Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 25
One issue of note in the DOJ framework is that the overall review of the C&E program is expected to include a measurement of the organization's culture of compliance, including seeking input from all levels of employees to determine how they perceive senior and middle management's commitment to compliance.

Finally, in addition to monitoring and auditing, there are other mechanisms that provide feedback on the performance of the C&E program. A confidential reporting mechanism through which employees and others can report suspected misconduct involving the organization will identify specific instances where investigation and remediation are required and may identify opportunities to improve the program. Employees can also use this mechanism to seek guidance and ask questions about their work and the work environment.

When investigations of reported allegations of misconduct conclude that there is indeed misconduct, the organization should take appropriate steps to respond and to prevent further similar misconduct, including making appropriate modifications to the C&E program. Analysis of trends in the data from the confidential reporting system (including monitoring and auditing results and other data) should be used to identify gaps in the design or execution of the C&E program. Research has consistently found, however, that in many organizations, only a small portion of misconduct issues are reported through the confidential mechanism, so other feedback and data points must also be considered. For instance, many employees report misconduct to supervisors rather than use the confidential mechanism. In the majority of cases, these are handled by the supervisors and others in the organization; however, the data is not necessarily tracked or reported to compliance, so there is no feedback on C&E program performance. To get this feedback, some organizations have policies requiring supervisors to report such cases to compliance so they can be tracked and analyzed.

Other mechanisms are information from exit interviews — where employees are asked if they have observed instances of misconduct in the organization — periodic employee surveys, and feedback from participants in compliance training.
Table 5.2 Reviews risk and performance

Key characteristics
• Monitor performance against compliance and ethics metrics and report at the management and board levels
• Update compliance risk assessments on a periodic basis
• Develop monitoring plans for high-priority risks, assign assurance responsibilities clearly across the three lines, and set clear performance expectations
• Ensure that internal audit considers compliance risk in connection with its review of entity risk and performance
• Periodically assess the organization's culture of compliance
• Ensure that annual C&E program work plans reflect risk assessment (cross-referenced)
• Include appropriate audit rights clauses in third-party contracts to facilitate monitoring and auditing
• Obtain feedback from participants in compliance training, hotline reports, employee surveys, and exit interviews
• Require that implementation of corrective action plans is an important metric monitored by management and the board
• Perform root cause analyses for compliance risk events experienced
Principle 17 — Pursues improvement in enterprise risk management

One of the key indicators of an effective C&E program is a commitment to continuous improvement. Principles 15 and 16 explain the importance of using a variety of mechanisms to identify substantial changes in the organization and its environment and to identify gaps in program effectiveness. Merely identifying issues is not enough, however. Action must be taken to adjust and improve the C&E program. Increasingly, regulators emphasize the importance of the organization demonstrating its efforts to review the program and take action to ensure that it does not become stale. For many regulators, proactive efforts by the organization may be rewarded with reduced fines and requirements in resolution agreements and prosecution decisions.

The CCO should meet periodically with the board, as well as with the organization's internal compliance committee, if one exists. Together, they should address the results of performance reviews and the C&E program's proposed action plan to address identified gaps in C&E program performance, as well as proactive improvements to the program. In addition, the results of investigations where misconduct was found should be analyzed to determine root cause and what adjustments need to be made to the C&E program and discussed with the respective committee.
coso.org