Compliance Risk Management Applying The COSO ERM Framework PDF

Document Details

Uploaded by SeasonedFarce

2020

Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA)

Tags

compliance risk management enterprise risk management COSO ERM framework business ethics

Summary

This document is a guide to compliance risk management, applying the COSO ERM framework. It explains compliance risks, their potential harm, and how to manage them by aligning with the C&E program framework. It also outlines the scope of compliance risks and their relationship to laws, regulations, internal policies and ethical expectations and guidelines.

Full Transcript

Committee of Sponsoring Organizations of the Treadway Commission

Enterprise Risk Management

COMPLIANCE RISK MANAGEMENT: APPLYING THE COSO ERM FRAMEWORK

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.

Authors: Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA)

COSO Board Members
Paul J. Sobel, COSO Chair
Daniel C. Murdock, Financial Executives International
Douglas F. Prawitt, American Accounting Association
Jeffrey C. Thomson, Institute of Management Accountants
Robert D. Dohrer, American Institute of CPAs (AICPA)
Patty K. Miller, The Institute of Internal Auditors

Preface

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)

coso.org | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | i

Enterprise Risk Management
COMPLIANCE RISK MANAGEMENT: APPLYING THE COSO ERM FRAMEWORK
Research Commissioned by Committee of Sponsoring Organizations of the Treadway Commission
November 2020

Copyright © 2020, Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1234567890 PIP 198765432

COSO images are from COSO Enterprise Risk Management - Integrating with Strategy and Performance ©2017, The American Institute of Certified Public Accountants on behalf of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a trademark of the Committee of Sponsoring Organizations of the Treadway Commission. All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions, please contact the American Institute of Certified Public Accountants, which handles licensing and permissions for COSO copyrighted materials. Direct all inquiries to [email protected] or AICPA, Attn: Manager, Licensing & Rights, 220 Leigh Farm Road, Durham, NC 27707 USA. Telephone inquiries may be directed to 888-777-7077. Design and production: Sergio Analco.

Contents (page)
1. Introduction 1
2. Governance and Culture for Compliance Risks 7
3. Strategy and Objective-Setting for Compliance Risks 11
4. Performance for Compliance Risks 15
5. Review and Revision for Compliance Risks 22
6. Information, Communication, and Reporting for Compliance Risks 27
Appendix 1. Elements of an effective compliance and ethics program 31
Appendix 2. International growth in recognition of compliance and ethics programs 37
Acknowledgments 39
About SCCE & HCCA 39
About COSO 40

1. INTRODUCTION

Why this publication is needed

Compliance risks are common and frequently material risks to achieving an organization’s objectives. For many years, compliance professionals have used a widely accepted framework for compliance and ethics (C&E) programs to prevent and timely detect noncompliance and other acts of wrongdoing. The C&E program framework is described in Appendix 1 (if readers are not already familiar with the elements of a C&E program, consider reading Appendix 1 before proceeding).

The COSO Enterprise Risk Management (ERM) Framework, meanwhile, has been used by risk and other professionals to identify and mitigate a variety of organizational risks, including compliance risks.

This publication aims to provide guidance on the application of the COSO ERM framework to the identification, assessment, and management of compliance risks by aligning it with the C&E program framework, creating a powerful tool that integrates the concepts underlying each of these valuable frameworks.

What are compliance and compliance-related risks?

Risk is defined by COSO as “the possibility that events will occur and affect the achievement of strategy and business objectives.” Risks considered in this definition include those relating to all business objectives, including compliance. Compliance risks are those risks relating to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel. Throughout this publication, “events” associated with compliance risks will be referred to as “noncompliance” or “compliance violations.”

Although the underlying acts (or failures to act) are carried out by individuals, compliance violations are generally attributable to the organization when they are carried out by employees or agents of the organization in the ordinary course of their duties. The exact scope of acts attributable to an organization can vary depending upon the circumstances. In some cases, the employee may also bear liability as an individual.

Most compliance violations either inherently cause harm or have the potential to result in direct harm to individuals, communities, or organizations. Examples of parties that may be harmed through compliance violations include customers (e.g., violations of privacy or data security laws leading to a breach and theft of personal information, product safety violations resulting in injuries, antitrust violations resulting in inflated prices), employees (e.g., workplace safety regulation violations resulting in injury to a worker, antidiscrimination or whistleblower protection law violations), or the general public (e.g., environmental violations resulting in illness or death).

Although most compliance risks relate to specific laws or regulations, others do not. These other risks, referred to as “compliance-related risks,” may include risks associated with failures to comply with professional standards, internal policies of an organization (including codes of conduct and business ethics), and contractual obligations. For example, conflicts of interest represent violations of laws or regulations only in limited instances (frequently involving government officials or programs). Conflicts of interest are frequently prohibited by professional standards, terms of contracts and grant agreements, or internal policies, and they are viewed as damaging to an organization if they are not disclosed and managed. As a result, conflicts of interest are commonly included within the population of compliance risks.

Accordingly, throughout this publication, the term “compliance risk” is used in reference to any risk that is either directly associated with a law or regulation or is compliance-related in that it is associated with other standards, organizational policies, or ethical expectations and guidelines.

As this discussion illustrates, the scope of what an organization considers to be compliance risks is not an exact science, although most organizations use a similar list of compliance risk areas within the universe of their programs (e.g., environmental, bribery, and corruption), even if the specific compliance risks within each area may differ. Determining the exact scope of a C&E program is typically both an early step in developing the program and an ongoing exercise as the risk landscape changes, and input from compliance, legal, senior leaders, and the board is considered.

Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).

Most noncompliance stems from actions taken by insiders – employees, management, or members of an organization’s board of directors. Increasingly, risks also result from contractors and other third parties whose actions affect an organization. The most common examples involve vendors in an organization’s supply chain (e.g., when a supplier of Egyptian cotton bedding for several major retailers was found to be using a lesser grade of cotton that was not from Egypt, the retailers incurred significant liabilities to their customers) or third parties involved in the sales cycle (e.g., intermediaries that may pay bribes to government officials in order to obtain lucrative contracts for an organization).

A final consideration in determining the scope of a program is the potential for inherited risks resulting from merger and acquisition (M&A) activity. As M&A transactions take place, the universe of compliance risks to which an organization is exposed can change drastically and instantly. These risks may relate to events that took place prior to the merger or may simply result from unique risks faced by the merged entity that the acquiror had not previously faced.

