Integrate the Three P's of Compliance and Risk Management: Policies, Process, and People

Monday, April 02, 2007
Posted in: General

“Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.”

 

I Googled my way to this Key Concept described on COSO’s web site (The Committee of Sponsoring Organizations of the Treadway Commission) right after I read a new article by Scott Mitchell, Chairman and CEO of the Open Compliance Ethics Group (OCEG).

 

I was searching the web to dig deeper after reading Mr. Mitchell’s excellent new article “Automated Controls And Risk Management” in the latest issue of Compliance Week. The article (available only to Compliance Week subscribers) describes the role automation and activity monitoring can play in helping organizations manage compliance risk. Mr. Mitchell states that “ideally, companies should monitor their programs on an ongoing basis so that they are notified of any weaknesses in the system as soon as possible.”

 

[Check out COSO's Internal Control—Integrated Framework Executive Summary for a great explanation of internal controls, monitoring, and more]

 

He goes on to say that effective monitoring (of activities) also provides organizations a means to address potential control failures rather than those that already failed, as well as demonstrating that the organization is serious about maintaining a good compliance posture by adopting an active approach.

 

The article put into context what one of our customers said to me a few weeks ago when I asked him how he would describe our product to a peer. He said our product is “the integrator that brings people, policies and processes together in order to make sure that what needs to get done gets done, to mitigate risk.”

 

People, Process and Policies—how does your organization integrate the three P's?
