Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article.  Unfortunately I posted the third article out of sequence. This is the second posting in this follow up series.

[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.] 

As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis.  In the previous article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company.  Once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating.  Significance X Likelihood= Priority Rating.

What do we mean by this?  Develop a “Significance” Rating Guide with numbers 1-5 with 1 being “Extreme” and 5 being “Negligible”.  Then develop a “Likelihood” Rating Guide with numbers 1-5 with 1 being “Almost Certain” and 5 being “Rare”.  The next step is to develop a “Priority” Rating Guide from 1-25 with 1 & 2 being “Severe” and 20-25 being “Trivial”.  At the recent Compliance Week 2011 meeting in Washington DC, I saw an excellent presentation by Michele K. Abraham, Corporate Attorney-Ethics & Compliance with The Timken Company.  This is how The Timkin Company rated “Significance”, “Likelihood” and “Priority Rating”:

“Significance” Rating Guide:

Rating

Assessment

Evaluation Criteria-

What is the Impact on the Business

1

Extreme

Consequences would threaten survival of the business or would result in outside monitoring and enforcement.

2

Very High

Consequences would have a material impact on the operations of the Company or could result in outside monitoring and enforcement.

3

Medium

Consequences would result in significant review or changed ways of operating by outside enforcement agency.

4

Low

Consequences would contribute to the failure to accomplish business objectives.

5

Negligible

Consequences would not effect any constituent in any material manner.

“Likelihood” Rating Guide:


Rating

Assessment

Evaluation Criteria-

How likely is this event to occur at your company?

1

Almost Certain

Highly likely, this event is expected to occur.

2

Likely

Strong possibility than an event will occur and there is sufficient historical incidence to support it.

3

Possible

Event may occur at some point, typically there is no history to support it.

4

Unlikely

Not expected, but there is a slight possibility that it may occur.

5

Rare

Highly unlikely, but may occur in unique circumstances.

“Priority” Rating Guide:

Rating

Assessment

Evaluation Criteria-

What Action is Required?

1-2

Severe

Immediate action is required to address this risk, in addition to inclusion in training and education and audit and monitoring plans.

3-4

High

Should be proactively monitored and mitigating through inclusion in training and education and audit and monitoring plans.

5-7

Significant

8-14

Moderate

15-19

Low

Risks at this level should be monitored, but do not necessarily pose any serious threat to the organization at the present time.

20-25

Trivial

These rating guides are a terrific model for you to use to develop the Rating Guides for your business. But remember, each business is different.  The evaluation criteria must be tailored to your company.

Let’s take a look at an example:

Scenario:

Your company sells ready-mix concrete in Louisiana.  With the economic downturn in the housing market, the demand for ready-mix concrete is declining.  You have a competitor who also sells in the same area.  During the risk identification brainstorming sessions with the Sales Department, you learn that at a recent industry wide event your salesman has approached the salesman for the competition and “suggested” that a good price for X pounds of ready-mix concrete is $X dollars.  You recognize that this action is probably a violation of the U.S. anti-trust laws.  How do you rate the “Significance” of this event?  What about the “Likelihood”?  You learn from the legal department that the maximum fine for violating the Sherman Act is $100 million for corporations. You also learn that the maximum fine may be increased to twice the gain derived from the crime or twice the loss suffered by the victims of the crime, if either of those amounts is greater than the statutory maximum fine.  Given the fines and penalties, would you rate this risk a “1” “Extreme” because you believe that the consequences of such an event would threaten the survival of the business or would result in outside monitoring and enforcement?  What about the likelihood? Perhaps you would rank the likelihood as a “2” “Likely” because you believe that there is a strong possibility than an event will occur and there is sufficient historical evidence to support it.  In this case, then the “Priority” rating for an anti-trust violation would be “2” which according to your Priority Rating Guide, suggests that immediate action is required to address this risk.

The questions for us to discuss in the next segment are “How do you manage the risk”? What internal controls do you have or can you implement to mitigate the risk?”

Mary Shaddock Jones, Attorney at Law.  msjones@msjllc.com; 337-515-8527 (c); 337-513-0335 (0)

 

0 comments