Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework   |    7

2. GOVERNANCE AND CULTURE FOR COMPLIANCE RISKS

This section describes the application of the governance and culture component of the COSO ERM framework to the management of compliance risks. The COSO framework describes the following five principles that underlie this component:

1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals

Principle 1 – Exercises board risk oversight

The board of directors is responsible for oversight of the organization's C&E program, and management is responsible for the design and operation of the program. The expectation of board oversight is reinforced in C&E program standards that have been promulgated in several countries. For instance, the USSG § 8B2.1(b)(2)(A)-(C) state that a company's "governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight."

Given the possible complexity of an organization's C&E program, it is often advisable for the board to delegate responsibility for this oversight to a board-level standing committee, much like audit oversight is commonly delegated to an audit committee. This enables a committee to devote sufficient time to oversight — time that may be unavailable for the entire board. As noted earlier, the term "board" is used in reference to either the board of directors or a board-level committee that has oversight responsibility for the C&E program.

For oversight to be exercised properly, there must be an open and direct line of communication between the CCO and the board. This communication should include regularly scheduled, periodic meetings, including sessions in which the board meets privately with the CCO without other members of senior management present.

Having compliance expertise on the board can be extremely valuable and can enhance oversight of the program. Ideally, this expertise comes from industry-specific experience with relevant compliance issues as well as experience developing and managing effective compliance programs.

The board should also ensure there is an effective compliance oversight infrastructure in place to support the C&E program, to include adequate staffing and resources, as well as appropriate authority and empowerment to achieve the objectives of the program. This infrastructure may also include an internal compliance committee. Often, an internal compliance committee composed of individuals from key functions or business units is an effective way for the CCO to maintain open lines of communication, to facilitate timely awareness of emerging compliance risk areas, and to obtain important input and buy-in on how to mitigate and address risks.

Table 2.1  Exercises board risk oversight

Key characteristics:
• Require the board to oversee compliance risk management and the C&E program, including the approval of its charter
• Ensure that the board is knowledgeable of and demonstrates oversight of the C&E program (regular part of agendas, monitors compliance metrics, holds regular executive sessions with the CCO and others)
• Require that the board includes a member who possesses compliance expertise
• Document evidence of board oversight of the C&E program in minutes
• Provide input on or approve the appointment, dismissal, or reassignment of the CCO, and ensure the CCO's independence
• Ensure that sufficient resources are provided for the C&E program
• Receive regular reports from the CCO
• Ensure that the board is informed about material investigations and remediation efforts and provides input