
Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 9




Communication and training are also important tools for promoting an ethical culture, because each reinforces an overall mindset of compliance and integrity, while also improving awareness of key compliance issues. Accordingly, training should include periodic discussion of the code of conduct, but it should also include training on specific compliance issues tailored to individual groups of employees exposed to these risks in connection with their work.

Table 2.3  Defines desired culture

Key characteristics:
  • Ensure that the board is knowledgeable of and approves a code of conduct/ethics and other key compliance policies
  • Explain expectations relating to ethics and compliance in a code of conduct/ethics
  • Provide and require training on the code of conduct and on ethical decision-making for all staff (including board members)
  • Perform ongoing monitoring or assessment of organizational culture
  • Develop objectively measurable compliance metrics tied to performance evaluations and compensation, where appropriate
  • Adopt meaningful incentives to promote consistent execution of the C&E program
  • Include references to organizational values, expectations, and importance of ethics in communications from leadership

Principle 4 — Demonstrates commitment to core values

Commitment to core values should be represented in a value statement or other set of guiding principles that demonstrates a commitment to compliance and ethical business conduct. Increasingly, studies show a correlation between ethical culture and organizational performance, consistent with ERM’s goal of creating value.

The tone from the top plays an important role in managing compliance risks. The tone set by the executive team must set an example of compliance and ethical behavior. This commitment must cascade throughout the organization, thus the term tone “from” the top rather than tone “at” the top. Each layer of leaders within an organization — the supervisors and managers of others — must communicate and pass this tone on to the next level.

Commitment to compliance and ethics, however, requires much more than setting the tone. Employees should be held accountable for their individual roles in managing compliance risks, and this should be reflected in job descriptions, performance evaluations, and incentives.

When allegations of noncompliance or unethical behavior emerge, they must be taken seriously. This means that individuals should be required to report wrongdoing and have multiple avenues for reporting. Once an allegation is received, sound investigative protocols should be followed in a timely manner to assess the credibility of the allegation. In addition, individuals who report concerns about wrongdoing must feel safe speaking up and be protected from retaliation in order for this system to operate effectively.

If wrongdoing is confirmed through the investigative process, disciplinary action should be taken in a degree that is appropriate to the level of wrongdoing. Discipline should be consistent based on the nature of the wrongdoing, without regard to the individual’s level on the organization chart or level of influence within the organization.

Table 2.4  Demonstrates a commitment to core values

Key characteristics:
  • Actively promote a culture of compliance risk awareness, including setting an ethical and compliant tone by leadership
  • Balance business incentives with material compliance incentives
  • Incorporate accountability for the management of (1) compliance risks and (2) compliance program implementation into employee performance measurement, promotions, and incentive programs, particularly at senior levels
  • Protect those who report suspected wrongdoing, with zero tolerance for retaliation
  • Take allegations of wrongdoing seriously and investigate in a timely manner
  • Promote organizational justice, including accountability for wrongdoing, fairness and consistency in discipline, and fairness in promotions
  • Communicate lessons learned from compliance and ethics failures across the organization in appropriate detail








coso.org