Companies should create closer links between their compliance departments and risk managers who focus on an array of corporate hazards, according to an influential organization that guides companies on enterprise risk-management practices.
The Committee of Sponsoring Organizations of the Treadway Commission, whose recommendations are followed closely by public companies, issued voluntary guidance Tuesday aimed at helping boards, executives and lower-level managers better identify, monitor and mitigate compliance risks.
The guidance encourages organizations to better coordinate risk management, compliance and ethics functions to strengthen protections against legal and regulatory pitfalls.
“You need to integrate those together,” COSO Chairman Paul Sobel said. “Make sure that they’re being managed jointly or at least integrated so that they’re not duplicating efforts.”
Strategic risks, such as an aggressive sales push, might be monitored by enterprise risk managers but not by the compliance department. If the tactics used to meet those sales goals run afoul of the law, however, the same risk becomes a compliance risk.
Breaking down silos between departments would help companies more easily spot such scenarios, Mr. Sobel said. Doing so also could help compliance play a bigger role in advising on legal or regulatory issues that could fall outside the department’s purview, he said. Accounting standards, for instance, often are governed by finance departments, while compliance with employment law is often overseen by human resources.
“The compliance function should always be prepared to serve an overarching role or to step in to assist or address issues if the others are unable or unwilling to properly manage the risk,” the guidance said.
Companies have long looked to the federal sentencing guidelines and to U.S. Justice Department guidance for prosecutors for clues on how best to develop strong compliance programs. COSO’s new guidance puts those guidelines into context with its enterprise risk management framework, a document followed by many companies.
Elements of COSO’s ERM framework, particularly sections on internal controls, are often adopted by companies for the purposes of complying with the Sarbanes-Oxley Act, which requires management to give assurance of the effectiveness of controls over financial reporting.
Not all companies are required to maintain compliance programs, but many do as a matter of good governance. Corporate compliance efforts are often taken into consideration when governments weigh penalties for violations, and fines can be significantly reduced if companies have robust and functioning compliance programs.
The COSO guidance emphasizes the importance of establishing a culture of integrity and communication to reduce legal risks. It also makes recommendations on reporting and governance, including where a compliance department should sit within an organization, something that can vary from company to company.
Compliance departments should be separate from legal- and regulatory-affairs departments, according to COSO, a joint initiative of organizations including the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants and the Institute of Internal Auditors.
“This independence is not generally required, but is rapidly emerging as a preferred practice due to the differing and sometimes conflicting responsibilities of the two functions,” the guidance says.
COSO has been issuing more detailed guidance on specific subjects in recent years to supplement its high-level ERM framework. It is expected to release new guidance on artificial intelligence, cloud computing and integrated financial reporting in the months ahead, Mr. Sobel said.
Write to Jack Hagel at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.