Compliance Risk Management Applying The COSO ERM Framework PDF

Summary

This document is a guide to compliance risk management, applying the COSO ERM framework.  It explains compliance risks, their potential harm, and how to manage them by aligning with the C&E program framework. It also outlines the scope of compliance risks and their relationship to laws, regulations, internal policies and ethical expectations and guidelines.

Full Transcript

C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n

Enterprise Risk Management

COMPLIANCE RISK
MANAGEMENT:
APPLYING THE COSO ERM
FRAMEWORK

By

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to
specific situations should be determined through consultation with your professional adviser, and this paper should not be considered substitute
for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Authors
Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA)

COSO Board Members
Paul J. Sobel Daniel C. Murdock
COSO Chair Financial Executives International

Douglas F. Prawitt Jeffrey C. Thomson
American Accounting Association Institute of Management Accountants

Robert D. Dohrer Patty K. Miller
American Institute of CPAs (AICPA) The Institute of Internal Auditors

Preface
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to
improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:

American Accounting Association (AAA)

American Institute of CPAs (AICPA)

Financial Executives International (FEI)

The Institute of Management Accountants (IMA) Committee of Sponsoring Organizations
of the Treadway Commission

The Institute of Internal Auditors (IIA) coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | i

Enterprise Risk Management

COMPLIANCE RISK
MANAGEMENT:
APPLYING THE COSO ERM
FRAMEWORK

Research Commissioned by

Commi tte e o f S p o n s o r i n g O rg a n izations of the Trea d way Commiss ion

November 2020

coso.org
ii | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Copyright © 2020, Committee of Sponsoring Organizations of the Treadway Commission (COSO).
1234567890 PIP 198765432

COSO images are from COSO Enterprise Risk Management - Integrating with Strategy and Performance ©2017, The
American Institute of Certified Public Accountants on behalf of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO). COSO is a trademark of the Committee of Sponsoring Organizations of the Treadway Commission.

All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or
by any means without written permission. For information regarding licensing and reprint permissions, please contact the
American Institute of Certified Public Accountants, which handles licensing and permissions for COSO copyrighted materials.
Direct all inquiries to [email protected] or AICPA, Attn: Manager, Licensing & Rights, 220 Leigh Farm
Road, Durham, NC 27707 USA. Telephone inquiries may be directed to 888-777-7077.

Design and production: Sergio Analco.

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | iii

Contents Page
1. Introduction 1

2. Governance and Culture for Compliance Risks 7

3. Strategy and Objective-Setting for Compliance Risks 11

4. Performance for Compliance Risks 15

5. Review and Revision for Compliance Risks 22

6. Information, Communication, and Reporting
for Compliance Risks 27

Appendix 1.
Elements of an effective compliance
and ethics program 31

Appendix 2.
International growth in recognition
of compliance and ethics programs 37

Acknowledgments 39

About SCCE & HCCA 39

About COSO 40

coso.org
iv | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 1

1. INTRODUCTION

Why this publication is needed
Compliance risks are common and frequently material risks Most compliance violations either inherently cause harm
to achieving an organization’s objectives. For many years, or have the potential to result in direct harm to individuals,
compliance professionals have used a widely accepted communities, or organizations. Examples of parties that may
framework for compliance and ethics (C&E) programs to be harmed through compliance violations include customers
prevent and timely detect noncompliance and other acts (e.g., violations of privacy or data security laws leading to
of wrongdoing. The C&E program framework is described a breach and theft of personal information, product safety
in Appendix 1 (if readers are not already familiar with the violations resulting in injuries, antitrust violations resulting in
elements of a C&E program, consider reading Appendix 1 inflated prices), employees (e.g., workplace safety regulation
before proceeding). The COSO Enterprise Risk Management violations resulting in injury to a worker, antidiscrimination or
(ERM) Framework, meanwhile, has been used by risk and whistleblower protection law violations), or the general public
other professionals to identify and mitigate a variety of (e.g., environmental violations resulting in illness or death).
organizational risks, including compliance risks.
Although most compliance risks relate to specific laws or
This publication aims to provide guidance on the application regulations, others do not. These other risks, referred to as
of the COSO ERM framework to the identification, “compliance-related risks,” may include risks associated
assessment, and management of compliance risks by with failures to comply with professional standards, internal
aligning it with the C&E program framework, creating a policies of an organization (including codes of conduct and
powerful tool that integrates the concepts underlying each of business ethics), and contractual obligations. For example,
these valuable frameworks. conflicts of interest represent violations of laws or regulations
only in limited instances (frequently involving government
What are compliance and compliance-related risks? officials or programs). Conflicts of interest are frequently
Risk is defined by COSO as “the possibility that events will prohibited by professional standards, terms of contracts and
occur and affect the achievement of strategy and business grant agreements, or internal policies, and they are viewed
objectives.” Risks considered in this definition include those as damaging to an organization if they are not disclosed and
relating to all business objectives, including compliance. managed. As a result, conflicts of interest are commonly
Compliance risks are those risks relating to possible included within the population of compliance risks.
violations of applicable laws, regulations, contractual terms,
standards, or internal policies where such violation could Accordingly, throughout this publication, the term
result in direct or indirect financial liability, civil or criminal “compliance risk” is used in reference to any risk that
penalties, regulatory sanctions, or other negative effects for is either directly associated with a law or regulation or
the organization or its personnel. Throughout this publication, is compliance-related in that it is associated with other
“events” associated with compliance risks will be referred to standards, organizational policies, or ethical expectations
as “noncompliance” or “compliance violations.” and guidelines.

Although the underlying acts (or failures to act) are carried out As this discussion illustrates, the scope of what an
by individuals, compliance violations are generally attributable organization considers to be compliance risks is not an
to the organization when they are carried out by employees exact science, although most organizations use a similar
or agents of the organization in the ordinary course of their list of compliance risk areas within the universe of their
duties. The exact scope of acts attributable to an organization programs (e.g., environmental, bribery, and corruption), even
can vary depending upon the circumstances. In some cases, if the specific compliance risks within each area may differ.
the employee may also bear liability as an individual. Determining the exact scope of a C&E program is typically

coso.org
2 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

both an early step in developing the program and an The current U.S. Federal Sentencing Guidelines (USSG) identify
ongoing exercise as the risk landscape changes, and input the following seven elements of an effective C&E program:
from compliance, legal, senior leaders, and the board are
considered. 1 Standards and procedures

Compliance violations often result in fines, penalties, civil 2 Governance, oversight, and authority
settlements, or similar financial liabilities. However, not all
3 Due diligence in delegation of authority
compliance violations have direct financial ramifications. In
some cases, the initial impact may be purely reputational. 4 Communication and training
However, reputational damage often leads to future financial
or nonfinancial harm, ranging from loss of customers to loss of 5 Monitoring, auditing, and reporting systems
employees, competitive disadvantages, or other effects (e.g.,
suspension, debarment). 6 Incentives and enforcement

