enterprise risk management: why the ethics and compliance function ...
enterprise risk management: why the ethics and compliance function ...
enterprise risk management: why the ethics and compliance function ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
What surprised ILHS was <strong>the</strong> difficulty of creating linkage between existing internal control<br />
measures <strong>and</strong> <strong>enterprise</strong> <strong>risk</strong> <strong>management</strong>. Additionally, using IT in ERM was more challenging<br />
than originally anticipated.<br />
Key Learnings:<br />
• ERM was triggered by a need to coordinate <strong>risk</strong> assessment <strong>and</strong> <strong>management</strong> in a large<br />
number of healthcare facilities.<br />
• COSO I <strong>and</strong> II, as well as FSGO, were used to develop <strong>the</strong> ERM process.<br />
• ERM for this organization is carried out in <strong>the</strong> context of legislative <strong>and</strong> public scrutiny.<br />
• ERM will be a part of performance reviews.<br />
Value-Added ERM Contributions:<br />
• The process is just beginning.<br />
G. Large Manufacturer of Wood Products<br />
Ethics <strong>and</strong> Business Conduct, which takes more of a values-based than a <strong>compliance</strong>-based<br />
approach, has been asked to support a companywide <strong>risk</strong> assessment. The decision-making<br />
process that led Large Manufacturer of Wood Products (LMW) to ERM began with new<br />
regulations, such as <strong>the</strong> revised FSGO <strong>and</strong> SOX that require <strong>risk</strong> assessment <strong>and</strong> <strong>management</strong>.<br />
These <strong>risk</strong> assessments begged <strong>the</strong> question of what o<strong>the</strong>r <strong>risk</strong>s are present, <strong>and</strong> how best to<br />
address <strong>the</strong>m. The <strong>ethics</strong> office of LMW turned to ERM as a way to address <strong>the</strong> <strong>risk</strong>s holistically,<br />
but also to increase communications <strong>and</strong> coordination between areas already doing <strong>risk</strong><br />
assessment, such as safety, security, internal audit, information technology, <strong>and</strong> environmental.<br />
LMW has done preliminary work to ensure that <strong>the</strong> right people are at <strong>the</strong> table, e.g., internal<br />
audit director, security director, <strong>ethics</strong> director, environmental health & safety, information<br />
technology security, <strong>and</strong> human resources. Ethics <strong>and</strong> Compliance anticipates <strong>the</strong>y will probably<br />
take a broader view of <strong>risk</strong> than <strong>the</strong>se <strong>function</strong>al areas. This is because <strong>the</strong>y will not limit<br />
<strong>the</strong>mselves to laws <strong>and</strong> regulations, but will include <strong>risk</strong>s to <strong>the</strong> reputation <strong>and</strong> values of <strong>the</strong><br />
company. No particular frameworks have been chosen for implementing ERM. Due to <strong>the</strong><br />
number of consultants who have contacted <strong>the</strong> law department requesting to provide <strong>the</strong>ir<br />
(expensive) services to do a COSO <strong>risk</strong> assessment, <strong>the</strong>re is a resistance to using COSO.<br />
Key Learnings:<br />
• The approach to mission, values, <strong>and</strong> <strong>compliance</strong> by those leading ERM, in this case<br />
Ethics <strong>and</strong> Legal, is likely to shape <strong>the</strong> way ERM is h<strong>and</strong>led.<br />
Value-Added ERM Contributions:<br />
• The process is just beginning.