Most compliance professionals use some variation of the same model for assessing the severity of a compliance risk as part of a periodic risk assessment. Severity often considers the likelihood and impact of a risk. Just as the measurement of impact should consider multiple financial and nonfinancial factors, the consideration of likelihood should include several variables.
The most commonly considered elements of likelihood are the ones that are most easily measured. It is often quite easy to determine how many employees or third-party individuals are involved, how many transactions are processed, and how many steps there are in a process. When combined, these factors present a picture of how many opportunities there are for noncompliance to occur. How this measure changes over time provides some insight into whether the likelihood of noncompliance is increasing or declining.
Too often, however, the assessment of likelihood stops there, with the purely mathematical measure of opportunities for noncompliance. There is, however, a whole other category of factors that affect likelihood—only these are a bit more difficult to assess.
Our employees, as well as the employees of certain third parties, play a key role in compliance, and their impact on likelihood goes far beyond a simple measure of how many opportunities they might have for a noncompliance risk event. Individual behavior can be subject to significant change over time, and these changes directly affect the likelihood of noncompliance.
The most common behavioral change is a natural degradation of internal controls over time as people become less focused and more complacent. The value of periodic reminders in the form of training and other communications should not be overlooked. All workers are subject to internal controls fatigue over time, even in the absence of other disruptive events.
But don’t overlook these other disruptive events that affect workers’ ability to remain focused either. There are many possible events that can distract employees or otherwise interfere with their ability to perform their work in a compliant manner. A wide range of events can be disruptive, from discontent over wages or working conditions, to high-pressure environments and short-term absences that result in increased workloads for the remaining employees.
These softer human factors play an important role in the likelihood for errors leading to noncompliance. They are also more difficult to identify and factor into the likelihood measurement. But it is critical to attempt to consider these factors in order to accurately identify changes in likelihood.