explained, MaRisk demands an internal control system. This means that such an internal control system already has all the compliance risks integrated. Figure 28 shows the internal control system for compliance.
Internal Control System (ICS) Description for Compliance
Process | Sub-Process | Risk Category | Risk | Description | Impact Legal/External | Impact Internal
1 Product Development & Pricing | 1.2 Develop New Type of Product | Operational Risk | Limit of Authority | Exceeding of limits of authority. BoD or Vorstands approval necessary | n.a. | compliance issue
5 Customer Care | 5.1 Services ongoing (normal Contracts) | Operational Risk | Privacy Breach | Risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events and includes legal risks. | Customer Claim, Penalty Payment | compliance issue
5 Customer Care | 5.1 Services ongoing (normal Contracts) | Operational Risk | Lost Customer File | Risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events and includes legal risks. | Customer Claim, Penalty Payment | compliance issue
all operational processes | all operational processes | Operational Risk | Breakdown of Porsche office building in Padova | Breakdown of Porsche office building in Padova means that either PFS office space or the entire building in Padova is unavailable for business Operations. This can have several reasons like fire, storm, flooding, earthquake, other environmental reasons o | Delayed customer service. | compliance issue
all processes | all processes | Operational Risk | Unavailability of high number of employees (e.g. epidemics) | Unavailability of high number of employees (e.g. epidemics) means that a significant number of employees are absent at the same time and can not perform their normal job. | compliance issue | compliance issue
1 Product Development & Pricing | 1.2 Develop New Type of Product | Operational Risk | Non Compliance | Risk of non compliance in the area of product compliance. | Government Claim, Penalty Payment | loss of license and business
all operational processes | all operational processes | Operational Risk | Failure to follow internal processes | Risk of interruption of the day-to-day business because of failure to follow Directives, Guidelines and Procedures described within PFS Group. | Customer Claim, Penalty Payment | compliance issue
2 Marketing & Sales | 2.5 Process Customer/ Dealer Contract Request | Reputational Risk | Failure of professional image with third parties | Unprofessional third parties treatment resulting in word of mouth bad publicity | Image damage | n.a.
5 Customer Care | all sub-processes | Reputational Risk | Failure of professional image with third parties | Unprofessional third parties treatment resulting in word of mouth bad publicity | Image damage | n.a.
Internal Controls (MS Excel):
- Manual Controls, e.g. 4 eye principle, management rules (signature)
- Automated Controls, e.g. Data Protection (archives entrance), Passwords in consumers info. systems
- Random Tests, e.g. Third party payments (money laundering prevention)
Compliance Directive: 1. Compliance Controls, 2. Review Controls, 3. Maintenance of ICS, 4. Documentation & Reporting, 5. Define Measures for Broken Controls
Figure 28: Internal Controls for Compliance Management.
61
The figure shows the different parts of the internal control system‟s tools. These are
defined as manual, automated and random tests. Three MS Excel spreadsheets are
developed. The manual controls describe all the supervision activities which can not be
automated, e.g. two signatures in documents or limit power decisions. The automated
controls are the ones developed already in IT systems as control access to the
information of the captive entity, passwords in systems, specific company allowance into
client archives by the configuration of company identification cards. The third system is
the random tests, which include the selective information test for compliance verification.
An example is the third party payments for money laundering prevention from which a
1000 contract portfolio, a group of 50 is chosen to verify that the required information is in
the contract file. For every control there is a spreadsheet according to the compliance
fields related to the company.
In the internal control system of the captive entity there is a risk matrix with the following
categories: process, sub process, risk category, risk, description, impact internal, impact
external, probability, guideline, control activity, reporting, person in charge and test
activity.
The risk evaluation is determined with the relationship of the probability and severity of it.
Therefore, a control activity, reporting and test activity are identified in order to have the
risk identification, evaluation and reporting. Besides the control system tool, in the risk
control matrix the compliance‟s risks are included.
In order to include the compliance risks arising from the external requirements, a new risk
classification was added to the risk control matrix. Operational risks are segregated into
legal and non-legal ones, so that direct compliance risks (i.e. failure to comply with laws)
can be told apart from internal process failures that cause a loss but no compliance
breach. In MaRisk, operational risk does not include reputational risk; in the matrix,
reputational risk and behaviour risk are therefore included as separate categories. Under
behaviour risk, active bribery and corruption from the compliance fields can be located.
The risk control matrix, shown in Figure 29, also includes all other risks relevant to the
Captive Financial Services Company, i.e. credit risk, interest rate risk, liquidity risk,
residual value risk, concentration risk, reputational risk and behaviour risk. It is important
to mention that the main reason for this risk control matrix is to comply with the internal
control system required by AT 4.3 of MaRisk; the other risks are included in order to
comply with financial regulations. The new risk categories (operational risk with a legal or
internal compliance dimension, reputational risk and behaviour risk) are the ones added
as compliance risks.
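The two mechanisms described above, the probability-times-severity evaluation with the legal/non-legal split that marks a row as a compliance risk, and the selective information test that samples 50 of 1,000 contract files, can be written down as a small script. The following is an added example, not code from the thesis or from the captive entity; the numeric scale for low/medium/high, the severity labels on the rows, the required field names and the contract portfolio are all assumptions constructed for the illustration. The sample is drawn with a recorded seed so that an internal reviewer can re-draw exactly the same 50 contracts when re-performing the test.

```python
"""Added illustration (not part of the thesis): a small risk control matrix
with probability x severity scoring, the legal / non-legal split of
operational risk used to mark compliance risks, and a reproducible
selective information test over a constructed contract portfolio.
All names, scales and sample data below are assumptions made for this example."""
import random
from dataclasses import dataclass

# Assumed ordinal scales; the thesis uses only the labels low / medium (/ high).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    process: str
    risk_category: str      # e.g. "Operational Risk", "Reputational Risk", "Behaviour Risk"
    risk: str
    probability: str        # "low" / "medium" / "high"
    severity: str           # "low" / "medium" / "high"
    legal: bool = False     # operational risk with a legal (direct compliance) dimension
    control_activity: str = "none"
    test_activity: str = "none"


def risk_score(entry: RiskEntry) -> int:
    """Risk evaluation as the product of the probability and severity levels."""
    return LEVELS[entry.probability] * LEVELS[entry.severity]


def is_compliance_risk(entry: RiskEntry) -> bool:
    """Compliance risks in the matrix: legal operational risk, reputational
    risk and behaviour risk; non-legal operational risk is a loss but no
    compliance breach."""
    if entry.risk_category == "Operational Risk":
        return entry.legal
    return entry.risk_category in ("Reputational Risk", "Behaviour Risk")


def compliance_risks_by_score(matrix):
    """Compliance rows ranked by score, highest first (stable for ties)."""
    return sorted((e for e in matrix if is_compliance_risk(e)),
                  key=risk_score, reverse=True)


def example_matrix():
    """Constructed rows modelled on Figure 29; the severities are assumed."""
    return [
        RiskEntry("5 Customer Care", "Operational Risk", "Privacy Breach", "low", "high",
                  legal=True, control_activity="ISMS Audit", test_activity="Penetration Test"),
        RiskEntry("1 Product Development & Pricing", "Operational Risk", "Non Compliance",
                  "low", "high", legal=True),
        RiskEntry("all processes", "Operational Risk", "Unavailability of employees",
                  "medium", "medium", legal=False, test_activity="BCM Tests"),
        RiskEntry("2 Marketing & Sales", "Reputational Risk", "Failure of professional image",
                  "low", "medium"),
    ]


def build_sample_portfolio(n: int = 1000, defect_every: int = 40):
    """Constructed portfolio of n contract files; every defect_every-th file
    lacks the source-of-funds record (the defect the test should find)."""
    portfolio = {}
    for i in range(1, n + 1):
        record = {"payer_identity": "verified", "beneficiary": "dealer",
                  "source_of_funds": "documented"}
        if i % defect_every == 0:
            record["source_of_funds"] = ""
        portfolio[f"C{i:04d}"] = record
    return portfolio


def selective_information_test(contracts, required_fields, sample_size, seed):
    """Draw a reproducible random sample of contract ids and report, per
    sampled contract, which required fields are missing or empty.
    The seed belongs in the test record so internal revision can re-draw
    exactly the same sample."""
    rng = random.Random(seed)
    sample = rng.sample(sorted(contracts), sample_size)
    findings = {}
    for cid in sample:
        missing = [f for f in required_fields if not contracts[cid].get(f)]
        if missing:
            findings[cid] = missing
    return sample, findings


if __name__ == "__main__":
    for entry in compliance_risks_by_score(example_matrix()):
        print(f"{risk_score(entry)}  {entry.risk_category}: {entry.risk} "
              f"(control: {entry.control_activity}, test: {entry.test_activity})")
    portfolio = build_sample_portfolio()
    sample, findings = selective_information_test(
        portfolio, ["payer_identity", "beneficiary", "source_of_funds"], 50, seed=2010)
    print(f"sampled {len(sample)} of {len(portfolio)}; {len(findings)} with gaps: {findings}")
```

The non-legal operational row (unavailability of employees) scores highest but is not a compliance risk, which is exactly the distinction the legal/non-legal split is meant to make visible; the findings dictionary is what would be pasted into the control spreadsheet for the test.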
Process | Sub-Process | Risk Category | Risk | Description | Impact Legal / External | Impact Internal | Probability | Applicable documentation / guideline | Control Activity | Reporting | Person in charge | Test Activity
1 Product Development & Pricing | 1.2 Develop New Type of Product | Operational Risk | Limit of Authority | Exceeding of limits of authority. BoD or Vorstand approval necessary | n.a. | compliance issue | low | Management Rules PFSx | Check Management Rules for applicable Limits of Authority | BoD Minutes | Process Owner | Risk Management to check RfA and write comment
5 Customer Care | 5.1 Services ongoing (normal contracts) | Operational Risk | Privacy Breach | Risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legal risks. | Customer Claim, Penalty Payment | compliance issue | low | Information Security Policy | ISMS Audit | none | PFSD IT | Penetration Test
5 Customer Care | 5.1 Services ongoing (normal contracts) | Operational Risk | Lost Customer File | Risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legal risks. | Customer Claim, Penalty Payment | compliance issue | low | Information Security Policy | Physical Security Measures, Access Control | none | PFSD IT | ISMS Audit
all operational processes | all operational processes | Operational Risk | Breakdown of Porsche office building in Padova | Breakdown of the Porsche office building in Padova means that either the PFS office space or the entire building in Padova is unavailable for business operations. This can have several reasons like fire, storm, flooding, earthquake, other environmental reasons o | Delayed customer service. | compliance issue | low | BCM Handbook | none | Damage/Loss Database | Process Owner, Emergency Coordinator, Crisis Team | BCM Tests
all processes | all processes | Operational Risk | Unavailability of high number of employees (e.g. epidemics) | Unavailability of a high number of employees (e.g. epidemics) means that a significant number of employees are absent at the same time and cannot perform their normal job. | compliance issue | compliance issue | medium | BCM Handbook | none | Damage/Loss Database | Process Owner, Emergency Coordinator, Crisis Team | BCM Tests
1 Product Development & Pricing | 1.2 Develop New Type of Product | Operational Risk | Non Compliance | Risk of non-compliance in the area of product compliance. | Government Claim, Penalty Payment | loss of license and business | low | Risk Management Handbook | none | Product Compliance Overview | Process Owner | none
all operational processes | all operational processes | Operational Risk | Failure to follow internal processes | Risk of interrupting the day-to-day business because of failure to follow the Directives, Guidelines and Procedures described within PFS Group. | Customer Claim, Penalty Payment | compliance issue | low | Directives, Guidelines and Procedures | Continuous Monitoring, Controlling Tools, Training and Internal Revision | Damage/Loss Database | Process Owner, Emergency Coordinator, Crisis Team |
2 Marketing & Sales | 2.5 Process Customer/Dealer Contract Request | Reputational Risk | Failure of professional image with third parties | Unprofessional treatment of third parties resulting in word-of-mouth bad publicity | Image damage | n.a. | low | Mission, Vision, Values | Quality of Services Survey??? | none | Compliance Officer | none
5 Customer Care | all sub-processes | Reputational Risk | Failure of professional image with third parties | Unprofessional treatment of third parties resulting in word-of-mouth bad publicity | Image damage | n.a. | low | Mission, Vision, Values | Quality of Services Survey??? | none | Compliance Officer | none
all processes | all sub-processes | Reputational Risk | Failure of professional image with third parties | Unprofessional treatment among departments and colleagues resulting in external word of mouth by the employees as bad publicity | Image damage | n.a. | low | Directives, Guidelines and Procedures | Internal Revision | none | Compliance Officer | none
Figure 29: Risk Control Matrix.
The reporting of these tools is done without a special report format; it follows the order
embedded in the Excel spreadsheet.
Besides all the parts of the compliance management model described before, the survey
in chapter 2 is the most relevant tool for compliance: it not only keeps a record of the
Captive Financial Services Company's requirements, it also keeps the list of laws,
standards and rules to comply with. Consequently, a filing system is provided in order to
keep the legal documents updated for documentation control and reporting purposes in
the entity.
Finally, in order to document the compliance management model, a handbook for the
Captive Financial Services Company is developed. It integrates the thesis findings as
well as the general model. The contents of the compliance management handbook are
shown in Figure 30.
The reasons to write down a Compliance Management Handbook for the Captive
Financial Services Company are three in particular:
- Legal trend: As stated in chapter one, the regulations require a compliance
management for enterprises. It is currently not mandatory for all industries, but the
trend shows it will be. In order to prepare for that situation the captive entity sets
up the Handbook for the national and international requirements that will follow in
the next years.
- Standardization of processes: The handbook keeps in line with the business values
and procedures of the group. It provides a guideline to develop the process for
better control and keeps a record of the procedures as well as of the improvements.
It is also practical for internal revision purposes, and it makes sure that the
compliance activities are followed, securing continued success.
- Source of information for compliance: It avoids misunderstandings and provides a
communication link to employees, giving clarity in terms of policies and procedures
not only to the headquarters but also to the subsidiaries within the group.
The handbook's Introduction states the overview, acronyms, definition of compliance and
contact persons. These subjects are included in any official documentation of the captive
entity with these characteristics. The Regulatory Requirements section includes the
internal and external requirements. In the case of external requirements, the laws
demanded by the specific markets are given by the survey results. In the case of laws
that affect the group company, the responsible group department provides the required
information as input, e.g. for information security. The Areas of Risk section presents the
compliance fields, cross and specific processes, as well as the input laws for every topic.
Regarding Adoption or Implementation of the Compliance Management Model, the
handbook presents the purposes:
a) to provide an effective management of compliance,
b) to prevent misconduct by constant control over risk areas,
c) to remind the company staff of administrative sanctions if offences are committed
(e.g. fraud, theft).
The objectives are also presented in this section:
a) to ensure compliance management strategies, operations, supervision and control
activities,
b) to guarantee effectiveness and efficiency in company processes,
c) to protect the value of assets and prevent losses, and
d) to ensure compliance.
The methodology and process are as explained at the beginning of chapter 3.2. This part
also includes the explanation of compliance risk in the internal control system.
The Supervisory Body section presents the responsible persons, i.e. the chief compliance
officers (of the group company and of the captive business unit), the CEO and the CFO.
The Disciplinary System states the principles and sanctions, which include verbal or
written reprimand, suspension from service and dismissal on justified grounds or for good
cause. Training, Information and Communication are organised according to the process.
Reporting is also acknowledged according to the process, presenting the schedule of the
planned activities and the time lag for reporting. Finally, the Appendix contains specific
documentation related to abbreviations or definitions of concepts. With the mentioned
elements the model is documented as a handbook, with the benefit that the document can
be passed on to the different subsidiaries if needed. Market-specific topics can be added
to each section as an attachment to the handbook.
Compliance Management Handbook Contents
1) Introduction
2) Regulatory Requirements
3) Areas of Risk (according to relevant compliance fields)
4) Adoption or implementation of the Compliance Management Model
5) Supervisory Body
6) Disciplinary System
7) Training, Information and Communication
8) Reporting
9) Appendix
Figure 30: Compliance Management Handbook Contents.
Now that the model is established for the Captive Financial Services Company, the
following factors are taken into account to evaluate it:
1) compliance management is part of risk management, as the theoretical overview
states,
2) the model contains the relationship between the variables analytical power and
reporting power, therefore it can be evaluated as a risk management tool.
With this in mind, the schema presented in Figure 11 with general tools for risk
management is taken up in this chapter and used to identify the risk management power
of the model in Figure 31.
Following the definition of risk management in chapter one, effective risk management is
defined by the relationship between a tool's analytical power and its reporting or
management power. In this case, as shown in Figure 31, in order to handle compliance an
effective risk management system must be built with automated prompts for actions or a
risk workflow management, and on the other side its analysis must include economic
capital allocation or causal modeling and simulation. The relation of the compliance
management tools is intended to reach the integrated and holistic area of the schema in
Figure 31.
[Figure 31 is a two-axis schema of which only the labels survive in the text. Vertical axis:
Analytical Power. Horizontal axis: Reporting / Management Power. Quadrants: Reactive
Measurers, Reactive Managers, Proactive Measurers, Integrated / Holistic RM. Tools
placed on the schema: Frequency, severity & other statistical analyses; Loss data
collection; Data trending & scaling; Risk identification; Risk and audit issue tracking; Risk
and control self-assessment; Automated prompts for actions; Risk workflow management;
Economic capital allocation; Causal modeling and simulation; CM (including reputational
risk). Positions marked: Operational Risk; Previous CM process. Levels: Fragmented,
Enhanced.]
Figure 31: Compliance Management Level of Effectiveness.
The description of how the compliance management of the Captive Financial Services
Company passed from fragmented to enhanced is as follows. Before the model was
established, the captive entity had a compliance process without a standardized, detailed
process; on the other side, some of the cross processes of the compliance fields were
integrated into the operational risk management of the captive entity, i.e. fields like fraud
and theft. Even though operational risk is covered by MaRisk (within the captive entity),
and MaRisk calls for automated prompts for actions and risk workflow management, as
well as economic capital allocation, it is not considered here as part of MaRisk. The
reason for this is that operational risk, as defined in Basel II and MaRisk, lacks the
reputational risk. In other words, operational risk is taken separately and not with MaRisk
in order to have operational risk and reputational risk on the same level, and so as not to
claim that some of the operational risks have economic capital allocation, which would
make them hard to locate in the schema. Therefore, the reason for the improvement of
compliance management from fragmented to enhanced, reaching the integrated area of
the schema, is the following: as the compliance management tools include the
compliance risk (i.e. reputational risk) in the risk matrix, the internal control system
automatically provides for the economic capital allocation of that risk, making it part of
the integrated risk management as well as of the risk management of the Captive
Financial Services Company. The main reason for integrating the compliance
management tools into the internal control system of the captive entity is to facilitate the
effectiveness of compliance.
IV. Conclusion
The topic of compliance can be seen by any enterprise as a cost, a new process or more
bureaucratic documents to fill in. On the other side, the topic can be seen as an
opportunity to enhance value. Compliance management has long been carried out for
specific processes in enterprises; in order to enhance value it is necessary to integrate it
as part of the management culture. When compliance is seen as part of the regular
operational activities that run all the way through any process, such as communication or
monitoring, then it becomes part of the management culture. If compliance becomes part
of the natural manner in which an enterprise operates, then the entity increases value, not
only by standardizing processes or reducing the time and cost to comply, but also by
introducing the topic of compliance among the staff as part of the values of the entity.
The fact that in the last years many regulatory scandals have appeared has provoked a
demand to comply with several regulations among national and international
organizations. In the case of financial companies the requirements are mandatory,
because most of the scandals are in this field. In other words, it has become not only a
need but a trend. With this in mind, setting up a compliance management is relevant to
reduce efforts and organize coming activities in the area of compliance.
The specific compliance processes, i.e. trade compliance, taxation compliance, bank
supervision and corporate law, have been carried out in order to keep the entities within
a regulatory frame according to a government strategy (e.g. trade and taxes as
macroeconomic strategy). Moreover, the cross compliance processes are now the trend
to prevent theft, fraud, bribery, etc. This opens the question of how to approach the next
topic: as single processes or by integrating them into one compliance management
system. Many regulations deal with this issue by dividing the compliance processes and
focusing on the cross-operative ones such as abuse of information, corruption and conflict
of interest. Two examples of such regulation are, first, the corporate governance code in
Germany, which focuses on ethics and conflicts of interest and presents the topic of
compliance broadly, but without intending to integrate all the topics in a system or as part
of the management culture of the enterprise, and without including the specific
processes. The second example is the legislative decree 231 of 8 June 2001 issued by
the executive branch in Italy. This law states that a company cannot be held responsible
or be prosecuted for an offence (as defined in Italy's criminal code) if the entity can prove
that it has adopted and efficiently put into effect management models to prevent these
offences. Both regulations focus on cross process compliance and not on cross and
specific processes together, as a compliance system would propose.
A compliance management system is foreseen, as new topics like corporate governance
and risk management have increased in importance in the last years. Corporate
governance tries to establish a relationship of trust between management and
shareholders by proposing compliance enforcement and risk control. Risk management,
like corporate governance, provides transparency, in the particular case of risk. One of
the risks is non-compliance, but all the others are managed more because of compliance
regulations than because of internal controls in enterprises. As the survey at the end of
chapter 1.2 states, the objective of the Risk Management Department is to find new risks,
but its main limitation and challenge is its focus on regulators, i.e. the priority is not risk
management but to comply with regulations. Therefore, an integrated compliance
management system enforces compliance and reduces its risk. In the same way it
reduces the workload of the Risk Management Department so that it can focus on facing
risk and not on complying. The importance of a compliance system is that it involves the
internal and external regulations and also enhances the effectiveness of risk
management by reducing compliance risk.
The relevance of structuring a compliance management system lies in the integration of
the process as part of the management culture. The importance of introducing
compliance from the core base of any enterprise lies in the relationship of business
values, internal regulations, systems and organization. In the case of the auto industry,
the companies started as large companies that built the vehicle from scratch, from raw
material. The industry evolved from dividing processes into business units to
independent companies, e.g. Delphi in General Motors and Visteon in Ford. The objective
was to increase the profitability of the business units by acquiring external business
orders. The first step was the establishment of the process as a business unit for the
group, and then the acquisition of external business. Today, the companies do not
produce the vehicles from scratch; they buy from the suppliers what is called a module,
i.e. the complete dashboard, seats or doors. Consequently, the auto industry companies
are also called assemblers. In the case of the Captive Financial Services Company the
same strategy is followed: at the moment they are established as business units within
the group. A holding is created in order to control all business units. Other common
business units besides the captive entity are consulting and a motor sport division, the
former to make profit out of the know-how of the company's experience and the latter for
sports car races and special events. The subsidiaries of all business units form another
business level within the auto group structure. Consequently, it is relevant to keep the
core principles, philosophy, mission and vision of the enterprise in order to maintain the
unity and logic of its operation, as well as the management culture developed through the
years in the auto group company.
Considering the development of the auto industry and its different levels of business, the
success of a compliance management system depends on the relation of its elements.
The particular Captive Financial Services Company had in recent years developed an
internal control system and the elements to comply with MaRisk; therefore the entity had
already established compliance to a certain degree. Moreover, it also had an
independent compliance process particular to the captive entity. Consequently, the
relationship of the group process with a new captive entity process that follows the same
logic, together with the integration of the compliance tools into the internal control system,
makes an efficient and successful compliance management system possible. The
relevance of this consists in not repeating compliance tasks through different processes
and controls, while at the same time maintaining the business values of the enterprise.
The relevance of the compliance management system is also observed in the entity's
future needs: any new compliance regulation will be embraced by the system without
surprises, without the elaboration of new processes or the determination of new
responsible persons. The fact that a model is created within the organizational structure
of the system facilitates the work and communication flow within the captive entity and
allows the transfer of the system to its subsidiaries, making it practical, dynamic and
efficient.
References
Australian/New Zealand Standards, 2004. AS/NZS 4360:2004 Risk Management. Sydney: Standards Australia/Standards New Zealand.
Basel Committee on Banking Supervision, 1996. Amendment to the capital accord to incorporate market risks. Consultative paper. Basel: Bank for International Settlements. Available at <http://www.bis.org/publ/bcbs24.pdf?noframes=1> (accessed: 23.04.2010).
Basel Committee on Banking Supervision, 1999. Principles for the management of credit risk. Consultative paper. Basel: Bank for International Settlements. Available at <http://www.bis.org/publ/bcbs54.pdf?noframes=1> (accessed: 21.04.2010).
Basel Committee on Banking Supervision, 2004. International Convergence of Capital Measurement and Capital Standards. Basel: Bank for International Settlements. Available at <http://www.bis.org/publ/bcbs107.pdf?noframes=1> (accessed: 01.06.2010).
Basel Committee on Banking Supervision, 2005. Compliance and the compliance function in banks. Consultative paper. Basel: Bank for International Settlements. Available at <http://www.bis.org/publ/bcbs113.pdf?noframes=1> (accessed: 11.05.2010).
Basel Committee on Banking Supervision, 2008. Principles for Sound Liquidity Risk Management and Supervision. Consultative paper. Basel: Bank for International Settlements. Available at <http://www.bis.org/publ/bcbs144.pdf?noframes=1> (accessed: 02.06.2010).
Brown, Ted et al., 2005. Auto Finance: The competitive landscape and opportunities for adaptation. Atlanta: Benchmark Consulting International, NA, Inc. Available at <http://www.benchmarkinternational.com/Articles/Auto%20Finance%20-%20Competitive%20Landscape.pdf> (accessed: 01.06.2010).
Bungartz, Oliver, 2010. Handbuch Interne Kontrollsysteme (IKS). Berlin: Erich Schmidt Verlag.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), 1992. Internal Control – Integrated Framework. New York: AICPA.
Committee of Sponsoring Organizations of the Treadway Commission and PricewaterhouseCoopers LLP, 2004. Enterprise Risk Management Framework. Exposure Draft for Public Comment. New York: COSO. Available at <http://www.huiszoon.com/COSO_ERM_Framework.pdf> (accessed: 01.07.2010).
Deloitte & Touche GmbH, 2009. MaRisk Overview (August 14, 2009). Stuttgart: Deloitte & Touche GmbH. Available at <http://www.deloitte.com/assets/Dcom-Germany/Local%20Assets/Images/09_Financial%20Services/2009/EN_FSI_MaRisk%20Banken%20Poster_10_2009.pdf> (accessed: 31.05.2010).
Deutscher Corporate Governance Kodex, 2009. In the version of 18 June 2009. Federal Ministry of Justice.
Ernst & Young, 2009. Die Bedeutung der Compliance wird stark zunehmen - ein Expertengespräch. Inside, issue 28. Interview. Frankfurt: Ernst & Young GmbH. Available at <http://www.ey.com/Publication/vwLUAssets/Newsletter_Inside_FSO_7_2009/$FILE/Newsletter_Inside_FSO_7_2009.pdf> (accessed: 28.04.2010).
Federal Financial Supervisory Authority (BaFin), 2009. Circular 15/2009 (BA), Banking Supervision: Minimum Requirements for Risk Management (MaRisk).
Galliker, J., 2008. Compliance: Kosten und Nutzen? In: KPMG Audit Tax Advisory Magazin, July 2008, pp. 1-9.
German Institute of Auditors (IDW), 2010. Principles of Proper Testing of a Compliance Management System (IDW EPS 980), draft version. Berlin: IDW.
Grüninger, S., 2010. Wertorientiertes Compliance Management System. In: Wieland, J., Steinmeyer, R., Grüninger, S. (eds.): Handbuch Compliance-Management. Berlin: Erich Schmidt Verlag, pp. 39-69.
IBM Business Consulting Services, 2005. The clairvoyant CRO: Risk management that is insightful, illuminating and ingrained enterprise wide. IBM Institute for Business Value.
International Organization for Standardization, 2009a. ISO/FDIS 31000:2009(E). Geneva: ISO.
International Organization for Standardization, 2009b. ISO/FDIS 31010:2009(E). Geneva: ISO.
Jain, R. K. and Gupta, P., 2007. Enhancing Enterprise Competitiveness: Strategy, Operations and Finance. New Delhi: Allied Publishers (U. Dhar, ed.).
Kloman, Felix, 2003. Enterprise Risk Management: Past, Present and Future. In: Risk Management Reports, May 2003. Lyme, CT: Seawrack Press, Inc.
KPMG, 2008. Governance, Risk and Compliance: Driving Value through Controls Monitoring. Advisory. New York: KPMG LLP. Available at <http://www.kpmg.ch/docs/GovernanceRiskCompliance.pdf> (accessed: 01.06.2010).
Mitchell, Scott L. and Switzer, C. Stern, 2009. GRC Capability Model: Red Book 2.0. Open Compliance & Ethics Group, USA.
PricewaterhouseCoopers, 2004. Integrity-Driven Performance: A New Strategy for Success Through Integrated Governance, Risk and Compliance Management. White paper. New York: PricewaterhouseCoopers International Limited. Available at <http://ww1.globalcompliance.com/pdf/PwCIntegrityDrivenPerformance.pdf?> (accessed: 13.04.2010).
PricewaterhouseCoopers, 2007a. Governance, Risikomanagement und Compliance: Nachhaltigkeit und Integration unterstützt durch Technologie. White paper. New York: PricewaterhouseCoopers International Limited. Available at <http://www.sap.com/germany/media/mc_729/GRC_Whitepaper_PWC.pdf> (accessed: 13.04.2010).
PricewaterhouseCoopers, 2007b. Creating value: Effective risk management in financial services. New York: PricewaterhouseCoopers International Limited. Available at <http://www.pwc.com/en_GX/gx/financial-services/pdf/fs_risk_briefing.pdf> (accessed: 20.04.2010).
Romeike, Frank and Finke, Robert (eds.), 2003. Erfolgsfaktor Risikomanagement: Chance für Industrie und Handel. Lessons learned, Methoden, Checklisten und Implementierung. Wiesbaden: Gabler Verlag.
Securities and Exchange Commission, 2003. Final Rule: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. Washington, DC: SEC.
Securities and Exchange Commission, 2007. Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934. Washington, DC: SEC.
U.S. Congress, 2002. Sarbanes-Oxley Act of 2002. Available at <http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3763.ENR:> (accessed: 07.05.2010).
Wieland, J., 2010. Compliance Management als Corporate Governance - konzeptionelle Grundlagen und Erfolgsfaktoren. In: Wieland, J., Steinmeyer, R., Grüninger, S. (eds.): Handbuch Compliance-Management. Berlin: Erich Schmidt Verlag, pp. 15-37.
ZfW (Zentrum für Wirtschaftsethik), 2010. Value Management System. Standard and Guidance Document. Zittau: Deutsches Netzwerk Wirtschaftsethik - EBEN Deutschland e.V.
Appendices
Appendix 1: COSO Framework Components, Subcomponents and Detail Description
Internal Environment
- Risk Management Philosophy: Value, Communicate in words and actions
- Risk Appetite: Value, Qualitative, Quantitative, Linked to strategy
- Risk Culture: Independent, active, Involved
- Board of Directors: Independent, active, Involved
- Integrity and Ethical Values: Standards of behaviour, Prerequisite, CEO example, Incentives
- Commitment to Competence: Knowledge, Skills, Trade-offs
- Management Philosophy and Operating Style: Formal vs. Informal, Conservative vs. Aggressive, Aligned
- Organizational Structure: Reporting lines, Centralized / Decentralized, Matrix / Functions / Geography
- Assignment of Authority and Responsibility: Empowerment, Accountability
- Human Resources Policies and Practices: Qualified, Training, Compensation, Incentives and discipline
- Differences in Environment: Management preferences, Value judgments, Management styles
Objective Setting
- Strategic Objectives: High-level goals, Support mission / vision, Strategic choices
- Related Objectives: Operations, Reporting, Compliance, Safeguarding of assets
- Selected Objectives: Align and support, Management decision
- Risk Appetite: Growth, risk and return, Resource allocation, People, process and infrastructure
- Risk Tolerance: Acceptable variance, Unit of measure of objective
Event Identification
- Events: Incident, Positive and / or negative impacts
- Factors Influencing Strategy and Objectives: Internal, External
- Methodologies and Techniques: Ongoing, Periodic, Past and future, Supporting tools
- Event Interdependencies: Triggering events, Interrelate
- Event Categories: Common groupings
- Risks and Opportunities: Negative impact: risk; Positive impact: opportunity, offsets to risks
Risk Assessment
- Inherent and Residual Risk: Before management actions, After management actions, Expected and unexpected
- Likelihood and Impact: Expected, Worst-case and distribution, Time horizons, Unit of measure, Observable data
- Qualitative and Quantitative Methods and Techniques: Qualitative, Quantitative, Inherent and residual basis
- Correlation: Sequence of events, Categories, Stress testing, Scenarios
Risk Response
- Identify Risk Response: Avoid, Reduce, Share, Accept
- Evaluate Possible Risk Response: Impact, Likelihood, Cost versus benefit, Innovative responses
- Selected Response: Management decision
- Portfolio View: Entity level, Business unit level, Inherent and residual basis
Control Activities
- Integration with Risk Response: Build directly into management processes, Interrelate
- Types of Control Activities: Policies, Procedures, Preventive, Detective, Manual, Automatic
- General Controls: Information technology management, Information technology infrastructure, Security management, Software development and maintenance
- Application Controls: Completeness, Accuracy, Authorization, Validity
- Entity-Specific: Entity-specific strategies and objectives, Operating environment, Complexity of the entity
Information and Communication
- Information: Internal, External, Manual, Computerized, Formal, Informal, Information systems architecture
- Strategic and Integrated Systems: Strategic, Operational, Past and current, Level of detail, Timeliness, Quality
- Communication: Internal, External, Entity-wide, Expectations and responsibilities, Framing, Means of transmission
Monitoring
- Ongoing: Real-time, Built-in, Day-to-day operations
- Separate Evaluations: Scope, Frequency, Self assessment / internal auditors, Extent of communication
- Reporting Deficiencies: Ongoing, External parties, Protocols, Alternative channels
Appendix 2: Applicability of Tools Used for Risk Assessment
Risk assessment process columns: Risk Identification; Risk Analysis (split into Consequence, Probability and Level of Risk); Risk Evaluation. SA = Strongly Applicable; A = Applicable; NA = Not Applicable.
Tools and Techniques | Risk Identification | Consequence | Probability | Level of Risk | Risk Evaluation
Brainstorming | SA | NA | NA | NA | NA
Structured or semi-structured interviews | SA | NA | NA | NA | NA
Delphi | SA | NA | NA | NA | NA
Check-lists | SA | NA | NA | NA | NA
Preliminary hazard analysis | SA | NA | NA | NA | NA
Hazard and operability studies (HAZOP) | SA | SA | A | A | A
Hazard Analysis and Critical Control Points (HACCP) | SA | SA | NA | NA | SA
Environmental risk assessment | SA | SA | SA | SA | SA
Structured "What if?" (SWIFT) | SA | SA | SA | SA | SA
Scenario analysis | SA | SA | A | A | A
Business impact analysis | A | SA | A | A | A
Root cause analysis | NA | SA | SA | SA | SA
Failure mode and effect analysis | SA | SA | SA | SA | SA
Fault tree analysis | A | NA | SA | A | A
Event tree analysis | A | NA | A | A | NA
Cause and consequence analysis | A | SA | SA | A | A
Cause-and-effect analysis | SA | SA | NA | NA | NA
Layers of protection analysis (LOPA) | A | SA | A | A | NA
Decision tree | NA | SA | SA | A | A
Human reliability analysis | SA | SA | SA | SA | A
Bow tie analysis | NA | A | SA | SA | A
Reliability centred maintenance | SA | SA | SA | SA | SA
Sneak circuit analysis | A | NA | NA | NA | NA
Markov analysis | A | SA | NA | NA | NA
Monte Carlo simulation | NA | NA | NA | NA | SA
Bayesian statistics and Bayes Nets | NA | SA | NA | NA | SA
FN curves | A | SA | SA | A | SA
Risk indices | A | SA | SA | A | SA
Consequence/probability matrix | SA | SA | SA | SA | A
Cost/benefit analysis | A | SA | A | A | A
Multi-criteria decision analysis (MCDA) | A | SA | A | SA | A
Appendix 3: MaRisk Table of Contents
AT 1 Preliminary remarks
AT 2 Scope of application
AT 2.1 Affected institutions
AT 2.2 Risks
AT 2.3 Transactions
AT 3 Overall responsibility of the management board
AT 4 General requirements for risk management
AT 4.1 Risk-bearing capacity
AT 4.2 Strategies AT 4.3 Internal control system
AT 4.3.1 Organisational and operational structure
AT 4.3.2 Processes for identifying, assessing, treating, monitoring and
communicating risks
AT 4.4 Internal audit
AT 5 Organisational guidelines
AT 6 Documentation
AT 7 Resources
AT 7.1 Personnel
AT 7.2 Technical facilities and related processes AT 7.3 Contingency plan
AT 8 Activities in new products or on new markets
AT 9 Outsourcing
BT 1 Special requirements for the internal control system
BTO Requirements for the organisational and operational structure
BTO 1 Lending business
BTO 1.1 Segregation of functions and voting
BTO 1.2 Requirements for lending business processes
BTO 1.2.1 Granting of loans
BTO 1.2.2 Further processing of loans
BTO 1.2.3 Monitoring of loan processing
BTO 1.2.4 Intensified loan management
BTO 1.2.5 Treatment of problem loans
BTO 1.2.6 Risk provisioning
BTO 1.3 Procedure for the early detection of risks
BTO 1.4 Risk classification procedure
BTO 2 Trading business
BTO 2.1 Segregation of functions
BTO 2.2 Requirements for trading business processes
BTO 2.2.1 Trading
BTO 2.2.2 Settlement and control
BTO 2.2.3 Positions to be covered by the risk control function
BTR Requirements for processes for identifying, assessing, treating, monitoring and communicating risks
BTR 1 Counterparty risks
BTR 2 Market price risks
BTR 2.1 General requirements
BTR 2.2 Market price risks in the trading book
BTR 2.3 Market price risks in the banking book (including interest rate risks)
BTR 3 Liquidity risks
BTR 4 Operational risks
Appendix 4: Country Compliance Standards
Country Financial Standards by the Financial Standards Foundation

Macroeconomic Policy and Data Transparency
    Special Data Dissemination Standard
    Code of Good Practices on Transparency in Monetary Policy
    Code of Good Practices on Transparency in Fiscal Policy

Institutional and Market Infrastructure
    Effective Insolvency and Creditor Rights Systems
    International Financial Reporting Standards
    Principles of Corporate Governance
    International Standards on Auditing
    Anti-Money Laundering/ Combating Terrorist Financing Standard
    Core Principles for Systemically Important Payment Systems

Financial Regulation and Supervision
    Core Principles for Effective Banking Supervision
    Objectives and Principles of Securities Regulation
    Insurance Core Principles

Standard: Core Principles for Effective Banking Supervision
Principles:
Principle: 1.(1) Clear responsibilities and objectives for each supervisory agency.
Principle: 1.(2) Operational independence and adequate resources.
Principle: 1.(3) A suitable legal framework for authorization and ongoing supervision.
Principle: 1.(4) A suitable legal framework to address compliance with laws as well as safety and soundness concerns.
Principle: 1.(5) Legal protection for supervisors.
Principle: 1.(6) Arrangement for sharing of information between supervisors and protection of confidentiality of shared information.
Principle: 2. Clearly defined permissible activities for banks and control of the use of the word 'bank'.
Principle: 3. Criteria for structure, directors, operating plan, controls, financial condition and capital base.
Principle: 4. Authority to review and reject transfer of ownership.
Principle: 5. Authority to review major acquisitions and investments.
Principle: 6. Minimum capital adequacy requirements (meet Basel Capital Accord for internationally active banks).
Principle: 7. A method exists for the evaluation of procedures related to loans, investments and portfolio management.
Principle: 8. Policies, practices and procedures for evaluating the quality of assets and the adequacy of loan loss provisions and reserves.
Principle: 9. Prudential limits and management information system on concentration of exposure.
Principle: 10. Arm's length rule and monitoring for connected lending.
Principle: 11. Policies and procedures for country risk and transfer risk.
Principle: 12. Measuring and monitoring market risk. Limit and/ or specific capital charge on market risk exposure.
Principle: 13. Comprehensive risk management processes.
Principle: 14. Adequate internal controls.
Principle: 15. Strict "know-your-customer" rules and high ethical and professional standards.
Principle: 16. Effective supervisory system consisting of on-site and off-site supervision.
Principle: 17. Regular contact with bank management and understanding of bank's operations.
Principle: 18. Analytical reports and statistical returns on solo and consolidated basis.
Principle: 19. Independent validation of supervisory information through on-site examination or external auditors.
Principle: 20. Ability to supervise on a consolidated basis.
Principle: 21. Consistent accounting policies and practices that provide a true and fair view of the financial condition of the bank.
Principle: 22. Adequate supervisory measures to ensure timely corrective action.
Principle: 23. Banking supervisors must practice global consolidated supervision over their internationally-active banking organizations.
Principle: 24. International exchange of information with other supervisors.
Principle: 25. Supervision of local operation of foreign banks and information sharing with home country supervisors.
Appendix 5: Compliance Management Survey
Governance (Please explain briefly)
1. To which laws do you need to comply? Please list the laws:
2. Which licenses do you need to operate beside such already listed in the attached file?
3. With which Standards do you need to comply?
4. Do you expect new laws, license requirements or Standards in the near future (next 2 years)?
5. Is an Internal Control System required?
Organization (please explain your answers)
1. Which employee is responsible for the Compliance Management?
2. How is your compliance management process structured?
3. Please explain your process for identifying new laws / requirements.
4. Which compliance policies do you have?
5. Is the topic “compliance” discussed in any committees in which you participate?
6. How is your compliance management integrated into the internal and external information system?
Hochschule Coburg
Fakultät Wirtschaft (Faculty of Business)
MBA Financial Management
Name: Sergio Benitez Martinez
MASTER-THESIS
Declaration of the Candidate
“I affirm that the present work has been written independently and has not previously been submitted elsewhere for examination purposes. No sources or aids other than those indicated have been used. Verbatim and paraphrased quotations are marked as such.”
(§ 31 Abs. 7 Rahmenprüfungsordnung für die Fachhochschulen in Bayern – RaPO, the framework examination regulations for the universities of applied sciences in Bavaria)
..........................................................
Signature - Sergio Benitez Martinez
.........................................................
Place, Date