Page 58 - COSO Guidance Book

18    |   Enterprise Risk Management   |  Compliance Risk Management: Applying the COSO ERM Framework




        The second component of risk severity is impact. Impact is the result or effect of risk in terms of the organization’s strategy and business objectives. With compliance risk, one thinks immediately of civil and criminal fines and penalties, and the possible direct financial consequences of noncompliance. Another significant factor may be the reputational impact of compliance and ethical issues. This and other consequences (e.g., sanctions, suspension, and debarment) may have a material indirect financial impact, as well as an impact on morale and other factors that are difficult to measure.

        Impact of noncompliance and ethical failures can be assessed using a variety of measurement categories.

          •  Legal — Consisting of civil and criminal fines and penalties

          •  Financial — Internal and external costs associated with investigation and remediation (e.g., legal fees, consultants, investigators)

          •  Operational — Potential disruption of business operations from plant shutdowns, suspensions, debarments, and loss of license

          •  Reputation (image) — Effect of media coverage; damage to organization’s image/brand; and subsequent diminished attractiveness to current and potential future employees, business partners, vendors, and customers

          •  Health and safety — Employee, patient, customer

          •  Ability to pursue strategic goals — Prohibition on adding new customers, loss of license

        Figure 4.3 illustrates how these categories might be used to construct a scale for assessing the impact of compliance risks.

         Figure 4.3  Impact of Compliance Risks

         | Scale | Legal* | Financial # | Operational (Potential Disruption)* | Reputation (Image)+ | Health and Safety* | Ability to Pursue Strategic Goals* |
         |---|---|---|---|---|---|---|
         | 1 Insignificant | In compliance | < $1 million | < 1/2 day | No press exposure | No injuries | Little or no impact |
         | 2 Minor | Civil violation with little/no fines | $1–$5 million | < 1 day | Localized negative impact on reputation (such as a single large customer) but recoverable | First aid treatment | Minor impact |
         | 3 Serious | Significant civil fines/penalties | $5–$25 million | 1 day–1 week | Negative media coverage in a specific U.S. region or a foreign country | Medical treatment | Major impact |
         | 4 Disastrous | Serious violation, criminal prosecution probable | $25–$100 million | 1 week–1 month | Negative U.S. national or international media coverage (not front page) | Death or extensive injuries | Significant impact |
         | 5 Catastrophic | Significant violation, criminal conviction probable, loss of accreditation or licensure | > $100 million | > 1 month | Sustained U.S. national (and international) negative media coverage (front page of business section) | Multiple deaths or several permanent disabilities | Loss of accreditation or license |
        #  Amounts are examples only; each organization should set amounts to reflect its size and financial strength.
        *  Adapted from Judith W. Spain, Compliance Risk Assessments: An Introduction (Minneapolis: Society of Corporate Compliance and Ethics, 2020), 39,
          https://compliancecosmos.org/compliance-risk-assessments-introduction
        +  Adapted from Deloitte, Compliance risk assessments: The third ingredient in a world-class ethics and compliance program, Deloitte Development LLC, 2015.

        As with the likelihood scale, each organization would adapt the impact scale and factors to its own environmental context. The organization’s risk appetite would also be reflected in setting the values used in the anchor labels.

        An additional factor that may enhance the evaluation of severity is the localization or regionalization of the assessment. For multilocation and multinational organizations, risk may vary from one location or region to another, based on a wide variety of factors. Rather than assessing severity at the organizational level, determining separate measures can add an additional level of precision to the assessment.

        Assessment of each of the risks in the compliance risk inventory can be made by compliance staff or by a compliance committee and can be conducted at different levels of the organization. In conducting assessments, steps should be taken to minimize bias by avoiding self-assessment and using multiple assessors from varied disciplines and experience to ensure that risks are appropriately evaluated.