The evolution of compliance and ethics programs

Although compliance with laws and regulations has been an expectation for many years, compliance and ethics as a profession and as a distinct function in organizations is a relatively recent development. It stems from the equally recent emergence of the C&E program as a valuable and frequently required element of organizational management.

A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.

The current U.S. Federal Sentencing Guidelines (USSG) identify the following seven elements of an effective C&E program:
1. Standards and procedures
2. Governance, oversight, and authority
3. Due diligence in delegation of authority
4. Communication and training
5. Monitoring, auditing, and reporting systems
6. Incentives and enforcement
7. Response to wrongdoing

Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs. This two-part requirement has often been referred to as the eighth element of an effective program. Each of these elements is explained in greater detail in Appendix 1.

The USSG also state that organizations should promote a culture that encourages ethical conduct and a commitment to compliance with the law. This acknowledgment that organizational culture and business ethics play integral roles in compliance risk management is one of the factors that led to the common use of the term “compliance and ethics program” or “C&E program”.

The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws. In criminal cases involving noncompliance with laws, an organization’s penalty can be decreased significantly from a base amount determined, in part, on the existence of an effective C&E program. Developing case law related to the guidelines has added further weight to the importance of C&E programs, particularly in highly regulated entities, with courts concluding that the failure to implement an effective C&E program may represent a breach of fiduciary duty. Additionally, guidance issued by the U.S. Department of Justice and other agencies has emphasized the importance of C&E programs.

Although the USSG don’t require organizations to have C&E programs, individual government agencies sometimes do. For example, certain healthcare organizations must have compliance programs as a condition for eligibility to participate in Medicare, and the Federal Acquisition Regulations require certain government contractors to have compliance programs.

Finally, a compliance department should be separate from the legal and regulatory affairs department. This independence is not generally required, but is rapidly emerging as a preferred practice due to the differing and sometimes conflicting responsibilities of the two functions. For example, guidance issued by the Office of Inspector General of the U.S. Department of Health and Human Services (HHS OIG) indicates that the compliance department should be independent. In its 2012 A Toolkit for Health Care Boards, the HHS OIG’s Health Care Fraud Prevention and Enforcement Action Team (HEAT) stated: “Protect the compliance officer’s independence by separating this role from your legal counsel and senior management. All decisions affecting the compliance officer’s employment or limiting the scope of the compliance program should require prior board approval.”

International guidance on compliance and ethics programs

Although the most extensive statutory, regulatory, and nonregulatory guidance on C&E programs has emanated from the United States, many other countries have issued various forms of requirements for and guidance on C&E programs. In some instances, guidance on C&E programs outside the U.S. is limited in application to specific areas of the law, such as bribery and corruption or antitrust/competition. In others, it is broader, like it is in the U.S., and applicable to many areas of the law. Much of the guidance issued globally mirrors many of the concepts and elements described in the USSG.

A sampling of some of the guidance from outside the U.S. reveals a mostly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom’s Ministry of Justice has provided guidance on the Bribery Act 2010, describing procedures that commercial organizations can put in place to minimize the risk of bribery. Those procedures are summarized into the following six principles, which closely align with the USSG:
1. Proportionate procedures
2. Top-level commitment
3. Risk assessment
4. Due diligence
5. Communication (including training)
6. Monitoring and review

Guidance has also been issued by the International Organization for Standardization (ISO). Its 2016 ISO 37001 Anti-bribery management systems standard includes the following expectations of a program:
1. Performance of a bribery risk assessment
2. Leadership and commitment to the anti-bribery management system
3. Establishment of an anti-bribery compliance function
4. Sufficient resources provided for the anti-bribery management system
5. Competence of employees
6. Awareness and training on anti-bribery policies
7. Due diligence in connection with third-party business associates and employees
8. Establishment and implementation of anti-bribery controls
9. Internal audit of the anti-bribery management system
10. Periodic reviews of the anti-bribery management system by the governing body

Beyond bribery, ISO has also issued guidance more broadly on compliance management systems in the form of ISO 19600:2014. Most recently, ISO/DIS 37301 was proposed in 2020 to replace ISO 19600. The draft new standard describes the following five elements of a compliance management system:
1. Compliance obligations (identification of new and changed compliance requirements)
2. Compliance risk assessment
3. Compliance policy
4. Training and communication
5. Performance evaluation

A variety of other legal and regulatory developments that do not directly reference C&E programs nonetheless affect them. For example, 2019 European Union regulations aimed at providing new protections for whistleblowers help in supporting an important element of an effective C&E program. Similarly, data protection and privacy laws commonly differ from one country to another, but frequently have direct or indirect effects on C&E programs.

Additional examples of international guidance on C&E programs are provided in Appendix 2. What it shows is that global guidance on C&E programs has far more similarities than differences, even if the scope of application of a C&E program may differ (i.e., limited to bribery and corruption in some jurisdictions and broader application in others). The common thread across these various guides is a shared appreciation for the elements on which this COSO guide is based.

The relationship between compliance, internal control, and enterprise risk management

COSO defines internal control in Internal Control – Integrated Framework (2013) and Enterprise Risk Management – Integrating with Strategy and Performance (2017) as follows:

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

As this definition clearly points out, internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of internal controls. The following five components of internal control support all three categories of objectives:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities

The relationships between the three objectives, five components, and the entity are depicted in figure 1.1:

Figure 1.1 The COSO 2013 Framework [figure: the COSO internal control cube]
Source: COSO Internal Control Framework ©2013

COSO defines ERM as follows:

The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

The COSO ERM framework, like the internal control framework, comprises five interrelated components:
Governance & culture
Strategy & objective-setting
Performance
Review and revision
Information, communication, and reporting

Figure 1.2 Risk Management Components [figure: the five ERM components shown across Mission, Vision & Core Values; Strategy Development; Business Objective Formulation; Implementation & Performance; Enhanced Value, with the 20 principles listed in figure 1.3]
Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance

ERM is different than, but related to, internal controls. ERM incorporates some of the concepts of internal control. In fact, implementation of internal controls is the most common approach to reducing risk. But ERM also includes certain concepts that are not considered within internal control. For example, concepts of risk appetite, tolerance, strategy, and business objectives are set within ERM, but are viewed as preconditions of internal control. ERM is more closely aligned with strategy than internal control.