Most noncompliance stems from actions taken by insiders 7 Response to wrongdoing
– employees, management, or members of an organization’s
board of directors. Increasingly, risks also result from Separately, the USSG also require that organizations
contractors and other third parties whose actions affect an periodically assess the risk of noncompliance and continually
organization. The most common examples involve vendors look for ways to improve their C&E programs. This two-part
in an organization’s supply chain (e.g., when a supplier of requirement has often been referred to as the eighth element
Egyptian cotton bedding for several major retailers was found of an effective program. Each of these elements is explained in
to be using a lesser grade of cotton that was not from Egypt, greater detail in Appendix 1.
the retailers incurred significant liabilities to their customers)
or third parties involved in the sales cycle (e.g., intermediaries The USSG also state that organizations should promote a
that may pay bribes to government officials in order to obtain culture that encourages ethical conduct and a commitment
lucrative contracts for an organization). to compliance with the law. This acknowledgment that
organizational culture and business ethics play integral roles
A final consideration in determining the scope of a program in compliance risk management is one of the factors that led to
is the potential for inherited risks resulting from merger and the common use of the term “compliance and ethics program”
acquisition (M&A) activity. As M&A transactions take place, or “C&E program”.
the universe of compliance risks to which an organization is
exposed can change drastically and instantly. These risks may The USSG do not mandate C&E programs for any organization;
relate to events that took place prior to the merger or may however, they provide an incentive for the establishment
simply result from unique risks faced by the merged entity that of such programs as a means of mitigating the significant
the acquiror had not previously faced. penalties that can otherwise result when an organization is
found to have violated federal laws. In criminal cases involving
The evolution of compliance and ethics programs noncompliance with laws, an organization’s penalty can be
Although compliance with laws and regulations has been decreased significantly from a base amount determined, in
an expectation for many years, compliance and ethics as part, on the existence of an effective C&E program. Developing
a profession and as a distinct function in organizations is a case law related to the guidelines has added further weight
relatively recent development. It stems from the equally recent to the importance of C&E programs, particularly in highly
emergence of the C&E program as a valuable and frequently regulated entities, with courts concluding that the failure to
required element of organizational management. implement an effective C&E program may represent a breach
of fiduciary duty. Additionally, guidance issued by the U.S.
A series of events in the 1980s in the United States led to Department of Justice and other agencies have emphasized
the U.S. Sentencing Commission publishing guidelines in the importance of C&E programs.
1991 for the punishment of organizations for violations of
the law. Among its provisions, the sentencing guidelines for Although the USSG don’t require organizations to have C&E
organizations provide for very significant reductions in criminal programs, individual government agencies sometimes do.
penalties if an organization has an effective compliance For example, certain healthcare organizations must have
program in place. Important amendments were made in 2004 compliance programs as a condition for eligibility to participate
and 2010 to clarify and expand on the characteristics of an in Medicare, and the Federal Acquisition Regulations require
effective program. certain government contractors to have compliance programs.

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 3

Finally, a compliance department should be separate from the 1 Performance of a bribery risk assessment
legal and regulatory affairs department. This independence
is not generally required, but is rapidly emerging as a 2 Leadership and commitment to the anti-bribery
preferred practice due to the differing and sometimes management system
conflicting responsibilities of the two functions. For example,
guidance issued by the Office of Inspector General of 3 Establishment of an anti-bribery compliance function
the U.S. Department of Health and Human Services (HHS
OIG) indicates that the compliance department should be 4 Sufficient resources provided for the anti-bribery
independent. In its 2012 A Toolkit for Health Care Boards, the management system
HHS OIG’s Health Care Fraud Prevention and Enforcement
Action Team (HEAT) stated: “Protect the compliance officer’s 5 Competence of employees
independence by separating this role from your legal
counsel and senior management. All decisions affecting the 6 Awareness and training on anti-bribery policies
compliance officer’s employment or limiting the scope of the
compliance program should require prior board approval.” 7 Due diligence in connection with third-party business
associates and employees
International guidance on compliance and ethics
programs 8 Establishment and implementation of anti-bribery
Although the most extensive statutory, regulatory, and controls
nonregulatory guidance on C&E programs has emanated from
the United States, many other countries have issued various 9 Internal audit of the anti-bribery management system
forms of requirements for and guidance on C&E programs. In
some instances, guidance on C&E programs outside the U.S. 10 Periodic reviews of the anti-bribery management system
is limited in application to specific areas of the law, such as by the governing body
bribery and corruption or antitrust/competition. In others, it is
broader, like it is in the U.S., and applicable to many areas of Beyond bribery, ISO has also issued guidance more broadly
the law. Much of the guidance issued globally mirrors many of on compliance management systems in the form of ISO
the concepts and elements described in the USSG. 19600:2014. Most recently, ISO/DIS 37301 was proposed in 2020
to replace ISO 19600. The draft new standard describes the
A sampling of some of the guidance from outside the U.S. following five elements of a compliance management system:
reveals a mostly consistent picture of what regulators expect
from C&E programs. For example, the United Kingdom’s 1 Compliance obligations (identification of new and
Ministry of Justice has provided guidance on the Bribery Act changed compliance requirements)
2010, describing procedures that commercial organizations
can put in place to minimize the risk of bribery. Those 2 Compliance risk assessment
procedures are summarized into the following six principles,
which that closely align with the USSG: 3 Compliance policy

1 Proportionate procedures 4 Training and communication

2 Top-level commitment 5 Performance evaluation

3 Risk assessment A variety of other legal and regulatory developments that
do not directly reference C&E programs nonetheless affect
4 Due diligence them. For example, 2019 European Union regulations aimed
at providing new protections for whistleblowers help in
5 Communication (including training) supporting an important element of an effective C&E program.
Similarly, data protection and privacy laws commonly differ
6 Monitoring and review from one country to another, but frequently have direct or
indirect effects on C&E programs.
Guidance has also been issued by the International
Organization for Standardization (ISO). Its 2016 ISO 37001 Anti- Additional examples of international guidance on C&E
bribery management systems standard includes the following programs are provided in Appendix 2. What it shows is that
expectations of a program: global guidance on C&E programs has far more similarities than

coso.org
4 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

differences, even if the scope of application of a C&E program Figure 1.1 The COSO 2013 Framework
may differ (i.e., limited to bribery and corruption in some
jurisdictions and broader application in others). The common
thread across these various guides is a shared appreciation
for the elements on which this COSO guide is based.

The relationship between compliance, internal
control, and enterprise risk management
COSO defines internal control in Internal Control – Integrated
Framework (2013) and Enterprise Risk Management –
Integrating with Strategy and Performance (2017) as follows:

A process, effected by an entity’s board of directors,
management, and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives relating
to operations, reporting, and compliance. Source: COSO Internal Control Framework ©2013

COSO defines ERM as follows:
As this definition clearly points out, internal control is not
solely about accounting and financial matters. Compliance The culture, capabilities, and practices, integrated
with laws and regulations is one of the three fundamental with strategy-setting and its performance, that
objectives of an organization’s system of internal controls. organizations rely on to manage risk in creating,
The following five components of internal control support all preserving, and realizing value.
three categories of objectives:
The COSO ERM framework, like the internal control
Control environment framework, comprises five interrelated components:
Risk assessment
Governance & culture
COSO
Control Infographic
activities with Principles
Strategy & objective-setting
Information and communication
Performance
Monitoring activities
Review and revision
The relationships between the three objectives, five
components, and the entity are depicted in figure 1.1: Information, communication, and reporting

Figure 1.2 Risk Management Components
ENTERPRISE RISK MANAGEMENT

MISSION, VISION STRATEGY BUSINESS IMPLEMENTATION ENHANCED
& CORE VALUES DEVELOPMENT OBJECTIVE & PERFORMANCE VALUE
FORMULATION

Governance Strategy & Performance Review Information,
& Culture Objective-Setting & Revision Communication,
& Reporting
1. Exercises
Source: COSOBoard Risk Risk Management—Integrating
Enterprise 10. and
6. Analyzes Business with Strategy Identifies Risk
Performance 15. Assesses Substantial 18. Leverages Information
Oversight Context 11. Assesses Severity Change and Technology
2. Establishes Operating 7. Defines Risk Appetite of Risk 16. Reviews Risk and 19. Communicates Risk
Structures 8. Evaluates Alternative 12. Prioritizes Risks Performance Information
3. Defines Desired Culture Strategies 13. Implements Risk 17. Pursues improvement 20. Reports on Risk,
4. Demonstrates 9. Formulates Business Responses in Enterprise Risk Culture, and
Commitment Objectives Management Performance
14. Develops Portfolio
to Core Values View
c5.o Attracts,
s o. o r gDevelops,
and Retains Capable
Individuals
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 5

ERM is different than, but related to, internal controls. ERM There is not a universally accepted definition for the
incorporates some of the concepts of internal control. In scope of an organization’s C&E program. It can vary from
fact, implementation of internal controls is the most common one organization to another. As a result, compliance with
approach to reducing risk. But ERM also includes certain some laws and regulations may be primarily subject to the
concepts that are not considered within internal control. For oversight of others, although the compliance function should
example, concepts of risk appetite, tolerance, strategy, and always be prepared to serve an overarching role or to step
business objectives are set within ERM, but are viewed as in to assist or address issues if the others are unable or
preconditions of internal control. ERM is more closely aligned unwilling to properly manage the risk.
with strategy than internal control.
Another difference among organizations may involve where
An important aspect of ERM is its focus on creating, the compliance function “sits” within the organization.
preserving, and realizing value. The C&E program supports Although a C&E program is organization-wide, involving
each of these three goals. An effective C&E program employees and managers from all functional areas, the
allows an organization to more confidently pursue new compliance function, consisting of a dedicated team of
value creation opportunities. Further, value that has been compliance and ethics professionals, may be positioned in
created by an organization can quickly become impaired a variety of locations within an organization chart. In most
when accompanied by violations of laws or regulations. An organizations, it is an independent function, and this is
effective C&E program can preserve this value and enable an considered the best practice. In others, it may be a part of, or
organization to fully realize it. report to, legal, internal audit, risk management, or another
function. Regardless of where the compliance function is
Accordingly, the management of compliance risk is an positioned on an organization chart, communication and
important element of both the internal control and the collaboration with each of the preceding functions are
broader ERM functions and processes of an organization. essential to the success of a C&E program.

The scope and positioning of the compliance Likewise, ethics may be considered a function apart from
function in an organization compliance. In many organizations, however, compliance
As noted earlier, compliance risk generally involves the risk and ethics fall under a compliance and ethics officer.
of violations of laws and regulations, but it may also address
contract provisions, professional standards, organizational It is important to understand that although virtually every
policy, and ethics matters. The laws and regulations that employee plays a role in managing risk, the management/
fall within the scope of a compliance program, however, mitigation of compliance risk is primarily the responsibility of
can vary by industry and from organization to organization. all management at all levels. The compliance function leads
For example, risk of violating the Foreign Corrupt Practices the development of the C&E program, but it is ultimately
Act may fall clearly within the scope of a company’s C&E management’s job to execute the program and for the board
program. But compliance with accounting standards to provide oversight. The role of the compliance and ethics
required in filings with the U.S. Securities and Exchange officer is to help management understand the risks; lead the
Commission may be addressed within the accounting and development of the program to mitigate and manage those
finance functions and may be considered outside the scope risks; evaluate how well the program is being executed;
of the C&E program. Human resources and employment law and report to leadership on gaps in coverage, execution,
risks may be managed entirely within the human resources or material instances of noncompliance, including those by
function, or the compliance function may also participate in senior leaders.
managing these risks.
In summary, management of compliance risk can be
performed effectively under a variety of structural models.
This publication provides guidance on the design and
operation of an effective C&E program regardless of the
organizational structure or how responsibilities are allocated.

coso.org
6 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

COSO Infographic with Principles
About this Guidance When the USSG were developed, and as the elements of
There are several target audiences for this publication, effective C&E programs have evolved, fitting the seven
including the following: elements within the ERM framework was not a significant
concern or objective. Indeed, much of this evolution
1 Professionals such as risk managers, internal occurred before the first ERM framework was published by
auditors, and others who are involved in applying an COSO in 2004.
organization’s ERM program to compliance risks.
In the remaining portions of this guide, each of the 20
2 Compliance professionals who are aiming to align principles of the COSO ERM framework, depicted in figure
their C&E program to, or integrate it with, ENTERPRISE RISK MANAGEMENT
1.3, is mapped to the specific requirements and emerging
an organization-wide ERM program.
practices of an effective C&E program. Section 2 starts with
3 The senior management team, to better the governance and culture component and the related
understand compliance risk and the C&E program. five principles. Sections 3 to 6 cover the other components
MISSION, VISION STRATEGY BUSINESS and their related principles, respectively. In ENHANCED
IMPLEMENTATION each, key steps
4 Members of the board of directors,
& CORE VALUES
to assist them
DEVELOPMENT OBJECTIVE
FORMULATION
are provided to implement
& PERFORMANCE
and maintain an effective
VALUE
C&E
in their oversight role. program for each of the ERM principles.

Figure 1.3 Risk Management Components - The 20 principles
Governance Strategy & Performance Review Information,
& Culture Objective-Setting & Revision Communication,
& Reporting
1. Exercises Board Risk 6. Analyzes Business 10. Identifies Risk 15. Assesses Substantial 18. Leverages Information
Oversight Context 11. Assesses Severity Change and Technology
2. Establishes Operating 7. Defines Risk Appetite of Risk 16. Reviews Risk and 19. Communicates Risk
Structures 8. Evaluates Alternative 12. Prioritizes Risks Performance Information
3. Defines Desired Culture Strategies 13. Implements Risk 17. Pursues improvement 20. Reports on Risk,
4. Demonstrates 9. Formulates Business Responses in Enterprise Risk Culture, and
Commitment Objectives Management Performance
14. Develops Portfolio
to Core Values View
5. Attracts, Develops,
and Retains Capable
Individuals

Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance

An example of the application of the guidance provided in this publication to a specific compliance risk can be found at
corporatecompliance.org/coso.

