Tone at the Top: Risk Governance Convergence in the C-Suite


Feb 19, 2016 | Corporate Culture, Risk Compliance, Tone at the Top

Last week I had the opportunity to present at the 2016 Deluxe Exchange Client conference on the convergence of Risk & Governance at the Board and Executive levels of organizations. The theme focused on how critical the “Tone at the Top” has become in enabling a more strategic conversation on risk & compliance in today’s market landscape. Over the past year, I have been the co-chair of The Shared Assessments Program Regulatory Compliance Working Group, which has been tackling this same topic. This week, the Shared Assessments Program released a “Tone at the Top” White Paper that shares that dialog, recaps today’s risk landscape, and offers a strategic framework for consideration.


Before our Deluxe conference, attendees were asked about the top issues in banking today. Retail banking respondents’ top hot topics were Digital Channels (55%), Share of Wallet (45%), and Millennials (41%), while commercial bankers led with Faster Payments (75%) and Commercial Mobile (54%). Across the board, all organizations were facing challenges in balancing cybersecurity, costs of compliance, consumer protection limitations, and technology acceleration. The pace of change in risk, combined with shifts in digital technologies, has shifted the technology point of view.

Heightened expectations across many compliance focus areas are driving more oversight for corporate governance, cybersecurity, regulatory compliance and business resiliency into the C-Suite. The tone at the top is not simply about corralling compliance topics under the Big Top, but understanding drivers and internal ringleaders needed to navigate the Compliance Circus.


While SOX compliance, PCI, and data breaches focus the conversation on IT controls, the new normal is a shift in governance, risk & compliance beyond IT. There is an increased focus on corporate governance, ethics, reputation risk, and business practices. The aggressive consumer protection enforcement action landscape has put a spotlight on areas of compliance typically not on the enterprise risk registry or risk dashboard. Compliance in operational risk and consumer protection can be open to interpretation as to what is ‘mandated’ vs. what is an industry ‘best practice’. The risk appetite of an organization is based on its culture, values, and norms, and what is acceptable to one organization may not be allowed in another company.

These themes were visible in the results of a recent survey by Thomson Reuters, which published the Top 5 Compliance Trends Around the Globe in 2016:

  • Creating a culture of compliance
  • Increased investment in compliance operations
  • Keeping pace with changing regulatory landscape
  • Monitoring third party risk
  • Encouraging whistleblower activity

More than one third of the organizations surveyed spend at least an entire day per week tracking and analyzing regulatory change. 70% expected regulators to publish even more regulatory information, with 28% predicting that volume to be significant. The pace of regulatory change felt in banking has been driven by Dodd-Frank compliance, and that journey is just past the 55% complete mark.


These market drivers are shifting the risk dialog from risk elimination to risk management. Organizations appear to have a lower tolerance for open risk remediation items, requiring faster resolution timeframes. The role of risk management is expanding to broader topic areas. Communication in all directions (upward, across management lines, and to front-line employees) has become more critical in developing the culture of compliance. The tone of the compliance culture is set by the messages from executives, but also by the structures for governance oversight functions. Management reporting has shifted from a “once and done” annual exercise to an ongoing conversation with the Board, Audit/Risk committees and the C-Suite.

Broadened accountability has changed the role of the risk/compliance professional within organizations. Further, the shift in governance changes the education and skill set that Boards of Directors and their respective committees need to address the technology, operational risk, and regulatory landscape. Maintaining staff in line with the uptick in regulatory change has created gaps for many organizations in getting and keeping the right skill sets. The Thomson Reuters survey also showed the increased investment in compliance operations: last year 71% of firms expected the cost of senior compliance professionals to increase due to the demand for skilled/knowledgeable staff. At the same time, 75% of compliance leaders expected that management will require more/much more attention to these matters.


Many organizations are leveraging a “three lines of defense” model to help navigate governance and compliance with the right balance of oversight. Cracking the whip in only one area is not effective.

  • Organizations need accountability for front-line compliance in the lines of business – the first line.
  • Risk or Compliance teams play an oversight role with monitoring, risk assessments, spot checks, and setting policies and programs to address compliance – the second line.
  • Assurance or Audit plays the fully independent oversight function, with communication to Board Audit Committees – the third line.

Boards and Audit committees play a fiduciary role, and should have a “noses in” and “hands out” approach to dealing with risk/compliance, holding the C-Suite and management accountable for the risk and the organization’s response. Implementing this approach requires formalization of the roles and accountabilities for all three lines of defense, with a common framework for measuring risk and mitigation tactics, and enhanced risk management reporting. Scorecards need to be more than data; they need to provide insights that influence actions.


Finding common solutions to common challenges is a long-standing approach within industry working groups. The Regulatory Compliance Working Group of The Shared Assessments Program has released a White Paper on Tone at the Top that includes a deep dive on the shifts in regulatory compliance and governance. The analysis, information sharing and collaboration on how organizations are modeling and adapting their organizational design is a key output of the paper. The dialog on how to balance the tone at the top on the risk/compliance high wire with the actions below within an organization is just beginning.

Bottom line: the Tone at the Top sends the message that drives the tone, and the actions, in the middle.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs
