Risky Business

Article originally appeared in Casino Enterprise Management on 5/15/08

A gaming company’s regulatory compliance program is a key component of how the company manages risk attendant to criminal and regulatory violations by its officers, directors and employees. Before designing the compliance program, companies often err by not first determining the risks, and their likelihood and potential impact, so as to design the most effective compliance program.

Gaming enterprises are subject to a number of risks, ranging from criminal activity and civil regulatory violations to undesirable conduct. The management team for each gaming company must determine the types of risks present and how much risk is acceptable. After that, management should regularly assess the likelihood and potential impact in an effort to prioritize each type of risk. Risk exposure should be evaluated using quantitative and qualitative measures. Through gaming risk assessment, management can prepare, and continually maintain, a well-designed and effective compliance system to reduce risks to acceptable levels.

How Much Risk is Healthy to Swallow?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines corporate risk appetite and tolerance in its publication Enterprise Risk Management – Integrated Framework (www.coso.org). COSO states: “Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while risk tolerances are more narrow and set the acceptable level of variation around objectives.”

By way of analogy, risk appetite and tolerance are comparable to a diet. Risk appetite is the total number of calories a person can intake in a day to achieve a healthy diet, for example, 2,500 calories. Risk tolerance is the number of calories that make up each meal in the diet. For instance, breakfast is limited to 600 calories, lunch 900 and dinner 1,000. Staying within risk tolerance levels (e.g., eating only the allowed number of calories for each meal) allows management to achieve desired results (e.g., achieve a healthy diet). COSO puts it this way: “Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which, in turn, provides a higher degree of comfort that the company will achieve its objectives.”

Much like the recommended calorie intake to achieve a healthy diet will differ for each individual, so will the risk appetite of each company. Some gaming management teams are risk-averse, while others see risk as an opportunity to increase financial returns. COSO frames the issue this way: “The level of risk that an entity is willing to accept is a management decision—and there is no right answer to this question. One company’s management will pursue a higher-risk strategy while another will pursue a lower-risk strategy.”

Evaluation of Risks

Two common methods are used to evaluate risks: quantitative and qualitative. Each method analyzes available information to help management determine the likelihood and significance of a risk. Determining likelihood requires probability predictions to assess whether an identified risk will actually be present in the workplace. Significance is usually measured in financial terms and relates to risk size, magnitude and pervasiveness.

Quantitative methods rely on the analysis of data, usually large volumes of it, using proven models built on assumptions. Proven models are sound, generally accepted scientific, statistical or mathematical principles. The results are replicable using identical data and assumptions. However, as the “garbage in, garbage out” adage goes, quantitative methods depend heavily on accurate data, in sufficient amounts and obtained from reliable sources. Equally important are the assumptions used. Bad, unreasonable or unsupported assumptions will yield unreliable results for risk assessment.

Qualitative methods are more judgmental and subjective. These methods are frequently used in combination with quantitative methods. Alternatively, they may be employed when quantitative measures are inconclusive, when data is unreliable, or when the costs to perform quantitative testing are prohibitive. Qualitative methods may include interviews, focus groups, surveys and questionnaires. The results from qualitative methods are opinions about risk based on experience, knowledge, education, training and skills.

Assessment of Risks

An assessment of the likelihood and significance of risks caused by unacceptable or illegal conduct should be performed regularly. The frequency depends on a company’s business cycle, objectives and strategies. Obtaining feedback from management and key personnel is fundamental for an accurate assessment. In addition, the assessment should consider the company’s past experiences, current trends and any plans for the future. It should also factor in gaming industry, international and cultural considerations. Once gathered, information is analyzed using qualitative and quantitative methods to estimate exposure to the business.

Knowledgeable personnel are a good starting point to identify risks. Gaming companies should engage management and employees in the risk identification process by interviewing, surveying or paneling focus groups. Management should be sure to involve executives and key line positions in business units, such as accounting, human resources and internal audit. This has the dual benefit of uncovering potential conduct risks and training personnel to be aware of such risks.

