Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework | 19
Table 4.2 Assesses severity of risk

Key characteristics
• Adopt a uniform scale/scoring system for measuring severity of compliance risks
• Consider qualitative and quantitative measures
• Establish criteria to assess impact and likelihood of compliance risk event occurrence
• Assess severity of risk at different levels (organizational, regional, affiliate, etc.)
• Consider design and operation of internal controls intended to prevent or detect compliance risk events
• Minimize bias and inadequate knowledge in assessing severity (e.g., minimize self-assessments, use multidisciplinary teams)
Principle 12 — Prioritizes risks

The assessments of compliance risks in terms of likelihood and impact allow for prioritization across the organization. One method used to capture and summarize the severity assessment is to construct a risk inventory matrix.

Using the example scales from the preceding section, the following matrix can be developed.

Figure 4.4 Likelihood vs impact matrix

                    IMPACT
LIKELIHOOD          1 Insignificant | 2 Minor | 3 Serious | 4 Disastrous | 5 Catastrophic
5 Almost Certain
4 Likely
3 Possible
2 Unlikely
1 Rare

(The cells of the matrix are shaded green, yellow, or red in the original figure to indicate the priority bands discussed below.)

This allows the organization to group risks in terms of how and when they will be addressed and the level of attention that each is given. Although it could be argued that the organization ideally could address all of its compliance risks, from a practical perspective, more direct and immediate attention is required for the most serious risks. How this is done will depend on the organization’s risk appetite and tolerances and its available resources. For instance, in the example, risks in the green areas would be periodically reassessed, but no specific risk response action or extensive monitoring action would be taken. In the yellow areas, the risk owners would be required to develop a risk mitigation plan to reduce or eliminate them without the addition of significant resources. For those risks falling in the red areas, compliance committees would be assigned to work with risk owners to develop detailed response plans in which risk ownership is clearly identified, assign responsibility for risk responses, and develop monitoring and auditing plans for the remediation efforts.

In addition to severity and risk appetite, some organizations consider other factors in their risk prioritization. Adjustments might be made to the risks on the basis of velocity, persistence, and recovery. Velocity is the speed at which a risk affects the organization, such as a serious food safety violation that would require immediate closure of a food processing plant. Persistence is how long the risk affects the organization, such as media coverage from criminal violations lasting four or five years. Recovery refers to how long it takes to fix the problem (i.e., time needed to manage the risk to tolerable levels), such as how long it takes to implement improved vendor due diligence criteria and processes to reduce the risk of shell company transactions.
Table 4.3 Prioritizes risks

Key characteristics
• Prioritize compliance risks based on assessed level of risk relative to meeting of business objectives
• Use objective scoring based on assessment
• Consider use of other assessment criteria (trend, velocity, etc.) in prioritizing compliance risks
• Consider possible effects of planned changes in strategy and operations
• Develop risk-based action plans for mitigation (risk responses, implemented in next step)
Principle 13 — Implements risk responses

Risk responses are designed to manage the assessed level of risk and can take many forms. The most obvious response to an elevated level of risk is the design and implementation of improved internal controls over compliance. Effective mitigation of a compliance risk involves consideration of all seven elements of a C&E program for each risk (e.g., policies, training).

Many risk-specific policies involve internal controls. Internal controls over compliance may be preventive or detective in nature, and ideally a blend of both is in place. Although
coso.org