32 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
¶8B2.1, subsection (c) follows by stating:

In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

This final provision requiring periodic compliance risk assessments and continuous improvement of the C&E program, which was added in 2004, is often referred to as the eighth element of a C&E program.

All seven elements of a C&E program, along with periodic risk assessments and ongoing program improvement, must be in place and functioning well in order for the program to be considered effective. It should be noted that the USSG, which set forth the seven elements, are guidelines for federal judges, but they may be much more than “guidelines” for organizations. The word “shall” appears 17 times in connection with the elements, and many believe the guidelines represent the minimum standards for building an effective C&E program, at least for U.S. organizations and others operating in the U.S., as well as U.S.-based multinational companies.

This appendix is devoted to an overview of each of these elements, forming the basis for understanding the guidance on its application to ERM found in earlier sections of this publication.

Standards and procedures

Standards of conduct demonstrate an organization’s commitment to an ethical workplace and a culture of compliance with laws and regulations. This begins with a code of business conduct and ethics. The code should be designed to apply to all employees, management, and the board. The code is supported by many policies and procedures. A code should also apply to certain third parties, such as vendors and suppliers, although this code is often different and more abbreviated than the code that applies to employees.

Two types of policies and procedures are essential to a C&E program: structural and substantive. Structural policies create the framework for how the program operates. Substantive policies address the organization’s positions on the key laws, regulations, and standards that apply to its business activities.

Examples of structural policies and procedures are those that define the roles and responsibilities of the compliance officer, compliance committee, and the board; methods for reporting suspected wrongdoing; processes used for auditing and monitoring; investigative responsibilities and procedures; and many others.

Substantive policies focus on preventing and detecting specific compliance violations (e.g., bribery, false claims, antitrust, environmental, record retention) by communicating the organization’s expectations for employee behavior in connection with individual risk areas.

Governance, oversight, and authority

The compliance and ethics function should be subject to effective oversight at the board, management, and compliance officer level.

The board has a clear responsibility to ensure that an effective C&E program is in place and to provide adequate oversight of the program by being knowledgeable about the content and operation of the program. The board must also ensure that the CCO is positioned at a senior level within the organization and has adequate resources and authority to effectively manage the program.

In some instances, compliance oversight at the board level is delegated to a committee, such as an audit or compliance committee. In other cases, compliance oversight is handled by the board as a whole. Either way, the CCO should have a reporting relationship with the board or a committee of the board, even if there is also a reporting line to another executive position, such as to the CEO.

In this respect, the compliance function is similar to an internal audit function, where independence and autonomy are important. From a day-to-day operational standpoint, the top compliance professional may report to another member of the senior management team, but there should always be a direct reporting line to the board as well so that the compliance officer can have candid discussions without interference from other members of management.

Although the board provides oversight, management is responsible for executing the program — ensuring that employees complete training, report concerns, fix problems, or perform work activities consistent with program requirements. The USSG recognized that it is ultimately management that is responsible for ensuring the program is effective.

The CCO has day-to-day responsibility for operating the C&E program and must have the necessary resources and access to information to operate the program. Sufficiency of resources was added to the list of factors the DOJ considers when evaluating compliance programs in the June 2020 revision to its Evaluation of Corporate Compliance Programs guidance.

There may also be an internal compliance committee, with representatives from major functional areas and/or operating divisions. Although the CCO may be the most visible leader of a C&E program, an internal compliance committee can be a very effective method of program management, ensuring that