The Securities and Exchange Commission is warning financial firms that following the spirit of the law is just as important as the letter of the law.

In a speech to the National Society of Compliance Professionals, Carlo di Florio, director of the SEC's Compliance Inspections and Examinations, says that a firm's "ethical culture" will go a long way toward deciding just how rigorously the SEC will investigate the firm.

That ethical culture involves whether or not a firm takes a "nonchalant attitude toward compliance and risk management."

Ethics is not just about following federal securities laws but also about good business, di Florio said. And good business is tied to effectively managing risk on an enterprisewide basis.

"In the wake of the financial crisis, enterprise risk management is a rapidly evolving discipline that places ethical values at the heart of good governance, enterprise risk management and compliance," Di Florio said.

He defined the roles and responsibilities of different business units as follows:

The Business: First line of defense for taking, managing and supervising risk effectively.

Compliance and Ethics or Risk Management: Second line of defense, which needs adequate resources, independence and authority to implement effective programs and escalate risk issues.

Internal Audit: Third line of defense responsible for providing independent verification and assurance that controls are in place and operating effectively.

Senior Management: The unit responsible for reinforcing the tone at the top to drive a culture of compliance and ethics which will ensure effective enterprise risk management.

The Board of Directors: The unit responsible for overseeing management and ensuring that risk management, regulatory, compliance and ethics obligations are met.

-- This article first appeared on Money Management Executive.