Following new guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) on how to better identify, monitor, and mitigate compliance risks, a follow-up, one-day virtual conference was held Dec. 18 to help compliance officers better understand the guidance and apply it in practice.
COSO states in its report, “Compliance Risk Management: Applying the COSO ERM Framework,” that its aim is “to provide guidance on the application of the COSO ERM Framework to the identification, assessment, and management of compliance risks” in alignment with the compliance and ethics (C&E) program framework. In all, COSO’s compliance risk management framework describes 120 key characteristics of an effective C&E program.
During the virtual event, held by COSO in partnership with the Society of Corporate Compliance & Ethics (SCCE) and the Health Care Compliance Association (HCCA), attendees were asked whether they believe the guidance will increase the level of scrutiny placed on organizations’ C&E programs by internal audit. In response to the online poll, 52 percent said “yes,” while 26 percent said “no.” The remaining 22 percent weren’t sure.
“If we’re out of step with our industry five years from now, and we still haven’t filled in those gaps or haven’t addressed some of the issues that peers are addressing, it will hurt us with enforcement agencies.”
Daniel Roach, Chief Compliance Officer, Optum 360
Daniel Roach, chief compliance officer at Optum 360 and a speaker on the panel, said he believes the framework will trigger increased attention not just from internal audit but at the board- and senior-management level as well, particularly in highly regulated industries. “I think it will create greater emphasis on benchmarking your program against other programs and metrics—things of that nature,” he said.
In that aspect, the compliance risk management guidance “has the potential to be a two-edge sword,” Roach said. “It helps benchmark with others in our industry; it helps us fill in gaps in our programs. On the other hand, if we’re out of step with our industry five years from now, and we still haven’t filled in those gaps or haven’t addressed some of the issues that peers are addressing, it will hurt us with enforcement agencies.”
“It doesn’t mean you have to embrace all 120 characteristics,” said COSO Chairman Paul Sobel. “The key is to make sure you at least consider them. It’s another way of assessing yourself that should limit fines and penalties, should you come under investigation.”
Gerry Zack, chief executive officer of the SCCE and HCCA, commented that regulators aren’t necessarily looking for perfection as much as they want to see that a company is striving to improve its C&E program. “If this becomes a tool that organizations use as part of that process, I think it really has served its purpose,” he said.
Internal audit vs. compliance
Zack said one deciding factor in moving forward with the compliance risk management framework was the notion that it was “inevitable” internal audit would want more guidance on what to look for in a C&E program. “I think this is a nice, fair, and reasonable approach to what all those expectations are, based on current and emerging practices from the regulatory enforcement communities, as well as from the ethics and compliance profession itself,” he said.
“Ideally, you want internal audit and compliance to be communicating, collaborating, and sharing,” Sobel said. “[The guidance] is one way they can do it. So, maybe some of that scrutiny happens behind the scenes, as opposed through a direct audit.”
“We really need to leverage off each other,” Sobel added. As the former chief audit executive at Georgia Pacific, Sobel said he would meet at least monthly with the chief compliance officer, with no agenda. “We had so many crossover objectives that were really the same,” he said. “The key is to make sure you’re properly informed of what each other is doing.”
It’s also important that compliance be able to clearly delineate itself from other business functions, which isn’t always easy to do. At some point, you need to recognize other business functions will use “compliance” in their title—for example, information-security compliance, privacy compliance, and so on.
This speaks to the importance of clearly communicating and educating employees on the responsibilities of each function and how to decipher between them. “What’s more important is that we understand what everybody is talking about when they’re using the term ‘compliance,’” Roach said.
Panelists also talked about best practices relating to enterprise risk assessments versus other types of assessments. When determining how deeply to assess each compliance risk, for example, “there’s no one-size-fits-all answer,” Sobel said.
Typically, however, an enterprise risk assessment addresses a higher level than a risk assessment focused on a specific regulatory area—for example, anti-money laundering, antitrust, or anti-corruption. “We did that at my last company, Georgia Pacific, where we went through … each of the different key regulatory areas and did a separate risk assessment,” Sobel said. “That was quite a useful exercise.”
In some cases, there may be a need to conduct a third, even more granular business-unit level assessment when it comes to risk mitigation, Zack said. Take, for example, a bribery and corruption risk at the enterprise level later determined to be a potential Foreign Corrupt Practices Act (FCPA) violation at the regulatory level.
At the most granular level, you start to assess how each type of bribery scheme could result in a violation. “There are so many different ways a bribe can be paid, and how you mitigate each scenario can be different,” Zack said. Mitigation measures for a bribe paid through a shell company, for example, will differ from mitigation measures for a bribe paid through a salesperson’s expense report.
Defining risk appetite
Panel members also shared advice on how to get management comfortable talking about risk appetite. “Sometimes you have to push the conversation, but they will get there,” Roach said. When engaging in a transaction that implicates a certain law, for example, the key question that each organization needs to answer is, “How much time, effort, and resources do we want to devote to mitigate the risk at a level that we feel comfortable?”
Compliance officers can also turn to guidance COSO published in May specifically addressing risk appetite. Among the topics addressed in that guidance are how to discuss risk appetite in the context of business; how to link risk appetite to strategy; and how to develop risk appetite to support strategy.
“It’s healthy to have discussions about the nature and amount of risks we need to pursue in order to achieve our strategies and objectives,” Sobel said. “If you go to that guidance, I think it will help fill in some of the blanks.”