Over the years, the role of compliance within many corporations has shifted from simply monitoring risks associated with potential violations of rules and laws to actively participating in forming a company’s strategic direction.
The amount of risk a company is willing to take to achieve its goals—of profitability, sustainability, and more—is increasingly including compliance risk in its calculations.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has previously authored a widely accepted framework for compliance and ethics (C&E) programs, on Wednesday issued a fresh set of recommendations for how executives and managers can better identify, monitor, and mitigate compliance risks.
The report, called “Compliance Risk Management: Applying the COSO ERM Framework,” outlines how companies should realign their compliance functions so they can influence all aspects of compliance within an organization.
“A significant aspect of enterprise risk management (ERM) is its focus on creating, preserving, and realizing value,” the organization said in a press release accompanying the report. An effective compliance and ethics program can and should contribute to that value proposition, COSO said.
Many compliance departments are not independent but instead report to other departments, like legal, internal audit, or risk management. COSO recommends compliance be separated out into its own division, led by a chief compliance officer with an executive-level position.
“This independence is not generally required, but is rapidly emerging as a preferred practice due to the differing and sometimes conflicting responsibilities of the two functions,” the COSO report said.
CCOs should have regular and meaningful communication with company executives. For boards of directors to properly oversee compliance, they should consider forming compliance committees, similar to audit committees.
In many companies, the function of compliance is often spread out among various departments. While violations of the Foreign Corrupt Practices Act are generally considered under the purview of compliance, other compliance responsibilities—say, adhering to public accounting standards set by the Securities and Exchange Commission or following federal and state employment laws—might fall under other departments, like accounting or human resources.
“There is not a universally accepted definition for the scope of an organization’s C&E program. It can vary from one organization to another,” the COSO report said. “As a result, compliance with some laws and regulations may be primarily subject to the oversight of others, although the compliance function should always be prepared to serve an overarching role or to step in to assist or address issues if the others are unable or unwilling to properly manage the risk.”
Elevating compliance in this way will improve how a company assesses the risks associated with new ventures, and will also improve the monitoring of compliance across the organization as a whole.
The report also notes that compliance is only as effective as a company’s management team wants it to be.
“It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels,” the report said. Tone at the top on the importance of ethical behavior among all employees is critical for a C&E program to be successful.
On the regulatory side, a strong C&E program is often a mitigating factor in an enforcement action.
Regulators who are assessing a company’s commitment to compliance, and “therefore its compliance with laws and regulations,” will first examine its organizational structure, the report said.
“Is the compliance function buried several layers down the organization chart? Or is it represented at a very high executive level? Stature also considers positioning of the CCO relative to other senior executives of an organization,” the report said.
Effective compliance programs are not static, either. They are periodically reviewed and altered as a company’s appetite for risk changes.
“For C&E programs to be effective, it is expected by regulators and others that organizations periodically assess the potential threats of legal, regulatory, and policy noncompliance, as well as ethical misconduct, so that the organization can take steps to manage these risks to acceptable levels,” the report said.