New Guidance from COSO on Compliance Risk. Is it of value?

November 22, 2020

One of my good friends asked me to review the latest from COSO, Compliance Risk Management: Applying the COSO Framework, which was published this month.

My friend said it was one of the worst pieces of guidance released by COSO, but I tend to disagree. It has value but is incomplete.

I like these comments:

  • Compliance risks are common and frequently material risks to achieving an organization’s objectives.

ndm: It is refreshing to see the reference to achieving objectives.

  • Compliance risks are those risks relating to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel.

ndm: The publication includes not only violation of laws and regulations but also of corporate values, what OCEG refers to as mandatory and voluntary boundaries.

  • Although the underlying acts (or failures to act) are carried out by individuals, compliance violations are generally attributable to the organization when they are carried out by employees or agents of the organization in the ordinary course of their duties. The exact scope of acts attributable to an organization can vary depending upon the circumstances.
  • Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).
  • A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.
  • Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs.
  • The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws.
  • A sampling of some of the guidance from outside the U.S. reveals a mostly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom’s Ministry of Justice has provided guidance on the Bribery Act 2010, describing procedures that commercial organizations can put in place to minimize the risk of bribery.

ndm: I am pleased to see reference to other nations and also to the ISO standards.

  • …internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of internal controls.
  • An important aspect of ERM is its focus on creating, preserving, and realizing value.
  • It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels.
  • The role of the compliance and ethics officer is to help management understand the risks; lead the development of the program to mitigate and manage those risks; evaluate how well the program is being executed; and report to leadership on gaps in coverage, execution, or material instances of noncompliance, including those by senior leaders.
  • The board of directors is responsible for oversight of the organization’s C&E program, and management is responsible for the design and operation of the program.
  • Culture begins with a sincere commitment to compliance and ethics at the leadership level.

ndm: The commitment has to be sincere. Leaders have to walk and talk in a way that people believe in their integrity, morality, and ethical behavior. A leader is somebody you willingly follow, and a leader when it comes to compliance inspires all to be ethical.

  • When allegations of noncompliance or unethical behavior emerge, they must be taken seriously. This means that individuals should be required to report wrongdoing and have multiple avenues for reporting.

ndm: It is hard and legally questionable to require people to report suspected wrongdoing.

  • Context is critical to understanding and managing compliance risks. Business decision-making is one of the drivers of compliance risk; decisions can create new risks, change existing risks, or eliminate risks.
  • Risk interdependencies may also affect how an organization manages compliance risks. An organization’s responses to other risks (e.g., strategic, financial) may affect compliance risk in a positive or adverse way.

ndm: This is one of the areas where the guidance is incomplete. There may be other sources of risk and opportunity that need to be considered together with compliance-related risk.

  • Organizations must also recognize that they cannot realistically eliminate all compliance risks or reduce the likelihood of occurrence to zero. This is simply not possible. As a result, engaging in discussions about risk appetite relating to compliance risks is a valuable tool in prioritizing efforts aimed at prevention and detection of specific compliance violations. Guidance from regulators is consistent with this concept: expecting organizations to reduce and manage, not necessarily eliminate, compliance risk.

ndm: This is similarly incomplete. You cannot discuss ‘appetite’ for compliance risk in a vacuum. More later. In addition, expressing a risk appetite for compliance risk is dangerous ground. Do you want to admit (and document) that you are willing to be in violation of law?

  • The compliance function should be involved in strategy discussions from the standpoint of (1) understanding the strategy so that the C&E program can be designed to manage compliance risks appropriately and (2) advising strategic decision makers about possible compliance risks associated with strategies under consideration.
  • If strategic decisions made by an organization involve merger or acquisition activities, it is important for compliance to be involved early in the process so that appropriate due diligence focusing on compliance risks can be performed.
  • Sometimes, performance metrics developed for business units can inadvertently create incentives to violate compliance requirements.
  • Developing a risk inventory for compliance risk is similar to the process of developing the ERM risk inventory.

ndm: Developing a risk inventory (or register) is fraught with problems, as you tend to end up managing the list of risks instead of managing the business for success. Later, COSO refers to and provides an example of a heat map – for which the best reaction is Yuk!

  • In addition to severity and risk appetite, some organizations consider other factors in their risk prioritization. Adjustments might be made to the risks on the basis of velocity, persistence, and recovery.

ndm: It’s refreshing to see recognition that other factors should be considered in assessing risk.

  • If risks are managed in isolation without consideration of other risks, inefficiencies — and possibly conflicts — can occur.

ndm: True, but what about opportunities?

There’s a great deal more information of value. These are just some of the highlights.

So what is missing?

  1. There is no answer to the question of how do I determine how much to invest in preventing non-compliance. What is reasonable, such that it would be accepted by regulators?
  2. There is no discussion of how to consider the fact that decisions involve multiple sources of risk, and making a decision without considering all the things that might happen is likely to have undesirable results.
  3. There is no discussion of how to factor in opportunities, the reason to take risks.
  4. The reporting is siloed rather than showing leaders in management and the board the big picture.
  5. The risk is portrayed as a point rather than as a range of potential effects on objectives.
  6. Even though there is reference to other nations, it is past time for COSO to be an international body with international thought leadership.

These and more are discussed in Risk Management for Success.

I welcome your thoughts.

  1. November 22, 2020 at 11:55 AM

    COSO has been a flawed enterprise from the beginning. Its only redeeming qualification has been the necessary effort to ‘codify’ in some manner the basic concepts of internal control.

    Such efforts have been flawed since the implementation of FCPA which hijacked an audit concept of internal accounting control based on risk, and made it an artifact of law, with little appreciation for the context in which internal accounting controls operate in the broader enterprise.

    Let us remember that it is management that creates controls, not auditors. If we are to have an effective foundation of management control philosophy, criteria and principles on which to build management practice, and to audit such practice, it must begin with management taking a much stronger and multidisciplinary role in defining that philosophy.

    While professional organizations other than auditors have participated in COSO, and lend an appearance of breadth to the enterprise, I think it’s safe to say that such participants by and large all share their fundamental professional DNA in auditing, and risk assessment is their catechism and mantra.

    But management is more diverse than finance, and management’s primary obsession is with objectives, and secondarily with the risks derived from those objectives, of which compliance is part.

    Over time COSO, to its credit, has evolved to the more objectives-oriented focus that it should have assumed from the beginning, if it had not been so deeply inculcated with the auditing concept of ‘control’. But that concept remains the foundation of its endeavors, and as long as it remains such, all that is derived from it will be to some degree less than it should be, if not flawed.

  2. bwmcuaig
    November 25, 2020 at 4:51 AM

    I completely agree. The underlying beliefs and paradigms driving COSO and specifically the IIA really need to be questioned. Some good things came out of Treadway but most have been lost or disregarded. There has been little or no innovation or progressive thinking in years.