Management also should consider past company experiences, industry information, business trends, plans, and international and cultural norms when identifying behavioral and conduct risks. Many gaming enterprises maintain a repository of lessons learned from prior violations and investigations. This corporate history is a great place to find risks requiring continued attention. Keeping abreast of the gaming industry and business trends is important, as changes in the form of legislation, labor shortages or technology could create new risks while eliminating others. Of course, gaming companies should consider their own business plans, too. Plans for future expansion, the launch of information systems, or changes in senior management, just to name a few, can all impact risk. Finally, management must be mindful of any international operations and the unique risks that may arise from differences in political, legal and cultural behavior norms as compared to the United States.

Once identified, the likelihood of a conduct risk is measured by determining the expectancy of a criminal, unethical or noncompliant act happening in the workplace. The trick is not simply to list every possible risk, but instead to identify only those risks that are the most probable. That requires management to look at risk from two viewpoints: inherent risk and residual risk. Risk is inherent with most bad acts because virtually everyone is capable of performing them under the right circumstances. In other words, even a good employee may violate behavioral standards when confronted with both pressure and opportunity. Residual risk, however, requires the consideration of company controls that are intended to prevent or deter inherent risks from occurring. When evaluating residual risk, management needs to ask if its controls are appropriate and sufficient to reduce inherent risks to acceptable levels.

For risk events that are determined to be likely, management must estimate the significance of the risk to the company using both qualitative and quantitative methods noted above. In some cases, this may be as simple as calculating the monetary impact of a single improper invoice or expense report on the company’s financial statements. For others, it may require a subjective prediction about possible adverse consequences and costs to the enterprise if, for example, a senior official violates gaming laws. In any event, management should estimate the significance of the impact of each risk, usually in monetary terms.

Total exposure measures the combination of likely and significant conduct risk exposure to the gaming company. Exposure is created when risks are expected to have a significant adverse impact on the organization and are likely to occur. Of course, exposure is affected if risks are interdependent or correlated. Corporate risk exposure should be quantified by management. This is accomplished by multiplying a probability percentage assigned to risk likelihood by the monetary significance of the risk. (See below.) In other words, exposure is the result of how likely it is that a risk will occur in the workplace and its financial impact to the company.

The assessment of the likelihood, significance and exposure risk to each gaming company should be performed periodically to coincide with short- and long-term business cycles, objectives and strategies. The ebbs and flows of economic activity create business cycles. Typical cycles include seasonal retail sales patterns or peaks in gaming visits during holidays, summer breaks or around the time of notable sports events. From a short-term perspective, each spike in activity is a cycle related to a strategy that should be assessed. In the longer term, risk assessments could be linked to three- to five-year business plans or overall business objectives. At a minimum, management should perform such an assessment at least annually to coincide with budgeting and financial statement preparation activities.

Prioritization of Risks

Once exposure to criminal, unethical, inappropriate or noncompliant conduct risks is established, the risks should be prioritized by management. Some risks will be classified as top priorities; however, it is important that only truly critical risks receive this rating to prevent overloading management with too many matters at one time. During this process, it will become apparent that some risks, regardless of priority, require immediate action. Others will be handled over time with action strategically taken only after a study of costs versus benefits. Successfully addressing high exposure risks will no doubt require investments, resources, organizational changes, strengthening of controls or personnel changes. Risks classified as high priority should be addressed and monitored to ensure they are appropriately managed to acceptable levels. However, no risk should be ignored indefinitely. All other risks should be periodically reconsidered for possible reprioritization.


Management of gaming enterprises is responsible for identifying, assessing and prioritizing potential adverse consequences from the risk of criminal, unethical, undesirable and noncompliant behavior and conduct in the workplace. This requires an understanding of the gaming company’s risk appetite and periodic activities to measure conduct risk using objective and subjective methods. Once complete, management can prioritize risks and take informed actions to manage risk to acceptable levels.
