
Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework   |    23




Table 5.1  Assesses substantial change

Key characteristics
• Identify drivers of change in compliance risk — internal and external
• Consider how implementation of new strategic initiatives affects compliance risk
• Consider how changes in senior personnel affect compliance risk and/or risk tolerance
• Evaluate changes in laws and regulations
• Consider developments in enforcement, guidance from regulators, and other trends
• Assess changes in local/regional environments

Principle 16 — Reviews risk and performance

As noted in the discussion of Principle 1, the board of directors has oversight responsibilities for the performance of the organization’s C&E program, and the CCO and management are responsible for the program’s design and implementation. For the board and management to carry out their responsibilities, mechanisms are needed to provide assurance that compliance risks are being managed within tolerable levels.

The goal of the reviews of C&E program performance goes beyond just providing the needed assurance for the board and management to fulfill their responsibilities for managing compliance risk to acceptable levels; the goal is also to continually improve the C&E program. Regulators have become more explicit in their expectations regarding the review of C&E program performance as a critical element of an effective compliance program. As noted earlier, one of the seven elements of an effective compliance program under the USSG includes the expectation “to evaluate periodically the effectiveness of the organization’s compliance and ethics program.” Similar expectations for assessment of the C&E program’s performance are found in guidance from various regulators across the globe.

The expectation is for two types of review: (1) a review of compliance risks that are considered to be a high priority based on their assessed likelihood and impact of noncompliance and (2) periodic review of the overall performance and effectiveness of the C&E program. In addition to reviews by auditing and monitoring, there is an expectation for the use of other mechanisms to provide feedback regarding C&E program performance, particularly a trusted system through which employees and others may report or seek guidance regarding potential misconduct.

For each high-priority compliance risk, in addition to developing an education and training strategy, the organization should develop a monitoring and auditing plan. Although the compliance function may take the lead in the development of such plans, it should not be the responsibility of compliance alone. Risk owners, internal audit, risk management, and potentially others should be involved in developing the plan. Role clarification for the plan is essential to minimize duplication of effort and assurance gaps. The plan should include a description of the planned risk responses, who is responsible for the response, how response effectiveness is measured, and who will be responsible for the performance review.

One model that can help establish role clarity is the Three Lines Model, formerly the Three Lines of Defense, updated July 2020 by The Institute of Internal Auditors. This framework distinguishes among the following three groups (or lines) involved in effective risk management:

First line roles (management):
• Leads and directs actions (including managing risks) and application of resources to achieve the objectives of the organization
• Maintains a continuous dialogue with the governing body, and reports on planned, actual, and expected outcomes linked to the objectives of the organization, and risk
• Establishes and maintains appropriate structures and processes for the management of operations and risk (including internal control)
• Ensures compliance with legal, regulatory and ethical expectations

Second line roles (management):
• Provides complementary expertise, support, monitoring, and challenge related to the management of risk, including the following:
  - The development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level
  - The achievement of risk management objectives, such as compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance
• Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control)
