Often, the term “Reasonable Assurance” is used in reference to financial statement audits and is referring to assurance that they are free of material misstatement. Although this situation doesn’t really apply to the CCO’s role in oversight of compliance programs, CCOs do need to obtain Reasonable Assurance of a different kind. As mentioned in my first post on the CCO’s Oversight Role, CCOs are expected to oversee compliance activities scattered across an organization and rely on individual compliance programs to manage their compliance risks. If you are a CCO or work in Corporate Compliance, you likely often ask yourself questions like, “How do I know that the compliance programs are operating effectively? What methods are being utilized to address individual compliance risks? How confident am I in the mitigation of those risks? Am I willing to stake my reputation on it? My career? And in the most serious cases, my freedom in the face of potential jail time?”
In the third installment in my series on GRC for Chief Compliance Officers (CCOs), I will explore how the concept of Reasonable Assurance for a CCO can help address these questions and how a GRC solution can support this methodology.
Defining Reasonable Assurance for a CCO
Since the concept of applying Reasonable Assurance to CCOs is still relatively new, there is no generally agreed-upon definition. The definition of Reasonable Assurance used by financial auditors provides a core concept, but it is too narrowly defined for the CCO’s needs. I therefore propose the following definition for a CCO’s use of Reasonable Assurance:
Reasonable Assurance is the level of confidence that the Compliance Programs under the Chief Compliance Officer’s purview are effectively mitigating their identified compliance risk and meeting applicable internal and external requirements.
The general idea is that a CCO can deploy various methods to gain confidence that the Compliance Programs under their purview are mitigating their compliance risk (e.g., the FCPA Program has an effective Communication/Training program, and the controls in place to identify bribery are working effectively). However, it is important to note that Reasonable Assurance does not equate to absolute assurance. Instead, it is a degree of confidence based upon the methods deployed.
Methods for Obtaining Reasonable Assurance
Reasonable Assurance for CCOs isn’t a one-size-fits-all concept – building control frameworks and conducting control tests for every risk across the organization is costly, overwhelming, and will ultimately hinder the operation of the business. Instead, Reasonable Assurance should take a risk-based approach and utilize multiple methodologies depending on the risk level.
When determining which method to employ, the CCO needs to weigh the risk level against the associated costs of implementing the assurance methodology. The higher the risk, the greater the level of assurance that should be required.
Utilizing a GRC Solution for Compliance Oversight
After making the decision to deploy the concept of reasonable assurance, CCOs are left with two questions: how do we efficiently perform the necessary assessments, and how do we bring all the Compliance Programs’ data together in meaningful reports? This is where a GRC solution can help automate the various methods for obtaining reasonable assurance, while providing efficiencies for individual Compliance Program processes. The most common example, and a standard capability of most GRC solutions, is the ability to build out risk and control frameworks inside the GRC solution, enabling individual Compliance Programs and business areas to perform their risk assessments and control tests. GRC solutions can also support more custom approaches; for example, for one of my clients, we built a Compliance Maturity assessment that helped establish maturity ratings for each compliance program and set maturity goals that could be monitored by CCOs.
A GRC solution, however, should not be viewed as a silver bullet. Development of business processes, the implementation of reasonable assurance methodologies, and the standardization of terminologies across Compliance Programs are critical steps to build the foundation on which the GRC solution will stand. The CCO needs to set the vision for the end-state of the tool and make decisions that propel the program toward that vision.
Want more information on how a GRC solution can support your CCO in overseeing Compliance Programs? Contact us.