Corporate Compliance Report

In the wake of high-profile corporate scandals and subsequent regulatory legislation, reporting internal controls has become a requirement. These requirements have led to organizations viewing risk management as an area of vital importance. Best practice organizations have for years looked to the Committee of Sponsoring Organizations of the Treadway's (COSO) Internal Control Integrated Framework as the standard to build a solid system of internal controls (Managing Risk, 2003). Formed in 1985, COSO is a voluntary and independent private sector organization that sponsored the National Commission of Financial Reporting. The National Commission was made up of various industry representatives who studied the underlying causes that lead to fraudulent financial reporting. The committee developed recommendations for public companies, independent auditors, regulators, and educational organizations, which are designed to improve "the quality of financial reporting through business ethics, effective internal controls, and corporate governance"(COSO, n.d., 1). Recognizing the need for organizations to evaluate risk management efforts, COSCO developed a framework for Enterprise Risk Management (ERM) that Morrison Management Specialists and other companies can use to establish strong internal controls.

Enterprise Risk Management

ERM is a controlled approach to help management identify and manage uncertainties and reach certain risk objectives. COSO's ERM framework concentrates on the development of a strategy that includes the importance of a risk and internal control "consciousness" throughout an organization. COSO's framework introduces eight key principles for ERM: "internal environment; objective setting; event identification; risk assessment; risk response; control activities; information and communication; and monitoring" (Managing Risk, 2003, p. 2). COSO's framework also includes four objectives categories; these are: strategy; operations; financial reporting; and compliance. COSCO intended this framework to be an effective tool for keeping stakeholders and board directors informed about organizational procedures and processes. The framework could also be used to help an organization respond to uncertainties that will help directors to measure how well their organizations are managing its own risks.

The most crucial aspect of ERM is the establishment of effective internal controls with respect to organizational risk. COSO's objective of internal controls is to establish a set of conditions within an organization to minimize the potential risk of misuse, loss, waste or fraud in financial reporting. Internal controls can be preventative, detective, or corrective. Preventative controls identify the steps that an organization takes to ensure compliance with polices and procedures. Detective controls are designed to uncover problems after they have occurred. For example, a corporation could conduct random compliance checks. Corrective controls are the actions that an organization will take to resolve issues of noncompliance and could entail education, training, severe discipline, or the time spent in rehabilitating a firm's public image While detective controls are necessary, they are less desirable than preventing a risk even from happening in the first place. Furthermore, without the presences of correction and severe penalties, detective controls are not a sufficient deterrent (Lousteau & Reid, 2006).

Implementation Process

COSCO's ERM framework recognizes the need for organizations to interlace risk management into strategic objectives and organizational culture. By developing a risk culture, risk is seen to affect all layers of an organization and so all parts of an organization must determine how its actions generate or protect against the occurrence of a risk event. According to the Institute of Internal Auditors (2004), every company must recognize that risk exists to realize value for its stakeholders. With this in mind, the steps to implementing ERM include: the development of an organizational strategy that includes risk management; the determination of corporate philosophy and the delegation of risk controls; the performance of risk assessments and determining how much risk the organization is willing to undertake to generate value; identifying risk responses, communicating and analyzing risk results; and continued managerial review and oversight to ensure compliance. The steps that Morrison needs to take during the implementation process should result in establishing a risk management program that establishes an organizational framework that functions interdependently. This means that directors, senior management, auditors, and risk owners must overlap their interests and align corporate governance with risk management (Sobel & Redding, 2004).

Benchmarks and Best Practices

In 1994, the Dey Report, published by the Toronto Stock exchange, recommended that firm boards become involved and responsible for risk management development for their firms and to report efforts annually. A Canadian bank, CIBC, was at that time expanding into global capital markets and began investing heavily in ERM. A risk officer was hired to develop an ERM system that included operational, counterparty credit, and firm-wide market risks. Through its ERM program CIBC was able to avoid significant losses and cut its risk by one-third by responding to early warning indicators uncovered through its risk management process (Lam, 2006). In another instance, JP Morgan Chase, a global financial services firm, was able to learn from a previous experience that the company needed to develop a market risk staff and analytical resources to help it manage market risks. This risk management team was able to keep JP Morgan from suffering losses during the Russian crisis, and the firm was able to report a 4.4% profit gain in a market where its peers were reporting substantial losses.

The senior executives of Duke Energy participated in a two-day strategy meeting to discuss the future of the industry. Three possible scenarios of the future were investigated and a Chief Risk Officer (CRO) was appointed to manage the company's uncertainties within these three scenarios: "'Economic Treadmill' in which U.S. economic growth slips to 1% per year, 'Market.com' in which the Internet revolutionizes the relationships between buyers and sellers, and 'Flawed Competition' in which uneven deregulation will continue in the energy industry, resulting in significant price volatility" (Lam, 2006, p. 14). The CRO subsequently developed various signposts for each scenario that flagged regulatory and environmental trends, technological changes, and the

...