14 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
Principle 9 — Formulates business objectives

Linked to strategy, business objectives are measurable criteria by which the organization and individual business units can be evaluated. Much like how adoption of strategy can affect compliance risk, development of business objectives also often creates or affects the likelihood of compliance violations. Additionally, complying with applicable laws, regulations, contract terms, and other requirements should be considered as its own business objective if compliance is not explicitly addressed through other stated business objectives.

Sometimes, performance metrics developed for business units can inadvertently create incentives to violate compliance requirements. Take the simple example of a manufacturing facility whose personnel are incentivized by aggressive new goals for increased production. This goal could lead to shortcuts in quality control and inspections, resulting in product safety violations if the production team views violating these compliance requirements as an acceptable means of achieving the new targets. The compliance function should be consulted as part of the establishment of business objectives, in much the same manner as described in Principle 8, to ensure that incentives are appropriately structured to minimize the promotion of bad behavior or that such incentives are balanced with appropriate compliance incentives. Ideally, compliance participates in the establishment of business objectives, but at a minimum, it is well informed of such objectives and the performance metrics that are used for individual evaluations.

Risk interactions should also be considered. As business objectives and performance metrics change in one area of the organization, compliance risks may be affected — either in the same business unit or in other areas of the organization.

Finally, just as performance metrics are an essential characteristic for business units, the compliance function itself should develop and monitor performance metrics. These metrics address and measure how well the C&E program and infrastructure are working in practice across the organization, and their overall effectiveness. Examples of measurable metrics — and key performance indicators (KPIs) — include such things as training completion rates; timeliness of responding to issues, conducting investigations, and implementing corrective action plans; volume, frequency, and types of issues reported through the organization’s reporting mechanisms; culture survey responses over time; and metrics from monitoring various internal compliance controls, such as vendor payments in high-risk operating locations. Although not all areas of the C&E program are easy to objectively measure, the compliance function should take steps to develop and monitor objective metrics wherever possible.
Table 3.4 Formulates business objectives

Key characteristics:
• Identify and evaluate compliance risks associated with planned business objectives
• Consider establishing compliance as a separate business objective
• Incorporate compliance risk management and accountability into performance measures and related evaluations
• Consider interactions between compliance and other risks based on changes in business objectives
• Include objectively measured compliance metrics within business objectives, reflecting the management of compliance risk and the effectiveness of C&E program implementation, and carrying appropriate weight in incentive and other compensation decisions
coso.org