Page 50 - COSO Guidance Book

10    |   Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework




Principle 5 — Attracts, develops, and retains capable individuals

An effective compliance function should be led by a CCO with appropriate experience and qualifications. The specifics of prior experience and other qualifications can vary based on the nature of the organization, its industry, and many other factors.

Throughout the entire organization, hiring individuals who respect compliance and make business decisions in an ethical manner is vital to the management of compliance risks. Indeed, being perceived as an organization that is committed to compliance and ethics helps companies attract and retain good people.

The USSG, which established the framework for what has become the global standard for C&E programs, state that an “organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.” As such, organizations should perform background checks appropriate to the responsibilities of the position and in compliance with relevant employment laws. The CCO may collaborate with human resources and others to identify positions considered to involve “substantial authority”— those that could create compliance risk for the organization.

The COSO ERM framework indicates that performance evaluation and the establishment of appropriate incentives are two important ingredients for developing and retaining individuals. These tools are critical for the management of compliance risks as well. The Department of Justice (DOJ) notes that a “hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.”

Just as training on a code of conduct and broad ethical issues helps to define an organization’s desired culture (Principle 3), training on specific compliance risk topics further develops individuals’ abilities to effectively recognize and manage compliance risks. Furthermore, the compliance team itself should continue to be developed with training on emerging practices for managing a C&E program and changes in the legal/regulatory environment.

In recent years, numerous compliance issues have been triggered by third parties (nonemployees), especially those that play integral roles in connection with supply chains, sales, delivery, and other key functions. Accordingly, the due diligence concepts described in this section should also be applied when engaging third parties to carry out activities on behalf of the organization (e.g., suppliers, sales agents, outsourcing partners), based on the level of compliance risk associated with each third party. The degree of background checking, other due diligence, and compliance-related performance measures should vary based on the assessed level of risk, and due diligence should be repeated periodically as part of maintaining ongoing relationships with high-risk third parties. Due diligence in engaging with certain third parties, as well as ongoing training and monitoring of compliance performance of third parties, have become expected by regulators and are integral elements of this principle.

Table 2.5  Attracts, develops, and retains capable individuals

Key characteristics:
  • Hire and retain a CCO with appropriate experience/expertise to lead the C&E program
  • Staff the compliance team with individuals that possess relevant expertise
  • Perform background checks aimed at screening for compliance risk, tailored to the level of risk associated with each position
  • Consider employee execution of and adherence to the requirements and expectations of the C&E program in the preparation of performance evaluations
  • Appropriately tailor compliance training based on the compliance risks encountered for specific roles in the organization
  • Perform risk-based due diligence on third parties

coso.org