Page 56 - COSO Guidance Book
16 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
Figure 4.1 Approaches for Identifying Risks*

[Figure: a matrix mapping risk-identification approaches (Cognitive computing, Data tracking, Interviews, Key indicators, Process analysis, Workshops) against types of risk (Existing, New, Emerging). The cell markings showing which approach suits which type of risk are not recoverable from the extracted text.]

Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance, Volume 1, p. 69
may provide an indicator of emerging risk, but it may not be as effective at identifying new risks or changing enforcement standards not yet apparent to employees. Surveys may also be used to ask key managers to identify the applicable laws and regulations that they deal with regularly in their area.¹

Regardless of the approaches taken, the variety and complexity of compliance risks create the need for operations managers and risk owners to be involved in the risk-identification process. One way of doing this is the development of compliance committees at various levels in the organization. Senior management and the board must also be involved by including the C&E program leadership in strategic planning, so that the program leadership understands the organization's current and evolving strategies and the related compliance risk.

Information provided by regulators can also be helpful in identifying new and emerging risks, because many of these agencies issue alerts regarding where they see emerging risks and have compliance concerns. For example, the SEC Office of Compliance Inspections and Examinations issues special risk alerts, and the HHS OIG publishes its work plan to alert organizations to areas considered to be high risk.

Further, compliance risk extends beyond the legal boundaries of the organization. Third-party contractors, suppliers, and partners in strategic alliances can pose significant compliance and ethical risks. Concerns specifically related to third-party risks include the following:

1. The organization usually has less ability to control or oversee the work of a third party than it would with its own employees.

2. Third parties often do not have as strong an incentive to adhere to compliance and ethics expectations as employees do.

3. Third parties may operate in geographic areas that are distant from the organization's headquarters, sometimes with differing laws, norms, and customs.

For these reasons, assessing risk involving third parties can be complicated, but risk assessments should be performed at the time a third party is engaged and periodically thereafter. The extent of each risk assessment, due diligence process, and subsequent monitoring and auditing should consider the role the third party plays, materiality, and other factors that could affect the level of risk associated with each third party.

Not all compliance risks will rise to the entity level and appear in the ERM risk register; however, the risk of regulatory change would be included in such an entity-level inventory in most organizations.
Table 4.1 Identifies Risk

Key characteristics:
• Describe the compliance risk identification and assessment process in documented policies and procedures
• Identify compliance risks associated with planned strategy and business objectives
• Assess internal and external environments to identify risks
• Create a process for identifying new and emerging risks
• Consider risks associated with the use of third parties
• Consider information gathered through hotlines, other reporting channels, and the results of investigations
¹ Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 21–25, https://compliancecosmos.org/compliance-risk-assessments-introduction.
coso.org