Figure 1.4 Frequently used terms and abbreviations
The following terms and abbreviations are used frequently throughout this publication
Board The board of directors or, where appropriate, a board-level committee that has been delegated the responsibility
for compliance oversight by the board of directors
C&E program Compliance and ethics program
CCO The chief compliance officer, chief compliance and ethics officer, or the equivalent title associated with the
highest-ranking employee charged with oversight of the C&E program
Compliance An internal committee composed of employees from various departments and functions within an organization
committee whose mission is to advise, inform, and partner with the CCO in communicating and extending the compliance
function throughout the organization’s operations
Compliance The possibility that violations of applicable laws, regulations, contractual terms, standards, or internal policies
risk will occur and have a negative financial or nonfinancial impact on the organization
DOJ The United States Department of Justice
USSG The United States Federal Sentencing Guidelines

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 7

2. GOVERNANCE AND CULTURE
FOR COMPLIANCE RISKS

This section describes the application of the governance — time that may be unavailable for the entire board. As noted
and culture component of the COSO ERM framework to the earlier, the term “board” is used in reference to either the board
management of compliance risks. The COSO framework of directors or a board-level committee that has oversight
describes the following five principles that underlie this responsibility for the C&E program.
component:
For oversight to be exercised properly, there must be an
1 Exercises board risk oversight open and direct line of communication between the CCO
2 Establishes operating structures and the board. This communication should include regularly
scheduled, periodic meetings, including sessions in which the
3 Defines desired culture board meets privately with the CCO without other members of
senior management present.
4 Demonstrates commitment to core values
5 Attracts, develops, and retains capable individuals Having compliance expertise on the board can be extremely
valuable and can enhance oversight of the program. Ideally,
Principle 1 – Exercises board risk oversight this expertise comes from industry-specific experience with
The board of directors is responsible for oversight of the relevant compliance issues as well as experience developing
organization’s C&E program, and management is responsible and managing effective compliance programs.
for the design and operation of the program. The expectation
of board oversight is reinforced in C&E program standards that The board should also ensure there is an effective
have been promulgated in several countries. For instance, the compliance oversight infrastructure in place to support the
USSG § 8B2.1(b)(2)(A)-(C) state that a company’s “governing C&E program, to include adequate staffing and resources,
authority shall be knowledgeable about the content and as well as appropriate authority and empowerment to
operation of the compliance and ethics program and shall achieve the objectives of the program. This infrastructure
exercise reasonable oversight.” may also include an internal compliance committee. Often,
an internal compliance committee composed of individuals
Given the possible complexity of an organization’s C&E program, from key functions or business units is an effective way
it is often advisable for the board to delegate responsibility for for the CCO to maintain open lines of communication to
this oversight to a board-level standing committee, much like facilitate timely awareness of emerging compliance risk
audit oversight is commonly delegated to an audit committee. areas and to obtain important input and buy-in on how to
This enables a committee to devote sufficient time to oversight mitigate and address risks.

Table 2.1 Exercises board risk oversight
Key Require the board to oversee compliance risk management and the C&E program, including the approval of its charter
characteristics Ensure that the board is knowledgeable of and demonstrates oversight of the C&E program (regular part of
agendas, monitors compliance metrics, holds regular executive sessions with CCO and others)
Require that the board includes a member who possesses compliance expertise
Document evidence of board oversight of the C&E program in minutes
Provide input or approve appointment/dismissal/reassignment of CCO and ensure independence
Ensure that sufficient resources are provided for the C&E program
Receive regular reports from the CCO
Ensure that the board is informed about material investigations and remediation efforts and provides input

coso.org
8 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Principle 2 — Establishes operating structures level compliance committee, the committee should operate
The positioning of the compliance function within an in accordance with a board-approved charter. The charter
organization has important implications for the effectiveness describes in detail the responsibilities and key operating
of the program. The compliance function should be led by procedures of the committee (e.g., frequency and nature of
someone who is positioned to be effective, which typically meetings, reporting to the board) as well as the qualifications
means being a peer of other senior leaders. Moreover, the for committee members.
compliance function must have the practical authority,
resources, and tools to effectively fulfill its mandate. Finally, Increasingly, regulators and the enforcement community
the compliance function should be functionally separate consider the stature of the compliance function relative to
and distinct from other functions, particularly those that are other executive functions as a signal of how seriously the C&E
frequently perceived by regulators as having conflicting program, and therefore compliance with laws and regulations,
obligations or priorities (e.g., legal, finance, etc.). Although is viewed within an organization. Is the compliance function
it may be possible for the compliance and ethics function buried several layers down the organization chart? Or is
to be effective when housed within other departments, it represented at a very high executive level? Stature also
the preferred practice is for compliance to be functionally considers positioning of the CCO relative to other senior
separate and — like internal audit — report to the board. If executives of an organization.
the function does not report to the board, extra care must be
taken to ensure adequate resources and sufficient autonomy, Operating structure should also include other key compliance
including direct and unfiltered access to the board. policies and procedures, such as those that govern
the methodology and performance of compliance risk
Operating structure should also include documented policies assessments, consideration of forming an internal compliance
and procedures covering the governance and decision- committee with representation from across the organization,
making processes associated with the C&E program. From and procedures for escalation when significant risk events
a governance standpoint, if oversight of the C&E program occur, among other procedures.
has been delegated by the board of directors to a board-

Table 2.2 Establishes operating structures
Key Maintain independence of the CCO and the compliance and ethics function
characteristics Ensure that the CCO directly reports to and regularly communicates with the board
Ensure that the CCO and C&E program have high stature relative to other functional leaders
Grant sufficient authority to the CCO to manage the program effectively
Provide sufficient resources for the C&E program to be effective
Address C&E program oversight in the charter (including delegation to a designated committee, if applicable)
Document policies and procedures specific to the operation of the C&E program
Establish protocol/procedures for escalation of significant compliance risk events

Principle 3 — Defines desired culture An exercise that is helpful in setting expectations for culture is
It is critical for the organization to establish and maintain a for senior management to have a robust discussion about the
culture of compliance and integrity. Without it, even the most relationship between compliance risk and the organization’s
carefully designed compliance controls will be vulnerable risk appetite and risk tolerance, which are discussed further
to failure. Culture begins with a sincere commitment in the next section. In particular, tolerance, which considers
to compliance and ethics at the leadership level. The acceptable levels of variation in performance related to
commitment is reflected in several ways, beginning with its achieving business objectives, should consider the potential
inclusion in a code of conduct or business ethics that is written impact of compliance risk, because compliance with laws,
in a manner that clearly articulates expectations of behavior. regulations, and other requirements should itself be one of the
Leadership can also reinforce and clarify this culture through primary business objectives for all organizations.
other communications. This commitment to culture should be
further reflected through the adoption of important compliance Another aspect in a culture of compliance is that of risk
metrics and by meaningfully incorporating compliance into awareness. It is one thing to have a culture in which
the performance evaluation and compensation/incentive compliance is important. But an essential element of such an
compensation processes, particularly at leadership levels. environment is a culture of risk awareness, where employees
are vigilant and willing to raise concerns when they see
warning signs of risk.

