26 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
Where adjustments and improvements to the C&E program are warranted, appropriate action plans should be developed with timelines and specific responsibilities assigned. Progress on the action plan should be tracked, and there should be appropriate follow-up.

Not all improvements to the C&E program are reactive in nature. An important aspect of continuous improvement involves taking proactive measures. The organization should stay current on new or improved tools, as well as innovative approaches, that may improve program performance and effectiveness.

Another action that can contribute to the continuous improvement of the C&E program is benchmarking against the practices of other organizations. Often this is done within the same industry; however, this may be too narrow, as there are significant differences in the maturity of compliance programs within industries. There is much to be learned from looking at other industries, particularly ones that, because of their regulatory environments, have been dealing with heightened compliance risks for some time.
Table 5.3 Pursues improvement in enterprise risk management

Key characteristics
• Maintain awareness of current trends in compliance risk management (through training, review of regulatory guidance, etc.)
• Ensure that the compliance function periodically self-assesses the C&E program's performance
• Obtain feedback from the board on the quality and usefulness of the compliance risk information shared with it
• Consider obtaining periodic independent evaluation of the C&E program
• Consider benchmarking the C&E program against similar organizations
• Review the efficacy of the compliance risk assessment process on a periodic basis
• Ensure that internal audit plays an active role in periodically evaluating the effectiveness of the C&E program
coso.org