Attention all risk management professionals! We are proud to announce the publication of our comprehensive guide to compliance risk management. This guide covers the latest industry best practices and provides practical advice for managing compliance risks in your organization. Whether you are new to the field or an experienced professional, this guide is designed to help you effectively identify, assess, and mitigate compliance risks.
Get your copy today and stay ahead of the game in the ever-evolving world of compliance risk management.
Your company is required to comply with laws within all the countries it operates in, the legal and regulatory requirements vary between different regions adding to the need to have the understanding and confidence in the risk management processes in place. Your company faces considerable uncertainty when making decisions and taking actions that may have significant compliance consequences. The management of compliance risks helps your company protect and increase its value.
This document provides guidance on the activities to be undertaken to support decision makers to assess and treat compliance risks efficiently and cost effectively to meet the expectations of a wide range of stakeholders. Failure to meet legal requirements and stakeholder expectations can have considerable and immediate negative consequences that could affect performance, reputation and might lead to criminal prosecution of top management.
2. Structure of the guide
Guide to compliance risk 3
Introduction 3
What is compliance risk 3
Risk identification 4
Risk assessment 5
Allocate weights to each scenarios 5
Risk mitigation and trade-off 6
Reporting and monitoring 7
Examples and case studies 8
Reducing climate change using risk analysis 8
Protecting intellectual property using risk analysis 8
Action plan 9
Additional resources 10
Useful videos on the topic 11
Contact the author 12
3. Guide to compliance risk
Introduction
Your company is required to comply with laws within all the countries it operates in, the legal
and regulatory requirements vary between different regions adding to the need to have the
understanding and confidence in the risk management processes in place. Your company
faces considerable uncertainty when making decisions and taking actions that may have
significant compliance consequences. The management of compliance risks helps your
company protect and increase its value.
This document provides guidance on the activities to be undertaken to support decision
makers to assess and treat compliance risks efficiently and cost effectively to meet the
expectations of a wide range of stakeholders. Failure to meet legal requirements and
stakeholder expectations can have considerable and immediate negative consequences that
could affect performance, reputation and might lead to criminal prosecution of top
management.
What is compliance risk
Compliance risk within this document is broadly defined and is not limited to, for example, risk
related to compliance or contractual matters, including risks from or to third parties where
there may be no contractual relationship but where there may be a possibility of litigation or
other action depending on that third parties’ contractual requirements with their stakeholders. I
had my lawyers word the definition. In reality, whatever you define compliance risks as, we are
certain they can be managed using the methodology provided.
This methodology is developed in line with the requirements of ISO 31022:2020 Risk
management — Guidelines for the management of legal risk and Compliance Risk
Management: Applying the COSO ERM Framework. But unlike both ISO and COSO, this
guide provides a scientific and mathematically sound way to identify, quantify and manage
compliance risks.
In the context of this guide, compliance risk management includes:
• Timely identification and recording of compliance risks
• Risk assessment and prioritization of compliance risk for further analysis
• Detailed risk analysis for most significant compliance risks and identification of suitable
risk mitigation measures
• Monitoring and reporting.
4. Risk identification
The purpose of identifying compliance risks is to find, recognize and describe the risks that
can help or prevent an organization from achieving its objectives.
To have a comprehensive understanding of compliance risks, companies should:
• Review relevant laws and regulations across all of the countries of operation.
• Review claims and incident statistics captured across the organization.
• Review claims against industry peers and other relevant organizations in the countries
of operation.
• Consult with relevant legal and compliance advisors and service providers.
• Review information and guidelines from regulators and government authorities.
Identified compliance risks can be mapped against the legal entities to make sure no
significant risks are missed:
Compliance risks can be documented in a manual or online risk register for further analysis.
Yes, in many senses compliance risk management is RM1, so artifacts like risk registers
apply. Read more on RM1 here.