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 9

Communication and training are also important tools for training should include periodic discussion of the code
promoting an ethical culture, because each reinforces of conduct, but it should also include training on specific
an overall mindset of compliance and integrity, while also compliance issues tailored to individual groups of employees
improving awareness of key compliance issues. Accordingly, exposed to these risks in connection with their work.

Table 2.3 Defines desired culture
Key Ensure that the board is knowledgeable of and approves a code of conduct/ethics and other key
characteristics compliance policies
Explain expectations relating to ethics and compliance in a code of conduct/ethics
Provide and require training on the code of conduct and on ethical decision-making for all staff (including
board members)
Perform ongoing monitoring or assessment of organizational culture
Develop objectively measurable compliance metrics tied to performance evaluations and compensation,
where appropriate
Adopt meaningful incentives to promote consistent execution of the C&E program
Include references to organizational values, expectations, and importance of ethics in communications from
leadership

Principle 4 — Demonstrates commitment to accountable for their individual roles in managing compliance
core values risks, and this should be reflected in job descriptions,
Commitment to core values should be represented in a value performance evaluations, and incentives.
statement or other set of guiding principles that demonstrates
a commitment to compliance and ethical business conduct. When allegations of noncompliance or unethical behavior
Increasingly, studies show a correlation between ethical emerge, they must be taken seriously. This means that
culture and organizational performance, consistent with ERM’s individuals should be required to report wrongdoing and have
goal of creating value. multiple avenues for reporting. Once an allegation is received,
sound investigative protocols should be followed in a timely
The tone from the top plays an important role in managing manner to assess the credibility of the allegation. In addition,
compliance risks. The tone set by the executive team must individuals who report concerns about wrongdoing must feel
set an example of compliance and ethical behavior. This safe speaking up and be protected from retaliation in order for
commitment must cascade throughout the organization, thus this system to operate effectively.
the term tone “from” the top rather than tone “at” the top.
Each layer of leaders within an organization — the supervisors If wrongdoing is confirmed through the investigative process,
and managers of others — must communicate and pass this disciplinary action should be taken in a degree that is
tone on to the next level. appropriate to the level of wrongdoing. Discipline should be
consistent based on the nature of the wrongdoing, without
Commitment to compliance and ethics, however, requires regard to the individual’s level on the organization chart or
much more than setting the tone. Employees should be held level of influence within the organization.

Table 2.4 Demonstrates a commitment to core values
Key Actively promote a culture of compliance risk awareness, including setting an ethical and compliant tone by
characteristics leadership
Balance business incentives with material compliance incentives
Incorporate accountability for the management of (1) compliance risks and (2) compliance program imple-
mentation into employee performance measurement, promotions, and incentive programs, particularly at
senior levels
Protect those who report suspected wrongdoing, with zero tolerance for retaliation
Take allegations of wrongdoing seriously and investigate in a timely manner
Promote organizational justice, including accountability for wrongdoing, fairness and consistency in discipline,
and fairness in promotions
Communicate lessons learned from compliance and ethics failures across the organization in
appropriate detail

coso.org
10 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Principle 5 — Attracts, develops, and retains individuals. These tools are critical for the management of
capable individuals compliance risks as well. The Department of Justice (DOJ)
An effective compliance function should be led by a CCO with notes that a “hallmark of effective implementation of a
appropriate experience and qualifications. The specifics of compliance program is the establishment of incentives for
prior experience and other qualifications can vary based on compliance and disincentives for non-compliance.”
the nature of the organization, its industry, and many other
factors. Just as training on a code of conduct and broad ethical issues
helps to define an organization’s desired culture (Principle 3),
Throughout the entire organization, hiring individuals who training on specific compliance risk topics further develops
respect compliance and make business decisions in an individuals’ abilities to effectively recognize and manage
ethical manner is vital to the management of compliance risks. compliance risks. Furthermore, the compliance team itself
Indeed, being perceived as an organization that is committed should continue to be developed with training on emerging
to compliance and ethics helps companies attract and retain practices for managing a C&E program and changes in the
good people. legal/regulatory environment.

The USSG, which established the framework for what has In recent years, numerous compliance issues have been
become the global standard for C&E programs, state that triggered by third parties (nonemployees), especially those
an “organization shall use reasonable efforts not to include that play integral roles in connection with supply chains,
within the substantial authority personnel of the organization sales, delivery, and other key functions. Accordingly, the due
any individual whom the organization knew, or should diligence concepts described in this section should also be
have known through the exercise of due diligence, has applied when engaging third parties to carry out activities
engaged in illegal activities or other conduct inconsistent on behalf of the organization (e.g., suppliers, sales agents,
with an effective compliance and ethics program.” As such, outsourcing partners), based on the level of compliance risk
organizations should perform background checks appropriate associated with each third party. The degree of background
to the responsibilities of the position and in compliance with checking, other due diligence, and compliance-related
relevant employment laws. The CCO may collaborate with performance measures should vary based on the assessed
human resources and others to identify positions considered level of risk, and due diligence should be repeated periodically
to involve “substantial authority”— those that could create as part of maintaining ongoing relationships with high-risk third
compliance risk for the organization. parties. Due diligence in engaging with certain third parties,
as well as ongoing training and monitoring of compliance
The COSO ERM framework indicates that performance performance of third parties, have become expected by
evaluation and the establishment of appropriate incentives regulators and are integral elements of this principle.
are two important ingredients for developing and retaining

Table 2.5 Attracts, develops, and retains capable individuals
Key Hire and retain a CCO with appropriate experience/expertise to lead the C&E program
characteristics Staff the compliance team with individuals that possess relevant expertise
Perform background checks aimed at screening for compliance risk, tailored to the level of risk associated
with each position
Consider employee execution of and adherence to the requirements and expectations of the C&E program in
the preparation of performance evaluations
Appropriately tailor compliance training based on the compliance risks encountered for specific roles in the
organization
Perform risk-based due diligence on third parties

