Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 5
ERM is different than, but related to, internal controls. ERM incorporates some of the concepts of internal control. In fact, implementation of internal controls is the most common approach to reducing risk. But ERM also includes certain concepts that are not considered within internal control. For example, concepts of risk appetite, tolerance, strategy, and business objectives are set within ERM, but are viewed as preconditions of internal control. ERM is more closely aligned with strategy than internal control.

An important aspect of ERM is its focus on creating, preserving, and realizing value. The C&E program supports each of these three goals. An effective C&E program allows an organization to more confidently pursue new value creation opportunities. Further, value that has been created by an organization can quickly become impaired when accompanied by violations of laws or regulations. An effective C&E program can preserve this value and enable an organization to fully realize it.

Accordingly, the management of compliance risk is an important element of both the internal control and the broader ERM functions and processes of an organization.

The scope and positioning of the compliance function in an organization

As noted earlier, compliance risk generally involves the risk of violations of laws and regulations, but it may also address contract provisions, professional standards, organizational policy, and ethics matters. The laws and regulations that fall within the scope of a compliance program, however, can vary by industry and from organization to organization. For example, risk of violating the Foreign Corrupt Practices Act may fall clearly within the scope of a company’s C&E program. But compliance with accounting standards required in filings with the U.S. Securities and Exchange Commission may be addressed within the accounting and finance functions and may be considered outside the scope of the C&E program. Human resources and employment law risks may be managed entirely within the human resources function, or the compliance function may also participate in managing these risks.

There is not a universally accepted definition for the scope of an organization’s C&E program. It can vary from one organization to another. As a result, compliance with some laws and regulations may be primarily subject to the oversight of others, although the compliance function should always be prepared to serve an overarching role or to step in to assist or address issues if the others are unable or unwilling to properly manage the risk.

Another difference among organizations may involve where the compliance function “sits” within the organization. Although a C&E program is organization-wide, involving employees and managers from all functional areas, the compliance function, consisting of a dedicated team of compliance and ethics professionals, may be positioned in a variety of locations within an organization chart. In most organizations, it is an independent function, and this is considered the best practice. In others, it may be a part of, or report to, legal, internal audit, risk management, or another function. Regardless of where the compliance function is positioned on an organization chart, communication and collaboration with each of the preceding functions are essential to the success of a C&E program.

Likewise, ethics may be considered a function apart from compliance. In many organizations, however, compliance and ethics fall under a compliance and ethics officer.

It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels. The compliance function leads the development of the C&E program, but it is ultimately management’s job to execute the program and for the board to provide oversight. The role of the compliance and ethics officer is to help management understand the risks; lead the development of the program to mitigate and manage those risks; evaluate how well the program is being executed; and report to leadership on gaps in coverage, execution, or material instances of noncompliance, including those by senior leaders.

In summary, management of compliance risk can be performed effectively under a variety of structural models. This publication provides guidance on the design and operation of an effective C&E program regardless of the organizational structure or how responsibilities are allocated.