Chapter 5. Step Three: Determining Impact of Occurrence

Chapter Goals:

  • Develop compliance risk factors that are specific to your business, industry, and country.

  • Understand how to prioritize those compliance risk factors, which includes assessing the impact of occurrence of the risk.

Two main risk factors must be quantified to determine the risk level of a compliance issue—likelihood of occurrence and impact of occurrence.

The previous chapter explained how to determine the likelihood of occurrence. This is the probability that noncompliance with a specific law or regulation will occur daily, monthly, yearly, once every five years, once every ten years, etc. Next, let’s consider how different risk factors can create a range of impacts.

Impact of occurrence is the probability that a noncompliant incident will have a measurably negative effect on the business, such as financial resources being depleted; damage to the business’s reputation; destruction of vital documents due to a data security breach; or even the potential incarceration of the CEO, CFO, or other key management personnel.

Just as likelihood of occurrence factors are used to determine the level of risk your business faces, impact of occurrence factors must also be considered. Each risk factor is unique and independent of the other factors. Thus, each factor needs to be evaluated separately and assigned an appropriate numerical value.

Figure 2 shows how to quantify the impact of occurrence factors on a business. Obviously, customization of this tool for your business and industry is required.

Note: This example considers factors ranging from compliance to financial outcomes to reputation. If your organization is conducting a narrowly defined compliance risk assessment, it is possible that you may only want to consider the compliance outcomes detailed in the “Level of Noncompliance” column. And, from a strictly construed compliance risk assessment model, that factor truly represents one way to establish the impact of noncompliance on the business.

It is also possible that your entity’s compliance risk assessment may require use of more factors—perhaps all the factors identified in this sample. After all, while the impact of noncompliance with a law, regulation, or established rule can involve going to jail or getting a fine, noncompliance can also affect a business’s reputation, financial assets, health and safety, strategic direction, and operations.

The importance of customization in impact of occurrence factors cannot be stressed enough. Quite frankly, it would be easiest to simply use “Level of Noncompliance” to establish impact and ignore the impact emanating from that outcome. However, from a practical perspective, it is likely that upper management will want to see not only the legal risk but also the associated impact factors quantified. A decision on what factors to consider must occur prior to designing and utilizing the assessment tool.

