Table of Contents
Chapter Goals:
-
Develop compliance risk factors that are specific to your business, industry, and country.
-
Understand how to prioritize the compliance risk factors, which includes assessing the likelihood of the risk’s occurrence.
Two compliance risk factors are typically used to determine the risk level of a compliance issue—likelihood of occurrence and impact of occurrence. It is with these two factors that you will be able to turn your risk universe list into a risk universe matrix—a graphical representation of risks that can help prioritize your risk mitigation efforts.
General Overview
In general, likelihood of occurrence is the probability that noncompliance with a law or regulation will occur daily, monthly, yearly, once every five years, ten years, etc. Impact of occurrence is the degree to which a noncompliant incident will have a negative effect on the business in terms of financial resources being depleted, your CEO going to jail, damage to the corporate reputation in the eyes of the public, or even a more practical issue—a data breach resulting in disclosure of personally identifiable information (PII).
It is both the likelihood and the impact of occurrence that will help your compliance team determine how the business will prioritize the compliance risks. If the likelihood of an occurrence of noncompliance is every five years and the impact on the firm is minimal (say, a fine of $1,000), this risk would be relatively low in terms of concern to the business. Of course, this does not mean that you should ignore this risk. Rather, this scenario of an unlikely incident coupled with a low impact caused by the incident means that this noncompliance issue is probably one you will deal with later.
In contrast, noncompliance with the law regarding payment of overtime to your employees every week for a period of years, which in the United States is a violation of the Fair Labor Standards Act, could have a devastating impact. Your business would face substantial punitive fines as well as a requirement to pay lost wages and attorney fees. It also could make a lot of employees angry, cause a tremendous amount of bad publicity, and a possible Department of Labor or Internal Revenue Service audit. Since this scenario could become a daily (or at least weekly) occurrence and have significant short-term and long-term impact, it should be prioritized to fix.
Likelihood of Occurrence
What is the probability that your business will violate a specific law or regulation? Of course, you hope the answer is “never.”
More likely the answer to this question is “unfortunately, probably a lot more than I imagined.” And while it is desirable that the noncompliance is an unintentional act with no malice intended, measuring the likelihood of noncompliance also incorporates the possibility of an intentional act.
Likelihood of occurrence uses two factors—controls and frequency—to determine the potential for encountering it.
Figure 1 shows a sample method to evaluate the likelihood-of-occurrence factors for any form of business. This sample is generic; each business must develop a customized version based on its unique set of risks and compliance concerns in its universe.
Figure 1: Likelihood of Occurrence Factors
| Likelihood of Occurrence Factors | |||
| Rank/Scale | Measure of Likelihood | ||
| Existing Controls | Frequency of Noncompliance | ||
| 1 | Rare |
|
May only occur in exceptional circumstances Less than once in 10 years |
| 2 | Unlikely |
|
Could occur at some time At least once in 10 years |
| 3 | Possible |
|
Might occur at some time At least once in 5 years |
| 4 | Likely |
|
Will probably occur At least once per year |
| 5 | Almost Certain |
|
Expected to occur in most circumstances More than once per year |
|
*Identified responsible person(s). This term refers to any individual(s) in your organization who is responsible for ensuring that he/she knows that there is a law and is empowered by your organization to bring the entity into compliance with the law and to monitor continued compliance the law. Sometimes this person is called a Compliance Partner or other similar terminology to reflect the importance of the employee within this compliance structure. | |||
Existing Controls
Existing controls shape behavior. Controls could be policies, procedures, training, or any method of controlling behavior that is effective at your business. Perhaps your firm has a particularly strong culture of compliance so that noncompliant behavior is simply not expected and is clearly not condoned. Perhaps you have a systematic (and documented) training program that highlights key areas of noncompliance and how to report any concerns about noncompliance. Whatever your controls, they are existing controls—controls in place at your business designed to ensure that it is complying with a law or regulation.
The fewer controls in place, the more likely that an issue of noncompliance will occur. The fewer controls that are known to employees, the more likely an issue of noncompliance will occur. Employees need to know what they are responsible for doing (and not doing) and need to be aware of the consequences for noncompliant actions. Taking a very dim view of society, it is possible that when the business does not have controls in place and has not informed employees of these controls, employees may likely make wrong choices. That is not a culture to be proud of; it is a reality where taking the wrong action might take less time and energy than taking the right action. And this could be the case if the employer does not have the right controls in place to stop this action.
