Objective II is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful, however the Framework requires a component of management input and oversight that was perhaps not as well understood.
The objective of Risk Assessment consists of four principles.
Principle 6: Suitable objectives.
Principle 7: Identifies and analyzes risk.
Principle 8: Fraud risk.
Principle 9: Identifies and analyzes significant change.
The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Internal Controls Framework. Obviously, risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation. The regulators are telling companies specifically that they should be seeing new risks that they need address because of the changes brought about by the new standard.
Three key takeaways:
- Risk assessments are required under the COSO 2013 Internal Controls Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
- Look at your risks across your organization and not in a siloed manner.
- Risks, both determination and management of, changes over time so be cognizant of changes in business practices on the ground.
For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.