An important aspect of ERM is its focus on creating, preserving, and realizing value. The C&E program supports each of these three goals. An effective C&E program allows an organization to more confidently pursue new value creation opportunities. Further, value that has been created by an organization can quickly become impaired when accompanied by violations of laws or regulations. An effective C&E program can preserve this value and enable an organization to fully realize it.

Accordingly, the management of compliance risk is an important element of both the internal control and the broader ERM functions and processes of an organization.

The scope and positioning of the compliance function in an organization

As noted earlier, compliance risk generally involves the risk of violations of laws and regulations, but it may also address contract provisions, professional standards, organizational policy, and ethics matters. The laws and regulations that fall within the scope of a compliance program, however, can vary by industry and from organization to organization. For example, risk of violating the Foreign Corrupt Practices Act may fall clearly within the scope of a company’s C&E program. But compliance with accounting standards required in filings with the U.S. Securities and Exchange Commission may be addressed within the accounting and finance functions and may be considered outside the scope of the C&E program. Human resources and employment law risks may be managed entirely within the human resources function, or the compliance function may also participate in managing these risks.

There is not a universally accepted definition for the scope of an organization’s C&E program. It can vary from one organization to another. As a result, compliance with some laws and regulations may be primarily subject to the oversight of others, although the compliance function should always be prepared to serve an overarching role or to step in to assist or address issues if the others are unable or unwilling to properly manage the risk.

Another difference among organizations may involve where the compliance function “sits” within the organization. Although a C&E program is organization-wide, involving employees and managers from all functional areas, the compliance function, consisting of a dedicated team of compliance and ethics professionals, may be positioned in a variety of locations within an organization chart. In most organizations, it is an independent function, and this is considered the best practice. In others, it may be a part of, or report to, legal, internal audit, risk management, or another function. Regardless of where the compliance function is positioned on an organization chart, communication and collaboration with each of the preceding functions are essential to the success of a C&E program.

Likewise, ethics may be considered a function apart from compliance. In many organizations, however, compliance and ethics fall under a compliance and ethics officer.

It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels. The compliance function leads the development of the C&E program, but it is ultimately management’s job to execute the program and for the board to provide oversight. The role of the compliance and ethics officer is to help management understand the risks; lead the development of the program to mitigate and manage those risks; evaluate how well the program is being executed; and report to leadership on gaps in coverage, execution, or material instances of noncompliance, including those by senior leaders.

In summary, management of compliance risk can be performed effectively under a variety of structural models. This publication provides guidance on the design and operation of an effective C&E program regardless of the organizational structure or how responsibilities are allocated.
About this Guidance

When the USSG were developed, and as the elements of effective C&E programs have evolved, fitting the seven elements within the ERM framework was not a significant concern or objective. Indeed, much of this evolution occurred before the first ERM framework was published by COSO in 2004.

In the remaining portions of this guide, each of the 20 principles of the COSO ERM framework, depicted in figure 1.3, is mapped to the specific requirements and emerging practices of an effective C&E program. Section 2 starts with the governance and culture component and the related five principles. Sections 3 to 6 cover the other components and their related principles, respectively. In each, key steps are provided to implement and maintain an effective C&E program for each of the ERM principles.

There are several target audiences for this publication, including the following:
1. Professionals such as risk managers, internal auditors, and others who are involved in applying an organization’s ERM program to compliance risks.
2. Compliance professionals who are aiming to align their C&E program to, or integrate it with, an organization-wide ERM program.
3. The senior management team, to better understand compliance risk and the C&E program.
4. Members of the board of directors, to assist them in their oversight role.

Figure 1.3 Risk Management Components - The 20 principles
Governance & Culture: 1. Exercises Board Risk Oversight; 2. Establishes Operating Structures; 3. Defines Desired Culture; 4. Demonstrates Commitment to Core Values; 5. Attracts, Develops, and Retains Capable Individuals
Strategy & Objective-Setting: 6. Analyzes Business Context; 7. Defines Risk Appetite; 8. Evaluates Alternative Strategies; 9. Formulates Business Objectives
Performance: 10. Identifies Risk; 11. Assesses Severity of Risk; 12. Prioritizes Risks; 13. Implements Risk Responses; 14. Develops Portfolio View
Review & Revision: 15. Assesses Substantial Change; 16. Reviews Risk and Performance; 17. Pursues Improvement in Enterprise Risk Management
Information, Communication, & Reporting: 18. Leverages Information and Technology; 19. Communicates Risk Information; 20. Reports on Risk, Culture, and Performance
Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance

An example of the application of the guidance provided in this publication to a specific compliance risk can be found at corporatecompliance.org/coso.

Figure 1.4 Frequently used terms and abbreviations
The following terms and abbreviations are used frequently throughout this publication:
Board: The board of directors or, where appropriate, a board-level committee that has been delegated the responsibility for compliance oversight by the board of directors
C&E program: Compliance and ethics program
CCO: The chief compliance officer, chief compliance and ethics officer, or the equivalent title associated with the highest-ranking employee charged with oversight of the C&E program
Compliance committee: An internal committee composed of employees from various departments and functions within an organization whose mission is to advise, inform, and partner with the CCO in communicating and extending the compliance function throughout the organization’s operations
Compliance risk: The possibility that violations of applicable laws, regulations, contractual terms, standards, or internal policies will occur and have a negative financial or nonfinancial impact on the organization
DOJ: The United States Department of Justice
USSG: The United States Federal Sentencing Guidelines

2. GOVERNANCE AND CULTURE FOR COMPLIANCE RISKS

This section describes the application of the governance and culture component of the COSO ERM framework to the management of compliance risks. The COSO framework describes the following five principles that underlie this component:
1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals

Principle 1 – Exercises board risk oversight

The board of directors is responsible for oversight of the organization’s C&E program, and management is responsible for the design and operation of the program. The expectation of board oversight is reinforced in C&E program standards that have been promulgated in several countries. For instance, the USSG § 8B2.1(b)(2)(A)-(C) state that a company’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight.”

Given the possible complexity of an organization’s C&E program, it is often advisable for the board to delegate responsibility for this oversight to a board-level standing committee, much like audit oversight is commonly delegated to an audit committee. This enables a committee to devote sufficient time to oversight — time that may be unavailable for the entire board. As noted earlier, the term “board” is used in reference to either the board of directors or a board-level committee that has oversight responsibility for the C&E program.

For oversight to be exercised properly, there must be an open and direct line of communication between the CCO and the board. This communication should include regularly scheduled, periodic meetings, including sessions in which the board meets privately with the CCO without other members of senior management present.