5. Risk assessment
Wherever possible your company should apply quantitative risk analysis to measure and
prioritize compliance risks. The following information should be collected and recorded for
each identified risk:
• Possible consequence scenarios as described in the legislation or other regulatory
requirements (usually includes fines, 3rd party claims, criminal prosecution, temporary
production closure, sanctions and so on)
• Range of possible effects for each of the consequence scenario (for example,
according to the legislation fines may vary from 100K to 1M, production closure can be
for a period between 0 and 90 days, etc.)
• The logical relationship between each consequence scenario (for example, large fines
are much more likely once the small fines have been already received or for some risks
it could be the opposite, if small fines haven’t been issued over the last 2+ years this
could mean that the large fine is imminent and so on)
• Historical incident and claims data, known court cases or other relevant information.
• Risk owner and key stakeholders.
• Current controls and assessment of their effectiveness, if available.
Represent each risk as a bow-tie diagram
Each risk can be graphically represented as a bow-tie diagram. A bow tie is a graphical
depiction of pathways from the causes of an event or risk to its consequences in a simple
cause-consequence diagram. It is a simplified combination of a fault tree that analyses the
cause of an event or risk, the left hand side of the diagram, and an event tree that analyses
the consequences, the right hand side as shown in the illustration below.
The focus of bow tie analysis is on the barriers or controls depicted to the left-hand side of the
knot that can change the likelihood of the event or circumstance, or on those on the right-hand
side that can change its consequences. It is used when assessing the completeness of
controls, to check that each pathway from cause to event and event to consequence has
effective controls, and that factors that could cause controls to fail (including management
systems failures) are recognized:
6. • The most effective controls usually address causes, generally to stop them arising or
leading to the risk (preventive controls). They should match the causes, in extent and
nature.
• On the right of the bow tie, controls should provide appropriate responses to
consequences being felt or create barriers to the consequences developing. They
might either influence the consequences on business objectives directly (corrective or
reactive controls), or detect changes quickly and provide triggers for contingency plans
(detective controls).
Any compliance risk can be depicted as a bow-tie diagram by following these steps:
1. Select the risk to be examined in the bow tie analysis.
2. Describe the risk, in the form (something happens) and leads to (a consequence for
our objectives), and note the main risk analysis outcomes from the risk register.
3. List the causes of the risk on the left and the consequences of the risk on the right,
using the information from the regulations as well as through consultation with risk
owners and subject matter experts.
4. List the existing controls on the causes (preventive controls) below the causes on the
left, and the controls on the consequences (corrective controls) below the
consequences on the right. If a control acts on both causes and consequences, then
show it twice, on each side of the template.
5. Identify options for enhancing existing controls, to improve their effectiveness or to fill
gaps. This may include enhanced monitoring and more frequent review, for example
using control self-assessment.
Identify causes and consequence scenarios
Causes and consequences for the bow-tie diagram are normally derived from the regulations
as well as through consultation with risk owners and subject matter experts. Common
consequence scenarios for compliance risks include:
7. An example for a bow-tie for a typical compliance risk is presented below:
Where, V - means several events can occur at the same time, and XOR means the variability
of either one event or the other. For example, fines can be either for three days of water
8. pollution (small), or for a year (moderate) or three years (large), and criminal prosecution and
termination of business can occur simultaneously.
Determine the range of consequences for each scenario
In order to quantitatively assess compliance risks the next step involves defining the possible
range of values for each consequence scenario. Typical consequences can involve the
following factors:
Depending on the availability and reliability of the data various severity distributions can be
used:
• Lognormal distribution – where the range of consequences is not bounded and there is
a small probability of catastrophic losses.
• PERT distribution – for simulating consequences based on expert opinions where
historical data may not be available or the range of consequences is bounded by
regulation.
• Discrete distribution – for simulating a select number of well defined scenarios.
• Fitted distributions – wherever historical data is available it can be used to fit a
distribution suitable for the specific loss profile.
