Page 42 - COSO Guidance
2 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
both an early step in developing the program and an ongoing exercise as the risk landscape changes, and input from compliance, legal, senior leaders, and the board are considered.

Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).

Most noncompliance stems from actions taken by insiders – employees, management, or members of an organization’s board of directors. Increasingly, risks also result from contractors and other third parties whose actions affect an organization. The most common examples involve vendors in an organization’s supply chain (e.g., when a supplier of Egyptian cotton bedding for several major retailers was found to be using a lesser grade of cotton that was not from Egypt, the retailers incurred significant liabilities to their customers) or third parties involved in the sales cycle (e.g., intermediaries that may pay bribes to government officials in order to obtain lucrative contracts for an organization).

A final consideration in determining the scope of a program is the potential for inherited risks resulting from merger and acquisition (M&A) activity. As M&A transactions take place, the universe of compliance risks to which an organization is exposed can change drastically and instantly. These risks may relate to events that took place prior to the merger or may simply result from unique risks faced by the merged entity that the acquiror had not previously faced.

The evolution of compliance and ethics programs

Although compliance with laws and regulations has been an expectation for many years, compliance and ethics as a profession and as a distinct function in organizations is a relatively recent development. It stems from the equally recent emergence of the C&E program as a valuable and frequently required element of organizational management.

A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.

The current U.S. Federal Sentencing Guidelines (USSG) identify the following seven elements of an effective C&E program:

1 Standards and procedures
2 Governance, oversight, and authority
3 Due diligence in delegation of authority
4 Communication and training
5 Monitoring, auditing, and reporting systems
6 Incentives and enforcement
7 Response to wrongdoing

Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs. This two-part requirement has often been referred to as the eighth element of an effective program. Each of these elements is explained in greater detail in Appendix 1.

The USSG also state that organizations should promote a culture that encourages ethical conduct and a commitment to compliance with the law. This acknowledgment that organizational culture and business ethics play integral roles in compliance risk management is one of the factors that led to the common use of the term “compliance and ethics program” or “C&E program”.

The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws. In criminal cases involving noncompliance with laws, an organization’s penalty can be decreased significantly from a base amount determined, in part, on the existence of an effective C&E program. Developing case law related to the guidelines has added further weight to the importance of C&E programs, particularly in highly regulated entities, with courts concluding that the failure to implement an effective C&E program may represent a breach of fiduciary duty. Additionally, guidance issued by the U.S. Department of Justice and other agencies has emphasized the importance of C&E programs.

Although the USSG don’t require organizations to have C&E programs, individual government agencies sometimes do. For example, certain healthcare organizations must have compliance programs as a condition for eligibility to participate in Medicare, and the Federal Acquisition Regulations require certain government contractors to have compliance programs.
coso.org