World-Class Compliance Assurance Program Part 1: Enterprise and Compliance Risk Management
October 11, 2016 - Kestrel Management
This is the first in a series of five articles on developing and maintaining a world-class compliance assurance program.
Global organizations face increasing pressure to operate in a manner that is safe, sustainable, and in compliance with an ever-growing array of regulations and other requirements regarding material use, supply chain, byproducts, and Environmental, Health & Safety (EHS) practices, among many others.
Achieving these objectives depends on developing and maintaining key internal controls that keep compliance programs and systems reliable and aligned with current and pending regulations, industry standards, and other requirements. Further, EHS management and compliance assurance need to be harmonized: reliable and effective regulatory compliance is commonly an outcome of a consistently designed and implemented EHS Management System (EHSMS). This connection is especially important for avoiding recurring compliance issues.
This article is the first in a series written to describe world-class compliance assurance and how it is integrated into an overarching EHSMS, starting with a review of Enterprise and Compliance Risk Management.
Enterprise Risk Management (ERM)
Enterprise Risk Management (ERM) is the process of identifying and analyzing risk from an integrated, company-wide perspective. The framework focuses on the necessity of a consistent “risk and control consciousness” throughout the enterprise; the importance of considering risk during the formulation of strategy; the interrelationships of risks across business and functional units and at every level of the organization; and the allocation of resources to risks within the company’s risk appetite and tolerances.
There are natural linkages between ERM, improved financial reporting and transparency, and regulatory compliance assurance. In fact, ERM is geared toward achieving objectives in one or more separate but overlapping categories:
- Strategic – high-level goals, aligned with and supporting the organization’s mission
- Operations – effective and efficient use of the organization’s resources
- Compliance – compliance with applicable laws and regulations
- Metrics – for measuring risk management performance and progress
- Reporting – reliability of reporting
One significant form of enterprise risk—compliance risk—is present to varying degrees in virtually all of a company’s business systems, operations, infrastructure, and other assets.
Compliance risk is essentially the threat posed to an entity’s financial, organizational, or reputational standing, which may result from violating laws, regulations, codes of conduct, or organizational standards of practice. It applies to both operating and support functions.
Compliance requirements are set by various levels of government (e.g., federal, state, local), many domestic agencies (e.g., EPA, OSHA, MSHA, COE, DOT, FDA), non-governmental organizations (NGOs), and agencies specific to other countries in which the organization operates or does business. Requirements are typically published in associated law, rule, and regulatory documents; industry standards; or the organization’s own policies. Environmental and occupational safety compliance are significant types of compliance risks facing an enterprise.
A compliance risk assessment requires a focused approach to help the organization understand the full range of its compliance risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. It also helps the organization prioritize risks, identify applicable owners, and allocate appropriate resources for risk mitigation.
U.S. Federal Sentencing Guidelines for Organizations and Corporate Compliance Programs
Beyond the organizational impacts stated above, a strong compliance assurance program may result in the reduction of fines and penalties under the U.S. Federal Sentencing Guidelines for Organizations and Corporate Compliance Programs in the event of a compliance failure.
The U.S. Federal Sentencing Guidelines were promulgated in 1991 to ensure that organizations cannot profit from wrongdoing. The purpose of these Guidelines is to promote good corporate citizenship by encouraging implementation of compliance programs that prevent criminal conduct. The Guidelines provide organizations with a tangible incentive to implement effective programs that encourage positive organizational behavior.
The Sarbanes-Oxley Act—and renewed focus on corporate ethics—prompted certain clarifying revisions to the Guidelines in 2004, requiring more high-level oversight of the compliance program, along with more training, monitoring, and emphasis on creating an ethical work environment. The Sentencing Guidelines’ minimum requirements include the following seven compliance program elements:
- Organizational infrastructure—Ensure that the Board has knowledge of the content and operation of the compliance program and exercises reasonable oversight; that high-level individuals have direct, overall responsibility; and that specific individuals have day-to-day operational responsibility, adequate resources and appropriate authority, and direct access to the Board or Audit Committee.
- Risk assessment—Periodically assess risk of non-compliant activities; implement or modify programs to reduce risk.
- Standards and procedures—Develop and implement to prevent, detect, and respond to noncompliance.
- Due care in delegation—Exclude from compliance authority those who have engaged in illegal activities or act inconsistently with the program.
- Training/communication—Conduct effective training and disseminate information regarding responsibilities.
- Monitoring and auditing—Take steps to ensure the compliance program is followed, including auditing and monitoring, with a system for reporting noncompliant conduct without fear of retaliation.
- Incentives and discipline—Promote and enforce program consistently through incentives supporting compliance and discipline for engaging in or failing to take steps to prevent or detect noncompliance.
Importantly, these Guidelines have become a barometer for prosecutors in determining whether a company should be charged with a crime at the end of an investigation (and the severity of the action) or may be eligible for a reduced sentence or fine based on its compliance and ethics program. They are helpful in defining the attributes of world-class compliance assurance, within which EHS compliance would be structured.
Read the other articles in this series:
- Part 2: Management Systems and their Importance to Compliance Assurance
- Part 3: Compliance Risks and Compliance Program Assessment
- Part 4: Audit Program Best Practices
- Part 5: Maintaining a Compliance Assurance Program
Submitted by: Tom Kunes