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 11

3. STRATEGY AND OBJECTIVE-SETTING
FOR COMPLIANCE RISKS

This section describes the application of the strategy and factors that can create new risks or change existing ones.
objective-setting component of the COSO ERM framework, and Some of the most important internal drivers of compliance
the following four principles associated with the management risk include changes in people, processes, and technology.
of compliance risks: Another driver of compliance risk is management pressure,
particularly when such pressure is not coupled with reminders
6 Analyzes business context regarding the expectation of compliance and appropriate
7 Defines risk appetite incentives to adhere to the C&E program. More broadly,
changes in organizational culture can arise from many factors
8 Evaluates alternative strategies and can affect compliance risk.
9 Formulates business objectives
External drivers of compliance risk also represent an important
Principle 6 — Analyzes business context element of context in identifying and managing compliance
Context is critical to understanding and managing risks. The most obvious external factors are those involving the
compliance risks. Business decision-making is one of the legal, regulatory, and enforcement landscape. For example,
drivers of compliance risk; decisions can create new risks, recent changes in data privacy and security laws have
change existing risks, or eliminate risks. Accordingly, the created entirely new compliance risks for some organizations.
identification of a compliance risk universe should consider External drivers also include competitive, economic, and other
the organization’s evolving strategy. The CCO should have factors that may directly or indirectly affect compliance risk.
an appropriate level of involvement in the strategy-setting External factors may be at a macro level (e.g., industrywide
process to enable the compliance function to be positioned competition, economic conditions) or at a micro level (e.g.,
to identify and develop plans to manage compliance risks that changes in local or regional laws and regulations).
emerge from changes in strategy. Likewise, the CCO should
be informed of sudden shifts in strategy that may occur as an Risk interdependencies may also affect how an organization
organization responds to changes in its environment. manages compliance risks. An organization’s responses to
other risks (e.g., strategic, financial) may affect compliance
Context for effective compliance risk management includes risk in a positive or adverse way.
consideration of other internal drivers of compliance risk —

Table 3.1 Analyzes business context
Key Consider and reflect organizational strategy in performing compliance risk assessments and managing
characteristics compliance risk
Consider how compliance risks are affected by internal changes, such as changes in people, structures,
processes, technology, etc.
Evaluate effects of external factors (e.g., competitive, economic, enforcement trends, environmental, political,
social forces) on compliance risks
Identify and consider risk interdependencies in the development of strategy
Give consideration to cultural and regional differences in legal frameworks based on locations where the
organization operates

coso.org
12 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Principle 7 — Defines risk appetite request for a bribe from a building inspector. Examining risk
For those not familiar with the term, appetite for compliance risk appetite with consideration for the full range of potential
often conjures up images of organizations willfully accepting consequences is an important element of compliance risk
known compliance violations. The very nature of compliance risk management.
means that a law may be violated that could result in financial
or nonfinancial consequences for the organization (e.g., fines, As noted in COSO’s May 2020 publication, Risk Appetite –
suspension or debarment, reputational damage). The level of Critical to Success: Using Risk Appetite to Thrive in a Changing
acceptance of compliance risk in the pursuit of business goals World, three of the inputs to risk appetite are as follows:
and objectives is a topic for discussion among management
and the board (being clear to point out that this discussion is not 1. Board and management perspectives on appetite
related to accepting known violations; it is about the realistic
assumption that it is impossible to eliminate the possibility of a 2. Understanding the existing risk profile
noncompliance event).
3. Organizational culture
As defined by COSO, risk appetite refers to the types and
amount of risk, on a broad level, that the organization is Board and management perspective on risk appetite should
willing to accept in pursuit of value. Neither appetite nor risk be framed, in part, on a consideration of the relationships
tolerance — the acceptable levels of variation in performance between compliance risk and the achievement of business
related to business objectives — is typically defined at the objectives. This can be achieved only if the board and
risk-specific level. management have a sufficient understanding of compliance
risk as a component of the organization’s overall risk profile.
Although neither appetite nor tolerance are expressed in Similarly, as noted earlier, maintaining a culture of compliance
terms of compliance risk, there may be separate risk-centric is an essential element of a C&E program and, therefore,
statements relating to individual compliance risk areas. More should be considered in developing an organization-wide
commonly, the potential impact of compliance risk on the appetite for risk in general.
achievement of business objectives should be considered in
relation to determining and stating risk appetite and tolerance. Understanding how much of a threat a compliance risk poses
As noted earlier, compliance with laws, regulations, and to the achievement of business objectives enables the CCO
other requirements should itself be considered as a business to effectively prioritize the deployment of preventive and
objective of the organization. detective resources. For example, if an organization has
determined that a particular category of compliance risk poses
A practical way of viewing compliance risk and its relationship a significant threat to the achievement of business objectives,
to risk appetite and tolerance is by viewing it at the business the organization may allocate greater resources to managing
unit or location level and by type of compliance risk. At the that risk. More attention may be devoted to auditing and
business unit (or functional) level, each group often has its own monitoring in this area, among other possible responses.
unique compliance risks, each with vastly different potential
consequences for violations. For example, an international Organizations must also recognize that they cannot
bribery violation may result in much more significant financial realistically eliminate all compliance risks or reduce the
penalties than a building code violation. likelihood of occurrence to zero. This is simply not possible. As
a result, engaging in discussions about risk appetite relating
Although a fire code violation may trigger only a rather to compliance risks is a valuable tool in prioritizing efforts
small fine, however, the potential consequences of a fire aimed at prevention and detection of specific compliance
code violation tragically resulting in the loss of life could be violations. Guidance from regulators is consistent with this
enormous. Seemingly immaterial compliance risks like this concept: expecting organizations to reduce and manage, not
building code violation could lead to other risks, such as a necessarily eliminate, compliance risk.

Table 3.2 Defines risk appetite
Key Consider compliance risk as part of the organization’s risk profile in determining risk appetite
characteristics Consider compliance risk by (1) type of risk (e.g., anti-bribery), (2) business unit or organizational function
(e.g., human resources), and (3) location or region
Determine and evaluate the relationships between compliance risks and the achievement of business
objectives
Discuss risk appetite on a regular basis and update as necessary based on changes in compliance risk
Consider developing specific risk-centric appetite statements associated with compliance risks in support of
organizational risk appetite and tolerance

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 13

Principle 8 — Evaluates alternative strategies mergers and acquisitions in order to understand the level of
The compliance function should be involved in strategy risk that may be inherited as a result of the transaction, as well
discussions from the standpoint of (1) understanding the as any C&E program integration needs and risks that may need
strategy so that the C&E program can be designed to to be addressed.
manage compliance risks appropriately and (2) advising
strategic decision makers about possible compliance risks Once strategy has been decided, the compliance function
associated with strategies under consideration. Compliance should identify and understand the implications for
risk assessment and management are most effective when the organization’s C&E program. Begin by identifying
the compliance function is fully informed prior to embarking and assessing compliance risks, as well as suggesting
on new strategic initiatives, enabling the C&E program to be modifications to internal controls aimed at mitigating
prepared to proactively address new or changing compliance compliance risk. Consider changes to training, monitoring, and
risks. The CCO should also play a role in developing new auditing plans for the C&E program, and the development of
compliance risk mitigation approaches in the context of key compliance metrics or performance indicators.
changing strategies and risk appetite, as well as assistance in
evaluating compliance risk issues associated with alternative As a strategy is being implemented, the organization may
strategies under consideration. continue to make changes to the strategy based on an
assessment of its successes and failures. This assessment
If strategic decisions made by an organization involve merger is another opportunity for the CCO to provide valuable input
or acquisition activities, it is important for compliance to be based on the C&E program’s monitoring and auditing activities,
involved early in the process so that appropriate due diligence which may have revealed a level of compliance risk that differs
focusing on compliance risks can be performed. This due from what was initially expected.
diligence is important to the decision-making process for