Having compliance expertise on the board can be extremely valuable and can enhance oversight of the program. Ideally, this expertise comes from industry-specific experience with relevant compliance issues as well as experience developing and managing effective compliance programs.

The board should also ensure there is an effective compliance oversight infrastructure in place to support the C&E program, to include adequate staffing and resources, as well as appropriate authority and empowerment to achieve the objectives of the program. This infrastructure may also include an internal compliance committee. Often, an internal compliance committee composed of individuals from key functions or business units is an effective way for the CCO to maintain open lines of communication to facilitate timely awareness of emerging compliance risk areas and to obtain important input and buy-in on how to mitigate and address risks.

Table 2.1 Exercises board risk oversight
Key characteristics:
Require the board to oversee compliance risk management and the C&E program, including the approval of its charter
Ensure that the board is knowledgeable of and demonstrates oversight of the C&E program (regular part of agendas, monitors compliance metrics, holds regular executive sessions with CCO and others)
Require that the board includes a member who possesses compliance expertise
Document evidence of board oversight of the C&E program in minutes
Provide input or approve appointment/dismissal/reassignment of CCO and ensure independence
Ensure that sufficient resources are provided for the C&E program
Receive regular reports from the CCO
Ensure that the board is informed about material investigations and remediation efforts and provides input

Principle 2 — Establishes operating structures

The positioning of the compliance function within an organization has important implications for the effectiveness of the program. The compliance function should be led by someone who is positioned to be effective, which typically means being a peer of other senior leaders. Moreover, the compliance function must have the practical authority, resources, and tools to effectively fulfill its mandate. Finally, the compliance function should be functionally separate and distinct from other functions, particularly those that are frequently perceived by regulators as having conflicting obligations or priorities (e.g., legal, finance, etc.). Although it may be possible for the compliance and ethics function to be effective when housed within other departments, the preferred practice is for compliance to be functionally separate and — like internal audit — report to the board. If the function does not report to the board, extra care must be taken to ensure adequate resources and sufficient autonomy, including direct and unfiltered access to the board.

Operating structure should also include documented policies and procedures covering the governance and decision-making processes associated with the C&E program. From a governance standpoint, if oversight of the C&E program is delegated to a board-level compliance committee, the committee should operate in accordance with a board-approved charter. The charter describes in detail the responsibilities and key operating procedures of the committee (e.g., frequency and nature of meetings, reporting to the board) as well as the qualifications for committee members.

Increasingly, regulators and the enforcement community consider the stature of the compliance function relative to other executive functions as a signal of how seriously the C&E program, and therefore compliance with laws and regulations, is viewed within an organization. Is the compliance function buried several layers down the organization chart? Or is it represented at a very high executive level? Stature also considers positioning of the CCO relative to other senior executives of an organization.

