In such uncertain and volatile times many companies are feeling vulnerable – not just because of the pandemic, but also in the face of growing regulatory pressure. An effective compliance and ethics (C&E) programme can help you manage a rapidly changing environment more effectively and make sure your organisation does the right things right. In this blog post we look at valuable new guidance that could help you get your C&E programme up to speed and build strength in the face of vulnerability.
Companies are paying more and more attention to effectively managing and mitigating compliance risks. This is especially true at a time when compliance programmes are under scrutiny by regulators. At the same time, the impact of COVID-19 needs to be dealt with. Fortunately, there are solid frameworks available to support organisations seeking to step up their C&E efforts.
In November 2020, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published new guidance entitled Compliance Risk Management: Applying the COSO ERM Framework. It is designed to help companies enhance their compliance risk management. The publication is based on current leading practices and provides guidance on the design and operation of an effective compliance and ethics programme.
COSO defines enterprise risk management (ERM) as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organisations rely on to manage risk in creating, preserving, and realising value”. The COSO framework comprises five interrelated components:
- Governance and culture
- Strategy and objective-setting
- Review and revision
- Information, communication and reporting.
These five components come with 20 underlying principles as shown below.
Source: Compliance Risk Management: Appling the COSO ERM Framework, November 2020.
For each of the 20 principles of the COSO ERM framework, the new COSO guidance maps the specific requirements and emerging practices of an effective compliance and ethics (C&E) programme.
An overview of the COSO ERM framework & the new guidance
To give a brief overview of the new guidance, let’s now take a look at some of the specific requirements and emerging practices cited in helping companies to meet the 20 principles and uphold an effective C&E programme. It is important to mention that the requirements and practices mentioned are exemplary and not intended to be exhaustive.
Governance & Culture is the first component. It requires the board of directors to exercise risk oversight. Consequently, the board must oversee compliance risk management and the compliance and ethics programme; it also needs to set the tone at the top. Effective governance and culture also require the establishment of operating structures. This includes providing sufficient resources for the C&E programme and giving the Chief Compliance Officer sufficient authority to manage it effectively. It is also important to document policies and procedures specific to the operation of the C&E programme, as well as to establish protocol/procedures for escalating significant compliance risk events as required.
The second component, Strategy & Objective, requires an analysis of business context. This includes considering how compliance risks are affected by both internal changes (e.g. people, structures, processes and technology) and external factors (e.g. competitive, enforcement trends, environmental, etc.). As the business context can change over time, these compliance risks have to be re-assessed on a regular basis.
The third component, Performance, addresses the principles of identification, assessment of severity and prioritising of risks, as well as the implementation of risk responses. Compliance risks associated with the planned strategy and business objectives need to be identified by assessing the internal and external environment. The severity of these risks is primarily gauged on the basis of likelihood and impact. Risk responses are then designed to manage the assessed level of risk.
The fourth component deals with the Review & Revision of compliance risks. One of the underlying principles is the review of risk and performance. A monitoring and auditing plan should be developed for each high-priority compliance risk, including a description of the planned risk responses, the person responsible for the response, how response effectiveness is measured and the person responsible for the performance review. Role clarification for the plan is essential to minimise duplication of effort and optimise the risk coverage within the organisation. The Three Lines Model from the Institute of Internal Auditors (IIA) can be used to help establish role clarity. As shown in the visual below, the Three Lines Model makes a clear differentiation between governing activities, management actions and independent assurance activities (such as Internal Audit).
Source: The IIA’s Three Lines Model – An Update of the Three Lines of Defense, July 2020.
A key indicator of a successful and effective C&E programme is the commitment to continuous improvement. Some improvements to the programme are reactive in nature. However, continuous improvement also involves taking proactive measures. So it is crucial to stay current on innovative approaches as well as new or improved tools that could improve the C&E programme’s performance and effectiveness.
The fifth component, Information, Communication and Reporting, includes reports on risk, culture and performance. This could include providing periodic reports on compliance and ethics risk assessments as well as related remediation efforts tailored to key stakeholders.
Call to action
The global pandemic has confronted companies with new and unprecedented challenges and has raised the bar, making an effective, tailormade C&E programme more important than ever.
What can you do to make it happen?
- Bring your C&E programme to life in a comprehensive framework, fully aligned with your enterprise risk management. Break down the silos.
- Assess your current C&E programme against the five components and underlying principles in the new COSO guidance on compliance risk management
- Close the gaps: Define actions to further align with the COSO guidance and strengthen your approach to identifying, assessing and managing compliance risks. Make sure actions have clear accountabilities and due dates.
- Instil a culture of continuous improvement: Regularly check the C&E programme’s effectiveness, ensure agreed actions have been implemented and are bringing the desired results, and be bold in making changes to the C&E programme to address shifts in the internal/external environment.
- Last but not least, broadcast your C&E programme and its objectives throughout the organisation. Make sure it is known and understood by stakeholders at all levels, and get buy-in.
In such uncertain and volatile times, an effective C&E programme is a powerful tool that can help companies manage in the new normal. Now’s a good time to step up your C&E programme and turn it into a beacon to help your organisation to do the right things right.