Compliance Risk Management - Applying the COSO ERM Framework (COSO)

Christophe BARDY - GRACES community
17/12/2021

Why this publication is needed

Compliance risks are common and frequently material risks to achieving an organization’s objectives. For many years, compliance professionals have used a widely accepted framework for compliance and ethics (C&E) programs to prevent and timely detect noncompliance and other acts of wrongdoing. The C&E program framework is described in Appendix 1 (if readers are not already familiar with the elements of a C&E program, consider reading Appendix 1 before proceeding). The COSO Enterprise Risk Management (ERM) Framework, meanwhile, has been used by risk and other professionals to identify and mitigate a variety of organizational risks, including compliance risks. This publication aims to provide guidance on the application of the COSO ERM framework to the identification, assessment, and management of compliance risks by aligning it with the C&E program framework, creating a powerful tool that integrates the concepts underlying each of these valuable frameworks.

What are compliance and compliance-related risks?

Risk is defined by COSO as “the possibility that events will occur and affect the achievement of strategy and business objectives.” Risks considered in this definition include those relating to all business objectives, including compliance. Compliance risks are those risks relating to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel. Throughout this publication, “events” associated with compliance risks will be referred to as “noncompliance” or “compliance violations.”

Although the underlying acts (or failures to act) are carried out by individuals, compliance violations are generally attributable to the organization when they are carried out by employees or agents of the organization in the ordinary course of their duties. The exact scope of acts attributable to an organization can vary depending upon the circumstances. In some cases, the employee may also bear liability as an individual.

Most compliance violations either inherently cause harm or have the potential to result in direct harm to individuals, communities, or organizations. Examples of parties that may be harmed through compliance violations include customers (e.g., violations of privacy or data security laws leading to a breach and theft of personal information, product safety violations resulting in injuries, antitrust violations resulting in inflated prices), employees (e.g., workplace safety regulation violations resulting in injury to a worker, antidiscrimination or whistleblower protection law violations), or the general public (e.g., environmental violations resulting in illness or death).

Although most compliance risks relate to specific laws or regulations, others do not. These other risks, referred to as “compliance-related risks,” may include risks associated with failures to comply with professional standards, internal policies of an organization (including codes of conduct and business ethics), and contractual obligations. For example, conflicts of interest represent violations of laws or regulations only in limited instances (frequently involving government officials or programs). Conflicts of interest are frequently prohibited by professional standards, terms of contracts and grant agreements, or internal policies, and they are viewed as damaging to an organization if they are not disclosed and managed. As a result, conflicts of interest are commonly included within the population of compliance risks.

Accordingly, throughout this publication, the term “compliance risk” is used in reference to any risk that is either directly associated with a law or regulation or is compliance-related in that it is associated with other standards, organizational policies, or ethical expectations and guidelines.

As this discussion illustrates, the scope of what an organization considers to be compliance risks is not an exact science, although most organizations use a similar list of compliance risk areas within the universe of their programs (e.g., environmental, bribery, and corruption), even if the specific compliance risks within each area may differ. Determining the exact scope of a C&E program is typically both an early step in developing the program and an ongoing exercise as the risk landscape changes, and input from compliance, legal, senior leaders, and the board are considered.

Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).

Most noncompliance stems from actions taken by insiders – employees, management, or members of an organization’s board of directors. Increasingly, risks also result from contractors and other third parties whose actions affect an organization. The most common examples involve vendors in an organization’s supply chain (e.g., when a supplier of Egyptian cotton bedding for several major retailers was found to be using a lesser grade of cotton that was not from Egypt, the retailers incurred significant liabilities to their customers) or third parties involved in the sales cycle (e.g., intermediaries that may pay bribes to government officials in order to obtain lucrative contracts for an organization).

A final consideration in determining the scope of a program is the potential for inherited risks resulting from merger and acquisition (M&A) activity. As M&A transactions take place, the universe of compliance risks to which an organization is exposed can change drastically and instantly. These risks may relate to events that took place prior to the merger or may simply result from unique risks faced by the merged entity that the acquiror had not previously faced.

The evolution of compliance and ethics programs

Although compliance with laws and regulations has been an expectation for many years, compliance and ethics as a profession and as a distinct function in organizations is a relatively recent development. It stems from the equally recent emergence of the C&E program as a valuable and frequently required element of organizational management.

A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.

The current U.S. Federal Sentencing Guidelines (USSG) identify the following seven elements of an effective C&E program:

  • Standards and procedures
  • Governance, oversight, and authority
  • Due diligence in delegation of authority
  • Communication and training
  • Monitoring, auditing, and reporting systems
  • Incentives and enforcement
  • Response to wrongdoing

Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs. This two-part requirement has often been referred to as the eighth element of an effective program. Each of these elements is explained in greater detail in Appendix 1.