Operating structure should also include other key compliance policies and procedures, such as those that govern the methodology and performance of compliance risk assessments, consideration of forming an internal compliance committee with representation from across the organization, and procedures for escalation when significant risk events occur, among other procedures.
has been delegated by the board of directors to a board- Table 2.2 Establishes operating structures Key Maintain independence of the CCO and the compliance and ethics function characteristics Ensure that the CCO directly reports to and regularly communicates with the board Ensure that the CCO and C&E program have high stature relative to other functional leaders Grant sufficient authority to the CCO to manage the program effectively Provide sufficient resources for the C&E program to be effective Address C&E program oversight in the charter (including delegation to a designated committee, if applicable) Document policies and procedures specific to the operation of the C&E program Establish protocol/procedures for escalation of significant compliance risk events Principle 3 — Defines desired culture An exercise that is helpful in setting expectations for culture is It is critical for the organization to establish and maintain a for senior management to have a robust discussion about the culture of compliance and integrity. Without it, even the most relationship between compliance risk and the organization’s carefully designed compliance controls will be vulnerable risk appetite and risk tolerance, which are discussed further to failure. Culture begins with a sincere commitment in the next section. In particular, tolerance, which considers to compliance and ethics at the leadership level. The acceptable levels of variation in performance related to commitment is reflected in several ways, beginning with its achieving business objectives, should consider the potential inclusion in a code of conduct or business ethics that is written impact of compliance risk, because compliance with laws, in a manner that clearly articulates expectations of behavior. regulations, and other requirements should itself be one of the Leadership can also reinforce and clarify this culture through primary business objectives for all organizations. other communications. 
This commitment to culture should be further reflected through the adoption of important compliance Another aspect in a culture of compliance is that of risk metrics and by meaningfully incorporating compliance into awareness. It is one thing to have a culture in which the performance evaluation and compensation/incentive compliance is important. But an essential element of such an compensation processes, particularly at leadership levels. environment is a culture of risk awareness, where employees are vigilant and willing to raise concerns when they see warning signs of risk. coso.org Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 9 Communication and training are also important tools for training should include periodic discussion of the code promoting an ethical culture, because each reinforces of conduct, but it should also include training on specific an overall mindset of compliance and integrity, while also compliance issues tailored to individual groups of employees improving awareness of key compliance issues. Accordingly, exposed to these risks in connection with their work. 
Table 2.3 Defines desired culture Key Ensure that the board is knowledgeable of and approves a code of conduct/ethics and other key characteristics compliance policies Explain expectations relating to ethics and compliance in a code of conduct/ethics Provide and require training on the code of conduct and on ethical decision-making for all staff (including board members) Perform ongoing monitoring or assessment of organizational culture Develop objectively measurable compliance metrics tied to performance evaluations and compensation, where appropriate Adopt meaningful incentives to promote consistent execution of the C&E program Include references to organizational values, expectations, and importance of ethics in communications from leadership Principle 4 — Demonstrates commitment to accountable for their individual roles in managing compliance core values risks, and this should be reflected in job descriptions, Commitment to core values should be represented in a value performance evaluations, and incentives. statement or other set of guiding principles that demonstrates a commitment to compliance and ethical business conduct. When allegations of noncompliance or unethical behavior Increasingly, studies show a correlation between ethical emerge, they must be taken seriously. This means that culture and organizational performance, consistent with ERM’s individuals should be required to report wrongdoing and have goal of creating value. multiple avenues for reporting. Once an allegation is received, sound investigative protocols should be followed in a timely The tone from the top plays an important role in managing manner to assess the credibility of the allegation. In addition, compliance risks. The tone set by the executive team must individuals who report concerns about wrongdoing must feel set an example of compliance and ethical behavior. 
This safe speaking up and be protected from retaliation in order for commitment must cascade throughout the organization, thus this system to operate effectively. the term tone “from” the top rather than tone “at” the top. Each layer of leaders within an organization — the supervisors If wrongdoing is confirmed through the investigative process, and managers of others — must communicate and pass this disciplinary action should be taken in a degree that is tone on to the next level. appropriate to the level of wrongdoing. Discipline should be consistent based on the nature of the wrongdoing, without Commitment to compliance and ethics, however, requires regard to the individual’s level on the organization chart or much more than setting the tone. Employees should be held level of influence within the organization. Table 2.4 Demonstrates a commitment to core values Key Actively promote a culture of compliance risk awareness, including setting an ethical and compliant tone by characteristics leadership Balance business incentives with material compliance incentives Incorporate accountability for the management of (1) compliance risks and (2) compliance program imple- mentation into employee performance measurement, promotions, and incentive programs, particularly at senior levels Protect those who report suspected wrongdoing, with zero tolerance for retaliation Take allegations of wrongdoing seriously and investigate in a timely manner Promote organizational justice, including accountability for wrongdoing, fairness and consistency in discipline, and fairness in promotions Communicate lessons learned from compliance and ethics failures across the organization in appropriate detail coso.org 10 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework Principle 5 — Attracts, develops, and retains individuals. These tools are critical for the management of capable individuals compliance risks as well. 
The Department of Justice (DOJ) An effective compliance function should be led by a CCO with notes that a “hallmark of effective implementation of a appropriate experience and qualifications. The specifics of compliance program is the establishment of incentives for prior experience and other qualifications can vary based on compliance and disincentives for non-compliance.” the nature of the organization, its industry, and many other factors. Just as training on a code of conduct and broad ethical issues helps to define an organization’s desired culture (Principle 3), Throughout the entire organization, hiring individuals who training on specific compliance risk topics further develops respect compliance and make business decisions in an individuals’ abilities to effectively recognize and manage ethical manner is vital to the management of compliance risks. compliance risks. Furthermore, the compliance team itself Indeed, being perceived as an organization that is committed should continue to be developed with training on emerging to compliance and ethics helps companies attract and retain practices for managing a C&E program and changes in the good people. legal/regulatory environment. The USSG, which established the framework for what has In recent years, numerous compliance issues have been become the global standard for C&E programs, state that triggered by third parties (nonemployees), especially those an “organization shall use reasonable efforts not to include that play integral roles in connection with supply chains, within the substantial authority personnel of the organization sales, delivery, and other key functions. 
Accordingly, the due any individual whom the organization knew, or should diligence concepts described in this section should also be have known through the exercise of due diligence, has applied when engaging third parties to carry out activities engaged in illegal activities or other conduct inconsistent on behalf of the organization (e.g., suppliers, sales agents, with an effective compliance and ethics program.” As such, outsourcing partners), based on the level of compliance risk organizations should perform background checks appropriate associated with each third party. The degree of background to the responsibilities of the position and in compliance with checking, other due diligence, and compliance-related relevant employment laws. The CCO may collaborate with performance measures should vary based on the assessed human resources and others to identify positions considered level of risk, and due diligence should be repeated periodically to involve “substantial authority”— those that could create as part of maintaining ongoing relationships with high-risk third compliance risk for the organization. parties. Due diligence in engaging with certain third parties, as well as ongoing training and monitoring of compliance The COSO ERM framework indicates that performance performance of third parties, have become expected by evaluation and the establishment of appropriate incentives regulators and are integral elements of this principle. 
are two important ingredients for developing and retaining Table 2.5 Attracts, develops, and retains capable individuals Key Hire and retain a CCO with appropriate experience/expertise to lead the C&E program characteristics Staff the compliance team with individuals that possess relevant expertise Perform background checks aimed at screening for compliance risk, tailored to the level of risk associated with each position Consider employee execution of and adherence to the requirements and expectations of the C&E program in the preparation of performance evaluations Appropriately tailor compliance training based on the compliance risks encountered for specific roles in the organization Perform risk-based due diligence on third parties coso.org Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 11 3. STRATEGY AND OBJECTIVE-SETTING FOR COMPLIANCE RISKS This section describes the application of the strategy and factors that can create new risks or change existing ones. objective-setting component of the COSO ERM framework, and Some of the most important internal drivers of compliance the following four principles associated with the management risk include changes in people, processes, and technology. of compliance risks: Another driver of compliance risk is management pressure, particularly when such pressure is not coupled with reminders 6 Analyzes business context regarding the expectation of compliance and appropriate 7 Defines risk appetite incentives to adhere to the C&E program. More broadly, changes in organizational culture can arise from many factors 8 Evaluates alternative strategies and can affect compliance risk. 9 Formulates business objectives External drivers of compliance risk also represent an important Principle 6 — Analyzes business context element of context in identifying and managing compliance Context is critical to understanding and managing risks. 
The most obvious external factors are those involving the compliance risks. Business decision-making is one of the legal, regulatory, and enforcement landscape. For example, drivers of compliance risk; decisions can create new risks, recent changes in data privacy and security laws have change existing risks, or eliminate risks. Accordingly, the created entirely new compliance risks for some organizations. identification of a compliance risk universe should consider External drivers also include competitive, economic, and other the organization’s evolving strategy. The CCO should have factors that may directly or indirectly affect compliance risk. an appropriate level of involvement in the strategy-setting External factors may be at a macro level (e.g., industrywide process to enable the compliance function to be positioned competition, economic conditions) or at a micro level (e.g., to identify and develop plans to manage compliance risks that changes in local or regional laws and regulations). emerge from changes in strategy. Likewise, the CCO should be informed of sudden shifts in strategy that may occur as an Risk interdependencies may also affect how an organization organization responds to changes in its environment. manages compliance risks. An organization’s responses to other risks (e.g., strategic, financial) may affect compliance Context for effective compliance risk management includes risk in a positive or adverse way. consideration of other internal drivers of compliance risk — Table 3.1 Analyzes business context Key Consider and reflect organizational strategy in performing compliance risk assessments and managing characteristics compliance risk Consider how compliance risks are affected by internal changes, such as changes in people, structures, processes, technology, etc. 
