For some time now, we’ve been saying on this blog that strong corporate compliance goes hand-in-glove with strong enterprise risk management. The former is often a subset of the latter, and the latter is crucial for a business to execute its strategy smartly.
That’s the theory, anyway. So you can imagine how pleased I was to see COSO and the Society of Corporate Compliance & Ethics publish guidance that helps compliance and risk officers put that theory into practice.
Why Is That Guidance Important?
Because far too many businesses still fall into two comfortable but less effective habits.
First, they treat the compliance program as separate from the rest of the business rather than part of an overall business strategy: a final check on your plans or transactions after those things have been developed, to be sure nothing you’re doing might invite regulatory trouble. This is why so many employees view compliance as an obstacle to doing their job, rather than a guardrail to do their job correctly.
Second, too many businesses don’t practice risk management in a disciplined way. All companies do practice risk management somehow — but if executives address the risks to their operations in a haphazard or unwitting way, they’ll never be able to fully execute their business strategy. At best, they’ll continue changing their strategies and operations in reaction to other events rather than proactively planning for them.
One way that companies can address both missteps is with the guidance from COSO and SCCE. It describes how businesses can develop a more rigorous approach to risk management so executives can stay focused on strategy; and how to integrate compliance concerns into that risk management effort.
Look at the world around us. For many, it’s both highly regulated and highly risky at the same time. CEOs and boards need to ensure that the corporate enterprises they oversee have strong processes in place to withstand both of those forces. So, any time we see guidance along the lines of what COSO and the SCCE just distributed, that’s valuable.
What Advice Does This Guidance Offer?
To answer this question, begin with COSO’s framework for enterprise risk management. The framework has five primary components:
- Governance and culture
- Strategy and objective setting
- Performance
- Review and revision
- Information, communication, and reporting
Each of these five components has specific principles for organizations to follow. For example, under the Performance component are principles such as “identify risk,” “assess severity of risk,” and “implement risk responses.”
There are 20 principles for the framework in total. We don’t need to cover them in detail. Just know that COSO’s risk management framework maps out what an organization can do for good enterprise risk management — including what the board, senior executives, and business operations leaders should each do to support the risk management efforts of the others.
The ERM framework can be used to manage many types of risks. In fact, COSO has published several pieces of guidance over the years on how to apply the ERM framework to specific issues, such as cybersecurity and ESG issues. The guidance about compliance risks is the latest volume in the library.
When you see the ERM component “performance” and its principles of “assess severity of risk” and “implement risk responses,” you can ask, over and over again, “How does our organization do those things for [insert risk here]?”
That’s how compliance, security, and risk officers can talk about risk management with the board. The board should be asking the questions above; risk and compliance professionals need to answer them.
From ERM Guidance to ERM Program
Risk management isn’t just about conversations, of course. CEOs and executives need data to make decisions. So, organizations still need to take this guidance and build it into an actual risk management program.
First, you’ll need proven, tested business processes that support the objectives you want to achieve. For compliance risk, that might be a strong third-party due diligence process; for ESG risks, that might be policies and training to promote workplace respect and racial equity.
Second, you’ll need technology that can monitor the performance of those processes and generate data about how well they’re working. How many third parties somehow get a payment before due diligence? How many harassment complaints arrive through the hotline? Or, for climate change risk: how many distribution centers exist in fire or flood zones?
Third, you’ll need reporting systems to pull all that data together into one integrated picture. That data should tie back to the risks that the board and senior executives have identified. Risk assurance executives (compliance, security, legal, HR, and so forth) can then have more productive conversations with the board about how well the business is or isn’t executing on strategy, and why.
That’s how CEOs and their lieutenants can drive the business toward better, risk-aware performance. It’s not easy, but guidance such as what COSO and the SCCE just published can help provide a consistent and tested approach to the best path forward.