Your compliance team should use the factor of existing controls to help determine the level of compliance risk.[1]
Rank/Scale
The first column in Figure 1 is titled “Rank/Scale” and ranges from 1 to 5. Number 1 represents a simple numeric indication of the lowest likelihood of the risk occurring while 5 represents the highest likelihood of the risk occurring.
In the adjacent column, a descriptive term for each numeric rank is provided. These range from “Rare” to “Almost Certain.” “Rare” represents the lowest likelihood of the risk occurring, while “Almost Certain” represents the highest likelihood of the risk occurring.
The numbers and the terms represent the exact same thing, but it is sometimes helpful for readers of factor matrixes to see words as well as a numbering system to describe a category.
Existing Controls
Using the five-step rating system, if you or the compliance committee were to evaluate a law and determine that the likelihood of noncompliance with this law was a “1” or “Rare,” that could mean that your business has existing controls and policies in place that are effective. Regularly scheduled and mandatory training is provided to the person/people responsible for ensuring compliance with the law within your organization. Their training is documented and regular monitoring by management is performed and documented.
Similarly, if your compliance team evaluates a law and indicates that the likelihood of a noncompliance is a “5,” or “Almost Certain,” your business clearly has ineffective or none of the following: controls, policies or procedures, person responsible for monitoring compliance, awareness training, or monitoring by management put in place.
Likewise, 2 through 4 rankings are variations of this likelihood of occurrence.
Frequency of Noncompliance
Frequency is the rate at which a compliance risk occurs. Is it likely that this compliance risk will occur once every 10 years, once a month, or once a day? It is this determination of how often a risk might occur that determines “Frequency of Noncompliance.”
Using the same five-step ranking and analysis discussed above with “existing controls,” if the compliance team evaluates a law and determines that noncompliance with that law is probably only going to occur in exceptional circumstances, perhaps less than once every 10 years, then the numerical value chosen for this factor would be “1.” For example, if a law requires reporting to an agency once every 10 years, then this law would receive a “1” rating in frequency. In contrast, if the compliance team evaluates a law and determines that instances of noncompliance are probable in most circumstances and typically could occur more than once per year, then the numerical value chosen for this factor would be “5.”
Note that this frequency column presumes quite a range of time. Customization of these factors is critical. It may be that in your industry the frequency factor should be changed to daily, weekly, monthly, yearly, and less than once a year. Adopting the definitions and frequency ranges should not occur without significant input from your colleagues responsible for implementing this overall compliance risk assessment.
How to Evaluate Factors
When an initial assessment of the laws and regulations identified through your risk universe matrix occurs, the person completing the initial assessment will choose 1 through 5 for both factors of noncompliance. These factors are both dependent and independent of each other and are evaluated accordingly. Existing controls and frequency factors are dependent on one another since the likelihood of a compliance risk occurring is based on adequacy of existing controls. With no controls in place, it is more likely that noncompliance will occur more frequently. The factors are also independent of one another, since even if there are controls in place to ensure compliance, the sheer number of times a law must be complied with increases the likelihood of a single instance or multiple instances of noncompliance.
This numerical choice will not be a random decision. In determining the ranking in the existing controls column, your choice will be based on the presence of the various elements listed for each numerical ranking. Does the organization have a calendar system in place to ensure regular review of the policy as well as the law upon which the policy is based? Have the individual(s) charged with ensuring compliance with the law received training on how to comply? Has receipt of that training been documented in some manner?
In the frequency column, the choice of a numerical value will be based on a review of actual requirements of the law and how frequently the business must comply with those requirements. The more frequently requirements must be met, the more possible noncompliance will occur. For example, if your business does not flag employee hours that go above 40 per week, and employees frequently work more than 40 hours but are consistently not paid overtime, the frequency of noncompliance would be a “5.”
All questions for both the existing controls column and the frequency column must be answered in order to determine the appropriate numerical value (1 through 5). By using a spreadsheet, a numerical value can be assigned to each law’s control factors and frequency factors, which ultimately can be used to generate a risk universe matrix.
Action Items:
-
Identify and define what measures of the likelihood of occurrence factors your business will use.
-
Agree on your numerical scale (1–3, 1–5, etc.) and/or your word choice scale to rate each likelihood of occurrence.
-
Work closely with the IT department before beginning this assessment process to determine how best to display data being generated for the risk universe matrix and risk mitigation plan. In these discussions, ensure that whatever software program is chosen (homegrown or purchased), there is room for expansion to include the correlation of the assessment data developed in future years.