Evaluate effects of external factors (e.g., competitive, economic, enforcement trends, environmental, political, social forces) on compliance risks Identify and consider risk interdependencies in the development of strategy Give consideration to cultural and regional differences in legal frameworks based on locations where the organization operates coso.org 12 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework Principle 7 — Defines risk appetite request for a bribe from a building inspector. Examining risk For those not familiar with the term, appetite for compliance risk appetite with consideration for the full range of potential often conjures up images of organizations willfully accepting consequences is an important element of compliance risk known compliance violations. The very nature of compliance risk management. means that a law may be violated that could result in financial or nonfinancial consequences for the organization (e.g., fines, As noted in COSO’s May 2020 publication, Risk Appetite – suspension or debarment, reputational damage). The level of Critical to Success: Using Risk Appetite to Thrive in a Changing acceptance of compliance risk in the pursuit of business goals World, three of the inputs to risk appetite are as follows: and objectives is a topic for discussion among management and the board (being clear to point out that this discussion is not 1. Board and management perspectives on appetite related to accepting known violations; it is about the realistic assumption that it is impossible to eliminate the possibility of a 2. Understanding the existing risk profile noncompliance event). 3. Organizational culture As defined by COSO, risk appetite refers to the types and amount of risk, on a broad level, that the organization is Board and management perspective on risk appetite should willing to accept in pursuit of value. 
Neither appetite nor risk be framed, in part, on a consideration of the relationships tolerance — the acceptable levels of variation in performance between compliance risk and the achievement of business related to business objectives — is typically defined at the objectives. This can be achieved only if the board and risk-specific level. management have a sufficient understanding of compliance risk as a component of the organization’s overall risk profile. Although neither appetite nor tolerance are expressed in Similarly, as noted earlier, maintaining a culture of compliance terms of compliance risk, there may be separate risk-centric is an essential element of a C&E program and, therefore, statements relating to individual compliance risk areas. More should be considered in developing an organization-wide commonly, the potential impact of compliance risk on the appetite for risk in general. achievement of business objectives should be considered in relation to determining and stating risk appetite and tolerance. Understanding how much of a threat a compliance risk poses As noted earlier, compliance with laws, regulations, and to the achievement of business objectives enables the CCO other requirements should itself be considered as a business to effectively prioritize the deployment of preventive and objective of the organization. detective resources. For example, if an organization has determined that a particular category of compliance risk poses A practical way of viewing compliance risk and its relationship a significant threat to the achievement of business objectives, to risk appetite and tolerance is by viewing it at the business the organization may allocate greater resources to managing unit or location level and by type of compliance risk. At the that risk. More attention may be devoted to auditing and business unit (or functional) level, each group often has its own monitoring in this area, among other possible responses. 
unique compliance risks, each with vastly different potential consequences for violations. For example, an international Organizations must also recognize that they cannot bribery violation may result in much more significant financial realistically eliminate all compliance risks or reduce the penalties than a building code violation. likelihood of occurrence to zero. This is simply not possible. As a result, engaging in discussions about risk appetite relating Although a fire code violation may trigger only a rather to compliance risks is a valuable tool in prioritizing efforts small fine, however, the potential consequences of a fire aimed at prevention and detection of specific compliance code violation tragically resulting in the loss of life could be violations. Guidance from regulators is consistent with this enormous. Seemingly immaterial compliance risks like this concept: expecting organizations to reduce and manage, not building code violation could lead to other risks, such as a necessarily eliminate, compliance risk. 
Table 3.2 Defines risk appetite Key Consider compliance risk as part of the organization’s risk profile in determining risk appetite characteristics Consider compliance risk by (1) type of risk (e.g., anti-bribery), (2) business unit or organizational function (e.g., human resources), and (3) location or region Determine and evaluate the relationships between compliance risks and the achievement of business objectives Discuss risk appetite on a regular basis and update as necessary based on changes in compliance risk Consider developing specific risk-centric appetite statements associated with compliance risks in support of organizational risk appetite and tolerance coso.org Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 13 Principle 8 — Evaluates alternative strategies mergers and acquisitions in order to understand the level of The compliance function should be involved in strategy risk that may be inherited as a result of the transaction, as well discussions from the standpoint of (1) understanding the as any C&E program integration needs and risks that may need strategy so that the C&E program can be designed to to be addressed. manage compliance risks appropriately and (2) advising strategic decision makers about possible compliance risks Once strategy has been decided, the compliance function associated with strategies under consideration. Compliance should identify and understand the implications for risk assessment and management are most effective when the organization’s C&E program. Begin by identifying the compliance function is fully informed prior to embarking and assessing compliance risks, as well as suggesting on new strategic initiatives, enabling the C&E program to be modifications to internal controls aimed at mitigating prepared to proactively address new or changing compliance compliance risk. Consider changes to training, monitoring, and risks. 
The CCO should also play a role in developing new auditing plans for the C&E program, and the development of compliance risk mitigation approaches in the context of key compliance metrics or performance indicators. changing strategies and risk appetite, as well as assistance in evaluating compliance risk issues associated with alternative As a strategy is being implemented, the organization may strategies under consideration. continue to make changes to the strategy based on an assessment of its successes and failures. This assessment If strategic decisions made by an organization involve merger is another opportunity for the CCO to provide valuable input or acquisition activities, it is important for compliance to be based on the C&E program’s monitoring and auditing activities, involved early in the process so that appropriate due diligence which may have revealed a level of compliance risk that differs focusing on compliance risks can be performed. This due from what was initially expected. diligence is important to the decision-making process for Table 3.3 Evaluates alternative strategies Key Ensure that the CCO has a seat at the table in discussions of strategies characteristics Solicit input and insight from the CCO regarding how strategy affects compliance risk Perform risk-based due diligence on merger and acquisition targets prior to execution of the transaction Consider implications of strategic decisions (including subsequent changes in strategy) in the design of the C&E program coso.org 14 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework Principle 9 — Formulates business objectives objectives, but at a minimum, it is well informed of such Linked to strategy, business objectives are measurable criteria objectives and the performance metrics that are used for by which the organization and individual business units can individual evaluations. be evaluated. 
Much like how adoption of strategy can affect compliance risk, development of business objectives also Risk interactions should also be considered. As business often creates or affects the likelihood of compliance violations. objectives and performance metrics change in one area of the Additionally, complying with applicable laws, regulations, organization, compliance risks may be affected — either in the contract terms, and other requirements should be considered same business unit or in other areas of the organization. as its own business objective if compliance is not explicitly addressed through other stated business objectives. Finally, just as performance metrics are an essential characteristic for business units, the compliance function Sometimes, performance metrics developed for business units itself should develop and monitor performance metrics. These can inadvertently create incentives to violate compliance metrics address and measure how well the C&E program and requirements. Take the simple example of a manufacturing infrastructure is working in practice across the organization, facility whose personnel are incentivized by aggressive and its overall effectiveness. Examples of measurable metrics new goals for increased production. This goal could lead — and key performance indicators (KPIs) — include such to shortcuts in quality control and inspections, resulting in things as training completion rates, timeliness of responding product safety violations if the production team views violating to issues, investigations, and implementing corrective action these compliance requirements as an acceptable means of plans, volume, frequency, and types of issues reported through achieving the new targets. 
The compliance function should be the organizations’ reporting mechanisms, culture survey consulted as part of the establishment of business objectives, responses over time, and metrics from monitoring various in much the same manner as described in Principle 8, to internal compliance controls such as vendor payments in ensure that incentives are appropriately structured to minimize high-risk operating locations. Although not all areas of the the promotion of bad behavior or that such incentives are C&E program are easy to objectively measure, the compliance balanced with appropriate compliance incentives. Ideally, function should take steps to develop and monitor objective compliance participates in the establishment of business metrics wherever possible. Table 3.4 Formulates business objectives Key Identify and evaluate compliance risks associated with planned business objectives characteristics Consider establishing compliance as a separate business objective Incorporate compliance risk management and accountability into performance measures and related evaluations Consider interactions between compliance and other risks based on changes in business objectives Include objectively measured compliance metrics within business objectives, reflecting the management of compliance risk and the effectiveness of C&E program implementation, and carrying appropriate weight in incentive and other compensation decisions coso.org Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 15 4. PERFORMANCE FOR COMPLIANCE RISKS This section describes the application of the performance would be responsible for most, if not all, aspects of component of the COSO ERM framework and the following compliance with those laws. 
As compliance programs have matured, they have moved to a more integrative, proactive approach based not on a particular past crisis that the organization wishes to avoid repeating, but on the systematic assessment of the organization and its environment to identify current and future threats to compliance. This same motive is what drives organizations to implement ERM.

