Organizations should integrate their risk management and ethics and compliance functions to more effectively manage and mitigate compliance risks, according to recently published guidance from the Committee of Sponsoring Organizations of the Treadway Commission.
The guidance, "Compliance Risk Management: Applying the COSO ERM Framework," looks at how companies can best apply COSO’s enterprise risk management framework to the management of compliance risks. The framework, first published in 2004 and most recently updated in 2017, is widely used by risk professionals to identify and manage enterprise risks, including compliance risks.
The publication–authored by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association–takes the five components and 20 underlying principles of the COSO ERM framework and maps them to the specific requirements and emerging practices of effective ethics and compliance programs.
The five components of risk management are governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting.
A significant aspect of ERM is its focus on creating, preserving and realizing value, according to COSO. The guidance points out an effective ethics and compliance program supports these objectives by allowing an organization to more confidently pursue new value creation opportunities and stay on the right side of the law.
"As compliance and ethics programs continue to evolve and gain wider adoption globally, it makes increasing sense to understand and appreciate the synergies that can be achieved by applying the ERM framework," said Gerry Zack, chief executive of SCCE and HCCA.
While compliance is the responsibility of everyone at an organization, the publication notes "management/mitigation of compliance risk is primarily the responsibility of all management at all levels." It also is important to remember that compliance risk extends to any activity carried out by a third party.
"Compliance risks are common and frequently material risks to achieving an organization’s objectives," said COSO Chairman Paul Sobel.
Another recommendation is the compliance department should be separate from the legal and regulatory affairs department. Compliance should be its own division and led by a chief compliance officer on the executive level. While this is not currently required, it "is rapidly emerging as a preferred practice due to the differing and sometimes conflicting responsibilities of the two functions."
COSO is a joint initiative of five private-sector organizations, and is dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence.
Click here to read the COSO report.