

Importance of Risk Management Implementation in Hospitality Projects
Risk management has become a focal part of efficient project development and implementation in the hospitality industry, which is characterized by a fast-paced and competitive environment. Because hospitality projects involve large capital investment, complicated stakeholder engagement, and multiple operational challenges, the risk management strategy can tip the balance toward a project succeeding or failing. It is therefore one of the project manager's responsibilities to ensure completion of the work and to avoid expensive failures and damage to the organization's reputation by using probability analysis to anticipate potential risks.
Risk management in hospitality construction helps to identify possible hazards and prevent them promptly. Beyond the quantitative measures managers use to assess risk, comprehensive risk assessments help managers make informed decisions. A risk strategy can accommodate financial, operational, regulatory, and reputational risks (Rajić et al., 2023), and it helps in designing a system of actions for forecasting and dealing with eventual problems, which in turn leads to the effective completion of projects. Risk evaluation and quantification also support decision-making because project managers understand the risks better; this makes their use of resources more efficient, since funds are directed to the problem with the greatest risk impact.
Furthermore, risk management makes the human decision-making process much more dependable. Risk assessment and analysis enable project managers to achieve better results, allocate resources precisely, and spend funds wisely (Crovini et al., 2020). Consequently, financial performance can be more satisfactory, resources are fully utilized, and stakeholders can trust that the implementation will succeed. A good example is Hilton, a leading international hotel chain, which has implemented risk-based project prioritization. This process aims at smart decisions and efficient resource utilization across the organization.
[Image: Hilton risk management]
In addition, customer satisfaction is the principal element of the hotel trade, since the brand is a critical asset. Risk management deserves attention because it supports timely delivery and maintains high-quality services. Collaborating on an incident prevention plan can reduce the impact on the guest experience and shield an organization's reputation from operational risks such as machinery failure, supply chain obstacles, or worker shortages (Alvarez-Milán et al., 2018). The lasting success and longevity of a hospitality project depend on customer satisfaction and on the hospitality brand itself. Customer happiness, beliefs, and reputation remain at the core of a viable customer base.
Risk management techniques can also improve interactions and communication with stakeholders. When risk distribution data is made transparent and risk managers stay in close contact with stakeholders, trust is built, all parties solve problems collaboratively, and a consensus is reached on goals and risk management plans (Crovini et al., 2020). In the actual implementation of the strategy, a team-oriented approach is essential for maximum returns from decision-making, resource allocation, and stakeholder involvement, which consequently leads to the achievement of the hospitality project's goals. Hospitality giant Hyatt stands out in operational risk management, maintaining high-quality service, and establishing a strong brand reputation (Qi, 2023). Because its project managers plan to mitigate problems such as equipment failure, supply chain disruption, and workforce shortages, Hyatt can acquit itself well when faced with adversity. Its essential goal is to prevent any harm to the guest experience; likewise, it preserves the company's reputation, which it aims to retain.
In conclusion, fully integrated risk management constitutes an indispensable part of implementing hospitality projects and is a factor determining their success or failure. Attention should focus on risk assessment and management, decision-making procedures, standards of service, employees' attitudes, and corporate image. The advancement of the hospitality industry has placed enterprises in a position where risk management mechanisms must be deployed deliberately and comprehensively. These techniques are valuable and help to overcome complexity and cope with powerful competition.
References
Alvarez-Milán, A., Felix, R., Rauschnabel, P. A., & Hinsch, C. (2018). Strategic customer engagement marketing: A decision-making framework. Journal of Business Research, 92,
Crovini, C., Santoro, G., & Ossola, G. (2020). Rethinking risk management in entrepreneurial SMEs: towards the integration with the decision-making process. Management Decision, 59(5), 1085–1113.
Qi, Y. (2023). Financial Analysis of Hyatt Hotels Corporation. Highlights in Business, Economics and Management, 15, 111–116.
Rajić, M., Maksimović, R., & Milosavljević, P. (2023). Emergency Planning and Disaster Recovery Management Model in Hospitality—Plan-Do-Check-Act Cycle Approach. Sustainability, 15(7), 6303.
Committee of Sponsoring Organizations of the Treadway Commission
Enterprise Risk Management
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA)
COSO Board Members
Paul J. Sobel, COSO Chair
Daniel C. Murdock, Financial Executives International
Douglas F. Prawitt, American Accounting Association
Jeffrey C. Thomson, Institute of Management Accountants
Robert D. Dohrer, American Institute of CPAs (AICPA)
Patty K. Miller, The Institute of Internal Auditors
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)
Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
Enterprise Risk Management
Research Commissioned by Committee of Sponsoring Organizations of the Treadway Commission
November 2020
Copyright © 2020, Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO images are from COSO Enterprise Risk Management – Integrating with Strategy and Performance ©2017, The American Institute of Certified Public Accountants on behalf of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a trademark of the Committee of Sponsoring Organizations of the Treadway Commission.
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions, please contact the American Institute of Certified Public Accountants, which handles licensing and permissions for COSO copyrighted materials. Direct all inquiries to [email protected] or AICPA, Attn: Manager, Licensing & Rights, 220 Leigh Farm Road, Durham, NC 27707 USA. Telephone inquiries may be directed to 888-777-7077.
Design and production: Sergio Analco.
1. Introduction
2. Governance and Culture for Compliance Risks
3. Strategy and Objective-Setting for Compliance Risks
4. Performance for Compliance Risks
5. Review and Revision for Compliance Risks
6. Information, Communication, and Reporting for Compliance Risks
Appendix 1. Elements of an effective compliance and ethics program
Appendix 2. International growth in recognition of compliance and ethics programs
About COSO
Why this publication is needed
Compliance risks are common and frequently material risks to achieving an organization's objectives. For many years, compliance professionals have used a widely accepted framework for compliance and ethics (C&E) programs to prevent and promptly detect noncompliance and other acts of wrongdoing. The C&E program framework is described in Appendix 1 (if readers are not already familiar with the elements of a C&E program, consider reading Appendix 1 before proceeding). The COSO Enterprise Risk Management (ERM) Framework, meanwhile, has been used by risk and other professionals to identify and mitigate a variety of organizational risks, including compliance risks.
This publication aims to provide guidance on the application of the COSO ERM framework to the identification, assessment, and management of compliance risks by aligning it with the C&E program framework, creating a powerful tool that integrates the concepts underlying each of these valuable frameworks.
What are compliance and compliance-related risks?
Risk is defined by COSO as "the possibility that events will occur and affect the achievement of strategy and business objectives." Risks considered in this definition include those relating to all business objectives, including compliance. Compliance risks are those risks relating to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel. Throughout this publication, "events" associated with compliance risks will be referred to as "noncompliance" or "compliance violations."
Although the underlying acts (or failures to act) are carried out by individuals, compliance violations are generally attributable to the organization when they are carried out by employees or agents of the organization in the ordinary course of their duties. The exact scope of acts attributable to an organization can vary depending upon the circumstances. In some cases, the employee may also bear liability as an individual.
Most compliance violations either inherently cause harm or have the potential to result in direct harm to individuals, communities, or organizations. Examples of parties that may be harmed through compliance violations include customers (e.g., violations of privacy or data security laws leading to a breach and theft of personal information, product safety violations resulting in injuries, antitrust violations resulting in inflated prices), employees (e.g., workplace safety regulation violations resulting in injury to a worker, antidiscrimination or whistleblower protection law violations), or the general public (e.g., environmental violations resulting in illness or death).
Although most compliance risks relate to specific laws or regulations, others do not. These other risks, referred to as "compliance-related risks," may include risks associated with failures to comply with professional standards, internal policies of an organization (including codes of conduct and business ethics), and contractual obligations. For example, conflicts of interest represent violations of laws or regulations only in limited instances (frequently involving government officials or programs). Conflicts of interest are frequently prohibited by professional standards, terms of contracts and grant agreements, or internal policies, and they are viewed as damaging to an organization if they are not disclosed and managed. As a result, conflicts of interest are commonly included within the population of compliance risks.
Accordingly, throughout this publication, the term "compliance risk" is used in reference to any risk that is either directly associated with a law or regulation or is compliance-related in that it is associated with other standards, organizational policies, or ethical expectations and guidelines.
As this discussion illustrates, the scope of what an organization considers to be compliance risks is not an exact science, although most organizations use a similar list of compliance risk areas within the universe of their programs (e.g., environmental, bribery, and corruption), even if the specific compliance risks within each area may differ.
Determining the exact scope of a C&E program is typically both an early step in developing the program and an ongoing exercise as the risk landscape changes, and input from compliance, legal, senior leaders, and the board are
Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).
The current U.S. Federal Sentencing Guidelines (USSG) identify the following seven elements of an effective C&E program:
• Standards and procedures
• Governance, oversight, and authority
• Due diligence in delegation of authority
• Communication and training
• Monitoring, auditing, and reporting systems
• Incentives and enforcement
• Response to wrongdoing
Most noncompliance stems from actions taken by insiders – employees, management, or members of an organization's board of directors. Increasingly, risks also result from contractors and other third parties whose actions affect an organization. The most common examples involve vendors in an organization's supply chain (e.g., when a supplier of Egyptian cotton bedding for several major retailers was found to be using a lesser grade of cotton that was not from Egypt, the retailers incurred significant liabilities to their customers) or third parties involved in the sales cycle (e.g., intermediaries that may pay bribes to government officials in order to obtain lucrative contracts for an organization).
A final consideration in determining the scope of a program is the potential for inherited risks resulting from merger and acquisition (M&A) activity. As M&A transactions take place, the universe of compliance risks to which an organization is exposed can change drastically and instantly. These risks may relate to events that took place prior to the merger or may simply result from unique risks faced by the merged entity that the acquiror had not previously faced.
The evolution of compliance and ethics programs
Although compliance with laws and regulations has been an expectation for many years, compliance and ethics as a profession and as a distinct function in organizations is a relatively recent development. It stems from the equally recent emergence of the C&E program as a valuable and frequently required element of organizational management.
A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.
Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs. This two-part requirement has often been referred to as the eighth element of an effective program. Each of these elements is explained in greater detail in Appendix 1.
The USSG also state that organizations should promote a culture that encourages ethical conduct and a commitment to compliance with the law. This acknowledgment that organizational culture and business ethics play integral roles in compliance risk management is one of the factors that led to the common use of the term "compliance and ethics program" or "C&E program."
The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws. In criminal cases involving noncompliance with laws, an organization's penalty can be decreased significantly from a base amount determined, in part, on the existence of an effective C&E program. Developing case law related to the guidelines has added further weight to the importance of C&E programs, particularly in highly regulated entities, with courts concluding that the failure to implement an effective C&E program may represent a breach of fiduciary duty. Additionally, guidance issued by the U.S. Department of Justice and other agencies has emphasized the importance of C&E programs.
Although the USSG don't require organizations to have C&E programs, individual government agencies sometimes do. For example, certain healthcare organizations must have compliance programs as a condition for eligibility to participate in Medicare, and the Federal Acquisition Regulations require certain government contractors to have compliance programs.
Finally, a compliance department should be separate from the legal and regulatory affairs department. This independence is not generally required, but is rapidly emerging as a preferred practice due to the differing and sometimes conflicting responsibilities of the two functions. For example, guidance issued by the Office of Inspector General of the U.S. Department of Health and Human Services (HHS OIG) indicates that the compliance department should be independent. In its 2012 A Toolkit for Health Care Boards, the HHS OIG's Health Care Fraud Prevention and Enforcement Action Team (HEAT) stated: "Protect the compliance officer's independence by separating this role from your legal counsel and senior management. All decisions affecting the compliance officer's employment or limiting the scope of the compliance program should require prior board approval."
International guidance on compliance and ethics
Although the most extensive statutory, regulatory, and nonregulatory guidance on C&E programs has emanated from the United States, many other countries have issued various forms of requirements for and guidance on C&E programs. In some instances, guidance on C&E programs outside the U.S. is limited in application to specific areas of the law, such as bribery and corruption or antitrust/competition. In others, it is broader, like it is in the U.S., and applicable to many areas of the law. Much of the guidance issued globally mirrors many of the concepts and elements described in the USSG.
A sampling of some of the guidance from outside the U.S. reveals a mostly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom's Ministry of Justice has provided guidance on the Bribery Act 2010, describing procedures that commercial organizations can put in place to minimize the risk of bribery. Those procedures are summarized into the following six principles, which closely align with the USSG:
• Proportionate procedures
• Top-level commitment
• Risk assessment
• Due diligence
• Communication (including training)
• Monitoring and review
Guidance has also been issued by the International Organization for Standardization (ISO). Its 2016 ISO 37001 Anti-bribery management systems standard includes the following expectations of a program:
1. Performance of a bribery risk assessment
2. Leadership and commitment to the anti-bribery management system
3. Establishment of an anti-bribery compliance function
4. Sufficient resources provided for the anti-bribery management system
5. Competence of employees
6. Awareness and training on anti-bribery policies
7. Due diligence in connection with third-party business associates and employees
8. Establishment and implementation of anti-bribery
9. Internal audit of the anti-bribery management system
10. Periodic reviews of the anti-bribery management system by the governing body
Beyond bribery, ISO has also issued guidance more broadly on compliance management systems in the form of ISO 19600:2014. Most recently, ISO/DIS 37301 was proposed in 2020 to replace ISO 19600. The draft new standard describes the following five elements of a compliance management system:
1. Compliance obligations (identification of new and changed compliance requirements)
2. Compliance risk assessment
3. Compliance policy
4. Training and communication
5. Performance evaluation
A variety of other legal and regulatory developments that do not directly reference C&E programs nonetheless affect them. For example, 2019 European Union regulations aimed at providing new protections for whistleblowers help in supporting an important element of an effective C&E program. Similarly, data protection and privacy laws commonly differ from one country to another, but frequently have direct or indirect effects on C&E programs.
Additional examples of international guidance on C&E programs are provided in Appendix 2. What it shows is that global guidance on C&E programs has far more similarities than differences, even if the scope of application of a C&E program may differ (i.e., limited to bribery and corruption in some jurisdictions and broader application in others). The common thread across these various guides is a shared appreciation for the elements on which this COSO guide is based.
The relationship between compliance, internal control, and enterprise risk management
COSO defines internal control in Internal Control – Integrated Framework (2013) and Enterprise Risk Management – Integrating with Strategy and Performance (2017) as follows:
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Source: COSO Internal Control Framework ©2013
As this definition clearly points out, internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization's system of internal controls. The following five components of internal control support all three categories of objectives:
• Control environment
• Risk assessment
• Control
• Information and communication
• Monitoring activities
The relationships between the three objectives, five components, and the entity are depicted in figure 1.1:
[Figure 1.1: The COSO 2013 Framework]
COSO defines ERM as follows:
The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
The COSO ERM framework, like the internal control framework, comprises five interrelated components:
• Governance & culture
• Strategy & objective-setting
• Performance
• Review and revision
• Information, communication, and reporting
[Figure 1.2: Risk Management Components, showing the five ERM components (Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting) with their 20 principles. Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance]
ERM is different from, but related to, internal controls. ERM incorporates some of the concepts of internal control. In fact, implementation of internal controls is the most common approach to reducing risk. But ERM also includes certain concepts that are not considered within internal control. For example, concepts of risk appetite, tolerance, strategy, and business objectives are set within ERM, but are viewed as preconditions of internal control. ERM is more closely aligned with strategy than internal control.
An important aspect of ERM is its focus on creating, preserving, and realizing value. The C&E program supports each of these three goals. An effective C&E program allows an organization to more confidently pursue new value creation opportunities. Further, value that has been created by an organization can quickly become impaired when accompanied by violations of laws or regulations. An effective C&E program can preserve this value and enable an organization to fully realize it.
Accordingly, the management of compliance risk is an important element of both the internal control and the broader ERM functions and processes of an organization.
The scope and positioning of the compliance function in an organization
As noted earlier, compliance risk generally involves the risk of violations of laws and regulations, but it may also address contract provisions, professional standards, organizational policy, and ethics matters. The laws and regulations that fall within the scope of a compliance program, however, can vary by industry and from organization to organization. For example, risk of violating the Foreign Corrupt Practices Act may fall clearly within the scope of a company's C&E program. But compliance with accounting standards required in filings with the U.S. Securities and Exchange Commission may be addressed within the accounting and finance functions and may be considered outside the scope of the C&E program. Human resources and employment law risks may be managed entirely within the human resources function, or the compliance function may also participate in managing these risks.
There is not a universally accepted definition for the scope of an organization's C&E program. It can vary from one organization to another. As a result, compliance with some laws and regulations may be primarily subject to the oversight of others, although the compliance function should always be prepared to serve an overarching role or to step in to assist or address issues if the others are unable or unwilling to properly manage the risk.
Another difference among organizations may involve where the compliance function "sits" within the organization. Although a C&E program is organization-wide, involving employees and managers from all functional areas, the compliance function, consisting of a dedicated team of compliance and ethics professionals, may be positioned in a variety of locations within an organization chart. In most organizations, it is an independent function, and this is considered the best practice. In others, it may be a part of, or report to, legal, internal audit, risk management, or another function. Regardless of where the compliance function is positioned on an organization chart, communication and collaboration with each of the preceding functions are essential to the success of a C&E program.
Likewise, ethics may be considered a function apart from compliance. In many organizations, however, compliance and ethics fall under a compliance and ethics officer.
It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels. The compliance function leads the development of the C&E program, but it is ultimately management's job to execute the program and for the board to provide oversight. The role of the compliance and ethics officer is to help management understand the risks; lead the development of the program to mitigate and manage those risks; evaluate how well the program is being executed; and report to leadership on gaps in coverage, execution, or material instances of noncompliance, including those by senior leaders.
In summary, management of compliance risk can be performed effectively under a variety of structural models. This publication provides guidance on the design and operation of an effective C&E program regardless of the organizational structure or how responsibilities are allocated.
About this Guidance
There are several target audiences for this publication, including the following:
• Compliance professionals who are aiming to align their C&E program to, or integrate it with, an organization-wide ERM program.
• Professionals such as risk managers, internal auditors, and others who are involved in applying an organization's ERM program to compliance risks.
• The senior management team, to better understand compliance risk and the C&E program.
• Members of the board of directors, to assist them in their oversight role.
When the USSG were developed, and as the elements of effective C&E programs have evolved, fitting the seven elements within the ERM framework was not a significant concern or objective. Indeed, much of this evolution occurred before the first ERM framework was published by COSO in 2004.
In the remaining portions of this guide, each of the 20 principles of the COSO ERM framework, depicted in figure 1.3, is mapped to the specific requirements and emerging practices of an effective C&E program. Section 2 starts with the governance and culture component and the related five principles. Sections 3 to 6 cover the other components and their related principles, respectively. In each, key steps [...] program for each of the ERM principles.
[Figure 1.3: Risk Management Components – The 20 principles, grouped under Governance & Culture (principles 1–5), Strategy & Objective-Setting (6–9), Performance (10–14), Review & Revision (15–17), and Information, Communication & Reporting (18–20). Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance]
An example of the application of the guidance provided in this publication to a specific compliance risk can be found at
Figure 1.4 Frequently used terms and abbreviations
The following terms and abbreviations are used frequently throughout this publication:
Board: The board of directors or, where appropriate, a board-level committee that has been delegated the responsibility for compliance oversight by the board of directors
C&E program: Compliance and ethics program
CCO: The chief compliance officer, chief compliance and ethics officer, or the equivalent title associated with the highest-ranking employee charged with oversight of the C&E program
Compliance committee: An internal committee composed of employees from various departments and functions within an organization whose mission is to advise, inform, and partner with the CCO in communicating and extending the compliance function throughout the organization’s operations
Compliance risk: The possibility that violations of applicable laws, regulations, contractual terms, standards, or internal policies will occur and have a negative financial or nonfinancial impact on the organization
DOJ: The United States Department of Justice
USSG: The United States Federal Sentencing Guidelines
This section describes the application of the governance and culture component of the COSO ERM framework to the management of compliance risks. The COSO framework describes the following five principles that underlie this component:
• Exercises board risk oversight
• Establishes operating structures
• Defines desired culture
• Demonstrates commitment to core values
• Attracts, develops, and retains capable individuals
Principle 1 – Exercises board risk oversight
The board of directors is responsible for oversight of the
organization’s C&E program, and management is responsible
for the design and operation of the program. The expectation
of board oversight is reinforced in C&E program standards that
have been promulgated in several countries. For instance, the
USSG § 8B2.1(b)(2)(A)-(C) state that a company’s “governing
authority shall be knowledgeable about the content and
operation of the compliance and ethics program and shall
exercise reasonable oversight.”
Given the possible complexity of an organization’s C&E program,
it is often advisable for the board to delegate responsibility for
this oversight to a board-level standing committee, much like
audit oversight is commonly delegated to an audit committee.
This enables a committee to devote sufficient time to oversight
— time that may be unavailable for the entire board. As noted
earlier, the term “board” is used in reference to either the board
of directors or a board-level committee that has oversight
responsibility for the C&E program.
For oversight to be exercised properly, there must be an
open and direct line of communication between the CCO
and the board. This communication should include regularly
scheduled, periodic meetings, including sessions in which the
board meets privately with the CCO without other members of
senior management present.
Having compliance expertise on the board can be extremely
valuable and can enhance oversight of the program. Ideally,
this expertise comes from industry-specific experience with
relevant compliance issues as well as experience developing
and managing effective compliance programs.
The board should also ensure there is an effective
compliance oversight infrastructure in place to support the
C&E program, to include adequate staffing and resources,
as well as appropriate authority and empowerment to
achieve the objectives of the program. This infrastructure
may also include an internal compliance committee. Often,
an internal compliance committee composed of individuals
from key functions or business units is an effective way
for the CCO to maintain open lines of communication to
facilitate timely awareness of emerging compliance risk
areas and to obtain important input and buy-in on how to
mitigate and address risks.
Table 2.1 Exercises board risk oversight
• Require the board to oversee compliance risk management and the C&E program, including the approval of its charter
• Ensure that the board is knowledgeable of and demonstrates oversight of the C&E program (regular part of agendas, monitors compliance metrics, holds regular executive sessions with CCO and others)
• Require that the board includes a member who possesses compliance expertise
• Document evidence of board oversight of the C&E program in minutes
• Provide input or approve appointment/dismissal/reassignment of CCO and ensure independence
• Ensure that sufficient resources are provided for the C&E program
• Receive regular reports from the CCO
• Ensure that the board is informed about material investigations and remediation efforts and provides input
Principle 2 — Establishes operating structures
The positioning of the compliance function within an
organization has important implications for the effectiveness
of the program. The compliance function should be led by
someone who is positioned to be effective, which typically
means being a peer of other senior leaders. Moreover, the
compliance function must have the practical authority,
resources, and tools to effectively fulfill its mandate. Finally,
the compliance function should be functionally separate
and distinct from other functions, particularly those that are
frequently perceived by regulators as having conflicting
obligations or priorities (e.g., legal, finance, etc.). Although
it may be possible for the compliance and ethics function
to be effective when housed within other departments,
the preferred practice is for compliance to be functionally
separate and — like internal audit — report to the board. If
the function does not report to the board, extra care must be
taken to ensure adequate resources and sufficient autonomy,
including direct and unfiltered access to the board.
Operating structure should also include documented policies
and procedures covering the governance and decision-making
processes associated with the C&E program. From
a governance standpoint, if oversight of the C&E program
has been delegated by the board of directors to a board-
level compliance committee, the committee should operate
in accordance with a board-approved charter. The charter
describes in detail the responsibilities and key operating
procedures of the committee (e.g., frequency and nature of
meetings, reporting to the board) as well as the qualifications
for committee members.
Increasingly, regulators and the enforcement community
consider the stature of the compliance function relative to
other executive functions as a signal of how seriously the C&E
program, and therefore compliance with laws and regulations,
is viewed within an organization. Is the compliance function
buried several layers down the organization chart? Or is
it represented at a very high executive level? Stature also
considers positioning of the CCO relative to other senior
executives of an organization.
Operating structure should also include other key compliance
policies and procedures, such as those that govern
the methodology and performance of compliance risk
assessments, consideration of forming an internal compliance
committee with representation from across the organization,
and procedures for escalation when significant risk events
occur, among other procedures.
Table 2.2 Establishes operating structures
• Maintain independence of the CCO and the compliance and ethics function
• Ensure that the CCO directly reports to and regularly communicates with the board
• Ensure that the CCO and C&E program have high stature relative to other functional leaders
• Grant sufficient authority to the CCO to manage the program effectively
• Provide sufficient resources for the C&E program to be effective
• Address C&E program oversight in the charter (including delegation to a designated committee, if applicable)
• Document policies and procedures specific to the operation of the C&E program
• Establish protocol/procedures for escalation of significant compliance risk events
Principle 3 — Defines desired culture
It is critical for the organization to establish and maintain a
culture of compliance and integrity. Without it, even the most
carefully designed compliance controls will be vulnerable
to failure. Culture begins with a sincere commitment
to compliance and ethics at the leadership level. The
commitment is reflected in several ways, beginning with its
inclusion in a code of conduct or business ethics that is written
in a manner that clearly articulates expectations of behavior.
Leadership can also reinforce and clarify this culture through
other communications. This commitment to culture should be
further reflected through the adoption of important compliance
metrics and by meaningfully incorporating compliance into
the performance evaluation and compensation/incentive
compensation processes, particularly at leadership levels.
An exercise that is helpful in setting expectations for culture is
for senior management to have a robust discussion about the
relationship between compliance risk and the organization’s
risk appetite and risk tolerance, which are discussed further
in the next section. In particular, tolerance, which considers
acceptable levels of variation in performance related to
achieving business objectives, should consider the potential
impact of compliance risk, because compliance with laws,
regulations, and other requirements should itself be one of the
primary business objectives for all organizations.
Another aspect in a culture of compliance is that of risk
awareness. It is one thing to have a culture in which
compliance is important. But an essential element of such an
environment is a culture of risk awareness, where employees
are vigilant and willing to raise concerns when they see
warning signs of risk.
Communication and training are also important tools for
promoting an ethical culture, because each reinforces
an overall mindset of compliance and integrity, while also
improving awareness of key compliance issues. Accordingly,
training should include periodic discussion of the code
of conduct, but it should also include training on specific
compliance issues tailored to individual groups of employees
exposed to these risks in connection with their work.
Table 2.3 Defines desired culture
• Ensure that the board is knowledgeable of and approves a code of conduct/ethics and other key compliance policies
• Explain expectations relating to ethics and compliance in a code of conduct/ethics
• Provide and require training on the code of conduct and on ethical decision-making for all staff (including board members)
• Perform ongoing monitoring or assessment of organizational culture
• Develop objectively measurable compliance metrics tied to performance evaluations and compensation, where appropriate
• Adopt meaningful incentives to promote consistent execution of the C&E program
• Include references to organizational values, expectations, and importance of ethics in communications from
Principle 4 — Demonstrates commitment to
core values
Commitment to core values should be represented in a value
statement or other set of guiding principles that demonstrates
a commitment to compliance and ethical business conduct.
Increasingly, studies show a correlation between ethical
culture and organizational performance, consistent with ERM’s
goal of creating value.
The tone from the top plays an important role in managing
compliance risks. The tone set by the executive team must
set an example of compliance and ethical behavior. This
commitment must cascade throughout the organization, thus
the term tone “from” the top rather than tone “at” the top.
Each layer of leaders within an organization — the supervisors
and managers of others — must communicate and pass this
tone on to the next level.
Commitment to compliance and ethics, however, requires
much more than setting the tone. Employees should be held
accountable for their individual roles in managing compliance
risks, and this should be reflected in job descriptions,
performance evaluations, and incentives.
When allegations of noncompliance or unethical behavior
emerge, they must be taken seriously. This means that
individuals should be required to report wrongdoing and have
multiple avenues for reporting. Once an allegation is received,
sound investigative protocols should be followed in a timely
manner to assess the credibility of the allegation. In addition,
individuals who report concerns about wrongdoing must feel
safe speaking up and be protected from retaliation in order for
this system to operate effectively.
If wrongdoing is confirmed through the investigative process,
disciplinary action should be taken in a degree that is
appropriate to the level of wrongdoing. Discipline should be
consistent based on the nature of the wrongdoing, without
regard to the individual’s level on the organization chart or
level of influence within the organization.
Table 2.4 Demonstrates a commitment to core values
• Actively promote a culture of compliance risk awareness, including setting an ethical and compliant tone by
• Balance business incentives with material compliance incentives
• Incorporate accountability for the management of (1) compliance risks and (2) compliance program implementation into employee performance measurement, promotions, and incentive programs, particularly at senior levels
• Protect those who report suspected wrongdoing, with zero tolerance for retaliation
• Take allegations of wrongdoing seriously and investigate in a timely manner
• Promote organizational justice, including accountability for wrongdoing, fairness and consistency in discipline, and fairness in promotions
• Communicate lessons learned from compliance and ethics failures across the organization in appropriate detail
Principle 5 — Attracts, develops, and retains
capable individuals
An effective compliance function should be led by a CCO with
appropriate experience and qualifications. The specifics of
prior experience and other qualifications can vary based on
the nature of the organization, its industry, and many other
Throughout the entire organization, hiring individuals who
respect compliance and make business decisions in an
ethical manner is vital to the management of compliance risks.
Indeed, being perceived as an organization that is committed
to compliance and ethics helps companies attract and retain
good people.
The USSG, which established the framework for what has
become the global standard for C&E programs, state that
an “organization shall use reasonable efforts not to include
within the substantial authority personnel of the organization
any individual whom the organization knew, or should
have known through the exercise of due diligence, has
engaged in illegal activities or other conduct inconsistent
with an effective compliance and ethics program.” As such,
organizations should perform background checks appropriate
to the responsibilities of the position and in compliance with
relevant employment laws. The CCO may collaborate with
human resources and others to identify positions considered
to involve “substantial authority”— those that could create
compliance risk for the organization.
The COSO ERM framework indicates that performance
evaluation and the establishment of appropriate incentives
are two important ingredients for developing and retaining
individuals. These tools are critical for the management of
compliance risks as well. The Department of Justice (DOJ)
notes that a “hallmark of effective implementation of a
compliance program is the establishment of incentives for
compliance and disincentives for non-compliance.”
Just as training on a code of conduct and broad ethical issues
helps to define an organization’s desired culture (Principle 3),
training on specific compliance risk topics further develops
individuals’ abilities to effectively recognize and manage
compliance risks. Furthermore, the compliance team itself
should continue to be developed with training on emerging
practices for managing a C&E program and changes in the
legal/regulatory environment.
In recent years, numerous compliance issues have been
triggered by third parties (nonemployees), especially those
that play integral roles in connection with supply chains,
sales, delivery, and other key functions. Accordingly, the due
diligence concepts described in this section should also be
applied when engaging third parties to carry out activities
on behalf of the organization (e.g., suppliers, sales agents,
outsourcing partners), based on the level of compliance risk
associated with each third party. The degree of background
checking, other due diligence, and compliance-related
performance measures should vary based on the assessed
level of risk, and due diligence should be repeated periodically
as part of maintaining ongoing relationships with high-risk third
parties. Due diligence in engaging with certain third parties,
as well as ongoing training and monitoring of compliance
performance of third parties, have become expected by
regulators and are integral elements of this principle.
Table 2.5 Attracts, develops, and retains capable individuals
• Hire and retain a CCO with appropriate experience/expertise to lead the C&E program
• Staff the compliance team with individuals that possess relevant expertise
• Perform background checks aimed at screening for compliance risk, tailored to the level of risk associated with each position
• Consider employee execution of and adherence to the requirements and expectations of the C&E program in the preparation of performance evaluations
• Appropriately tailor compliance training based on the compliance risks encountered for specific roles in the
• Perform risk-based due diligence on third parties
This section describes the application of the strategy and objective-setting component of the COSO ERM framework, and the following four principles associated with the management of compliance risks:
• Analyzes business context
• Defines risk appetite
• Evaluates alternative strategies
• Formulates business objectives
Principle 6 — Analyzes business context
Context is critical to understanding and managing
compliance risks. Business decision-making is one of the
drivers of compliance risk; decisions can create new risks,
change existing risks, or eliminate risks. Accordingly, the
identification of a compliance risk universe should consider
the organization’s evolving strategy. The CCO should have
an appropriate level of involvement in the strategy-setting
process to enable the compliance function to be positioned
to identify and develop plans to manage compliance risks that
emerge from changes in strategy. Likewise, the CCO should
be informed of sudden shifts in strategy that may occur as an
organization responds to changes in its environment.
Context for effective compliance risk management includes
consideration of other internal drivers of compliance risk —
factors that can create new risks or change existing ones.
Some of the most important internal drivers of compliance
risk include changes in people, processes, and technology.
Another driver of compliance risk is management pressure,
particularly when such pressure is not coupled with reminders
regarding the expectation of compliance and appropriate
incentives to adhere to the C&E program. More broadly,
changes in organizational culture can arise from many factors
and can affect compliance risk.
External drivers of compliance risk also represent an important
element of context in identifying and managing compliance
risks. The most obvious external factors are those involving the
legal, regulatory, and enforcement landscape. For example,
recent changes in data privacy and security laws have
created entirely new compliance risks for some organizations.
External drivers also include competitive, economic, and other
factors that may directly or indirectly affect compliance risk.
External factors may be at a macro level (e.g., industrywide
competition, economic conditions) or at a micro level (e.g.,
changes in local or regional laws and regulations).
Risk interdependencies may also affect how an organization
manages compliance risks. An organization’s responses to
other risks (e.g., strategic, financial) may affect compliance
risk in a positive or adverse way.
Table 3.1 Analyzes business context
• Consider and reflect organizational strategy in performing compliance risk assessments and managing compliance risk
• Consider how compliance risks are affected by internal changes, such as changes in people, structures, processes, technology, etc.
• Evaluate effects of external factors (e.g., competitive, economic, enforcement trends, environmental, political, social forces) on compliance risks
• Identify and consider risk interdependencies in the development of strategy
• Give consideration to cultural and regional differences in legal frameworks based on locations where the organization operates
Principle 7 — Defines risk appetite
For those not familiar with the term, appetite for compliance risk
often conjures up images of organizations willfully accepting
known compliance violations. The very nature of compliance risk
means that a law may be violated that could result in financial
or nonfinancial consequences for the organization (e.g., fines,
suspension or debarment, reputational damage). The level of
acceptance of compliance risk in the pursuit of business goals
and objectives is a topic for discussion among management
and the board (being clear to point out that this discussion is not
related to accepting known violations; it is about the realistic
assumption that it is impossible to eliminate the possibility of a
noncompliance event).
As defined by COSO, risk appetite refers to the types and
amount of risk, on a broad level, that the organization is
willing to accept in pursuit of value. Neither appetite nor risk
tolerance — the acceptable levels of variation in performance
related to business objectives — is typically defined at the
risk-specific level.
Although neither appetite nor tolerance is typically expressed in
terms of compliance risk, there may be separate risk-centric
statements relating to individual compliance risk areas. More
commonly, the potential impact of compliance risk on the
achievement of business objectives should be considered in
relation to determining and stating risk appetite and tolerance.
As noted earlier, compliance with laws, regulations, and
other requirements should itself be considered as a business
objective of the organization.
A practical way of viewing compliance risk and its relationship
to risk appetite and tolerance is by viewing it at the business
unit or location level and by type of compliance risk. At the
business unit (or functional) level, each group often has its own
unique compliance risks, each with vastly different potential
consequences for violations. For example, an international
bribery violation may result in much more significant financial
penalties than a building code violation.
A fire code violation may trigger only a rather small fine, but
the potential consequences of a fire code violation tragically
resulting in the loss of life could be enormous. Seemingly
immaterial compliance risks like this building code violation
could lead to other risks, such as a request for a bribe from a
building inspector. Examining risk appetite with consideration
for the full range of potential consequences is an important
element of compliance risk
As noted in COSO’s May 2020 publication, Risk Appetite –
Critical to Success: Using Risk Appetite to Thrive in a Changing
World, three of the inputs to risk appetite are as follows:
1. Board and management perspectives on appetite
2. Understanding the existing risk profile
3. Organizational culture
Board and management perspective on risk appetite should
be framed, in part, on a consideration of the relationships
between compliance risk and the achievement of business
objectives. This can be achieved only if the board and
management have a sufficient understanding of compliance
risk as a component of the organization’s overall risk profile.
Similarly, as noted earlier, maintaining a culture of compliance
is an essential element of a C&E program and, therefore,
should be considered in developing an organization-wide
appetite for risk in general.
Understanding how much of a threat a compliance risk poses
to the achievement of business objectives enables the CCO
to effectively prioritize the deployment of preventive and
detective resources. For example, if an organization has
determined that a particular category of compliance risk poses
a significant threat to the achievement of business objectives,
the organization may allocate greater resources to managing
that risk. More attention may be devoted to auditing and
monitoring in this area, among other possible responses.
Organizations must also recognize that they cannot
realistically eliminate all compliance risks or reduce the
likelihood of occurrence to zero. This is simply not possible. As
a result, engaging in discussions about risk appetite relating
to compliance risks is a valuable tool in prioritizing efforts
aimed at prevention and detection of specific compliance
violations. Guidance from regulators is consistent with this
concept: expecting organizations to reduce and manage, not
necessarily eliminate, compliance risk.
Table 3.2 Defines risk appetite
• Consider compliance risk as part of the organization’s risk profile in determining risk appetite
• Consider compliance risk by (1) type of risk (e.g., anti-bribery), (2) business unit or organizational function (e.g., human resources), and (3) location or region
• Determine and evaluate the relationships between compliance risks and the achievement of business
• Discuss risk appetite on a regular basis and update as necessary based on changes in compliance risk
• Consider developing specific risk-centric appetite statements associated with compliance risks in support of organizational risk appetite and tolerance
Principle 8 — Evaluates alternative strategies
The compliance function should be involved in strategy
discussions from the standpoint of (1) understanding the
strategy so that the C&E program can be designed to
manage compliance risks appropriately and (2) advising
strategic decision makers about possible compliance risks
associated with strategies under consideration. Compliance
risk assessment and management are most effective when
the compliance function is fully informed prior to embarking
on new strategic initiatives, enabling the C&E program to be
prepared to proactively address new or changing compliance
risks. The CCO should also play a role in developing new
compliance risk mitigation approaches in the context of
changing strategies and risk appetite, as well as assistance in
evaluating compliance risk issues associated with alternative
strategies under consideration.
If strategic decisions made by an organization involve merger
or acquisition activities, it is important for compliance to be
involved early in the process so that appropriate due diligence
focusing on compliance risks can be performed. This due
diligence is important to the decision-making process for
mergers and acquisitions in order to understand the level of
risk that may be inherited as a result of the transaction, as well
as any C&E program integration needs and risks that may need
to be addressed.
Once strategy has been decided, the compliance function
should identify and understand the implications for
the organization’s C&E program. Begin by identifying
and assessing compliance risks, as well as suggesting
modifications to internal controls aimed at mitigating
compliance risk. Consider changes to training, monitoring, and
auditing plans for the C&E program, and the development of
key compliance metrics or performance indicators.
As a strategy is being implemented, the organization may
continue to make changes to the strategy based on an
assessment of its successes and failures. This assessment
is another opportunity for the CCO to provide valuable input
based on the C&E program’s monitoring and auditing activities,
which may have revealed a level of compliance risk that differs
from what was initially expected.
Table 3.3 Evaluates alternative strategies
• Ensure that the CCO has a seat at the table in discussions of strategies
• Solicit input and insight from the CCO regarding how strategy affects compliance risk
• Perform risk-based due diligence on merger and acquisition targets prior to execution of the transaction
• Consider implications of strategic decisions (including subsequent changes in strategy) in the design of the C&E program
Principle 9 — Formulates business objectives
Linked to strategy, business objectives are measurable criteria
by which the organization and individual business units can
be evaluated. Much like how adoption of strategy can affect
compliance risk, development of business objectives also
often creates or affects the likelihood of compliance violations.
Additionally, complying with applicable laws, regulations,
contract terms, and other requirements should be considered
as its own business objective if compliance is not explicitly
addressed through other stated business objectives.
Sometimes, performance metrics developed for business units
can inadvertently create incentives to violate compliance
requirements. Take the simple example of a manufacturing
facility whose personnel are incentivized by aggressive
new goals for increased production. This goal could lead
to shortcuts in quality control and inspections, resulting in
product safety violations if the production team views violating
these compliance requirements as an acceptable means of
achieving the new targets. The compliance function should be
consulted as part of the establishment of business objectives,
in much the same manner as described in Principle 8, to
ensure that incentives are appropriately structured to minimize
the promotion of bad behavior or that such incentives are
balanced with appropriate compliance incentives. Ideally,
compliance participates in the establishment of business
objectives, but at a minimum, it is well informed of such
objectives and the performance metrics that are used for
individual evaluations.
Risk interactions should also be considered. As business
objectives and performance metrics change in one area of the
organization, compliance risks may be affected — either in the
same business unit or in other areas of the organization.
Finally, just as performance metrics are an essential
characteristic for business units, the compliance function
itself should develop and monitor performance metrics. These
metrics address and measure how well the C&E program and
infrastructure is working in practice across the organization,
and its overall effectiveness. Examples of measurable metrics
— and key performance indicators (KPIs) — include such
things as training completion rates, timeliness of responding
to issues, investigations, and implementing corrective action
plans, volume, frequency, and types of issues reported through
the organizations’ reporting mechanisms, culture survey
responses over time, and metrics from monitoring various
internal compliance controls such as vendor payments in
high-risk operating locations. Although not all areas of the
C&E program are easy to objectively measure, the compliance
function should take steps to develop and monitor objective
metrics wherever possible.
Table 3.4 Formulates business objectives
• Identify and evaluate compliance risks associated with planned business objectives
• Consider establishing compliance as a separate business objective
• Incorporate compliance risk management and accountability into performance measures and related
• Consider interactions between compliance and other risks based on changes in business objectives
• Include objectively measured compliance metrics within business objectives, reflecting the management of
compliance risk and the effectiveness of C&E program implementation, and carrying appropriate weight in
incentive and other compensation decisions
This section describes the application of the performance component of the COSO ERM framework and the following five principles associated with the management of compliance risks:
10. Identifies risk
11. Assesses severity of risk
12. Prioritizes risk
13. Implements risk responses
14. Develops portfolio view
For C&E programs to be effective, it is expected by
regulators and others that organizations periodically
assess the potential threats of legal, regulatory, and policy
noncompliance, as well as ethical misconduct, so that
the organization can take steps to manage these risks to
acceptable levels.
Principle 10 — Identifies risk
One of the most challenging tasks for the C&E program is
the identification of the myriad compliance risks faced by
the organization. Organizations are subject to thousands of
laws and regulations ranging from antitrust, privacy, fraud,
and intellectual property rights/obligations to local sales
tax, licensing requirements, and environmental standards.
Further, these threats constantly change with new and
altered legal and regulatory requirements; with shifts in
organizational strategies, such as a retailer entering the
business of health care services; and with the emergence of
new compliance risks as societal values evolve. To function
effectively, the C&E program needs to have processes in
place to identify and track these various risks across the
Historically, many organizations approached compliance
with laws and regulations in silos, developing programs to
address specific issues where the organization or others
in the industry had encountered significant challenges. For
example, the business unit directly involved with the risk,
such as antitrust or environmental or money laundering,
would be responsible for most, if not all, aspects of
compliance with those laws. As compliance programs have
matured, they have moved to a more integrative, proactive
approach based not on a particular past crisis that the
organization wishes to avoid repeating, but on the systematic
assessment of the organization and its environment to
identify current and future threats to compliance. This same
motive is what drives organizations to implement ERM.
Not all compliance threats will be considered priorities in
the ERM context. For example, of the 10 most significant
compliance risks identified by the C&E program, perhaps
only 2 or 3 of them will be among the 10 most important
identified by the ERM function at the organizational level,
after consolidating compliance risks with all other risks.
Yet for the C&E program, these are important, because
they can emerge as serious threats through their impact
on the compliance culture. Regulators expect a specific
assessment of compliance risks as part of the C&E program.
This suggests that even when an organization has a mature,
well-developed ERM program, the C&E program should
supplement the organizational-level ERM and should strive
to identify and manage all compliance risks, regardless of
whether all are material at the enterprise level.
Developing a risk inventory for compliance risk is similar
to the process of developing the ERM risk inventory. As
illustrated in figure 4.1, there are a number of approaches
that can be taken, with some approaches being more
effective in identifying new and emerging risks.
For compliance risk identification, some approaches have
been found to be particularly useful. Many organizations
start with a risk inventory identified by similarly situated
organizations or industry associations. This inventory needs
to be viewed as a starting place and should then be tailored
to the organization, considering its unique operations.
Another often-used approach is to interview key employees
to better understand operations and determine applicable
laws and regulations that they deal with on a regular basis.
As noted in figure 4.1, this method is effective at identifying existing laws and regulations posing compliance risks and may provide an indicator of emerging risk, but it may not be as effective at identifying new risks or changing enforcement standards not yet apparent to employees. Surveys may also be used to ask key managers to identify applicable laws and regulations that they deal with regularly in their area.[1]
Figure 4.1 Approaches for Identifying Risks* (figure not reproduced)
Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance, Volume 1, p. 69
Regardless of the approaches taken, the variety and
complexity of compliance risks create the need for
operations managers and risk owners to be involved in the
risk-identification process. One way of doing this is the
development of compliance committees at various levels in the
organization. Senior management and the board must also be
involved by including the C&E program leadership in strategic
planning so they can understand the organization’s current
and evolving strategies and the related compliance risk.
Information provided by regulators can also be helpful in
identifying new and emerging risk, because many of these
agencies issue alerts regarding where they see emerging
risks and have compliance concerns. For example, the SEC
Office of Compliance Inspections and Examinations issues
special risk alerts, and the HHS OIG publishes its work plan
to alert organizations to areas considered to be high risk.
Further, compliance risk extends beyond the legal boundaries
of the organization. Third-party contractors, suppliers,
and partners in strategic alliances can pose significant
compliance and ethical risks. Concerns specifically related
to third-party risks include the following:
1. The organization usually has a lessened ability to
control or oversee the work of a third party than it
would with its own employees.
2. Third parties often do not have as strong an incentive to adhere to compliance and ethics expectations as employees do.
3. Third parties may operate in geographic areas that
are distant from the organization’s headquarters,
sometimes with differing laws, norms, and customs.
For these reasons, assessing risk involving third parties can
be complicated, but risk assessments should be performed at
the time a third party is engaged and periodically thereafter.
The extent of each risk assessment, due diligence process,
and subsequent monitoring and auditing should consider the
role the third party plays, materiality, and other factors that
could affect the level of risk associated with each third party.
Not all compliance risks will rise to the entity level and
appear in the ERM risk register; however, the risk of
regulatory change would be included in such an entity-level
inventory in most organizations.
Table 4.1 Identifies risk
• Describe the compliance risk identification and assessment process in documented policies and procedures
• Identify compliance risks associated with planned strategy and business objectives
• Assess internal and external environments to identify risks
• Create a process for identifying new and emerging risks
• Consider risks associated with use of third parties
• Consider information gathered through hotlines, other reporting channels, and results of investigations
[1] Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 21–25.
Principle 11 — Assesses severity of risk
Severity of a compliance risk is usually assessed primarily on
the basis of likelihood and impact. Other factors may also be
considered and will be explained later.
Likelihood is the probability that the risk could occur. In the
case of compliance, this means the probability of specific
noncompliance with a law/regulation or ethical misconduct.
Assessing the likelihood of compliance risk in most cases is
a subjective judgment. Despite being subjective, systematic
judgment can be made. One approach is to consider
the frequency of noncompliance. Will the event (e.g., a
salesperson making an illegal payment to a government
official to gain a contract) occur once a year or once every
five years? This judgment would be based on experience
or perhaps the organization’s historical data, if such data is
available. Another factor that enters into this assessment
is the organizational context. Typically, the assessor makes
assumptions about controls in place, such as policies
prohibiting such payments or the controls around the
payments process. In theory, one would like the assessment
to be made under the assumption of no controls at all being in
place, but it is difficult for people to imagine such “no control”
situations. They usually make the assessment assuming
“normal controls” or some sort of “minimal controls.” For
greater precision, some assessment methods break the
likelihood assessment in two parts: one for likelihood or
frequency and the other for effectiveness of internal controls,
as shown in figure 4.2. Some models may even consider
preventive and detective controls as two separate factors,
with preventive controls being more relevant to likelihood or
frequency, and detective controls more likely affecting the
impact of an event based on the timeliness of detection.
In figure 4.2, the likelihood of occurrence is measured on
a five-point scale from “rare” to “almost certain.” Control
assumptions and frequency are given descriptive anchors that
are then matched to the assessor’s beliefs.
Figure 4.2 Likelihood of Occurrence*
Five-point scale from "rare" (level 1) to "almost certain" (level 5). Each level pairs a description of the existing controls with a frequency-of-noncompliance anchor.
Level 5 (almost certain). Existing controls: no controls in place; no policies or procedures, no responsible person(s) identified, no training, no management review. Frequency: expected to occur in most; more than once per year.
Level 4. Existing controls: policies and procedures in place but neither mandated nor updated regularly; controls not tested or tested with unsatisfactory results; responsible person(s) identified; some formal and informal (on-the-job) training; no management reviews. Frequency: will probably occur; at least once per year.
Level 3. Existing controls: policies mandated, but not updated regularly; controls tested only occasionally, with mixed results; responsible person(s) identified; training is provided when needed; occasional management reviews are performed, but not documented. Frequency: might occur at some time; at least once in 5 years.
Level 2. Existing controls: policies mandated and updated regularly; controls tested with mostly positive results; regular training provided to the identified responsible person(s), but not documented; regular management reviews are performed, but not documented. Frequency: could occur at some time; at least once in 10 years.
Level 1 (rare). Existing controls: policies mandated and updated regularly; controls regularly tested with positive results; regular mandatory training is provided to the identified responsible person(s), and the training is documented; regular management reviews are performed and documented. Frequency: may occur only in exceptional; less than once in 10 years.
* Adapted from Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 30.
This approach is just one example. Every organization should
customize its scale and measurement methodology to fit
its particular needs. This customization would be done by a
compliance committee or by the C&E program staff with input
from management. Once the scale is determined, it should be
applied consistently by the assessors.
The second component of risk severity is impact. Impact is the
result or effect of risk in terms of the organization’s strategy
and business objectives. With compliance risk, one thinks
immediately of civil and criminal fines and penalties, and the
possible direct financial consequences of noncompliance.
Another significant factor may be the reputational impact of
compliance and ethical issues. This and other consequences
(e.g., sanctions, suspension, and debarment) may have a
material indirect financial impact, as well as an impact on
morale and other factors that are difficult to measure.
Impact of noncompliance and ethical failures can be assessed using a variety of measurement categories:
• Legal — civil and criminal fines and penalties
• Financial — internal and external costs associated with investigation and remediation (e.g., legal fees, consultants, investigators)
• Operational — potential disruption of business operations from plant shutdowns, suspensions, debarments, and loss of license
• Reputation (image) — effect of media coverage; damage to the organization's image/brand; and subsequent diminished attractiveness to current and potential future employees, business partners, vendors, and customers
• Health and safety — employee, patient, customer
• Ability to pursue strategic goals — prohibition on adding new customers, loss of license
Figure 4.3 illustrates how these categories might be used to construct a scale for assessing the impact of compliance risks.
Figure 4.3 Impact of Compliance Risks (table not reproduced; only fragments survived extraction)
Columns: Legal, Financial#, Operational, Reputation (Image)+, Health and Safety, Ability to Pursue Strategic Goals*. Recoverable anchors for the highest (catastrophic) level: criminal conviction probable; loss of accreditation or license; deaths; operational disruption of more than 1 month; sustained U.S. national (and international) negative media coverage (front page of business section).
# Amounts are examples only; each organization should set amounts to reflect its size and financial strength.
* Adapted from Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 39.
+ Adapted from Deloitte, Compliance risk assessments: The third ingredient in a world-class ethics and compliance program, Deloitte Development LLC, 2015.
As with the likelihood scale, each organization would adapt
the impact scale and factors to its own environmental context.
The organization’s risk appetite would also be reflected in
setting the values used in the anchor labels.
An additional factor that may enhance the evaluation of
severity is the localization or regionalization of the assessment.
For multilocation and multinational organizations, risk may vary
from one location or region to another, based on a wide variety
of factors. Rather than assessing severity at the organizational
level, determining separate measures can add an additional
level of precision to the assessment.
Assessment of each of the risks in the compliance risk
inventory can be made by compliance staff or by a compliance
committee and can be conducted at different levels of the
organization. In conducting assessments, steps should be
taken to minimize bias by avoiding self-assessment and using
multiple assessors from varied disciplines and experience to
ensure that risks are appropriately evaluated.
Table 4.2 Assesses severity of risk
• Adopt a uniform scale/scoring system for measuring severity of compliance risks
• Consider qualitative and quantitative measures
• Establish criteria to assess impact and likelihood of compliance risk event occurrence
• Assess severity of risk at different levels (organizational, regional, affiliate, etc.)
• Consider design and operation of internal controls intended to prevent or detect compliance risk events
• Minimize bias and inadequate knowledge in assessing severity (e.g., minimize self-assessments, use multidisciplinary teams)
Principle 12 — Prioritizes risks
The assessments of compliance risks in terms of likelihood
and impact allow for prioritization across the organization.
One method used to capture and summarize the severity
assessment is to construct a risk inventory matrix.
Using the example scales from the preceding section, the
following matrix can be developed.
Figure 4.4 Likelihood vs impact matrix
This allows the organization to group risks in terms of how and
when they will be addressed and the level of attention that
each is given. Although it could be argued that the organization
ideally could address all of its compliance risks, from a practical
perspective, more direct and immediate attention is required
for the most serious risks. How this is done will depend on the
organization’s risk appetite and tolerances and its available
resources. For instance, in the example, risks in the green areas
would be periodically reassessed, but no specific risk response
action or extensive monitoring action would be taken. In the
yellow areas, the risk owners would be required to develop
a risk mitigation plan to reduce or eliminate them without the
addition of significant resources. For those risks falling in the
red areas, compliance committees would be assigned to work
with risk owners to develop detailed response plans in which
risk ownership is clearly identified, assign responsibility for risk
responses, and develop monitoring and auditing plans for the
remediation efforts.
In addition to severity and risk appetite, some organizations
consider other factors in their risk prioritization. Adjustments
might be made to the risks on the basis of velocity,
persistence, and recovery. Velocity is the speed at which a risk
affects the organization, such as a serious food safety violation
that would require immediate closure of a food processing
plant. Persistence is how long the risk affects the organization,
such as media coverage from criminal violations lasting four
or five years. Recovery refers to how long it takes to fix the
problem (i.e., time needed to manage the risk to tolerable
levels), such as how long it takes to implement improved
vendor due diligence criteria and processes to reduce the risk
of shell company transactions.
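The following is an added worked example, not code from the COSO guidance or from Spain's book, showing how the two-part likelihood assessment of Principle 11 (frequency anchor adjusted for control effectiveness), the likelihood x impact matrix of Principle 12, and the velocity and persistence adjustments just described can be turned into a repeatable scoring of a compliance risk inventory. The control-adjustment values, the red/yellow/green thresholds (figure 4.4 is not reproduced on the page), the two-point bumps for velocity and persistence, and the four sample risks are all assumptions chosen for illustration; an organization would set its own, as the text says, and then apply them consistently.

```python
"""Added example: scoring and prioritizing a compliance risk inventory.

Models the figure 4.2 likelihood anchors adjusted for existing controls, a
five-level impact scale, the likelihood x impact matrix, and velocity /
persistence adjustments. All numeric thresholds and the sample inventory are
assumptions for illustration, not values from the page.
"""
from dataclasses import dataclass
from typing import List, Optional

# Frequency-of-noncompliance anchors from figure 4.2, 5 = almost certain, 1 = rare.
FREQUENCY_SCALE = {
    "more than once per year": 5,
    "at least once per year": 4,
    "at least once in 5 years": 3,
    "at least once in 10 years": 2,
    "less than once in 10 years": 1,
}

# Assumption: the assessor states frequency assuming "normal" controls; the
# control-effectiveness factor then shifts the likelihood level up or down.
CONTROL_ADJUSTMENT = {"none": 2, "weak": 1, "normal": 0, "strong": -1, "tested": -2}

# Five-level impact scale (the level names are an assumption).
IMPACT_SCALE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed matrix zones on the 1..25 likelihood x impact product.
RED_THRESHOLD = 15
YELLOW_THRESHOLD = 8


@dataclass
class ComplianceRisk:
    name: str
    frequency: str                       # key of FREQUENCY_SCALE
    controls: str                        # key of CONTROL_ADJUSTMENT
    impact: str                          # key of IMPACT_SCALE
    velocity_days: Optional[int] = None  # days until the risk hits the organization
    persistence_years: float = 0.0       # how long the effects last


def likelihood(risk: ComplianceRisk) -> int:
    """Frequency anchor adjusted for existing controls, clamped to the 1..5 scale."""
    level = FREQUENCY_SCALE[risk.frequency] + CONTROL_ADJUSTMENT[risk.controls]
    return max(1, min(5, level))


def severity(risk: ComplianceRisk) -> int:
    """Likelihood x impact: the cell the risk falls into in the matrix."""
    return likelihood(risk) * IMPACT_SCALE[risk.impact]


def adjusted_score(risk: ComplianceRisk) -> int:
    """Severity with the optional velocity and persistence adjustments.

    Assumption: a risk that hits within a week, or whose effects persist three
    years or more, is bumped two points so that it ranks above a risk of equal
    severity that is slower or shorter-lived.
    """
    score = severity(risk)
    if risk.velocity_days is not None and risk.velocity_days <= 7:
        score += 2
    if risk.persistence_years >= 3:
        score += 2
    return min(score, 25)


def zone(score: int) -> str:
    """Map a score to the matrix colour that drives the response in Principle 12."""
    if score >= RED_THRESHOLD:
        return "red"      # committee + risk owner: detailed response, monitoring, auditing plan
    if score >= YELLOW_THRESHOLD:
        return "yellow"   # risk owner: mitigation plan without significant new resources
    return "green"        # periodic reassessment only


def prioritize(inventory: List[ComplianceRisk]) -> List[ComplianceRisk]:
    """Order the inventory for attention: highest adjusted score first, name as tie-break."""
    return sorted(inventory, key=lambda r: (-adjusted_score(r), r.name))


# Constructed sample inventory (illustrative assessments, not real ones).
SAMPLE_INVENTORY = [
    ComplianceRisk("Illegal payment to foreign official", "at least once in 5 years",
                   "weak", "catastrophic", velocity_days=30, persistence_years=5),
    ComplianceRisk("Local sales tax filing error", "at least once per year",
                   "tested", "minor"),
    ComplianceRisk("Food safety violation at plant", "at least once in 10 years",
                   "normal", "major", velocity_days=1),
    ComplianceRisk("Payment to undisclosed shell company", "at least once in 5 years",
                   "none", "moderate"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_INVENTORY):
        s = adjusted_score(r)
        print(f"{s:>2} {zone(s):<6} L={likelihood(r)} I={IMPACT_SCALE[r.impact]} {r.name}")
```

Running the block ranks the bribery risk first (likelihood 4 x impact 5, plus the persistence bump) and the shell-company payment second; note that the shell-company risk reaches the red zone entirely because no controls exist, which is the signal that a preventive control, rather than a lower frequency estimate, is what would move it out of that zone.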
Table 4.3 Prioritizes risks
• Prioritize compliance risks based on assessed level of risk relative to meeting of business objectives
• Use objective scoring based on assessment
• Consider use of other assessment criteria (trend, velocity, etc.) in prioritizing compliance risks
• Consider possible effects of planned changes in strategy and operations
• Develop risk-based action plans for mitigation (risk responses, implemented in next step)
Principle 13 — Implements risk responses
Risk responses are designed to manage the assessed level
of risk and can take many forms. The most obvious response
to an elevated level of risk is the design and implementation
of improved internal controls over compliance. Effective
mitigation of a compliance risk involves consideration of all
seven elements of a C&E program for each risk (e.g., policies,
Many risk-specific policies involve internal controls. Internal
controls over compliance may be preventive or detective
in nature, and ideally a blend of both is in place. Although
prevention of noncompliance and ethical misconduct is
preferred, there may be practical considerations that result
in an organization relying more heavily on timely detective
controls for certain risks.
Effective improvement of internal controls requires an
understanding of the principal drivers of a particular risk.
If the likelihood or frequency of a risk drove the assessed
severity higher, improvements to preventive controls may be
particularly important. On the other hand, impact — especially
when impact correlates to how long a risk goes undetected —
may be mitigated by improving detective controls.
Risk responses may involve many actions other than
improvements to procedural internal controls. For example,
targeted training aimed at areas of vulnerability may be useful.
Training is a form of internal control that is a particularly
valuable response when the design of procedural controls is
sound, but there are breakdowns in those controls based on a
lack of understanding of how the controls are to be applied or
a general lack of awareness of the controls.
Training may also be more general in nature. If the observed
behavior involves a weak culture of compliance, general
training on the importance of compliance may be useful.
Regardless of type, training, by itself, rarely results in
significant improvements. If coupled with improvements in
control processes, however, improvements are much more
likely to be observed.
Another possible risk response is to increase or improve
the auditing and monitoring function related to the specific
compliance risk assessed. This may be done through
increased frequency or scope of monitoring and auditing. Or
it may be achieved by implementing new methods of auditing
and monitoring. For example, increased use of data analytics
aimed at detecting red flags of noncompliance or red flags of
breakdowns in internal controls (also discussed in connection
with ERM Principle 18) can be powerful tools for the audit and
monitoring function.
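As an added example of the kind of data analytic the paragraph above has in mind (this is illustrative code written for this page, not a tool from COSO or any vendor), the block below runs two of the red flags the text itself names as monitoring targets, payments to vendors in high-risk operating locations (Principle 9's KPI list) and payments to vendors whose due diligence is incomplete (the vendor due diligence and shell-company concern under Principle 12), over a constructed vendor master and payment ledger. It adds one further pattern that is an assumption rather than something the page states: several sub-threshold payments to one vendor within a short window whose total exceeds the single-approval threshold, a common sign that a procedural control is being worked around. The location codes, threshold, window, and all records are constructed.

```python
"""Added example: red-flag analytics over vendor payments.

Flags (1) payments to vendors in assumed high-risk operating locations,
(2) payments to vendors without completed due diligence, and (3) an assumed
control-breakdown pattern: sub-threshold payments to one vendor within a
short window that together exceed the single-approval threshold.
All configuration values and records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List

HIGH_RISK_LOCATIONS = {"XK", "ZZ"}   # assumed placeholder location codes
APPROVAL_THRESHOLD = 10_000          # assumed: amounts at/above this need a second approver
SPLIT_WINDOW_DAYS = 7                # assumed look-back window for the split pattern

# Constructed vendor master data.
VENDORS = {
    "V100": {"name": "Acme Logistics", "location": "US", "due_diligence_complete": True},
    "V200": {"name": "Brightline Consulting", "location": "XK", "due_diligence_complete": False},
    "V300": {"name": "Northwind Parts", "location": "DE", "due_diligence_complete": True},
}

# Constructed payment ledger.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 25_000, "date": date(2024, 3, 1)},
    {"id": "P2", "vendor": "V200", "amount": 9_800, "date": date(2024, 3, 2)},
    {"id": "P3", "vendor": "V200", "amount": 9_700, "date": date(2024, 3, 4)},
    {"id": "P4", "vendor": "V200", "amount": 9_900, "date": date(2024, 3, 6)},
    {"id": "P5", "vendor": "V300", "amount": 9_950, "date": date(2024, 3, 10)},
    {"id": "P6", "vendor": "V300", "amount": 4_000, "date": date(2024, 4, 20)},
]


def flag_payments(payments: List[dict], vendors: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {payment id: [red-flag labels]} for every payment that trips at least one flag."""
    flags: Dict[str, List[str]] = defaultdict(list)

    # Per-payment flags driven by vendor master data.
    for p in payments:
        v = vendors[p["vendor"]]
        if v["location"] in HIGH_RISK_LOCATIONS:
            flags[p["id"]].append("high_risk_location")
        if not v["due_diligence_complete"]:
            flags[p["id"]].append("no_due_diligence")

    # Split-payment pattern: two or more sub-threshold payments to the same
    # vendor inside the window whose sum reaches the approval threshold.
    by_vendor: Dict[str, List[dict]] = defaultdict(list)
    for p in payments:
        if p["amount"] < APPROVAL_THRESHOLD:
            by_vendor[p["vendor"]].append(p)
    for ps in by_vendor.values():
        ps.sort(key=lambda p: p["date"])
        for i, first in enumerate(ps):
            group = [q for q in ps[i:] if (q["date"] - first["date"]).days <= SPLIT_WINDOW_DAYS]
            if len(group) >= 2 and sum(q["amount"] for q in group) >= APPROVAL_THRESHOLD:
                for q in group:
                    if "split_below_threshold" not in flags[q["id"]]:
                        flags[q["id"]].append("split_below_threshold")
    return dict(flags)


def flag_counts(flags: Dict[str, List[str]]) -> Dict[str, int]:
    """Monitoring metric: how many payments carry each red flag (feeds the KPI reporting)."""
    counts: Dict[str, int] = defaultdict(int)
    for labels in flags.values():
        for label in labels:
            counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    found = flag_payments(PAYMENTS, VENDORS)
    for pid, labels in sorted(found.items()):
        print(pid, ", ".join(labels))
    print(flag_counts(found))
```

On the constructed data only the three Brightline payments are flagged, and each trips all three rules at once; P5 and P6 are both sub-threshold but six weeks apart, so the window keeps them out of the split pattern. In practice the window and threshold are the knobs that trade false positives against missed cases, which is exactly the cost-versus-control tension the next paragraphs discuss.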
One aspect of risk response worth further consideration is the
level of granularity of the response. Although some control
responses are very broad and apply to an entire process,
others may be much narrower. This is particularly pertinent
for the design of improved internal controls and certain
auditing and monitoring procedures. The assessment of risk
and controls may reveal a vulnerability in one very specific
part of a lengthy process. For example, an assessment of the
risk of product safety violations for a toy manufacturer might
reveal that new machinery installed on an assembly line has
a particular vulnerability to improper operation that previous
machinery did not have, leading to increased risk of the
manufacture of unsafe products. The response in this instance
may be equally narrow: to implement a different and more
frequent inspection and maintenance schedule for the newer
Of course, the benefits of adding or improving internal controls
and other risk responses should always be weighed against
the financial and nonfinancial costs of these efforts. It may
be possible to reduce a compliance risk to an extremely
low level, but the cost of doing so in terms of slowing down
productivity may be excessive. Accordingly, cost is a practical
consideration when designing and implementing risk
responses. This potential for tension between compliancerelated controls and operational efficiency is often an
important trade-off that requires attention.
For risk responses to be executed properly, accountability
must be established. Responsibility for responses is often
shared among a variety of groups, from the business
unit directly affected by the risk to other units within the
organization, such as internal audit, human resources,
information technology, compliance, and others. For this
reason, the exact nature of the risk response should be agreed
upon by all parties that will play a role in the execution. Once
this is accomplished, a specific timeline for the execution
should be developed, with greater priority given to the risks
identified as furthest above tolerable levels.
The final aspect of risk response involves following up to
evaluate the implementation and operating effectiveness of
those responses. An excellent response plan is only as good
as its execution. Part of the response plan should include
follow-up evaluations and ongoing monitoring to determine
whether all actions in the plan have been properly carried out
and are operating as planned.
Table 4.4 Implements risk responses
• Consider potential need for modifications in each element of the C&E program when designing risk responses
• Design compliance risk responses that consider the impact on other (non-compliance) risks and risk responses
• Assign accountability for each compliance risk response (including timeline, etc.)
• Follow up to determine whether compliance risk responses have been properly implemented as designed
• Consider compliance risk responses when developing monitoring and auditing plans
Principle 14 — Develops portfolio view
It is important to recognize the interrelationship among
compliance risks, as well as the relationships between
compliance risks and other organizational risks. These
interactions can be an important consideration in both the
assessment of risk as well as the design and implementation
of risk responses. This consideration can also lead to the
identification of certain drivers of risk — factors that do not
necessarily create a new risk, but that can increase the likelihood
of one risk event as a result of some other action or event.
Here is a simple illustration: enhanced internal controls
aimed at reducing the risk of a compliance violation could
increase the risk of delays in certain operational or production
processes. This concern would be amplified if the production
team had also identified a slowness in its processes as a risk
requiring a response. The two risk responses could potentially
conflict with each other unless a portfolio view is taken in
connection with both identifying and mitigating risk.
If risks are managed in isolation without consideration of other
risks, inefficiencies — and possibly conflicts — can occur.
For this reason, viewing risks as part of an organization-wide
portfolio of risks is essential.
Another consideration in developing a portfolio view is the
extent to which compliance risks increase or decrease in
severity as they are progressively consolidated to higher levels
within the organization. A compliance risk that at first appears
to be significant at a business unit level may be rather minor
by the time it is consolidated with other risks and rolled up to
a higher level within the organization. Conversely, compliance
risks that are minor in isolation may become much greater
when consolidated with other seemingly minor risks.
Table 4.5 Develops portfolio view
• Consider risk interactions (i.e., how mitigating a compliance risk can affect other risks)
• Consider interactions of compliance risk responses with other risk responses
• Integrate compliance risk management with ERM
• Have regular meetings/communications between compliance and business units
The legal, regulatory, and ethical environments of
organizations are ones of constant change and, frequently,
increased complexity. Technological advancements have
increased the speed of communications and activity, expanding
the number of individuals an organization can affect across the
globe. Even small organizations may be operating in multiple
countries and jurisdictions, and regulations in these places are
proliferating. Stakeholder expectations regarding organizational
conduct continue to rise. Thus, for compliance risk management
to be effective, the organization must regularly review its
compliance risk management practices and capabilities and
take steps to continually improve its C&E program.
This section describes the application of the review and revision component of the COSO ERM framework and the following three principles associated with the management of compliance risks:
15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in enterprise risk management
Principle 15 — Assesses substantial change
Changes in the organization’s internal and external
environment can have significant impacts on the
organization’s compliance risk profile, often very quickly,
which is why many compliance program standards require
periodic re-evaluation and modification. The CCO needs
to identify potential drivers of changing compliance risk.
Broadly, these potential drivers include, but are not limited to
the following:
• Changes to the organization’s strategies and objectives
• Changes to people, process, and technology
• Changes in regulatory requirements and/or societal
As Principle 6 discusses, the CCO should be involved in the
strategy-setting process to allow the C&E program to identify
and manage the change in compliance risk resulting from
significant shifts in business strategy and objectives. For
example, a technology company decides to start or acquire
a new line of business in a highly regulated environment,
such as providing cloud services for health systems’ medical
records, or an engineering firm seeks to begin contracting
with the federal government. An organizational shift to the
use of third parties for business processes may also result in
potentially significant changes to compliance risk.
Changes in the internal environment in people, processes,
and technologies can also result in changes to compliance
risk. For example, a change in senior personnel can result in
a significant shift in the level of risk tolerance as well as the
compliance culture. Increased performance pressures (cost,
sales, productivity, efficiency, etc.) can affect risk. Mergers
and acquisitions can also drive change in compliance
risk. Changes to processes and technologies may also
lead to potential changes to compliance risk. For example,
automation may result in the company being able to perform
a task faster, but it may mean that the impact of a failure will
also be magnified.
Changes in the external environment affect the organization’s
compliance risks through changes to laws, regulations,
enforcement priorities, and societal norms and values.
Assessing the impact on compliance risk has become
increasingly complex due to the proliferation of laws and
regulations across jurisdictions, often with conflicting
requirements. The C&E program needs to keep abreast of
changes to the regulatory environment through studying