The USSG also state that organizations should promote a culture that encourages ethical conduct and a commitment to compliance with the law. This acknowledgment that organizational culture and business ethics play integral roles in compliance risk management is one of the factors that led to the common use of the term “compliance and ethics program” or “C&E program”.

The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws. In criminal cases involving noncompliance with laws, an organization’s penalty can be decreased significantly from a base amount, determined in part by the existence of an effective C&E program. Developing case law related to the guidelines has added further weight to the importance of C&E programs, particularly in highly regulated entities, with courts concluding that the failure to implement an effective C&E program may represent a breach of fiduciary duty. Additionally, guidance issued by the U.S. Department of Justice and other agencies has emphasized the importance of C&E programs.

Although the USSG don’t require organizations to have C&E programs, individual government agencies sometimes do. For example, certain healthcare organizations must have compliance programs as a condition for eligibility to participate in Medicare, and the Federal Acquisition Regulations require certain government contractors to have compliance programs.

Finally, a compliance department should be separate from the legal and regulatory affairs department. This independence is not generally required, but is rapidly emerging as a preferred practice due to the differing and sometimes conflicting responsibilities of the two functions. For example, guidance issued by the Office of Inspector General of the U.S. Department of Health and Human Services (HHS OIG) indicates that the compliance department should be independent. In its 2012 A Toolkit for Health Care Boards, the HHS OIG’s Health Care Fraud Prevention and Enforcement Action Team (HEAT) stated: “Protect the compliance officer’s independence by separating this role from your legal counsel and senior management. All decisions affecting the compliance officer’s employment or limiting the scope of the compliance program should require prior board approval.”

International guidance on compliance and ethics programs

Although the most extensive statutory, regulatory, and nonregulatory guidance on C&E programs has emanated from the United States, many other countries have issued various forms of requirements for and guidance on C&E programs. In some instances, guidance on C&E programs outside the U.S. is limited in application to specific areas of the law, such as bribery and corruption or antitrust/competition. In others, it is broader, as it is in the U.S., and applicable to many areas of the law. Much of the guidance issued globally mirrors many of the concepts and elements described in the USSG.

A sampling of some of the guidance from outside the U.S. reveals a mostly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom’s Ministry of Justice has provided guidance on the Bribery Act 2010, describing procedures that commercial organizations can put in place to minimize the risk of bribery.

Those procedures are summarized into the following six principles, which closely align with the USSG:

  • Proportionate procedures
  • Top-level commitment
  • Risk assessment
  • Due diligence
  • Communication (including training)
  • Monitoring and review

Guidance has also been issued by the International Organization for Standardization (ISO). Its 2016 ISO 37001 Antibribery management systems standard includes the following expectations of a program:

  • Performance of a bribery risk assessment
  • Leadership and commitment to the anti-bribery management system
  • Establishment of an anti-bribery compliance function
  • Sufficient resources provided for the anti-bribery management system
  • Competence of employees
  • Awareness and training on anti-bribery policies
  • Due diligence in connection with third-party business associates and employees
  • Establishment and implementation of anti-bribery controls
  • Internal audit of the anti-bribery management system
  • Periodic reviews of the anti-bribery management system by the governing body

Beyond bribery, ISO has also issued guidance more broadly on compliance management systems in the form of ISO 19600:2014. Most recently, ISO/DIS 37301 was proposed in 2020 to replace ISO 19600. The draft new standard describes the following five elements of a compliance management system:

  • Compliance obligations (identification of new and changed compliance requirements)
  • Compliance risk assessment
  • Compliance policy
  • Training and communication
  • Performance evaluation

A variety of other legal and regulatory developments that do not directly reference C&E programs nonetheless affect them. For example, 2019 European Union regulations aimed at providing new protections for whistleblowers help in supporting an important element of an effective C&E program. Similarly, data protection and privacy laws commonly differ from one country to another, but frequently have direct or indirect effects on C&E programs.

Additional examples of international guidance on C&E programs are provided in Appendix 2. What it shows is that global guidance on C&E programs has far more similarities than differences, even if the scope of application of a C&E program may differ (i.e., limited to bribery and corruption in some jurisdictions and broader application in others). The common thread across these various guides is a shared appreciation for the elements on which this COSO guide is based.

The relationship between compliance, internal control, and enterprise risk management

COSO defines internal control in Internal Control – Integrated Framework (2013) and Enterprise Risk Management – Integrating with Strategy and Performance (2017) as follows:

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

As this definition clearly points out, internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of internal controls. The following five components of internal control support all three categories of objectives:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities
