Page 53 - COSO Guidance Book

Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 13




Principle 8 — Evaluates alternative strategies

The compliance function should be involved in strategy discussions from the standpoint of (1) understanding the strategy so that the C&E program can be designed to manage compliance risks appropriately and (2) advising strategic decision makers about possible compliance risks associated with strategies under consideration. Compliance risk assessment and management are most effective when the compliance function is fully informed prior to embarking on new strategic initiatives, enabling the C&E program to be prepared to proactively address new or changing compliance risks. The CCO should also play a role in developing new compliance risk mitigation approaches in the context of changing strategies and risk appetite, as well as in evaluating compliance risk issues associated with alternative strategies under consideration.

If strategic decisions made by an organization involve merger or acquisition activities, it is important for compliance to be involved early in the process so that appropriate due diligence focusing on compliance risks can be performed. This due diligence is important to the decision-making process for mergers and acquisitions in order to understand the level of risk that may be inherited as a result of the transaction, as well as any C&E program integration needs and risks that may need to be addressed.

Once strategy has been decided, the compliance function should identify and understand the implications for the organization’s C&E program. Begin by identifying and assessing compliance risks, as well as suggesting modifications to internal controls aimed at mitigating compliance risk. Consider changes to training, monitoring, and auditing plans for the C&E program, and the development of key compliance metrics or performance indicators.

As a strategy is being implemented, the organization may continue to make changes to the strategy based on an assessment of its successes and failures. This assessment is another opportunity for the CCO to provide valuable input based on the C&E program’s monitoring and auditing activities, which may have revealed a level of compliance risk that differs from what was initially expected.

Table 3.3  Evaluates alternative strategies

Key characteristics
• Ensure that the CCO has a seat at the table in discussions of strategies
• Solicit input and insight from the CCO regarding how strategy affects compliance risk
• Perform risk-based due diligence on merger and acquisition targets prior to execution of the transaction
• Consider implications of strategic decisions (including subsequent changes in strategy) in the design of the C&E program

coso.org