Page 76 - COSO Guidance Book
36 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
6. Scope — Understand what the scope of an investigation is from the outset and gear the investigation plan accordingly.

There are many steps to an investigation (e.g., gathering documents, identifying electronic records, conducting interviews of personnel). And in the end, there may or may not be any need or desire for a written report. But the case file should always be closed out properly.

If the investigation uncovers compliance failures, a root cause analysis should be performed to fully understand where any breakdowns or omissions in internal controls occurred, or whether weaknesses in the design of internal controls were identified. Once this is done, the organization must turn its attention to remediating the underlying problems. In cases in which existing policies and procedures were well designed, but the execution of those controls failed, remediation may require nothing more than training (or retraining) certain groups of employees on those controls and the reinstatement or introduction of the appropriate monitoring processes.

In other cases, remediation involves significantly more effort. Modifying policies and procedures, improving preventive controls, changing business processes or incentives, and any other remediation efforts should all be aimed at making sure a particular act of noncompliance does not happen again. In cases where prevention is costly or impractical, remediation might involve adding or modifying detective controls so that if noncompliance occurs in the future, it will be detected and corrected sooner, resulting in reduced losses or penalties. Regardless of the nature of planned actions, accountability for fully implementing remediation plans should be established and monitored.

Risk assessment and program improvement

Regulators consistently emphasize the importance of taking a risk-based approach to training, monitoring and auditing, and the other elements of a C&E program. As such, a sound risk assessment process is critical. Approaches and considerations for assessing the risk of compliance and ethics events are generally very similar to assessing other types of risks. For example, a typical approach would include the following steps:

1. Identify compliance risks that are inherent to the organization’s activities
2. Map compliance risks to existing internal controls
3. Assess the effectiveness of internal controls
4. Assess the likelihood and impact of each compliance risk
5. Prioritize (via scoring, heat maps, or other methods) compliance risks based on the assessment
6. Design risk responses (e.g., improvements to internal controls, training) to reduce risk to an acceptable level
7. Assign responsibility and monitor implementation of risk responses

Although these are the core elements of a typical risk assessment, many additional factors can be considered to further enhance the quality of a risk assessment. Risk assessments should be updated periodically, either on a fixed time interval or when relevant new information comes to light indicating a change may have occurred that affects a risk.

Another 2004 addition to the USSG involves an expectation that efforts are made to continuously improve the C&E program. Periodic risk assessment is one method of identifying needed improvements to the program. But there are many other ways of identifying improvements: a thorough root cause analysis at the conclusion of an investigation, feedback mechanisms, auditing and monitoring, and others. Benchmarking against other organizations is also an effective method of assessing program effectiveness. Assessing program effectiveness can be performed internally or by third parties (e.g., consulting firms). Additionally, looking outside the organization — attending conferences, reading publications, and monitoring government guidance — is an excellent way to identify emerging practices that can be adopted to improve a program.