Page 61 - COSO Guidance
Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework   |    21
Principle 14 — Develops portfolio view

It is important to recognize the interrelationship among compliance risks, as well as the relationships between compliance risks and other organizational risks. These interactions can be an important consideration in both the assessment of risk and the design and implementation of risk responses. This consideration can also lead to the identification of certain drivers of risk — factors that do not necessarily create a new risk, but that can increase the likelihood of one risk event as a result of some other action or event.

Here is a simple illustration: enhanced internal controls aimed at reducing the risk of a compliance violation could increase the risk of delays in certain operational or production processes. This concern would be amplified if the production team had also identified slowness in its processes as a risk requiring a response. The two risk responses could potentially conflict with each other unless a portfolio view is taken in connection with both identifying and mitigating risk.

If risks are managed in isolation without consideration of other risks, inefficiencies — and possibly conflicts — can occur. For this reason, viewing risks as part of an organization-wide portfolio of risks is essential.

Another consideration in developing a portfolio view is the extent to which compliance risks increase or decrease in severity as they are progressively consolidated to higher levels within the organization. A compliance risk that at first appears to be significant at a business unit level may be rather minor by the time it is consolidated with other risks and rolled up to a higher level within the organization. Conversely, compliance risks that are minor in isolation may become much greater when consolidated with other seemingly minor risks.

Table 4.5  Develops portfolio view

Key characteristics:
  • Consider risk interactions (i.e., how mitigating a compliance risk can affect other risks)
  • Consider interactions of compliance risk responses with other risk responses
  • Integrate compliance risk management with ERM
  • Have regular meetings/communications between compliance and business units
