Chapter 5. Step Three: Determining Impact of Occurrence

Table of Contents

Chapter Goals:

  • Develop compliance risk factors that are specific to your business, industry, and country.

  • Understand how to prioritize those compliance risk factors, which includes assessing the impact of occurrence of the risk.

Two main risk factors must be quantified to determine the risk level of a compliance issue—likelihood of occurrence and impact of occurrence.

The previous chapter explained how to determine the likelihood of occurrence. This is the probability that noncompliance with a specific law or regulation will occur daily, monthly, yearly, once every five years, once every ten years, etc. Next, let’s consider how different risk factors can create a range of impacts.

Impact of occurrence is the probability that a noncompliant incident will have a measurably negative effect on the business, such as financial resources being depleted; damage to the business’s reputation; destruction of vital documents due to a data security breach; or even the potential incarceration of the CEO, CFO, or other key management personnel.

Just as likelihood of occurrence factors are used to determine the level of risk your business faces, impact of occurrence factors must also be considered. Each risk factor is unique and independent of other factors. Thus, each factor needs to be evaluated separately and an appropriate numerical value established.

Figure 2 shows how to quantify the impact of occurrence factors on a business. Obviously, customization of this tool for your business and industry is required.

Note: This example considers factors ranging from compliance to financial outcomes to reputation. If your organization is conducting a narrowly defined compliance risk assessment, it is possible that you may only want to consider the compliance outcomes detailed in the “Level of Noncompliance” column. And, from a strictly construed compliance risk assessment model, that factor truly represents one way to establish the impact of noncompliance on the business.

It is also possible that your entity’s compliance risk assessment may require use of more factors—perhaps all the factors identified in this sample. After all, while the impact of noncompliance with a law, regulation, or established rule can involve going to jail or getting a fine, noncompliance can also affect a business’s reputation, financial assets, health and safety, strategic direction, and operations.

The importance of customization in impact of occurrence factors cannot be stressed enough. Quite frankly, it would be easiest to simply use “Level of Noncompliance” to establish impact and ignore the impact emanating from that outcome. However, from a practical perspective, it is likely that upper management will want to see not only the legal risk but also the associated impact factors quantified. A decision on what factors to consider must occur prior to designing and utilizing the assessment tool.

Figure 2: Impact of Occurrence Factors

Impact of Occurrence Factors
Rank/ScaleMeasure of Impact
Level of NoncomplianceHealth and Safety OutcomesFinancial OutcomesAbility to Pursue Strategic GoalsPotential Disruption of Business OperationsChange in Reputation
MonetaryNon-monetary
1InsignificantIn complianceNo injuriesTBD dollar amount or percentage of budgetLittle or no impactLittle or no impact< ½ day Unsubstantiated, low impact, low profile, or no news items
2MinorCivil violation with little/no finesFirst aid treatmentTBD dollar amount or percentage of budgetMinor loss or damageMinor impact< 1 daySubstantiated, low impact, low news profile
3SeriousSignificant civil fines/penaltiesMedical treatmentTBD dollar amount or percentage of budgetMajor damageMajor impact1 day–1 weekSubstantiated, public embarrassment, moderate impact, moderate news profile
4DisastrousSerious violation, criminal prosecution probableDeath or extensive injuriesTBD dollar amount or percentage of budgetSignificant lossSignificant impact1 week–1 monthSubstantiated, public embarrassment, high impact, high news profile, third-party actions
5CatastrophicSignificant violation, criminal conviction probable, loss of accreditation or licensure Multiple deaths or several permanent disabilities TBD dollar amount or percentage of budgetComplete loss of assetsLoss of accreditation or license> 1 month Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third-party actions
This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings