Page 73 - COSO Guidance Book
Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework   |    33




each operating division approaches compliance similarly. An additional benefit of such a compliance committee is the value created by collaboration and input across functional areas to support the overarching objectives of the C&E program.

The final critical element of compliance oversight involves making sure there is a clear and written understanding of the roles and responsibilities of each of these functions or committees. This may be documented in the form of a charter or policy.

Due diligence in delegation of authority

Organizations should perform background checks before hiring new employees and additional periodic checks when permitted or required by law. In addition, the organization should consider the person’s past support of (or failure to support or execute) the organization’s C&E program when promoting employees to positions of greater authority. The level and type of background check should correspond to the position of each employee, based on the role that person has, or will have, in relation to compliance risks.

The USSG refer to this expectation in connection with “substantial authority personnel,” a term defined in the application notes as “individuals who within the scope of their authority exercise a substantial measure of discretion in acting on behalf of an organization,” noting that these individuals may or may not be considered management. The clear inference is that the scope of diligence should grow as the level of responsibility grows. Compliance may wish to work with human resources and other functions to make these determinations.

Though not explicitly stated in the USSG, regulators have grown to expect that organizations perform appropriate levels of due diligence on third parties that create or involve compliance risk for the organization. For example, if a company utilizes a third party located in another country to represent the organization, or to sell to customers in that country, an appropriately scaled background check — based on the assessed level of compliance risk involved — would be expected.

Communication and training

Communication and training, when done effectively, contribute to the prevention and detection of compliance issues. Every employee and member of the board of directors should receive training on general topics that are important to the program, and more focused training on specific compliance matters should be provided to personnel involved in activities relevant to each compliance risk.

General training, done on at least an annual basis, for all employees and the board of directors is a hallmark of a robust and effective program. General training covers the code of conduct, maintaining a culture of compliance and ethics, how to seek guidance and report suspected problems, the organization’s nonretaliation policy, what the organization does when suspected compliance issues are reported, and any other relevant aspect of the program that affects everyone.

Focused training dives deeper into specific compliance risk areas, critical internal controls, and other procedures associated with specific risks. Consequently, only those employees who play key roles involving those risk areas are typically required to participate in this type of training. An example of focused training is a program aimed at sales personnel of an international company on compliance with the Foreign Corrupt Practices Act. It is not necessary for every employee to understand what constitutes a violation of the act, but it is critical for individuals involved in international sales (and relevant support and finance teams) to have a sound understanding of this risk as well as the controls and procedures the organization has implemented to prevent misconduct.

To be effective, training must be more than simple delivery of educational content. In its June 2020 guidance, DOJ emphasized the importance of (1) allowing employees to ask questions during training and (2) evaluating whether training affected employee behavior.

Although much of the training that involves compliance topics is in the form of either traditional classroom-style presentations or online, web-based programs, training may also involve other forms of education and communication. For instance, an email message or a company newsletter may be used to inform the workforce or reinforce traditional training on new or changed compliance requirements. Communications may also address lessons learned from compliance failures the organization has experienced.

Organizations can sometimes be held accountable for compliance failures of third parties. Accordingly, training should be considered for each third party based on an assessment of the associated type and level of compliance risk.

Finally, other forms of general communications also help to create and maintain a culture of compliance and ethics. Examples include supportive messages from the CEO, informative articles in company newsletters, and many others.

Monitoring, auditing, and reporting systems

Monitoring, in the broad sense, refers to the assessment of whether processes are operating as intended in pursuit of the system’s improvement. Sometimes the term “monitoring” is used more narrowly to contrast with “auditing,” where auditing refers to an assessment by individuals independent of the system. Both auditing and monitoring draw on the same set