Not all compliance threats will be considered priorities in the ERM context. For example, of the 10 most significant compliance risks identified by the C&E program, perhaps only 2 or 3 of them will be among the 10 most important identified by the ERM function at the organizational level, after consolidating compliance risks with all other risks. Yet for the C&E program, these are important, because they can emerge as serious threats through their impact on the compliance culture. Regulators expect a specific assessment of compliance risks as part of the C&E program. This suggests that even when an organization has a mature, well-developed ERM program, the C&E program should supplement the organizational-level ERM and should strive to identify and manage all compliance risks, regardless of whether all are material at the enterprise level.

five principles associated with the management of compliance risks:

10 Identifies risk
11 Assesses severity of risk
12 Prioritizes risk
13 Implements risk responses
14 Develops portfolio view

For C&E programs to be effective, it is expected by regulators and others that organizations periodically assess the potential threats of legal, regulatory, and policy noncompliance, as well as ethical misconduct, so that the organization can take steps to manage these risks to acceptable levels.

Principle 10 — Identifies risk

One of the most challenging tasks for the C&E program is the identification of the myriad compliance risks faced by the organization. Organizations are subject to thousands of laws and regulations ranging from antitrust, privacy, fraud, and intellectual property rights/obligations to local sales tax, licensing requirements, and environmental standards. Further, these threats constantly change with new and altered legal and regulatory requirements; with shifts in organizational strategies, such as a retailer entering the business of health care services; and with the emergence of new compliance risks as societal values evolve. To function effectively, the C&E program needs to have processes in place to identify and track these various risks across the organization.

Historically, many organizations approached compliance with laws and regulations in silos, developing programs to address specific issues where the organization or others in the industry had encountered significant challenges. For example, the business unit directly involved with the risk, such as antitrust or environmental or money laundering,

Developing a risk inventory for compliance risk is similar to the process of developing the ERM risk inventory. As illustrated in figure 4.1, there are a number of approaches that can be taken, with some approaches being more effective in identifying new and emerging risks.

For compliance risk identification, some approaches have been found to be particularly useful. Many organizations start with a risk inventory identified by similarly situated organizations or industry associations. This inventory needs to be viewed as a starting place and should then be tailored to the organization, considering its unique operations. Another often-used approach is to interview key employees to better understand operations and determine applicable laws and regulations that they deal with on a regular basis. As noted in figure 4.1, this method is effective at identifying existing laws and regulations posing compliance risks and may provide an indicator of emerging risk, but it may not be as effective at identifying new risks or changing enforcement standards not yet apparent to employees. Surveys may also be used to ask key managers to identify applicable laws and regulations that they deal with regularly in their area.1

coso.org 16 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Figure 4.1 Approaches for Identifying Risks*
(Matrix of risk types Existing, New, and Emerging against six identification approaches: Cognitive computing, Data tracking, Interviews, Key indicators, Process analysis, Workshops.)
* Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance, Volume 1, p. 69

Regardless of the approaches taken, the variety and complexity of compliance risks create the need for operations managers and risk owners to be involved in the risk-identification process. One way of doing this is the development of compliance committees at various levels in the organization. Senior management and the board must also be involved by including the C&E program leadership in strategic planning so they can understand the organization's current and evolving strategies and the related compliance risk.

Information provided by regulators can also be helpful in identifying new and emerging risk, because many of these agencies issue alerts regarding where they see emerging risks and have compliance concerns. For example, the SEC Office of Compliance Inspections and Examinations issues special risk alerts, and the HHS OIG publishes its work plan to alert organizations to areas considered to be high risk.

Further, compliance risk extends beyond the legal boundaries of the organization. Third-party contractors, suppliers, and partners in strategic alliances can pose significant compliance and ethical risks. Concerns specifically related to third-party risks include the following:

1. The organization usually has a lessened ability to control or oversee the work of a third party than it would with its own employees.

2. Third parties often do not have as strong of an incentive to adhere to compliance and ethics expectations as employees do.

3. Third parties may operate in geographic areas that are distant from the organization's headquarters, sometimes with differing laws, norms, and customs.

For these reasons, assessing risk involving third parties can be complicated, but risk assessments should be performed at the time a third party is engaged and periodically thereafter. The extent of each risk assessment, due diligence process, and subsequent monitoring and auditing should consider the role the third party plays, materiality, and other factors that could affect the level of risk associated with each third party.

