Develop compliance risk factors that are specific to your business, industry, and country.
Understand how to prioritize those compliance risk factors, which includes assessing the impact of occurrence of the risk.
Two main risk factors must be quantified to determine the risk level of a compliance issue—likelihood of occurrence and impact of occurrence.
The previous chapter explained how to determine the likelihood of occurrence. This is the probability that noncompliance with a specific law or regulation will occur daily, monthly, yearly, once every five years, once every ten years, etc. Next, let’s consider how different risk factors can create a range of impacts.
Impact of occurrence is the probability that a noncompliant incident will have a measurably negative effect on the business, such as financial resources being depleted; damage to the business’s reputation; destruction of vital documents due to a data security breach; or even the potential incarceration of the CEO, CFO, or other key management personnel.
Just as likelihood of occurrence factors are used to determine the level of risk your business faces, impact of occurrence factors must also be considered. Each risk factor is unique and independent of other factors. Thus, each factor needs to be evaluated separately and an appropriate numerical value established.
Figure 2 shows how to quantify the impact of occurrence factors on a business. Obviously, customization of this tool for your business and industry is required.
Note: This example considers factors ranging from compliance to financial outcomes to reputation. If your organization is conducting a narrowly defined compliance risk assessment, you may want to consider only the compliance outcomes detailed in the “Level of Noncompliance” column. And, from a strictly construed compliance risk assessment model, that factor truly represents one way to establish the impact of noncompliance on the business.
It is also possible that your entity’s compliance risk assessment may require use of more factors—perhaps all the factors identified in this sample. After all, while the impact of noncompliance with a law, regulation, or established rule can involve going to jail or getting a fine, noncompliance can also affect a business’s reputation, financial assets, health and safety, strategic direction, and operations.
The importance of customization in impact of occurrence factors cannot be stressed enough. Quite frankly, it would be easiest to simply use “Level of Noncompliance” to establish impact and ignore the impact emanating from that outcome. However, from a practical perspective, it is likely that upper management will want to see not only the legal risk but also the associated impact factors quantified. A decision on what factors to consider must occur prior to designing and utilizing the assessment tool.
Figure 2: Impact of Occurrence Factors
The first two columns give the rank and its scale label; the remaining columns are the measures of impact.

| Rank | Scale | Level of Noncompliance | Health and Safety Outcomes | Financial Outcomes | Financial Outcomes (cont.) | Ability to Pursue Strategic Goals | Potential Disruption of Business Operations | Change in Reputation |
|---|---|---|---|---|---|---|---|---|
| 1 | Insignificant | In compliance | No injuries | TBD dollar amount or percentage of budget | Little or no impact | Little or no impact | < ½ day | Unsubstantiated, low impact, low profile, or no news items |
| 2 | Minor | Civil violation with little/no fines | First aid treatment | TBD dollar amount or percentage of budget | Minor loss or damage | Minor impact | < 1 day | Substantiated, low impact, low news profile |
| 3 | Serious | Significant civil fines/penalties | Medical treatment | TBD dollar amount or percentage of budget | Major damage | Major impact | 1 day–1 week | Substantiated, public embarrassment, moderate impact, moderate news profile |
| 4 | Disastrous | Serious violation, criminal prosecution probable | Death or extensive injuries | TBD dollar amount or percentage of budget | Significant loss | Significant impact | 1 week–1 month | Substantiated, public embarrassment, high impact, high news profile, third-party actions |
| 5 | Catastrophic | Significant violation, criminal conviction probable, loss of accreditation or licensure | Multiple deaths or several permanent disabilities | TBD dollar amount or percentage of budget | Complete loss of assets | Loss of accreditation or license | > 1 month | Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third-party actions |
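One way to turn the scoring the chapter describes (a likelihood rank combined with a single impact rank derived from the Figure 2 scale, then ranking the issues) into a small prioritization script. This is an added example, not the chapter's own tool: the short factor keys, the worst-factor-dominates combination rule, the likelihood-times-impact formula and the band thresholds are all assumptions that a business would customize, as the chapter stresses.

```python
from dataclasses import dataclass
from math import ceil

# Rank scale used by Figure 2: 1 = Insignificant ... 5 = Catastrophic.
SCALE = {1: "Insignificant", 2: "Minor", 3: "Serious", 4: "Disastrous", 5: "Catastrophic"}
# Measure-of-impact columns of Figure 2, under short keys of my own choosing.
FACTORS = ("noncompliance", "health_safety", "financial", "strategic", "operations", "reputation")
# Bands on the 1-25 likelihood x impact scale (assumed thresholds, not from the chapter).
BANDS = ((4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical"))

def check_rank(value):
    """Each factor is scored separately; reject anything off the 1-5 scale."""
    if value not in SCALE:
        raise ValueError(f"rank must be 1-5, got {value!r}")
    return value

@dataclass(frozen=True)
class ComplianceIssue:
    name: str
    likelihood: int  # likelihood-of-occurrence rank (1-5), from the previous chapter
    impacts: dict    # factor key -> impact-of-occurrence rank (1-5) read off Figure 2

def impact_rank(issue, weights=None):
    """Fold per-factor ranks into one impact rank. Assumption: the worst weighted
    factor dominates (max), so one Catastrophic outcome is never averaged away;
    a weight below 1.0 de-emphasizes a factor the business chose not to stress."""
    weights = weights or {}
    unknown = set(issue.impacts) - set(FACTORS)
    if unknown or not issue.impacts:
        raise ValueError(f"empty or unknown factors: {sorted(unknown)}")
    worst = max(check_rank(r) * weights.get(f, 1.0) for f, r in issue.impacts.items())
    return max(1, min(5, ceil(worst)))

def risk_score(issue, weights=None):
    """Risk level = likelihood x impact, 1..25 (the product rule is an assumption)."""
    return check_rank(issue.likelihood) * impact_rank(issue, weights)

def risk_band(score):
    return next(label for limit, label in BANDS if score <= limit)

def prioritize(issues, weights=None):
    """(name, score, band, impact label) tuples, highest risk first."""
    rows = [(i.name, s, risk_band(s), SCALE[impact_rank(i, weights)])
            for i in issues for s in (risk_score(i, weights),)]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample register (illustrative ranks only).
REGISTER = [ComplianceIssue("Breach notification deadline missed", 3, {"noncompliance": 3, "financial": 3, "reputation": 4}),
            ComplianceIssue("Unlicensed operation of a site", 1, {"noncompliance": 5, "operations": 5}),
            ComplianceIssue("Late statutory filing", 5, {"noncompliance": 2, "financial": 2})]
```

Calling `prioritize(REGISTER)` lists the issues highest risk first; passing `weights={"reputation": 0.5}` shows how de-emphasizing one factor moves an issue between bands.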