Compliance Risk Management

Global organizations face increasing pressure to operate in a manner that is safe, sustainable, and in compliance with an ever-growing array of regulations and other requirements regarding material use, supply chain, byproducts, and EHS practices, among many others.

Achieving these objectives depends on developing and maintaining key internal controls that ensure compliance programs and systems reliably adhere to current and pending regulations, industry standards, and other requirements. Further, EHS management and compliance assurance need to be harmonized rather than run as separate efforts.

Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM) is the process of identifying and analyzing risk from an integrated, company-wide perspective. The framework focuses on:

  • Necessity of a consistent “risk and controls consciousness” throughout the enterprise;
  • Importance of considering risk during the formulation of strategy;
  • Interrelationships of risks across business and functional units and at every level of the organization; and
  • Allocation of resources to risks within the company’s risk appetite and tolerances.

There are natural linkages between ERM, improved financial reporting and transparency, and regulatory compliance assurance. In fact, ERM is geared toward achieving objectives in one or more separate but overlapping categories:

  • Strategic – high-level goals, aligned with and supporting its mission
  • Operations – effective and efficient use of its resources
  • Compliance – compliance with applicable laws and regulations
  • Metrics – for measuring risk management performance and progress
  • Reporting – reliability of reporting

Compliance Risk

One significant form of enterprise risk—compliance risk—is present to varying degrees in virtually all of a company’s business systems, operations, infrastructure, and other assets.

Compliance risk is essentially the threat posed to an entity’s financial, organizational, or reputational standing, which may result from violating laws, regulations, codes of conduct, or organizational standards of practice. It applies to both operating and support functions.

Compliance requirements are set by various levels of government (e.g., federal, state, local), many domestic agencies (e.g., EPA, OSHA, MSHA, COE, DOT, FDA), non-governmental organizations (NGOs), and agencies specific to other countries in which the organization operates or does business. Requirements are typically published in associated law, rule, and regulatory documents; industry standards; or the organization’s own policies. Environmental and occupational safety compliance are significant types of compliance risks facing an enterprise.

Compliance Risk Assessment

Kestrel Tellevate’s compliance risk assessment relies on a focused approach to help the organization understand the full range of its compliance risk exposure, including:

  • Likelihood that a risk event may occur
  • Reasons it may occur
  • Potential severity of its impact

We also help the organization prioritize risks, identify applicable owners, and allocate appropriate resources for risk mitigation in alignment with the U.S. Federal Sentencing Guidelines for Organizations and Corporate Compliance Programs. KTL incorporates the Sentencing Guidelines’ minimum requirements, which include the following seven compliance program elements:

  • Organizational infrastructure—Ensure that the Board has knowledge of the content and operation of the compliance program and exercises reasonable oversight; high-level individuals have direct, overall responsibility; and specific individuals have day-to-day operational responsibility, adequate resources, appropriate authority, and direct access to the Board or Audit Committee.
  • Risk assessment—Periodically assess the risk of non-compliant activities; implement or modify programs to reduce that risk.
  • Standards and procedures—Develop and implement to prevent, detect, and respond to noncompliance.
  • Due care in delegation—Exclude from compliance authority those who have engaged in illegal activities or act inconsistently with the program.
  • Training/communication—Conduct effective training and disseminate information regarding responsibilities.
  • Monitoring and auditing—Take steps to ensure compliance program is followed, including auditing and monitoring, with a system for reporting noncompliant conduct without fear of retaliation.
  • Incentives and discipline—Promote and enforce program consistently through incentives supporting compliance and discipline for engaging in or failing to take steps to prevent or detect noncompliance.