COSO and the Society of Corporate Compliance & Ethics released guidance today about how to integrate corporate ethics and compliance concerns into a company’s larger risk management program, complete with a list of best practices for compliance programs mapped to COSO’s enterprise risk management framework.
It’s a useful document for people who like to think about proper oversight of ethics and compliance issues; one can easily see how the themes in this material also appear in more formal guidance from regulators and even in recent enforcement actions for compliance failures. Let’s take a look.
The guidance itself is available for free at the COSO website, a slim 27 pages that you can read in one sitting. It’s the latest in a series of papers COSO has churned out in recent years connecting its ERM framework to specific issues: cybersecurity, climate change, healthcare, and so forth. Compliance risk is just the latest volume.
The first section of the guidance reviews the fundamentals of compliance programs, risk management, and internal control. All three overlap with each other to some extent, and COSO is famous for its internal controls framework, which most publicly traded companies use as the template to achieve compliance with the Sarbanes-Oxley Act. So if you need a refresher on what’s what, start here.
The meat of this guidance starts on Page 6. COSO presents the five components of its enterprise risk management framework, and the 20 principles that comprise those five components. See below:
Then, one component at a time, the guidance maps compliance program best practices to those 20 principles.
Examples of Compliance and ERM Principles
The first component of the COSO ERM framework is “Governance and Culture,” which deals with how an organization’s board of directors should establish the corporate culture, hire qualified executives, and build basic operating structures to assure that risks are managed. This component has five principles underneath it, such as “exercise board risk oversight” and “demonstrate commitment to core values.”
The guidance takes those ERM ideas and looks at them through a compliance lens, complete with specific examples of how the board could support a strong compliance function.
So where one principle for strong governance and culture is “establish operating structures,” COSO and the SCCE offer these specific suggestions:
If you consider those suggestions for a moment, you can see how they relate to other pronouncements we’ve seen from regulators. “Maintain independence of the CCO and the compliance function” — that stems from the Justice Department’s guidance on effective compliance programs, where prosecutors talk about the autonomy and authority of the chief compliance officer. “Ensure that the CCO directly reports to the board” — that’s a principle of the U.S. Sentencing Guidelines’ elements of an effective compliance program.
The above suggestions also remind me of what banking regulators told Citibank to implement earlier this fall, when they served the bank with a $400 million penalty and a raft of corrective actions to make. Among those actions: the board needs to assure that risk and compliance executives are empowered to exercise independent oversight; and internal complaints are tracked, managed, and reported to the board as necessary. Those are the first two and the final bullet points in that table above.
A more practical example of compliance and ERM is in the COSO’s third component, “Performance.” One principle within that component is “implement risk responses” — which is just an abstract way of saying “implement internal controls to keep risk in check.”
So what would that principle look like when viewed through the compliance lens? COSO and SCCE offer this:
Again, the language is a bit abstract, but the points are relevant. The first point about considering the need for modifications in the compliance program when designing risk responses — well, that’s assessing your internal controls and whether to modify them in the face of changing risks. Which is a major theme of the Justice Department guidelines for effective programs.
The second point about designing compliance risk responses that consider the impact on other risks: that’s just good sense. If the compliance program is concocting internal controls without considering how those things might affect other parts of the business, you’re — gasp! — working in a silo.
We could continue through the other 18 principles of the COSO ERM framework, but you get the idea. This guidance takes those principles and frames them in a compliance-specific way. Then it gives an abundance of examples for how compliance officers can implement those principles in practice. There is plenty there for compliance officers to have a great conversation with the board about managing compliance risk — which, incidentally, is one of the very first examples this guidance recommends.
Selling the Board on This
One challenge that occurs to me: getting the board to pay much attention to the compliance program at all. It’s not that boards disregard compliance; many of them just don’t have the time or resources to give compliance the attention it deserves. (See the podcast I recorded with compliance veteran Joel Katz last year, where he spoke about this issue.)
Compliance officers could back into this conversation with the board by framing compliance as a subset of risk within enterprise risk management — because risk management is something they understand. Consider this paragraph from the guidance:
An important aspect of ERM is its focus on creating, preserving, and realizing value. The C&E program supports each of these three goals. An effective C&E program allows an organization to more confidently pursue new value creation opportunities. Further, value that has been created by an organization can quickly become impaired when accompanied by violations of laws or regulations. An effective C&E program can preserve this value and enable an organization to fully realize it.
Board directors are certainly sweating how the organization can keep providing value to its stakeholders. They also know that a snafu with corporate compliance can bring much headache, and distract everyone from the big strategic objectives they want to achieve.
So you can frame a strong corporate compliance program as part of the company’s enterprise risk management: “We need to get compliance right, and make sure that strong compliance supports risk management, which helps the company pursue its strategy. And here are all the ways we can strengthen compliance in that way.”
From our lips to the board’s ears.