Not all compliance risks will rise to the entity level and appear in the ERM risk register; however, the risk of regulatory change would be included in such an entity-level inventory in most organizations.

Table 4.1 Identifies risk
Key characteristics:
Describe the compliance risk identification and assessment process in documented policies and procedures
Identify compliance risks associated with planned strategy and business objectives
Assess internal and external environments to identify risks
Create process for identifying new and emerging risks
Consider risks associated with use of third parties
Consider information gathered through hotlines, other reporting channels, and results of investigations

1 Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 21–25, https://compliancecosmos.org/compliance-risk-assessments-introduction.

Principle 11 — Assesses severity of risk

Severity of a compliance risk is usually assessed primarily on the basis of likelihood and impact. Other factors may also be considered and will be explained later.

Likelihood is the probability that the risk could occur. In the case of compliance, this means the probability of specific noncompliance with a law/regulation or ethical misconduct. Assessing the likelihood of compliance risk in most cases is a subjective judgment. Despite being subjective, systematic judgment can be made. One approach is to consider the frequency of noncompliance. Will the event (e.g., a salesperson making an illegal payment to a government official to gain a contract) occur once a year or once every five years? This judgment would be based on experience or perhaps the organization's historical data, if such data is available. Another factor that enters into this assessment is the organizational context. Typically, the assessor makes assumptions about controls in place, such as policies prohibiting such payments or the controls around the payments process. In theory, one would like the assessment to be made under the assumption of no controls at all being in place, but it is difficult for people to imagine such "no control" situations. They usually make the assessment assuming "normal controls" or some sort of "minimal controls." For greater precision, some assessment methods break the likelihood assessment in two parts: one for likelihood or frequency and the other for effectiveness of internal controls, as shown in figure 4.2. Some models may even consider preventive and detective controls as two separate factors, with preventive controls being more relevant to likelihood or frequency, and detective controls more likely affecting the impact of an event based on the timeliness of detection.

In figure 4.2, the likelihood of occurrence is measured on a five-point scale from "rare" to "almost certain." Control assumptions and frequency are given descriptive anchors that are then matched to the assessor's beliefs.

Figure 4.2 Likelihood of Occurrence*
Columns: Scale; Existing controls; Frequency of noncompliance

5 Almost certain
Existing controls: No controls in place; no policies or procedures, no responsible person(s) identified, no training, no management review
Frequency of noncompliance: Expected to occur in most circumstances; more than once per year

4 Likely
Existing controls: Policies and procedures in place but neither mandated nor updated regularly; controls not tested or tested with unsatisfactory results; responsible person(s) identified; some formal and informal (on-the-job) training; no management reviews
Frequency of noncompliance: Will probably occur; at least once per year

3 Possible
Existing controls: Policies mandated, but not updated regularly; controls tested only occasionally, with mixed results; responsible person(s) identified; training is provided when needed; occasional management reviews are performed, but not documented
Frequency of noncompliance: Might occur at some time; at least once in 5 years

2 Unlikely
Existing controls: Policies mandated and updated regularly; controls tested with mostly positive results; regular training provided to the identified responsible person(s), but not documented; regular management reviews are performed, but not documented
Frequency of noncompliance: Could occur at some time; at least once in 10 years

1 Rare
Existing controls: Policies mandated and updated regularly; controls regularly tested with positive results; regular mandatory training is provided to the identified responsible person(s), and the training is documented; regular management reviews are performed and documented
Frequency of noncompliance: May occur only in exceptional circumstances; less than once in 10 years

* Adapted from Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 30, https://compliancecosmos.org/compliance-risk-assessments-introduction.

This approach is just one example. Every organization should customize its scale and measurement methodology to fit its particular needs. This customization would be done by a compliance committee or by the C&E program staff with input from management. Once the scale is determined, it should be applied consistently by the assessors.

The second component of risk severity is impact. Impact is the result or effect of risk in terms of the organization's strategy and business objectives. With compliance risk, one thinks immediately of civil and criminal fines and penalties, and the possible direct financial consequences of noncompliance. Another significant factor may be the reputational impact of compliance and ethical issues. This and other consequences (e.g., sanctions, suspension, and debarment) may have a material indirect financial impact, as well as an impact on morale and other factors that are difficult to measure.

Impact of noncompliance and ethical failures can be assessed using a variety of measurement categories.

Legal — Consisting of civil and criminal fines and penalties

Financial — Internal and external costs associated with investigating and remediation (e.g., legal fees, consultants, investigators)

Operational — Potential disruption of business operations from plant shutdowns, suspensions, debarments, and loss of license

Reputation (image) — Effect of media coverage; damage to organization's image/brand; and subsequent diminished attractiveness to current and potential future employees, business partners, vendors, and customers

Health and safety — Employee, patient, customer

Ability to pursue strategic goals — Prohibition to add new customers, loss of license

Figure 4.3 illustrates how these categories might be used to construct a scale for assessing the impact of compliance risks.

Figure 4.3 Impact of Compliance Risks
Columns: Scale; Legal*; Financial#; Operational (Potential Disruption)*; Reputation (Image)+; Health and Safety*; Ability to Pursue Strategic Goals*

1 Insignificant
Legal: In compliance; Financial: < $1 million; Operational: < 1/2 day; Reputation: No press exposure; Health and Safety: No injuries; Ability to Pursue Strategic Goals: Little or no impact

2 Minor
Legal: Civil violation with little/no fines; Financial: $1–$5 million; Operational: < 1 day; Reputation: Localized negative impact on reputation (such as a single large customer) but recoverable; Health and Safety: First aid treatment; Ability to Pursue Strategic Goals: Minor impact

3 Serious
Legal: Significant civil fines/penalties; Financial: $5–$25 million; Operational: 1 day–1 week; Reputation: Negative media coverage in a specific U.S. region or a foreign country; Health and Safety: Medical treatment; Ability to Pursue Strategic Goals: Major impact

4 Disastrous
Legal: Serious violation, criminal prosecution probable; Financial: $25–$100 million; Operational: 1 week–1 month; Reputation: Negative U.S. national or international media coverage (not front page); Health and Safety: Death or extensive injuries; Ability to Pursue Strategic Goals: Significant impact

5
Legal: Significant violation, ; Financial: > $100 million; Operational: > 1 month; Reputation: Sustained U.S. national