For each consequence scenario a distribution is selected and the range of possible values are
determined, for example minimum, expected loss and maximum loss. Schedule a free call
with the author to find out how to quantify risks if you think you have little or no data available.
9. Allocate weights to each scenarios
In order to determine the weight allocated to each consequence scenario of events triggered
by compliance risk, historical data, modelling, as well as expert opinions, can all be used,
individually or in combination.
Weight of each scenario can involve the following factors:
• the range of laws, along with enforcement practices and conventions by the relevant
regulatory authorities;
• the improvement of, and compliance with, the existing framework for the management
of legal risk, including strategies, governance, internal rules and policies;
• employees’ and contractors’ demonstrated compliance with laws, and the rules and
policies of the organization;
• the frequency and number of activities related to legal risk occurring within a certain
period;
• failure to record, analyse and learn from previous events;
• benchmarking the frequency and number of activities related to legal risk occurring
within a certain period against other organizations.
Wherever possible historical data on each of the consequence scenarios is collected. When
no historical data is available or no claims have been made against the company in the past,
use Bayesian statistics to estimate the weights for the scenario. Depending on the availability
and reliability of the data various distributions can be used to estimate the weight of each of
the consequence scenarios:
• Bernoulli or discrete distribution – where there limited historical data and the probability
of a single or multiple consequences needs to be estimated.
• Poison distribution – where we have historical data to estimate the frequency of each of
the consequence scenarios.
10. Current controls, their effectiveness and other factors affecting the probability of claims
against the company have to be accounted for when allocating weights to each of the
scenarios.
Measure the effect of risks on decisions
In order to account for the uncertainty both in the consequences of each scenario and its
weight, consequence distributions are multiplied by weight distributions using the Monte-Carlo
simulation method. Normally 10000 simulation runs should be sufficient for most compliance
risks, however more simulation runs may be required for highly unlikely and catastrophic
events.
The output of risk analysis can be represented as a distribution or box plot as shown below:
The distribution of the possible outcomes shows:
• Reasonable optimistic scenario (usually minimal or no financial consequences)
• Expected scenario (50th percentile)
• Reasonable pessimistic scenario (financial consequences which would not be exceed
95% of the time, 5% probability that impact may be even greater).
An integral part of the risk analysis is a tornado diagram showing which of the consequence
scenarios is having the most effect on the overall risk exposure level. Tornado diagram is the
correct way to prioritise risks significantly superior to a traditional heatmap.
11. An example is shown below:
In the situation where the risk exposure is deemed significant, risk mitigation measures need
to be discussed and agreed upon.
Often it may be insufficient to just estimate the compliance risk exposure, instead it may be
required to measure how compliance risks would affect an investment decision, a
performance target or business plan or budget. In such cases it may be necessary to estimate
how compliance risks change the project NPV / other decision making metric or how
compliance risks change the probability of successfully finishing the project on time and
budget.
12. Risk mitigation and trade-off
The treatment of compliance risks refers to the corresponding strategies implemented by an
organization to deal with its risks. A risk treatment plan should consider a range of treatment
options, which may include legal remedies as well as financial, operational and reputational
remedies for each prioritized risk.
The following factors should be considered when choosing an appropriate option for the
treatment of compliance risks:
• the organizational risk management policy, strategic objectives, core values and legal
responsibility of the organization;
• a cost benefit analysis of responding to compliance risk;
• the stakeholders’ perception and their values, attitude to risk and tolerance levels, as
well as their preferences on certain compliance risk treatment strategies;
• the availability and allocation of resources needed to manage the risk;
• a legal review (including scope and depth) of laws, contractual commitments and
limiting risk contractually;
• legal opinions;
• the extent to which the compliance risk can under law be transferred, delegated or
insured against;
• the level of risk awareness and maturity level within the organization.
