Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 17




Principle 11 — Assesses severity of risk

Severity of a compliance risk is usually assessed primarily on the basis of likelihood and impact. Other factors may also be considered and will be explained later.

Likelihood is the probability that the risk could occur. In the case of compliance, this means the probability of specific noncompliance with a law/regulation or ethical misconduct. Assessing the likelihood of compliance risk in most cases is a subjective judgment. Despite being subjective, systematic judgment can be made. One approach is to consider the frequency of noncompliance. Will the event (e.g., a salesperson making an illegal payment to a government official to gain a contract) occur once a year or once every five years? This judgment would be based on experience or perhaps the organization’s historical data, if such data is available. Another factor that enters into this assessment is the organizational context. Typically, the assessor makes assumptions about controls in place, such as policies prohibiting such payments or the controls around the payments process. In theory, one would like the assessment to be made under the assumption of no controls at all being in place, but it is difficult for people to imagine such “no control” situations. They usually make the assessment assuming “normal controls” or some sort of “minimal controls.” For greater precision, some assessment methods break the likelihood assessment in two parts: one for likelihood or frequency and the other for effectiveness of internal controls, as shown in figure 4.2. Some models may even consider preventive and detective controls as two separate factors, with preventive controls being more relevant to likelihood or frequency, and detective controls more likely affecting the impact of an event based on the timeliness of detection.

In figure 4.2, the likelihood of occurrence is measured on a five-point scale from “rare” to “almost certain.” Control assumptions and frequency are given descriptive anchors that are then matched to the assessor’s beliefs.

Figure 4.2  Likelihood of Occurrence*

Scale 5 (Almost certain)
  Existing controls:
  • No controls in place
  • No policies or procedures, no responsible person(s) identified, no training, no management review
  Frequency of noncompliance: expected to occur in most circumstances; more than once per year

Scale 4 (Likely)
  Existing controls:
  • Policies and procedures in place but neither mandated nor updated regularly
  • Controls not tested or tested with unsatisfactory results
  • Responsible person(s) identified
  • Some formal and informal (on-the-job) training
  • No management reviews
  Frequency of noncompliance: will probably occur; at least once per year

Scale 3 (Possible)
  Existing controls:
  • Policies mandated, but not updated regularly
  • Controls tested only occasionally, with mixed results
  • Responsible person(s) identified
  • Training is provided when needed
  • Occasional management reviews are performed, but not documented
  Frequency of noncompliance: might occur at some time; at least once in 5 years

Scale 2 (Unlikely)
  Existing controls:
  • Policies mandated and updated regularly
  • Controls tested with mostly positive results
  • Regular training provided to the identified responsible person(s), but not documented
  • Regular management reviews are performed, but not documented
  Frequency of noncompliance: could occur at some time; at least once in 10 years

Scale 1 (Rare)
  Existing controls:
  • Policies mandated and updated regularly
  • Controls regularly tested with positive results
  • Regular mandatory training is provided to the identified responsible person(s), and the training is documented
  • Regular management reviews are performed and documented
  Frequency of noncompliance: may occur only in exceptional circumstances; less than once in 10 years

* Adapted from Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 30, https://compliancecosmos.org/compliance-risk-assessments-introduction.

This approach is just one example. Every organization should customize its scale and measurement methodology to fit its particular needs. This customization would be done by a compliance committee or by the C&E program staff with input from management. Once the scale is determined, it should be applied consistently by the assessors.
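The two-part likelihood assessment described above (one sub-score for frequency, one for the effectiveness of existing controls) can be made repeatable across assessors by encoding the figure 4.2 anchors once and applying them mechanically. The following is an added illustration, not code from COSO, Spain, or the guidance book; the anchors are those of figure 4.2, while the rule for combining the two sub-scores (take the more pessimistic one) and the threshold for flagging a divergent item for a second assessor are assumptions, as is the sample bribery-control profile, which is constructed.

```python
"""Added example: a two-part likelihood assessment (frequency + existing
controls) using the figure 4.2 anchors. Illustration only, not COSO's or
Spain's code. Assumptions: the combined likelihood is the more pessimistic
of the two sub-scores, and sub-scores two or more points apart are flagged
for a second assessor as a consistency check."""
from dataclasses import dataclass

# Frequency anchors from figure 4.2, keyed by scale value (5 = almost certain).
FREQUENCY_ANCHORS = {
    5: "More than once per year",
    4: "At least once per year",
    3: "At least once in 5 years",
    2: "At least once in 10 years",
    1: "Less than once in 10 years",
}


def frequency_score(events_per_year: float) -> int:
    """Map an estimated rate of noncompliance to the 1..5 frequency scale."""
    if events_per_year > 1.0:
        return 5
    if events_per_year >= 1.0:
        return 4
    if events_per_year >= 1 / 5:
        return 3
    if events_per_year >= 1 / 10:
        return 2
    return 1


@dataclass
class ControlProfile:
    """The assessor's answers about the controls currently in place."""
    policies_exist: bool
    policies_mandated: bool
    policies_updated_regularly: bool
    controls_tested: bool          # False = never tested
    test_results: str              # "positive", "mostly_positive", "mixed", "unsatisfactory"
    responsible_person: bool
    training: str                  # "none", "informal", "as_needed", "regular", "regular_documented"
    management_review: str         # "none", "occasional", "regular", "regular_documented"


def control_score(p: ControlProfile) -> int:
    """Rate existing controls on the 1 (strong) .. 5 (none) scale of figure 4.2.

    Levels are checked strongest-first; the first fully satisfied anchor wins,
    so a profile that misses any criterion of a level falls to a weaker one.
    """
    if (p.policies_mandated and p.policies_updated_regularly
            and p.controls_tested and p.test_results == "positive"
            and p.responsible_person
            and p.training == "regular_documented"
            and p.management_review == "regular_documented"):
        return 1  # Rare
    if (p.policies_mandated and p.policies_updated_regularly
            and p.controls_tested and p.test_results in ("positive", "mostly_positive")
            and p.responsible_person
            and p.training in ("regular", "regular_documented")
            and p.management_review in ("regular", "regular_documented")):
        return 2  # Unlikely
    if (p.policies_mandated and p.controls_tested
            and p.test_results != "unsatisfactory"
            and p.responsible_person
            and p.training != "none"
            and p.management_review != "none"):
        return 3  # Possible
    if p.policies_exist or p.responsible_person or p.training != "none":
        return 4  # Likely: something exists, but not mandated/tested/reviewed
    return 5  # Almost certain: no controls in place at all


@dataclass
class LikelihoodAssessment:
    frequency: int
    controls: int
    likelihood: int
    needs_review: bool  # sub-scores disagree by two or more points


def assess_likelihood(events_per_year: float, controls: ControlProfile) -> LikelihoodAssessment:
    """Combine the two sub-scores (assumed rule: the more pessimistic wins) and
    flag the item when the assessor's frequency belief and the state of the
    controls tell very different stories."""
    f = frequency_score(events_per_year)
    c = control_score(controls)
    return LikelihoodAssessment(f, c, max(f, c), abs(f - c) >= 2)


# Constructed sample: the page's example of a salesperson paying a government
# official, judged to happen about once every five years, with middling
# anti-bribery controls (mandated but stale policy, occasional mixed testing).
BRIBERY_CONTROLS = ControlProfile(
    policies_exist=True, policies_mandated=True, policies_updated_regularly=False,
    controls_tested=True, test_results="mixed", responsible_person=True,
    training="as_needed", management_review="occasional",
)

if __name__ == "__main__":
    a = assess_likelihood(1 / 5, BRIBERY_CONTROLS)
    print(f"frequency={a.frequency} ({FREQUENCY_ANCHORS[a.frequency]}), "
          f"controls={a.controls}, likelihood={a.likelihood}, needs_review={a.needs_review}")
```

Keeping the anchors in code rather than in each assessor's head is what makes the scale "applied consistently": two assessors answering the same control questions get the same control sub-score, and the divergence flag surfaces the cases where the frequency belief and the control picture should be reconciled before the item goes into the risk register.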
coso.org