3.3.17 Assign Risk to your Compliance Obligations – Documents and Clauses | Nimonik - Comprehensive Compliance Program - EHS, Risk, GRC, IRM, ISO

3.3.17 Assign Risk to your Compliance Obligations – Documents and Clauses

Context on Risk Ranking System for Compliance Obligations

Nimonik – Risk Management Guide

Overview

The risk calculator tool along with other Nimonik capabilities offer organizations the ability to manage compliance risk, risk treatments, and other risk data associated with document or clause level obligations.

Compliance risk is the effect of uncertainty on meeting obligations (ISO 31000). These effects may be prevented or mitigated (reducing the effects) by applying  risk treatments. Risk treatments form part of an organization’s overall compliance controls.

Compliance risk prior to treatment is called, “Inherent Risk.”  The risk remaining as a result of risk treatment is called, “Residual Risk.”  The goal of compliance is to reduce the Residual Risk below the risk tolerance level of the organization.

Nimonik should encourage customers to create two custom fields in their registers:

  • Inherent Risk and
  • Residual Risk.

The level of compliance risk can be qualitatively or quantitatively described. The most common is to use risk scores to quantify qualitative evaluations. Risk scores are often calculated as:

Risk Score = Likelihood of Occurrence * Impact of Compliance RIsk

Where:

  • Likelihood is a number that represents the probability that an infraction to compliance obligations may occur.
    • This should reflect how often the organization is engaged in a business activity (i.e. handling hazardous waste) that the document regulates.
  • Consequences is the potential damage that an infraction could cause on the organization.
    • This should include penalties, sanctions, fines, time lost correcting issues and reputation damage.

Likelihood and Impact are subjective determinations that represent underlying probabilistic processes. The key is not to find the perfect or exact risk number, but rather to make a best effort and to critically evaluate the inherent risk.

Once risk treatments have been applied (control measures, training, procedures,…), the risk evaluation should be done again. The impact of control measures can be both on the likelihood (i.e. reduction in the handling of hazardous waste) and on the consequences (i.e. spill response plan).

Compliance Risk Example

Let’s consider the following example:

Obligation:  Report environmental incidents under the OWRA or EPA legislation.

We can consider the following risk scenarios:

Risk Scenarios:

  • Under these regulations, the company needs to report annually. Therefore each facility has a chance of 1 per year that they will not file the appropriate reports.
  • The potential consequence of not reporting ranges between $25,000 and $100,000. However, since the organization has no prior issues with reporting, the organization can take the lower end of this spectrum of $25,000 fine + internal management costs, … etc. and estimate a total cost of $100,000.

Risk Matrix:

Likelihood of interacting with this regulation 1 – Low (Rare)
2 – Medium (Possible)
3 – High (Almost certain)
Impact of Compliance Risk 1 – Low – ($0 – $25,000)
2 – Medium ($25,000 -$100,000)
3 – High (> $100,000)

Using our example, we would pick the risk scenario that is most likely to occur which results in the following risk score using the above risk matrix::

Risk Score = 3 (high) * 2 (Medium) = 6

An organization may decide to accept (i.e., tolerate) this risk as is.  This means they are willing to accept the penalty should it occur.

However, the risk may also be prevented by introducing better reporting processes and using our internal action functionality to reduce the risk of missing a reporting deadline.

The effectiveness of this treatment could result in lowing the likelihood from 3 to a 1.

Risk Score = 1 (low) * 1 (low) = 1

This will result in considerable savings not only in terms of not needing to pay a fine but also the costs associated with reputation, public safety and other impacts.

The challenge is to come up with a calibrated risk matrix that adequately captures the uncertainties and impacts for a given organization.

COSO suggests the following risk matrix which  incorporates impacts to legal, financial, operational, reputation, health & safety, and strategic objectives.

How to Assign Risk

Risk-Type custom fields allow you to calculate the risk of the documents and clauses in your compliance obligations.

To calculate the risk for a document or clause, click on the text that appears in the risk custom field. In the resulting modal, select the appropriate likelihood and consequence values.

Once you click save, the appropriate risk value and colour will be added to the custom field.

If you need to update the risk value, you can do so at any time by clicking on the current value, and selecting the appropriate likelihood and consequence.