Page 52 - COSO Guidance
12 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
Principle 7 — Defines risk appetite

For those not familiar with the term, appetite for compliance risk often conjures up images of organizations willfully accepting known compliance violations. The very nature of compliance risk means that a law may be violated that could result in financial or nonfinancial consequences for the organization (e.g., fines, suspension or debarment, reputational damage). The level of acceptance of compliance risk in the pursuit of business goals and objectives is a topic for discussion among management and the board (being clear to point out that this discussion is not related to accepting known violations; it is about the realistic assumption that it is impossible to eliminate the possibility of a noncompliance event).

As defined by COSO, risk appetite refers to the types and amount of risk, on a broad level, that the organization is willing to accept in pursuit of value. Neither appetite nor risk tolerance — the acceptable levels of variation in performance related to business objectives — is typically defined at the risk-specific level.

Although neither appetite nor tolerance is expressed in terms of compliance risk, there may be separate risk-centric statements relating to individual compliance risk areas. More commonly, the potential impact of compliance risk on the achievement of business objectives should be considered in relation to determining and stating risk appetite and tolerance. As noted earlier, compliance with laws, regulations, and other requirements should itself be considered as a business objective of the organization.

A practical way of viewing compliance risk and its relationship to risk appetite and tolerance is by viewing it at the business unit or location level and by type of compliance risk. At the business unit (or functional) level, each group often has its own unique compliance risks, each with vastly different potential consequences for violations. For example, an international bribery violation may result in much more significant financial penalties than a building code violation.

Although a fire code violation may trigger only a rather small fine, the potential consequences of a fire code violation tragically resulting in the loss of life could be enormous. Seemingly immaterial compliance risks like this building code violation could lead to other risks, such as a request for a bribe from a building inspector. Examining risk appetite for compliance risk with consideration for the full range of potential consequences is an important element of compliance risk management.

As noted in COSO’s May 2020 publication, Risk Appetite – Critical to Success: Using Risk Appetite to Thrive in a Changing World, three of the inputs to risk appetite are as follows:

1. Board and management perspectives on appetite
2. Understanding the existing risk profile
3. Organizational culture

Board and management perspective on risk appetite should be framed, in part, on a consideration of the relationships between compliance risk and the achievement of business objectives. This can be achieved only if the board and management have a sufficient understanding of compliance risk as a component of the organization’s overall risk profile. Similarly, as noted earlier, maintaining a culture of compliance is an essential element of a C&E program and, therefore, should be considered in developing an organization-wide appetite for risk in general.

Understanding how much of a threat a compliance risk poses to the achievement of business objectives enables the CCO to effectively prioritize the deployment of preventive and detective resources. For example, if an organization has determined that a particular category of compliance risk poses a significant threat to the achievement of business objectives, the organization may allocate greater resources to managing that risk. More attention may be devoted to auditing and monitoring in this area, among other possible responses.

Organizations must also recognize that they cannot realistically eliminate all compliance risks or reduce the likelihood of occurrence to zero. This is simply not possible. As a result, engaging in discussions about risk appetite relating to compliance risks is a valuable tool in prioritizing efforts aimed at prevention and detection of specific compliance violations. Guidance from regulators is consistent with this concept: expecting organizations to reduce and manage, not necessarily eliminate, compliance risk.
Table 3.2 Defines risk appetite

Key characteristics:
• Consider compliance risk as part of the organization’s risk profile in determining risk appetite
• Consider compliance risk by (1) type of risk (e.g., anti-bribery), (2) business unit or organizational function (e.g., human resources), and (3) location or region
• Determine and evaluate the relationships between compliance risks and the achievement of business objectives
• Discuss risk appetite on a regular basis and update as necessary based on changes in compliance risk
• Consider developing specific risk-centric appetite statements associated with compliance risks in support of organizational risk appetite and tolerance

coso.org