OCIE Chief Declares New Focus on Enterprise Risk Management

The SEC’s Director of the Office of Compliance Inspections and Examinations, Carlo V. di Florio, recently announced that OCIE will begin to review a firm’s enterprise risk management during exams. This ERM focus will examine (a) how business units manage risk; (b) whether risk management, control and compliance functions are “structured and resourced to ensure they are effectively embedded in the business process,” including sufficient independence; (c) how senior management ensures effective oversight; (d) the role of internal audit; and (e) the role of the Board. Mr. di Florio said, “We will incorporate a strategic dialogue of the enterprise risk management framework into our exams so we can effectively distinguish the forest from the trees and then dive into targeted exams in focused risk areas (e.g., products, asset classes, business units) to test effectiveness.”

OUR TAKE: Moving focus from regulatory compliance to enterprise risk management would significantly alter OCIE’s scope of review.  ERM generally encompasses regulatory compliance but also includes business management, operations, technology, liquidity, and markets.

http://www.sec.gov/news/speech/2011/spch020811cvd.htm

 
