Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 31
APPENDIX 1.
Elements of an Effective Compliance and Ethics Program
Introduction

The seven elements of an effective compliance and ethics program are described in the U.S. Federal Sentencing Guidelines (USSG), ¶8B2.1, subsection (b) as follows:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
(B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

(5) The organization shall take reasonable steps—
(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.
coso.org