
Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework   |    35




auditing and monitoring activities or even outside parties (e.g., customers, competitors, suppliers). Regardless of what event triggered the concern, an investigation should be prompt, thorough, and independent of the affected function or person, and it should be performed in accordance with written policies and procedures. Case files or other documentation should be maintained and protected to ensure the integrity of each investigation. Investigations are described further in the section on responding to wrongdoing.

It is important to note that the investigation and resolution of allegations are not the only goals of these reporting mechanisms. An equally important goal is the feedback provided on the C&E program’s performance so that the program can be improved. This requires tracking and analysis of the trends in issues being reported and the areas where guidance is being sought so that appropriate steps can be taken to increase the C&E program’s effectiveness.

Incentives and enforcement

Noncompliance can be entirely unintentional — often the result of ineffective controls, ineffective training or new employee orientation, misunderstanding of procedures, a deteriorating culture, or simply carelessness. A natural deterioration in processes and internal controls occurs over time, unless the processes or internal controls are consistently enforced. Noncompliance can also be intentional — carried out by employees who know they are violating organization policies and who may understand that they are violating laws and regulations in the process.

The USSG require the use of incentives and similar tools to promote consistent participation in and/or execution of the C&E program. Just as boards and executives use financial and recognition incentives to promote sales, safety outcomes, customer or employee satisfaction, and other strategic goals, the USSG state that incentives should be a component of an organization’s compliance efforts. Incentives can be particularly effective in motivating leaders to embrace and execute on the compliance program but can also be used effectively at all levels in the organization. Incentives can be financial or nonfinancial in nature and can be effectively integrated with an organization’s performance management system.

In its explanation of enforcement, the USSG recommend appropriate consequences for ignoring compliance obligations or violations of law or policy. Such discipline should consider whether acts of noncompliance, or the failure to act, were intentional or unintentional, as well as the severity of the noncompliance. The organization should provide for a range of potential disciplinary actions, from verbal and written warnings up to termination of employment.

Organizational justice is critical to the success of a C&E program. Accordingly, enforcement and discipline must be consistent across all levels of the organization, perhaps most importantly at the highest levels. If the noncompliance of a highly successful salesperson, an executive, or an influential employee is tolerated while another employee is disciplined for the same violation, the C&E program’s credibility will be undermined, and the organization’s culture can be harmed.

As with all elements of a C&E program, discipline should always consider the local/regional legal environment, as well as contractual or labor union provisions.

In connection with incentives and enforcement involving vendors, suppliers, and other third parties that may create liability, the organization should ensure that there are appropriately tailored contract provisions imposing relevant compliance obligations and addressing the consequences of noncompliance, including penalty provisions and contract termination clauses.

Response to wrongdoing

No C&E program guarantees a lifetime of compliance for an organization. If an organization is around long enough or is large enough, noncompliance is inevitable regardless of how effective the program is.

What an organization does in response to noncompliance is an important factor that distinguishes effective programs from ineffective programs. There are two key aspects of responding to wrongdoing: investigating and remediating.

A compliance investigation must be prompt and thorough, fair to all parties, and conducted by individuals who are independent from the subjects and not otherwise conflicted. Other key considerations in conducting a compliance investigation include the following:

1. Notifications — Who should be informed about the investigation (e.g., leaders, legal, outside parties)?
2. Expertise — Does the organization have all the expertise needed to conduct the investigation, or should outside assistance be brought in?
3. Involvement of compliance — Regardless of whether the compliance officer is conducting the investigation, the compliance officer should be informed and involved along the way.
4. Documentation — Collect, protect, and preserve evidence and other documentation gathered as part of an investigation.
5. Oversight and management — The larger the investigation, the more important it is to establish an appropriate chain of command (including the involvement of legal counsel where appropriate), for all parties involved to have their work overseen and reviewed, and for the scope of the investigation to be well managed.




coso.org