Different mitigation and treatment strategies can be tested to determine which option provides
the best value in risk reduction for the cost involved. Different mitigation strategies can be
graphically represented as on the diagram below:
13.
14. Reporting and monitoring
The monitoring and review of the management of compliance risks includes the following:
• staying abreast of changes in the environment, such as the introduction of new laws
and the enforcement of such laws, in order to adjust the organization’s strategy
accordingly;
• monitoring events triggered by compliance risk, analysing their frequency and patterns,
and drawing conclusions from them (including potential correlation with and
amplification of other risks);
• considering an early warning system with key stakeholders to identify warning signals
for significant compliance risks that could arise;
• monitoring and reviewing:
◦ outcomes following risk treatment;
◦ changes in the environment;
◦ the building of integrated risk treatment plans;
◦ the designation of the responsible and accountable parties;
• comparing progress with the risk treatment plan, reviewing and updating the risk
treatment plan periodically and in a timely manner to seek assurance on its adequacy,
suitability and effectiveness in relation to the management of compliance risk.
An organization should consider the following issues in relation to record-keeping and
reporting:
• legal professional privilege, attorney–client privilege and work product (or their
equivalent concepts and terms under the relevant national law);
• destruction, retention and privacy policies, in accordance with data protection laws;
• the availability and accessibility of documentation for stakeholders to improve decision-
making and for internal or external audit purposes.
• whether the relevant documentation needs to be maintained securely, with a chain of
evidence process documenting that no alterations have been made to the documents,
information or evidence;
• confidentiality and security measures in relation to documentation of a confidential
nature, such as setting up limited and authorized access to such documentation.
An organization should report on the progress of changes in implementing the management of
compliance risks and adherence to the measures.
15. Examples and case studies
Reducing climate change using risk analysis
The environmental team at a large logistical company was struggling to convey the risk
exposure from water pollution to management and get approval for the risk mitigation budget.
The risk team created a quantitative pollution risk calculator to assist the environmental team in
estimated risk exposure, calculating budgets and testing various mitigation options. Stochastic
decision trees is the best way to represent complex environmental risks.
16. The risk calculator allowed:
• Environmental risk comparison between locations, VaR95% estimation for each water
discharge, for any given location or a company.
• Calculating expected losses, unexpected losses and a reasonable budget for
mitigation.
• Assessment the effect from various mitigation actions on the risk reduction, the ability to
compare the effect of mitigation actions against the necessary budget.
Protecting intellectual property using risk analysis
In 2017 $6B telecom company developed an intellectual property (IP) risk methodology.
Company was transforming its business from pure telecom to a tech company, developing
numerous tech startups (telecom of things, cyber security, telemedicine, Big Data analysis
etc.). Significant IP risks have been identified by the management. No in-house methodology
existing for measuring IP risks and integrating risk analysis into decision making.
Large court cases worldwide showed that IP risks can be very expensive (Apple vs
Samsung). Heatmaps used by company’s management didn’t provide prioritization for risk-
factors to be addressed by management and provided no insights into decision making when
selecting, financing and implementing tech startups. Authors, together with Dentons Group,
developed a quantitative risk calculator for IP risks for project decision making based on
17. Monte-Carlo simulations, so company’s management could realize the scale and chances to
lose money on each new project. The analysis showed some projects IP risks were
underestimated and had a large chance of losing money. And in some projects IP risks were
acceptable and it was not cost effective to provide full protection against IP risks. It was also
helped to develop library of intangible assets and sources for verified IP rights.
Key takeaways included:
• Heatmaps don’t allow you to see the real scale and chances of having issues with IP
risks in investment projects, but decision trees together with Monte-Carlo simulation do.
• Many expert mitigations turned out to address the wrong risk factors and didn’t protect
the company, effect of risk mitigation was better simulated using a risk model.
• Sufficient data was available publicly and within the company to quantify even
seemingly complex IP risks.
• Decision trees and bow ties are quite useful in legal decision-making including
decisions to settle or not.
