22 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
5. REVIEW AND REVISION FOR COMPLIANCE RISKS

The legal, regulatory, and ethical environments of organizations are ones of constant change and, frequently, increased complexity. Technological advancements have increased the speed of communications and activity, expanding the number of individuals an organization can affect across the globe. Even small organizations may be operating in multiple countries and jurisdictions, and regulations in these places are proliferating. Stakeholder expectations regarding organizational conduct continue to rise. Thus, for compliance risk management to be effective, the organization must regularly review its compliance risk management practices and capabilities and take steps to continually improve its C&E program.

This section describes the application of the review and revision component of the COSO ERM framework and the following three principles associated with the management of compliance risks:

15 Assesses substantial change
16 Reviews risk and performance
17 Pursues improvement in enterprise risk management

Principle 15 — Assesses substantial change

Changes in the organization’s internal and external environment can have significant impacts on the organization’s compliance risk profile, often very quickly, which is why many compliance program standards require periodic re-evaluation and modification. The CCO needs to identify potential drivers of changing compliance risk. Broadly, these potential drivers include, but are not limited to, the following:

• Changes to the organization’s strategies and objectives
• Changes to people, process, and technology
• Changes in regulatory requirements and/or societal expectations

As Principle 6 discusses, the CCO should be involved in the strategy-setting process to allow the C&E program to identify and manage the change in compliance risk resulting from significant shifts in business strategy and objectives. For example, a technology company decides to start or acquire a new line of business in a highly regulated environment, such as providing cloud services for health systems’ medical records, or an engineering firm seeks to begin contracting with the federal government. An organizational shift to the use of third parties for business processes may also result in potentially significant changes to compliance risk.

Changes in the internal environment in people, processes, and technologies can also result in changes to compliance risk. For example, a change in senior personnel can result in a significant shift in the level of risk tolerance as well as the compliance culture. Increased performance pressures (cost, sales, productivity, efficiency, etc.) can affect risk. Mergers and acquisitions can also drive change in compliance risk. Changes to processes and technologies may also lead to potential changes to compliance risk. For example, automation may result in the company being able to perform a task faster, but it may mean that the impact of a failure will also be magnified.

Changes in the external environment affect the organization’s compliance risks through changes to laws, regulations, enforcement priorities, and societal norms and values. Assessing the impact on compliance risk has become increasingly complex due to the proliferation of laws and regulations across jurisdictions, often with conflicting requirements. The C&E program needs to keep abreast of changes to the regulatory environment through studying information from industry and professional groups as well as trends in enforcement and guidance provided by regulators. There are also increasingly sophisticated regulatory change management applications that can assist the C&E program with identifying and tracking.