Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 29
Principle 20 — Reports on risk, culture, and performance

Closely related to the communication of risk information is reporting on risk, culture, and performance associated with compliance-related risks. The stakeholders for this reporting include the board of directors, any board-level committee delegated the responsibility of compliance risk oversight (if one exists), the senior executive team, any internal compliance committee (if one exists), and appropriate managers/heads of departments or functions within the organization. Reporting to these groups should be tailored to the unique needs and responsibilities of each, as should the frequency of reporting.

For example, reporting to the board should focus on what is needed for the effective oversight of the entire C&E program — information about the risk assessment process, identification of the most material risks and actions being taken in response to those risks, meaningful compliance metrics addressing both the structural and substantive performance of the program, information about compliance-related investigations, resource allocations and needs, etc. Reporting to the board should also periodically address culture as it pertains to compliance and ethics. Culture can be a difficult area to assess; however, efforts should be made to provide the board with some perspective and trends on organizational culture associated with compliance and ethics. This may be accomplished through employee surveys; data associated with culture; and other less formal methods, such as interviews and focus groups.

As reports are designed for each level in the organization chart, the information included should be more granular and customized to the needs of each layer. By the time the reporting gets to the department head/manager level, information should focus on what is needed to manage compliance risk in that area, although periodic reporting on organization-wide risk may provide helpful context.

Reports on compliance risk management should address externally generated risks as well as those that result from the internal risk universe (e.g., employee acts). Third-party risk management is an important element of a C&E program. Accordingly, reports should be prepared and distributed to appropriate stakeholders on the status of third-party suppliers, sales agents, and others who could create risk for the organization. These reports should focus on the results of third-party due diligence efforts in the selection or continued use of vendors and other third parties, site visits, auditing and monitoring procedures, training provided to third parties, and any other matter associated with managing this area of risk.

One final aspect of reporting that is critical to C&E program effectiveness is documentation. Typically, documentation involving investigations is maintained and reviewed only by the compliance, legal, and/or investigations team. It is crucial to properly handle, preserve, and maintain these materials and records in the event of legal action or government inquiry. Each compliance-related investigation should be well documented, include a timeline of events and key steps/actions taken along the way, and summarize any remedial steps. Whether a formal case management software tool is used or something simpler is utilized, maintaining this record is an important part of a C&E program. From these records, useful reports can be generated that provide insight into the needs and effectiveness of the investigations element of compliance risk management.
Table 6.3 Reports on risk, culture, and performance

Key characteristics:
• Provide periodic reports on compliance and ethics risk assessments and related remediation efforts tailored to key stakeholder needs
• Develop and report on meaningful operational and substantive metrics associated with the effectiveness of the C&E program
• Provide managers with reports on completion and results of training of their direct reports
• Use a case management and reporting system for investigations and outcomes
• Establish and follow a policy that clearly articulates the nature of reporting on all significant remediation efforts
coso.org