Table 3.3 Evaluates alternative strategies
Key Ensure that the CCO has a seat at the table in discussions of strategies
characteristics Solicit input and insight from the CCO regarding how strategy affects compliance risk
Perform risk-based due diligence on merger and acquisition targets prior to execution of the transaction
Consider implications of strategic decisions (including subsequent changes in strategy) in the design of the
C&E program

coso.org
14 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Principle 9 — Formulates business objectives objectives, but at a minimum, it is well informed of such
Linked to strategy, business objectives are measurable criteria objectives and the performance metrics that are used for
by which the organization and individual business units can individual evaluations.
be evaluated. Much like how adoption of strategy can affect
compliance risk, development of business objectives also Risk interactions should also be considered. As business
often creates or affects the likelihood of compliance violations. objectives and performance metrics change in one area of the
Additionally, complying with applicable laws, regulations, organization, compliance risks may be affected — either in the
contract terms, and other requirements should be considered same business unit or in other areas of the organization.
as its own business objective if compliance is not explicitly
addressed through other stated business objectives. Finally, just as performance metrics are an essential
characteristic for business units, the compliance function
Sometimes, performance metrics developed for business units itself should develop and monitor performance metrics. These
can inadvertently create incentives to violate compliance metrics address and measure how well the C&E program and
requirements. Take the simple example of a manufacturing infrastructure is working in practice across the organization,
facility whose personnel are incentivized by aggressive and its overall effectiveness. Examples of measurable metrics
new goals for increased production. This goal could lead — and key performance indicators (KPIs) — include such
to shortcuts in quality control and inspections, resulting in things as training completion rates, timeliness of responding
product safety violations if the production team views violating to issues, investigations, and implementing corrective action
these compliance requirements as an acceptable means of plans, volume, frequency, and types of issues reported through
achieving the new targets. The compliance function should be the organizations’ reporting mechanisms, culture survey
consulted as part of the establishment of business objectives, responses over time, and metrics from monitoring various
in much the same manner as described in Principle 8, to internal compliance controls such as vendor payments in
ensure that incentives are appropriately structured to minimize high-risk operating locations. Although not all areas of the
the promotion of bad behavior or that such incentives are C&E program are easy to objectively measure, the compliance
balanced with appropriate compliance incentives. Ideally, function should take steps to develop and monitor objective
compliance participates in the establishment of business metrics wherever possible.

Table 3.4 Formulates business objectives
Key Identify and evaluate compliance risks associated with planned business objectives
characteristics Consider establishing compliance as a separate business objective
Incorporate compliance risk management and accountability into performance measures and related
evaluations
Consider interactions between compliance and other risks based on changes in business objectives
Include objectively measured compliance metrics within business objectives, reflecting the management of
compliance risk and the effectiveness of C&E program implementation, and carrying appropriate weight in
incentive and other compensation decisions

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 15

4. PERFORMANCE FOR
COMPLIANCE RISKS

This section describes the application of the performance would be responsible for most, if not all, aspects of
component of the COSO ERM framework and the following compliance with those laws. As compliance programs have
five principles associated with the management of matured, they have moved to a more integrative, proactive
compliance risks: approach based not on a particular past crisis that the
organization wishes to avoid repeating, but on the systematic
10 Identifies risk assessment of the organization and its environment to
11 Assesses severity of risk identify current and future threats to compliance. This same
motive is what drives organizations to implement ERM.
12 Prioritizes risk
13 Implements risk responses Not all compliance threats will be considered priorities in
the ERM context. For example, of the 10 most significant
14 Develops portfolio view compliance risks identified by the C&E program, perhaps
only 2 or 3 of them will be among the 10 most important
For C&E programs to be effective, it is expected by identified by the ERM function at the organizational level,
regulators and others that organizations periodically after consolidating compliance risks with all other risks.
assess the potential threats of legal, regulatory, and policy Yet for the C&E program, these are important, because
noncompliance, as well as ethical misconduct, so that they can emerge as serious threats through their impact
the organization can take steps to manage these risks to on the compliance culture. Regulators expect a specific
acceptable levels. assessment of compliance risks as part of the C&E program.
This suggests that even when an organization has a mature,
Principle 10 — Identifies risk well-developed ERM program, the C&E program should
One of the most challenging tasks for the C&E program is supplement the organizational-level ERM and should strive
the identification of the myriad compliance risks faced by to identify and manage all compliance risks, regardless of
the organization. Organizations are subject to thousands of whether all are material at the enterprise level.
laws and regulations ranging from antitrust, privacy, fraud,
and intellectual property rights/obligations to local sales Developing a risk inventory for compliance risk is similar
tax, licensing requirements, and environmental standards. to the process of developing the ERM risk inventory. As
Further, these threats constantly change with new and illustrated in figure 4.1, there are a number of approaches
altered legal and regulatory requirements; with shifts in that can be taken, with some approaches being more
organizational strategies, such as a retailer entering the effective in identifying new and emerging risks.
business of health care services; and with the emergence of
new compliance risks as societal values evolve. To function For compliance risk identification, some approaches have
effectively, the C&E program needs to have processes in been found to be particularly useful. Many organizations
place to identify and track these various risks across the start with a risk inventory identified by similarly situated
organization. organizations or industry associations. This inventory needs
to be viewed as a starting place and should then be tailored
Historically, many organizations approached compliance to the organization, considering its unique operations.
with laws and regulations in silos, developing programs to Another often-used approach is to interview key employees
address specific issues where the organization or others to better understand operations and determine applicable
in the industry had encountered significant challenges. For laws and regulations that they deal with on a regular basis.
example, the business unit directly involved with the risk, As noted in figure 4.1, this method is effective at identifying
such as antitrust or environmental or money laundering, existing laws and regulations posing compliance risks and

coso.org
16 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

Figure 4.1 Approaches for Identifying Risks*
Types Cognitive Data Interviews Key Process Workshops
of Risk computing Tracking Indicators Analysis
Existing      

New    

Emerging    
Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance, Volume 1, p. 69

may provide an indicator of emerging risk, but it may not be compliance and ethical risks. Concerns specifically related
as effective at identifying new risks or changing enforcement to third-party risks include the following:
standards not yet apparent to employees. Surveys may also
be used to ask key managers to identify applicable laws and 1. The organization usually has a lessened ability to
regulations that they deal with regularly in their area.1 control or oversee the work of a third party than it
would with its own employees.
Regardless of the approaches taken, the variety and
complexity of compliance risks create the need for 2. Third parties often do not have as strong of an
operations managers and risk owners to be involved in the incentive to adhere to compliance and ethics
risk-identification process. One way of doing this is the expectations as employees do.
development of compliance committees at various levels in the
organization. Senior management and the board must also be 3. Third parties may operate in geographic areas that
involved by including the C&E program leadership in strategic are distant from the organization’s headquarters,
planning so they can understand the organization’s current sometimes with differing laws, norms, and customs.
and evolving strategies and the related compliance risk.
For these reasons, assessing risk involving third parties can
Information provided by regulators can also be helpful in be complicated, but risk assessments should be performed at
identifying new and emerging risk, because many of these the time a third party is engaged and periodically thereafter.
agencies issue alerts regarding where they see emerging The extent of each risk assessment, due diligence process,
risks and have compliance concerns. For example, the SEC and subsequent monitoring and auditing should consider the
Office of Compliance Inspections and Examinations issues role the third party plays, materiality, and other factors that
special risk alerts, and the HHS OIG publishes its work plan could affect the level of risk associated with each third party.
to alert organizations to areas considered to be high risk.
Not all compliance risks will rise to the entity level and
Further, compliance risk extends beyond the legal boundaries appear in the ERM risk register; however, the risk of
of the organization. Third-party contractors, suppliers, regulatory change would be included in such an entity-level
and partners in strategic alliances can pose significant inventory in most organizations.

Table 4.1 Identifies risk
Key Describe the compliance risk identification and assessment process in documented policies and procedures
characteristics Identify compliance risks associated with planned strategy and business objectives
Assess internal and external environments to identify risks
Create process for identifying new and emerging risks
Consider risks associated with use of third parties
Consider information gathered through hotlines, other reporting channels, and results of investigations.........

1 Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 21–25,
https://compliancecosmos.org/compliance-risk-assessments-introduction.

coso.org
 Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 17

Principle 11 — Assesses severity of risk prohibiting such payments or the controls around the
Severity of a compliance risk is usually assessed primarily on payments process. In theory, one would like the assessment
the basis of likelihood and impact. Other factors may also be to be made under the assumption of no controls at all being in
considered and will be explained later. place, but it is difficult for people to imagine such “no control”
situations. They usually make the assessment assuming
Likelihood is the probability that the risk could occur. In the “normal controls” or some sort of “minimal controls.” For
case of compliance, this means the probability of specific greater precision, some assessment methods break the
noncompliance with a law/regulation or ethical misconduct. likelihood assessment in two parts: one for likelihood or
Assessing the likelihood of compliance risk in most cases is frequency and the other for effectiveness of internal controls,
a subjective judgment. Despite being subjective, systematic as shown in figure 4.2. Some models may even consider
judgment can be made. One approach is to consider preventive and detective controls as two separate factors,
the frequency of noncompliance. Will the event (e.g., a with preventive controls being more relevant to likelihood or
salesperson making an illegal payment to a government frequency, and detective controls more likely affecting the
official to gain a contract) occur once a year or once every impact of an event based on the timeliness of detection.
five years? This judgment would be based on experience
or perhaps the organization’s historical data, if such data is In figure 4.2, the likelihood of occurrence is measured on
available. Another factor that enters into this assessment a five-point scale from “rare” to “almost certain.” Control
is the organizational context. Typically, the assessor makes assumptions and frequency are given descriptive anchors that
assumptions about controls in place, such as policies are then matched to the assessor’s beliefs.

Figure 4.2 Likelihood of Occurrence*
Scale Existing controls Frequency of noncompliance
5 No controls in place Expected to occur in most
Almost circumstances
No policies or procedures, no responsible person(s) identified, no training, no
certain management review More than once per year
4 Policies and procedures in place but neither mandated nor updated regularly Will probably occur
Likely Controls not tested or tested with unsatisfactory results At least once per year
Responsible person(s) identified
Some formal and informal (on-the-job) training
No management reviews
3 Policies mandated, but not updated regularly Might occur at some time
Possible Controls tested only occasionally, with mixed results At least once in 5 years
Responsible person(s) identified
Training is provided when needed
Occasional management reviews are performed, but not documented
2 Policies mandated and updated regularly Could occur at some time
Unlikely Controls tested with mostly positive results At least once in 10 years
Regular training provided to the identified responsible person(s), but not documented
Regular management reviews are performed, but not documented
1 Policies mandated and updated regularly May occur only in exceptional
Rare circumstances
Controls regularly tested with positive results
Less than once in 10 years
Regular mandatory training is provided to the identified responsible person(s), and the
training is documented
Regular management reviews are performed and documented
* Adapted from Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 30,
https://compliancecosmos.org/compliance-risk-assessments-introduction.

This approach is just one example. Every organization should compliance committee or by the C&E program staff with input
customize its scale and measurement methodology to fit from management. Once the scale is determined, it should be
its particular needs. This customization would be done by a applied consistently by the assessors.

coso.org
18 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework

The second component of risk severity is impact. Impact is the Operational — Potential disruption of business operations
result or effect of risk in terms of the organization’s strategy from plant shutdowns, suspensions, debarments, and loss
and business objectives. With compliance risk, one thinks of license
immediately of civil and criminal fines and penalties, and the
possible direct financial consequences of noncompliance. Reputation (image) — Effect of media coverage; damage
Another significant factor may be the reputational impact of to organization’s image/brand; and subsequent diminished
compliance and ethical issues. This and other consequences attractiveness to current and potential future employees,
(e.g., sanctions, suspension, and debarment) may have a business partners, vendors, and customers
material indirect financial impact, as well as an impact on
morale and other factors that are difficult to measure. Health and safety — Employee, patient, customer

Impact of noncompliance and ethical failures can be assessed Ability to pursue strategic goals — Prohibition to added
using a variety of measurement categories. new customers, loss of license

Legal — Consisting of civil and criminal fines and penalties Figure 4.3 illustrates how these categories might be used to
construct a scale for assessing the impact of compliance risks.
Financial — Internal and external costs associated
with investigating and remediation (e.g., legal fees,
consultants, investigators)

Figure 4.3 Impact of Compliance Risks
Scale Legal* Financial# Operational Reputation (Image)+ Health and Ability to
(Potential Safety* Pursue
Disruption)* Strategic Goals*
1 In compliance < $1 million < 1/2 day No press exposure No injuries Little or no
Insignificant impact
2 Civil violation with $1–$5 < 1 day Localized negative impact First aid Minor impact
Minor little/no fines million on reputation (such as a treatment
single large customer) but
recoverable
3 Significant civil $5–$25 1 day–1 week Negative media Medical Major impact
Serious fines/penalties million coverage in a treatment
specific U.S. region or a
foreign country
4 Serious violation, $25–$100 1 week–1 Negative U.S. national or Death or Significant
Disastrous criminal prosecution million month international media extensive impact
probable coverage (not front page) injuries
5 Significant violation, > $100 > 1 month Sustained U.S. national