18. Action plan
This checklist is designed to help organizations identify and manage their compliance risks:
Establish a working group together with compliance or legal team
Review existing risk appetites or consult RISK-ACADEMY guide on risk appetite
Working within the joint compliance/legal/risk team identify all relevant compliance
risks and map them against the legal entities
Prioritize compliance risks based on the quantitative risk analysis
Calculate expected and unexpected losses for the most significant risks to
determine the most appropriate mitigation strategy and budget available for
mitigation
Compare different mitigation strategies to see how much they reduce the risk
profile
Back test and update the methodology in case of new incidents or fines
Speak with the guide author if you have questions.
19. Additional resources
Deep dive into advanced risk
management using this online
course
This course gives guidance, motivation, critical
information, and practical case studies to move beyond
traditional risk governance, helping ensure risk
management is not a stand-alone process but a change
driver for business.
https://courses.dcroi.org/courses/alex-sidorenko
Automate your quantitative risk
analysis using Archer Insight and
support business decision making
Archer Insight is a suite of enterprise-wide risk
quantification capabilities for business leaders designed to
deliver a complete view of enterprise risks, improve
resilience, and ensure achievement of strategic goals.
This innovative solution provides business leaders with
more precision in an aggregated view of risks that allows
them to ensure compliance and better protect your
business from disruption.
Using Archer Insight, organizations can conduct risk
quantification analysis, monitor, and report on their risk
management programs and then provide business leaders
and decision-makers with quantitative, transparent, and
actionable information needed to make strategic business
decisions.
https://www.archerirm.com/insight-risk-academy
20. Useful videos on the topic
Alex Sidorenko talks with David Tattam about the use and
application of bow-ties for compliance risks. Can this simple
and graphical technique significantly improve decision
making? https://youtube.com/live/PM3wfJLVKLc
Hernan Huwyler - Quantify legal and compliance risks from
zero to hero #RAW2021. Learn how to use simple MS Excel
formulas to model risks based on common distributions and
how to collect and validate risk data on legal assessments.
https://youtu.be/LGlSxQ_RSjQ
Hernan Huwyler - Data-driven decisions for smart legal and
compliance professionals. This presentation will allow
improving your techniques to better use data to assess
compliance and legal risks for regulatory and contractual
requirements. You will learn how to perform smart quantitative
analyses for managing penalty risks in a business case based
on a concession contract. https://youtu.be/8D8gBlXONT0
21. Contact the author
Book a free no
obligations call
with Alex
ALEX SIDORENKO, CRMP.RR, CT31000,
CTA31000
Alex Sidorenko is an expert with over 16 years of risk management
experience in private equity, sovereign funds, investment
authorities and venture capital firms across Australia, CIS, GCC.
Successfully implemented changes to quantitative risk analysis, risk-
based decision making and neuroscience as a CRO at EuroChem
(global fertilizer $10B) and RUSNANO (private equity fund $3B).
Saved more than $13 million per year in premiums on cargo,
liability and PD/BI insurance through industry leading quantitative risk
analysis without changing deductibles and while doubling the limits.
Successfully defending corporate risk profile at the Ministry of
finance and securing more than $1B in extra funding.
Author of the most popular free risk management book in the
world, more than 200K downloads in 3 languages.
Risk manager of the year, FERMA, 2021, Honourable mention
2021, RIMS, Risk manager of the year, RUSRISK, 2014, Best
ERM Implementation, RUSRISK, 2014, Best risk management
training, RUSRISK, 2013, 2014, 2015, finalist in risk management
awards in 2018 and 2019.
Since 2012 Alex runs RISK-ACADEMY, a highly successful
company, focused on providing risk management integration
services, risk modeling, training and auditing to private equity firms
(direct investment and funds) as well as sovereign wealth funds.
Alex’s specialization is risk management integration, risk-based
investment decision making, value creation and asset
management.