The holiday season is always a good time to remind employees about gifts and hospitality rules. The general messages are clear: Follow the rules; use good judgment; seek help if you aren’t sure what to do; and never do something that doesn’t feel right. This week, columnist Jose Tabuena suggests resources to use when developing and evaluating an organization’s policies for gifts, meals, and entertainment, with tips on how to monitor for compliance.
Jose Tabuena
Compliance Versus ERM
Compliance programs need to be part of comprehensive enterprise risk management, yes, but ERM does not displace the roles of internal audit and the compliance program. This week, columnist Jose Tabuena discusses risk management as a distinct discipline that auditors and compliance officers can work with. He describes the resources and frameworks used by risk management, which, like compliance, has spawned a new cottage industry of professionals.
Countering the Effects of Unconscious Bias in Audits
Audits go wrong for many reasons, so let’s not deny one of them: because auditors sometimes unconsciously give the benefit of the doubt to a client when they should not. What unconscious biases put effective auditing at risk? How can an auditor train himself to find them, or construct practices to thwart them? This week, columnist Jose Tabuena examines the auditor-client relationship and how to keep biases at bay.
Managing Outside Counsel: How Internal Audit Can Assist
Litigation and compliance risk bring something else beyond headaches: legal fees. The internal audit team can help there, even with tricky tasks such as monitoring the performance of outside counsel while they conduct an investigation. Inside, columnist Jose Tabuena offers recommendations on benchmarking what internal audit can do, analytics to try, and outcomes to watch for, all to avoid spending surprises.
Compliance Line of Sight: Evaluating Your Program’s Structure and Oversight
The chief compliance officer does not need to manage every compliance risk your company has—but he or she does need to know how every compliance risk is managed. This week, columnist Jose Tabuena explores how “line of sight” should work in a compliance program, and how internal audit can help the CCO ensure that all compliance risks get the management and oversight they need. More inside.
Conducting a Practical Compliance Risk Assessment
Risk assessment is standard fare for a mature compliance program. The challenge for compliance officers is to ensure that their assessment works well, finding the right risks and generating information they can use to improve their program. This week, columnist Jose Tabuena identifies steps for conducting a meaningful compliance risk assessment and missteps a CCO might make while seeking the perfect assessment, rather than a practical one.
Cyber-Breaches and Other Threats Involving Conscious Opponents
Cyber-security is now a very real risk, with the potential for staggering costs and reputational harm. Cyber-security has another unusual feature as well: It falls into the realm of conscious harms, where companies must play a cat-and-mouse game to stay ahead of attackers. How do you build, maintain, and audit controls for something like that? This week, columnist Jose Tabuena explores tools and methods to consider when an active brain is behind the harm.
Monitoring and Auditing Performance-Enhancing Risks
Every executive knows that what gets measured gets done; the trick for compliance and audit executives is to assure that the metrics you use don’t lead employees to do something reckless. This week, columnist Jose Tabuena looks at the risks of incentives: where they can go wrong, how to help executives design metrics and incentives that encourage compliance, and what audit procedures can help you confirm the incentives you have actually work.
Applying the Three Lines to Cyber-Security
Managing cyber-security risks is one of the most pressing problems facing businesses today. Absent some technological magic bullet (which won’t be found any time soon), that leaves companies forced to protect cyber-security through better process. What does that mean? How can privacy, compliance, and internal audit band together to lead business units to that goal? Compliance Week columnist Jose Tabuena offers his suggestions inside.
Setting Objectives for Risk Avoidance, Value Creation
One criticism of the Three Lines of Defense model is that it dwells too much on risk mitigation, and too little on risk opportunity. If you connect the Three Lines model to the COSO framework for internal control, however, a more elegant appreciation of risk management emerges. Inside, columnist Jose Tabuena describes how the role of objective-setting in the new COSO framework can be applied to complement the Three Lines of Defense, to address both risk avoidance and value creation.