6 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
About this Guidance

There are several target audiences for this publication, including the following:

1 Professionals such as risk managers, internal auditors, and others who are involved in applying an organization's ERM program to compliance risks.

2 Compliance professionals who are aiming to align their C&E program to, or integrate it with, an organization-wide ERM program.

3 The senior management team, to better understand compliance risk and the C&E program.

4 Members of the board of directors, to assist them in their oversight role.

When the USSG were developed, and as the elements of effective C&E programs have evolved, fitting the seven elements within the ERM framework was not a significant concern or objective. Indeed, much of this evolution occurred before the first ERM framework was published by COSO in 2004.

In the remaining portions of this guide, each of the 20 principles of the COSO ERM framework, depicted in figure 1.3, is mapped to the specific requirements and emerging practices of an effective C&E program. Section 2 starts with the governance and culture component and the related five principles. Sections 3 to 6 cover the other components and their related principles, respectively. In each, key steps are provided to implement and maintain an effective C&E program for each of the ERM principles.

[Figure: COSO Enterprise Risk Management infographic. Stages shown: Mission, Vision & Core Values; Strategy Development; Business Objective Formulation; Implementation & Performance; Enhanced Value]
Figure 1.3 Risk Management Components - The 20 principles

Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals

Strategy & Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View

Review & Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management

Information, Communication, & Reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance
Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance
An example of the application of the guidance provided in this publication to a specific compliance risk can be found at
corporatecompliance.org/coso.
Figure 1.4 Frequently used terms and abbreviations

The following terms and abbreviations are used frequently throughout this publication:

Board: The board of directors or, where appropriate, a board-level committee that has been delegated the responsibility for compliance oversight by the board of directors

C&E program: Compliance and ethics program

CCO: The chief compliance officer, chief compliance and ethics officer, or the equivalent title associated with the highest-ranking employee charged with oversight of the C&E program

Compliance committee: An internal committee composed of employees from various departments and functions within an organization whose mission is to advise, inform, and partner with the CCO in communicating and extending the compliance function throughout the organization's operations

Compliance risk: The possibility that violations of applicable laws, regulations, contractual terms, standards, or internal policies will occur and have a negative financial or nonfinancial impact on the organization

DOJ: The United States Department of Justice

USSG: The United States Federal Sentencing Guidelines