RISK-ACADEMY’S GUIDE ON COMPLIANCE RISK
Structure of the guide
Guide to compliance risk
Introduction
What is compliance risk
Risk identification
Risk assessment
Allocate weights to each scenario
Risk mitigation and trade-off
Reporting and monitoring
Examples and case studies
Reducing climate change using risk analysis
Protecting intellectual property using risk analysis
Action plan
Additional resources
Useful videos on the topic
Contact the author
Guide to compliance risk
Introduction
Your company is required to comply with the laws of all the countries it operates in. Legal
and regulatory requirements vary between regions, which adds to the need for
understanding of, and confidence in, the risk management processes in place. Your company
faces considerable uncertainty when making decisions and taking actions that may have
significant compliance consequences. The management of compliance risks helps your
company protect and increase its value.
This document provides guidance on the activities to be undertaken to support decision
makers to assess and treat compliance risks efficiently and cost effectively to meet the
expectations of a wide range of stakeholders. Failure to meet legal requirements and
stakeholder expectations can have considerable and immediate negative consequences that
could affect performance, reputation and might lead to criminal prosecution of top
management.
What is compliance risk
Compliance risk within this document is broadly defined and is not limited to, for example, risk
related to compliance or contractual matters, including risks from or to third parties where
there may be no contractual relationship but where there may be a possibility of litigation or
other action depending on that third party’s contractual requirements with their stakeholders. I
had my lawyers word the definition. In reality, whatever you define compliance risks as, we are
certain they can be managed using the methodology provided.
This methodology is developed in line with the requirements of ISO 31022:2020 Risk
management — Guidelines for the management of legal risk and Compliance Risk
Management: Applying the COSO ERM Framework. But unlike both ISO and COSO, this
guide provides a scientific and mathematically sound way to identify, quantify and manage
compliance risks.
In the context of this guide, compliance risk management includes:
• Timely identification and recording of compliance risks
• Risk assessment and prioritization of compliance risk for further analysis
• Detailed risk analysis for most significant compliance risks and identification of suitable
risk mitigation measures
• Monitoring and reporting.
Risk identification
The purpose of identifying compliance risks is to find, recognize and describe the risks that
can help or prevent an organization from achieving its objectives.
To have a comprehensive understanding of compliance risks, companies should:
• Review relevant laws and regulations across all of the countries of operation.
• Review claims and incident statistics captured across the organization.
• Review claims against industry peers and other relevant organizations in the countries
of operation.
• Consult with relevant legal and compliance advisors and service providers.
• Review information and guidelines from regulators and government authorities.
Identified compliance risks can be mapped against the legal entities to make sure no
significant risks are missed:
Compliance risks can be documented in a manual or online risk register for further analysis.
Yes, in many senses compliance risk management is RM1, so artifacts like risk registers
apply. Read more on RM1 here.
Risk assessment
Wherever possible your company should apply quantitative risk analysis to measure and
prioritize compliance risks. The following information should be collected and recorded for
each identified risk:
• Possible consequence scenarios as described in the legislation or other regulatory
requirements (usually includes fines, 3rd party claims, criminal prosecution, temporary
production closure, sanctions and so on)
• Range of possible effects for each consequence scenario (for example,
according to the legislation fines may vary from 100K to 1M, production closure can be
for a period between 0 and 90 days, etc.)
• The logical relationship between each consequence scenario (for example, large fines
are much more likely once the small fines have been already received or for some risks
it could be the opposite, if small fines haven’t been issued over the last 2+ years this
could mean that the large fine is imminent and so on)
• Historical incident and claims data, known court cases or other relevant information.
• Risk owner and key stakeholders.
• Current controls and assessment of their effectiveness, if available.
Represent each risk as a bow-tie diagram
Each risk can be graphically represented as a bow-tie diagram. A bow tie is a graphical
depiction of pathways from the causes of an event or risk to its consequences in a simple
cause-consequence diagram. It is a simplified combination of a fault tree that analyses the
cause of an event or risk, the left hand side of the diagram, and an event tree that analyses
the consequences, the right hand side as shown in the illustration below.
The focus of bow tie analysis is on the barriers or controls depicted to the left-hand side of the
knot that can change the likelihood of the event or circumstance, or on those on the right-hand
side that can change its consequences. It is used when assessing the completeness of
controls, to check that each pathway from cause to event and event to consequence has
effective controls, and that factors that could cause controls to fail (including management
systems failures) are recognized:
• The most effective controls usually address causes, generally to stop them arising or
leading to the risk (preventive controls). They should match the causes, in extent and
nature.
• On the right of the bow tie, controls should provide appropriate responses to
consequences being felt or create barriers to the consequences developing. They
might either influence the consequences on business objectives directly (corrective or
reactive controls), or detect changes quickly and provide triggers for contingency plans
(detective controls).
Any compliance risk can be depicted as a bow-tie diagram by following these steps:
1. Select the risk to be examined in the bow tie analysis.
2. Describe the risk, in the form (something happens) and leads to (a consequence for
our objectives), and note the main risk analysis outcomes from the risk register.
3. List the causes of the risk on the left and the consequences of the risk on the right,
using the information from the regulations as well as through consultation with risk
owners and subject matter experts.
4. List the existing controls on the causes (preventive controls) below the causes on the
left, and the controls on the consequences (corrective controls) below the
consequences on the right. If a control acts on both causes and consequences, then
show it twice, on each side of the template.
5. Identify options for enhancing existing controls, to improve their effectiveness or to fill
gaps. This may include enhanced monitoring and more frequent review, for example
using control self-assessment.
Identify causes and consequence scenarios
Causes and consequences for the bow-tie diagram are normally derived from the regulations
as well as through consultation with risk owners and subject matter experts. Common
consequence scenarios for compliance risks include:
An example for a bow-tie for a typical compliance risk is presented below:
Here V means that several events can occur at the same time, and XOR means that
either one event or the other occurs. For example, fines can be either for three days of water
pollution (small), or for a year (moderate) or three years (large), and criminal prosecution and
termination of business can occur simultaneously.
Determine the range of consequences for each scenario
In order to quantitatively assess compliance risks the next step involves defining the possible
range of values for each consequence scenario. Typical consequences can involve the
following factors:
Depending on the availability and reliability of the data various severity distributions can be
used:
• Lognormal distribution – where the range of consequences is not bounded and there is
a small probability of catastrophic losses.
• PERT distribution – for simulating consequences based on expert opinions where
historical data may not be available or the range of consequences is bounded by
regulation.
• Discrete distribution – for simulating a select number of well defined scenarios.
• Fitted distributions – wherever historical data is available it can be used to fit a
distribution suitable for the specific loss profile.
For each consequence scenario a distribution is selected and the range of possible values is
determined, for example the minimum, expected and maximum loss. Schedule a free call
with the author to find out how to quantify risks if you think you have little or no data available.
Allocate weights to each scenario
In order to determine the weight allocated to each consequence scenario of events triggered
by compliance risk, historical data, modelling, as well as expert opinions, can all be used,
individually or in combination.
Weight of each scenario can involve the following factors:
• the range of laws, along with enforcement practices and conventions by the relevant
regulatory authorities;
• the improvement of, and compliance with, the existing framework for the management
of legal risk, including strategies, governance, internal rules and policies;
• employees’ and contractors’ demonstrated compliance with laws, and the rules and
policies of the organization;
• the frequency and number of activities related to legal risk occurring within a certain
period;
• failure to record, analyse and learn from previous events;
• benchmarking the frequency and number of activities related to legal risk occurring
within a certain period against other organizations.
Wherever possible historical data on each of the consequence scenarios is collected. When
no historical data is available or no claims have been made against the company in the past,
use Bayesian statistics to estimate the weights for the scenario. Depending on the availability
and reliability of the data various distributions can be used to estimate the weight of each of
the consequence scenarios:
• Bernoulli or discrete distribution – where there is limited historical data and the probability
of a single or multiple consequences needs to be estimated.
• Poisson distribution – where we have historical data to estimate the frequency of each of
the consequence scenarios.
Current controls, their effectiveness and other factors affecting the probability of claims
against the company have to be accounted for when allocating weights to each of the
scenarios.
Measure the effect of risks on decisions
In order to account for the uncertainty both in the consequences of each scenario and its
weight, consequence distributions are multiplied by weight distributions using the Monte-Carlo
simulation method. Normally 10000 simulation runs should be sufficient for most compliance
risks, however more simulation runs may be required for highly unlikely and catastrophic
events.
The output of risk analysis can be represented as a distribution or box plot as shown below:
The distribution of the possible outcomes shows:
• Reasonable optimistic scenario (usually minimal or no financial consequences)
• Expected scenario (50th percentile)
• Reasonable pessimistic scenario (financial consequences which would not be exceeded
95% of the time, 5% probability that impact may be even greater).
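The simulation described in this section, as an added example that is not part of the original guide: a fine frequency (Poisson) and a closure probability (Bernoulli) act as weights on PERT consequence ranges, and 10,000 runs yield the optimistic, expected and pessimistic scenarios. The 100K to 1M fine range and the 0 to 90 day closure range are the guide's examples; the rate, probability, most-likely values and loss per day are constructed assumptions.

```python
import math
import random

RUNS = 10_000  # number of simulation runs suggested in the guide

# Constructed inputs. The 100K-1M fine range and the 0-90 day closure range are
# the guide's own examples; every other number is an assumption for illustration.
FINES = {"rate_per_year": 0.3, "low": 100_000, "mode": 250_000, "high": 1_000_000}
CLOSURE = {"probability": 0.05, "low_days": 0, "mode_days": 10, "high_days": 90,
           "loss_per_day": 50_000}


def pert(rng, low, mode, high):
    """Sample a PERT distribution: a Beta rescaled to [low, high], shape 4."""
    if high == low:
        return float(low)
    a = 1 + 4 * (mode - low) / (high - low)
    b = 1 + 4 * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Sample a Poisson count with Knuth's method (adequate for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(rng):
    """One simulation run: (total fines, closure loss) for one year."""
    # Weight of the fine scenario: how many fines are issued this year.
    n_fines = poisson(rng, FINES["rate_per_year"])
    # Consequence of each fine: bounded by regulation, so PERT is used.
    fines = sum(pert(rng, FINES["low"], FINES["mode"], FINES["high"])
                for _ in range(n_fines))
    # Closure can occur alongside fines: an independent Bernoulli trial.
    closure = 0.0
    if rng.random() < CLOSURE["probability"]:
        days = pert(rng, CLOSURE["low_days"], CLOSURE["mode_days"],
                    CLOSURE["high_days"])
        closure = days * CLOSURE["loss_per_day"]
    return fines, closure


def percentile(sorted_values, q):
    """Value at quantile q (0..1) of an already sorted list."""
    return sorted_values[int(q * (len(sorted_values) - 1))]


def run(seed=1, runs=RUNS):
    """Run the simulation and summarise the loss distribution."""
    rng = random.Random(seed)  # seeded so the analysis is reproducible
    years = [simulate_year(rng) for _ in range(runs)]
    totals = sorted(f + c for f, c in years)
    mean = sum(totals) / runs
    return {
        "optimistic_p5": percentile(totals, 0.05),
        "expected_p50": percentile(totals, 0.50),
        "pessimistic_p95": percentile(totals, 0.95),
        "mean": mean,
        # Share of the expected loss contributed by each consequence scenario.
        "share_fines": sum(f for f, _ in years) / (mean * runs),
        "share_closure": sum(c for _, c in years) / (mean * runs),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:>16}: {value:,.2f}")
```

With these constructed inputs most simulated years carry no loss, so the 50th percentile is zero and the exposure shows up only in the mean and the 95th percentile.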
An integral part of the risk analysis is a tornado diagram showing which of the consequence
scenarios has the most effect on the overall risk exposure level. A tornado diagram is the
correct way to prioritise risks and is significantly superior to a traditional heatmap.
An example is shown below:
In the situation where the risk exposure is deemed significant, risk mitigation measures need
to be discussed and agreed upon.
Often it may be insufficient to just estimate the compliance risk exposure. Instead it may be
required to measure how compliance risks would affect an investment decision, a
performance target or business plan or budget. In such cases it may be necessary to estimate
how compliance risks change the project NPV / other decision making metric or how
compliance risks change the probability of successfully finishing the project on time and
budget.
Risk mitigation and trade-off
The treatment of compliance risks refers to the corresponding strategies implemented by an
organization to deal with its risks. A risk treatment plan should consider a range of treatment
options, which may include legal remedies as well as financial, operational and reputational
remedies for each prioritized risk.
The following factors should be considered when choosing an appropriate option for the
treatment of compliance risks:
• the organizational risk management policy, strategic objectives, core values and legal
responsibility of the organization;
• a cost benefit analysis of responding to compliance risk;
• the stakeholders’ perception and their values, attitude to risk and tolerance levels, as
well as their preferences on certain compliance risk treatment strategies;
• the availability and allocation of resources needed to manage the risk;
• a legal review (including scope and depth) of laws, contractual commitments and
limiting risk contractually;
• legal opinions;
• the extent to which the compliance risk can under law be transferred, delegated or
insured against;
• the level of risk awareness and maturity level within the organization.
Different mitigation and treatment strategies can be tested to determine which option provides
the best value in risk reduction for the cost involved. Different mitigation strategies can be
graphically represented as on the diagram below:
Reporting and monitoring
The monitoring and review of the management of compliance risks includes the following:
• staying abreast of changes in the environment, such as the introduction of new laws
and the enforcement of such laws, in order to adjust the organization’s strategy
accordingly;
• monitoring events triggered by compliance risk, analysing their frequency and patterns,
and drawing conclusions from them (including potential correlation with and
amplification of other risks);
• considering an early warning system with key stakeholders to identify warning signals
for significant compliance risks that could arise;
• monitoring and reviewing:
◦ outcomes following risk treatment;
◦ changes in the environment;
◦ the building of integrated risk treatment plans;
◦ the designation of the responsible and accountable parties;
• comparing progress with the risk treatment plan, reviewing and updating the risk
treatment plan periodically and in a timely manner to seek assurance on its adequacy,
suitability and effectiveness in relation to the management of compliance risk.
An organization should consider the following issues in relation to record-keeping and
reporting:
• legal professional privilege, attorney–client privilege and work product (or their
equivalent concepts and terms under the relevant national law);
• destruction, retention and privacy policies, in accordance with data protection laws;
• the availability and accessibility of documentation for stakeholders to improve
decision-making and for internal or external audit purposes;
• whether the relevant documentation needs to be maintained securely, with a chain of
evidence process documenting that no alterations have been made to the documents,
information or evidence;
• confidentiality and security measures in relation to documentation of a confidential
nature, such as setting up limited and authorized access to such documentation.
An organization should report on the progress of changes in implementing the management of
compliance risks and adherence to the measures.
Examples and case studies
Reducing climate change using risk analysis
The environmental team at a large logistical company was struggling to convey the risk
exposure from water pollution to management and get approval for the risk mitigation budget.
The risk team created a quantitative pollution risk calculator to assist the environmental team in
estimating risk exposure, calculating budgets and testing various mitigation options. Stochastic
decision trees are the best way to represent complex environmental risks.
The risk calculator allowed:
• Environmental risk comparison between locations, VaR95% estimation for each water
discharge, for any given location or a company.
• Calculating expected losses, unexpected losses and a reasonable budget for
mitigation.
• Assessing the effect of various mitigation actions on the risk reduction, the ability to
compare the effect of mitigation actions against the necessary budget.
Protecting intellectual property using risk analysis
In 2017 a $6B telecom company developed an intellectual property (IP) risk methodology.
The company was transforming its business from pure telecom to a tech company, developing
numerous tech startups (telecom of things, cyber security, telemedicine, Big Data analysis
etc.). Significant IP risks had been identified by management. No in-house methodology
existed for measuring IP risks and integrating risk analysis into decision making.
Large court cases worldwide showed that IP risks can be very expensive (Apple vs
Samsung). Heatmaps used by the company’s management didn’t provide prioritization of the
risk factors to be addressed by management and provided no insights into decision making when
selecting, financing and implementing tech startups. The authors, together with Dentons Group,
developed a quantitative risk calculator for IP risks for project decision making based on
Monte-Carlo simulations, so the company’s management could see the scale and chances of
losing money on each new project. The analysis showed that in some projects IP risks were
underestimated and had a large chance of losing money, while in other projects IP risks were
acceptable and it was not cost effective to provide full protection against them. It also
helped to develop a library of intangible assets and sources for verified IP rights.
Key takeaways included:
• Heatmaps don’t allow you to see the real scale and chances of having issues with IP
risks in investment projects, but decision trees together with Monte-Carlo simulation do.
• Many expert mitigations turned out to address the wrong risk factors and didn’t protect
the company; the effect of risk mitigation was better simulated using a risk model.
• Sufficient data was available publicly and within the company to quantify even
seemingly complex IP risks.
• Decision trees and bow ties are quite useful in legal decision-making including
decisions to settle or not.
Action plan
This checklist is designed to help organizations identify and manage their compliance risks:
• Establish a working group together with compliance or legal team
• Review existing risk appetites or consult RISK-ACADEMY guide on risk appetite
• Working within the joint compliance/legal/risk team identify all relevant compliance
risks and map them against the legal entities
• Prioritize compliance risks based on the quantitative risk analysis
• Calculate expected and unexpected losses for the most significant risks to
determine the most appropriate mitigation strategy and budget available for
mitigation
• Compare different mitigation strategies to see how much they reduce the risk
profile
• Back test and update the methodology in case of new incidents or fines
Speak with the guide author if you have questions.
Additional resources
Deep dive into advanced risk management using this online course
This course gives guidance, motivation, critical
information, and practical case studies to move beyond
traditional risk governance, helping ensure risk
management is not a stand-alone process but a change
driver for business.
https://courses.dcroi.org/courses/alex-sidorenko
Automate your quantitative risk analysis using Archer Insight and support business decision making
Archer Insight is a suite of enterprise-wide risk
quantification capabilities for business leaders designed to
deliver a complete view of enterprise risks, improve
resilience, and ensure achievement of strategic goals.
This innovative solution provides business leaders with
more precision in an aggregated view of risks that allows
them to ensure compliance and better protect your
business from disruption.
Using Archer Insight, organizations can conduct risk
quantification analysis, monitor, and report on their risk
management programs and then provide business leaders
and decision-makers with quantitative, transparent, and
actionable information needed to make strategic business
decisions.
https://www.archerirm.com/insight-risk-academy
Useful videos on the topic
Alex Sidorenko talks with David Tattam about the use and
application of bow-ties for compliance risks. Can this simple
and graphical technique significantly improve decision
making? https://youtube.com/live/PM3wfJLVKLc
Hernan Huwyler - Quantify legal and compliance risks from
zero to hero #RAW2021. Learn how to use simple MS Excel
formulas to model risks based on common distributions and
how to collect and validate risk data on legal assessments.
https://youtu.be/LGlSxQ_RSjQ
Hernan Huwyler - Data-driven decisions for smart legal and
compliance professionals. This presentation will allow
improving your techniques to better use data to assess
compliance and legal risks for regulatory and contractual
requirements. You will learn how to perform smart quantitative
analyses for managing penalty risks in a business case based
on a concession contract. https://youtu.be/8D8gBlXONT0
Contact the author
Book a free no obligations call with Alex
ALEX SIDORENKO, CRMP.RR, CT31000, CTA31000
Alex Sidorenko is an expert with over 16 years of risk management
experience in private equity, sovereign funds, investment
authorities and venture capital firms across Australia, CIS, GCC.
Successfully implemented changes to quantitative risk analysis, risk-
based decision making and neuroscience as a CRO at EuroChem
(global fertilizer $10B) and RUSNANO (private equity fund $3B).
Saved more than $13 million per year in premiums on cargo,
liability and PD/BI insurance through industry leading quantitative risk
analysis without changing deductibles and while doubling the limits.
Successfully defending corporate risk profile at the Ministry of
finance and securing more than $1B in extra funding.
Author of the most popular free risk management book in the
world, more than 200K downloads in 3 languages.
Risk manager of the year, FERMA, 2021, Honourable mention
2021, RIMS, Risk manager of the year, RUSRISK, 2014, Best
ERM Implementation, RUSRISK, 2014, Best risk management
training, RUSRISK, 2013, 2014, 2015, finalist in risk management
awards in 2018 and 2019.
Since 2012 Alex runs RISK-ACADEMY, a highly successful
company, focused on providing risk management integration
services, risk modeling, training and auditing to private equity firms
(direct investment and funds) as well as sovereign wealth funds.
Alex’s specialization is risk management integration, risk-based
investment decision making, value creation and asset
management.

 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Non Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxNon Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptx
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 

RISK-ACADEMY’s guide on compliance risk in non-financial companies. Free download

  • 2. Structure of the guide
    ◦ Guide to compliance risk
    ◦ Introduction
    ◦ What is compliance risk
    ◦ Risk identification
    ◦ Risk assessment
    ◦ Allocate weights to each scenario
    ◦ Risk mitigation and trade-off
    ◦ Reporting and monitoring
    ◦ Examples and case studies
    ◦ Reducing climate change using risk analysis
    ◦ Protecting intellectual property using risk analysis
    ◦ Action plan
    ◦ Additional resources
    ◦ Useful videos on the topic
    ◦ Contact the author
  • 3. Guide to compliance risk

    Introduction

    Your company is required to comply with the laws of all the countries it operates in. Legal and regulatory requirements vary between regions, which adds to the need for understanding of and confidence in the risk management processes in place. Your company faces considerable uncertainty when making decisions and taking actions that may have significant compliance consequences. The management of compliance risks helps your company protect and increase its value.

    This document provides guidance on the activities to be undertaken to support decision makers to assess and treat compliance risks efficiently and cost effectively to meet the expectations of a wide range of stakeholders. Failure to meet legal requirements and stakeholder expectations can have considerable and immediate negative consequences that could affect performance and reputation and might lead to criminal prosecution of top management.

    What is compliance risk

    Compliance risk within this document is broadly defined and is not limited to, for example, risk related to compliance or contractual matters, including risks from or to third parties where there may be no contractual relationship but where there may be a possibility of litigation or other action depending on that third parties’ contractual requirements with their stakeholders. I had my lawyers word the definition. In reality, whatever you define compliance risks as, we are certain they can be managed using the methodology provided.

    This methodology is developed in line with the requirements of ISO 31022:2020 Risk management — Guidelines for the management of legal risk and Compliance Risk Management: Applying the COSO ERM Framework. But unlike both ISO and COSO, this guide provides a scientific and mathematically sound way to identify, quantify and manage compliance risks.

    In the context of this guide, compliance risk management includes:
    • Timely identification and recording of compliance risks
    • Risk assessment and prioritization of compliance risk for further analysis
    • Detailed risk analysis for most significant compliance risks and identification of suitable risk mitigation measures
    • Monitoring and reporting.
  • 4. Risk identification

    The purpose of identifying compliance risks is to find, recognize and describe the risks that can help or prevent an organization from achieving its objectives. To have a comprehensive understanding of compliance risks, companies should:
    • Review relevant laws and regulations across all of the countries of operation.
    • Review claims and incident statistics captured across the organization.
    • Review claims against industry peers and other relevant organizations in the countries of operation.
    • Consult with relevant legal and compliance advisors and service providers.
    • Review information and guidelines from regulators and government authorities.

    Identified compliance risks can be mapped against the legal entities to make sure no significant risks are missed:

    Compliance risks can be documented in a manual or online risk register for further analysis. Yes, in many senses compliance risk management is RM1, so artifacts like risk registers apply. Read more on RM1 here.
  • 5. Risk assessment

    Wherever possible your company should apply quantitative risk analysis to measure and prioritize compliance risks. The following information should be collected and recorded for each identified risk:
    • Possible consequence scenarios as described in the legislation or other regulatory requirements (usually includes fines, 3rd party claims, criminal prosecution, temporary production closure, sanctions and so on)
    • Range of possible effects for each of the consequence scenarios (for example, according to the legislation fines may vary from 100K to 1M, production closure can be for a period between 0 and 90 days, etc.)
    • The logical relationship between each consequence scenario (for example, large fines are much more likely once the small fines have already been received, or for some risks it could be the opposite: if small fines haven’t been issued over the last 2+ years this could mean that the large fine is imminent, and so on)
    • Historical incident and claims data, known court cases or other relevant information.
    • Risk owner and key stakeholders.
    • Current controls and assessment of their effectiveness, if available.

    Represent each risk as a bow-tie diagram

    Each risk can be graphically represented as a bow-tie diagram. A bow tie is a graphical depiction of pathways from the causes of an event or risk to its consequences in a simple cause-consequence diagram. It is a simplified combination of a fault tree that analyses the cause of an event or risk (the left-hand side of the diagram) and an event tree that analyses the consequences (the right-hand side), as shown in the illustration below. The focus of bow tie analysis is on the barriers or controls depicted on the left-hand side of the knot that can change the likelihood of the event or circumstance, or on those on the right-hand side that can change its consequences.

    It is used when assessing the completeness of controls, to check that each pathway from cause to event and event to consequence has effective controls, and that factors that could cause controls to fail (including management systems failures) are recognized:
  • 6.
    • The most effective controls usually address causes, generally to stop them arising or leading to the risk (preventive controls). They should match the causes, in extent and nature.
    • On the right of the bow tie, controls should provide appropriate responses to consequences being felt or create barriers to the consequences developing. They might either influence the consequences on business objectives directly (corrective or reactive controls), or detect changes quickly and provide triggers for contingency plans (detective controls).

    Any compliance risk can be depicted as a bow-tie diagram by following these steps:
    1. Select the risk to be examined in the bow tie analysis.
    2. Describe the risk, in the form (something happens) and leads to (a consequence for our objectives), and note the main risk analysis outcomes from the risk register.
    3. List the causes of the risk on the left and the consequences of the risk on the right, using the information from the regulations as well as through consultation with risk owners and subject matter experts.
    4. List the existing controls on the causes (preventive controls) below the causes on the left, and the controls on the consequences (corrective controls) below the consequences on the right. If a control acts on both causes and consequences, then show it twice, on each side of the template.
    5. Identify options for enhancing existing controls, to improve their effectiveness or to fill gaps. This may include enhanced monitoring and more frequent review, for example using control self-assessment.

    Identify causes and consequence scenarios

    Causes and consequences for the bow-tie diagram are normally derived from the regulations as well as through consultation with risk owners and subject matter experts. Common consequence scenarios for compliance risks include:
  • 7. An example of a bow-tie for a typical compliance risk is presented below:

    Here V means several events can occur at the same time, and XOR means that either one event or the other occurs. For example, fines can be either for three days of water pollution (small), or for a year (moderate) or three years (large), and criminal prosecution and termination of business can occur simultaneously.

  • 8. Determine the range of consequences for each scenario

    In order to quantitatively assess compliance risks, the next step involves defining the possible range of values for each consequence scenario. Typical consequences can involve the following factors:

    Depending on the availability and reliability of the data, various severity distributions can be used:
    • Lognormal distribution – where the range of consequences is not bounded and there is a small probability of catastrophic losses.
    • PERT distribution – for simulating consequences based on expert opinions where historical data may not be available or the range of consequences is bounded by regulation.
    • Discrete distribution – for simulating a select number of well defined scenarios.
    • Fitted distributions – wherever historical data is available it can be used to fit a distribution suitable for the specific loss profile.

    For each consequence scenario a distribution is selected and the range of possible values is determined, for example minimum, expected loss and maximum loss.

    Schedule a free call with the author to find out how to quantify risks if you think you have little or no data available.
  • 9. Allocate weights to each scenario

    In order to determine the weight allocated to each consequence scenario of events triggered by compliance risk, historical data, modelling, as well as expert opinions, can all be used, individually or in combination. The weight of each scenario can involve the following factors:
    • the range of laws, along with enforcement practices and conventions by the relevant regulatory authorities;
    • the improvement of, and compliance with, the existing framework for the management of legal risk, including strategies, governance, internal rules and policies;
    • employees’ and contractors’ demonstrated compliance with laws, and the rules and policies of the organization;
    • the frequency and number of activities related to legal risk occurring within a certain period;
    • failure to record, analyse and learn from previous events;
    • benchmarking the frequency and number of activities related to legal risk occurring within a certain period against other organizations.

    Wherever possible, historical data on each of the consequence scenarios is collected. When no historical data is available or no claims have been made against the company in the past, use Bayesian statistics to estimate the weights for the scenario.

    Depending on the availability and reliability of the data, various distributions can be used to estimate the weight of each of the consequence scenarios:
    • Bernoulli or discrete distribution – where there is limited historical data and the probability of a single or multiple consequences needs to be estimated.
    • Poisson distribution – where we have historical data to estimate the frequency of each of the consequence scenarios.
  • 10. Current controls, their effectiveness and other factors affecting the probability of claims against the company have to be accounted for when allocating weights to each of the scenarios.

    Measure the effect of risks on decisions

    In order to account for the uncertainty both in the consequences of each scenario and in its weight, consequence distributions are multiplied by weight distributions using the Monte-Carlo simulation method. Normally 10000 simulation runs should be sufficient for most compliance risks; however, more simulation runs may be required for highly unlikely and catastrophic events.

    The output of risk analysis can be represented as a distribution or box plot as shown below:

    The distribution of the possible outcomes shows:
    • Reasonable optimistic scenario (usually minimal or no financial consequences)
    • Expected scenario (50th percentile)
    • Reasonable pessimistic scenario (financial consequences which would not be exceeded 95% of the time; 5% probability that the impact may be even greater).

    An integral part of the risk analysis is a tornado diagram showing which of the consequence scenarios has the most effect on the overall risk exposure level. A tornado diagram is the correct way to prioritise risks, significantly superior to a traditional heatmap.
  • 11. An example is shown below:

    In the situation where the risk exposure is deemed significant, risk mitigation measures need to be discussed and agreed upon.

    Often it may be insufficient to just estimate the compliance risk exposure; instead, it may be required to measure how compliance risks would affect an investment decision, a performance target, a business plan or a budget. In such cases it may be necessary to estimate how compliance risks change the project NPV or other decision making metric, or how compliance risks change the probability of successfully finishing the project on time and on budget.
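
The Monte-Carlo step described above (weight distributions combined with consequence distributions, then read off as percentiles and a tornado ranking), as an added Python example that is not part of the original guide. Apart from the 100K to 1M fine range and the 0 to 90 day closure range the guide quotes, every rate, weight, daily margin and claim parameter is a constructed sample value; defining unexpected loss as the 95th percentile minus the mean, and ranking scenarios by the drop in the 95th percentile when each is removed, are assumptions of this example.

```python
import math
import random

RUNS = 10_000  # run count the guide suggests for most compliance risks

# Constructed sample inputs (only the 100K-1M fine range and the 0-90 day
# closure range come from the guide's own examples).
FINE_TIERS = [  # XOR branch: exactly one fine tier per regulator finding
    (0.70, (100_000, 150_000, 250_000)),    # small: weight, PERT min/mode/max
    (0.25, (250_000, 400_000, 600_000)),    # moderate
    (0.05, (600_000, 800_000, 1_000_000)),  # large
]
P_CLOSURE, CLOSURE_DAYS, DAILY_MARGIN = 0.10, (0, 15, 90), 20_000
P_CLAIM, CLAIM_MU, CLAIM_SIGMA = 0.20, math.log(200_000), 0.8


def pert(rng, low, mode, high, lam=4.0):
    """PERT sample from expert min / most likely / max, via a Beta draw."""
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, rate):
    """Knuth's Poisson sampler (adequate for the small rates used here)."""
    limit, k, p = math.exp(-rate), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k


def simulate(findings_per_year=0.3, runs=RUNS, seed=1):
    """Return one dict of per-scenario losses for each simulated year."""
    rng = random.Random(seed)
    weights = [w for w, _ in FINE_TIERS]
    years = []
    for _ in range(runs):
        loss = {"fines": 0.0, "closure": 0.0, "claims": 0.0}
        for _ in range(poisson(rng, findings_per_year)):
            # XOR: pick one fine tier by weight, then draw its amount.
            _, tier = rng.choices(FINE_TIERS, weights=weights)[0]
            loss["fines"] += pert(rng, *tier)
            # V (OR): closure and third-party claims may both follow a finding.
            if rng.random() < P_CLOSURE:
                loss["closure"] += pert(rng, *CLOSURE_DAYS) * DAILY_MARGIN
            if rng.random() < P_CLAIM:
                loss["claims"] += rng.lognormvariate(CLAIM_MU, CLAIM_SIGMA)
        years.append(loss)
    return years


def percentile(values, q):
    """Empirical percentile: the value at rank q in the sorted sample."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(years):
    """Optimistic / expected / pessimistic scenarios plus loss budget figures."""
    totals = [sum(y.values()) for y in years]
    mean = sum(totals) / len(totals)
    p95 = percentile(totals, 0.95)
    return {"p05": percentile(totals, 0.05), "p50": percentile(totals, 0.50),
            "p95": p95, "expected": mean, "unexpected": p95 - mean}


def tornado(years):
    """Rank scenarios by how much the 95th percentile drops without them."""
    totals = [sum(y.values()) for y in years]
    base = percentile(totals, 0.95)
    swing = {}
    for name in years[0]:
        without = [t - y[name] for t, y in zip(totals, years)]
        swing[name] = base - percentile(without, 0.95)
    return sorted(swing.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    baseline = simulate()
    print(summarize(baseline))
    print(tornado(baseline))
    # Same model with a control that cuts the finding rate (constructed figure).
    print(summarize(simulate(findings_per_year=0.1)))
```

With a low finding rate most simulated years carry no loss at all, so the 5th and 50th percentiles sit at zero and the exposure only becomes visible in the 95th percentile and the expected loss.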
  • 12. Risk mitigation and trade-off

    The treatment of compliance risks refers to the corresponding strategies implemented by an organization to deal with its risks. A risk treatment plan should consider a range of treatment options, which may include legal remedies as well as financial, operational and reputational remedies for each prioritized risk.

    The following factors should be considered when choosing an appropriate option for the treatment of compliance risks:
    • the organizational risk management policy, strategic objectives, core values and legal responsibility of the organization;
    • a cost benefit analysis of responding to compliance risk;
    • the stakeholders’ perception and their values, attitude to risk and tolerance levels, as well as their preferences on certain compliance risk treatment strategies;
    • the availability and allocation of resources needed to manage the risk;
    • a legal review (including scope and depth) of laws, contractual commitments and limiting risk contractually;
    • legal opinions;
    • the extent to which the compliance risk can under law be transferred, delegated or insured against;
    • the level of risk awareness and maturity level within the organization.

    Different mitigation and treatment strategies can be tested to determine which option provides the best value in risk reduction for the cost involved. Different mitigation strategies can be graphically represented as on the diagram below:
  • 13.
  • 14. Reporting and monitoring

    The monitoring and review of the management of compliance risks includes the following:
    • staying abreast of changes in the environment, such as the introduction of new laws and the enforcement of such laws, in order to adjust the organization’s strategy accordingly;
    • monitoring events triggered by compliance risk, analysing their frequency and patterns, and drawing conclusions from them (including potential correlation with and amplification of other risks);
    • considering an early warning system with key stakeholders to identify warning signals for significant compliance risks that could arise;
    • monitoring and reviewing:
      ◦ outcomes following risk treatment;
      ◦ changes in the environment;
      ◦ the building of integrated risk treatment plans;
      ◦ the designation of the responsible and accountable parties;
    • comparing progress with the risk treatment plan, reviewing and updating the risk treatment plan periodically and in a timely manner to seek assurance on its adequacy, suitability and effectiveness in relation to the management of compliance risk.

    An organization should consider the following issues in relation to record-keeping and reporting:
    • legal professional privilege, attorney–client privilege and work product (or their equivalent concepts and terms under the relevant national law);
    • destruction, retention and privacy policies, in accordance with data protection laws;
    • the availability and accessibility of documentation for stakeholders to improve decision-making and for internal or external audit purposes;
    • whether the relevant documentation needs to be maintained securely, with a chain of evidence process documenting that no alterations have been made to the documents, information or evidence;
    • confidentiality and security measures in relation to documentation of a confidential nature, such as setting up limited and authorized access to such documentation.

    An organization should report on the progress of changes in implementing the management of compliance risks and adherence to the measures.
  • 15. Examples and case studies

    Reducing climate change using risk analysis

    The environmental team at a large logistical company was struggling to convey the risk exposure from water pollution to management and get approval for the risk mitigation budget. The risk team created a quantitative pollution risk calculator to assist the environmental team in estimating risk exposure, calculating budgets and testing various mitigation options. Stochastic decision trees are the best way to represent complex environmental risks.
  • 16. The risk calculator allowed:
    • Environmental risk comparison between locations, VaR95% estimation for each water discharge, for any given location or a company.
    • Calculating expected losses, unexpected losses and a reasonable budget for mitigation.
    • Assessment of the effect of various mitigation actions on the risk reduction, and the ability to compare the effect of mitigation actions against the necessary budget.

    Protecting intellectual property using risk analysis

    In 2017 a $6B telecom company developed an intellectual property (IP) risk methodology. The company was transforming its business from pure telecom to a tech company, developing numerous tech startups (telecom of things, cyber security, telemedicine, Big Data analysis etc.). Significant IP risks had been identified by the management. No in-house methodology existed for measuring IP risks and integrating risk analysis into decision making. Large court cases worldwide showed that IP risks can be very expensive (Apple vs Samsung). Heatmaps used by the company’s management didn’t provide prioritization for risk factors to be addressed by management and provided no insights into decision making when selecting, financing and implementing tech startups.

    The authors, together with Dentons Group, developed a quantitative risk calculator for IP risks for project decision making based on

  • 17. Monte-Carlo simulations, so that the company’s management could see the scale and chance of losing money on each new project. The analysis showed that in some projects IP risks were underestimated and had a large chance of losing money, while in other projects IP risks were acceptable and it was not cost effective to provide full protection against them. It also helped to develop a library of intangible assets and sources for verified IP rights.

    Key takeaways included:
    • Heatmaps don’t allow you to see the real scale and chances of having issues with IP risks in investment projects, but decision trees together with Monte-Carlo simulation do.
    • Many expert mitigations turned out to address the wrong risk factors and didn’t protect the company; the effect of risk mitigation was better simulated using a risk model.
    • Sufficient data was available publicly and within the company to quantify even seemingly complex IP risks.
    • Decision trees and bow ties are quite useful in legal decision-making, including decisions to settle or not.
  • 18. Action plan

    This checklist is designed to help organizations identify and manage their compliance risks:
    • Establish a working group together with compliance or legal team
    • Review existing risk appetites or consult RISK-ACADEMY guide on risk appetite
    • Working within the joint compliance/legal/risk team identify all relevant compliance risks and map them against the legal entities
    • Prioritize compliance risks based on the quantitative risk analysis
    • Calculate expected and unexpected losses for the most significant risks to determine the most appropriate mitigation strategy and budget available for mitigation
    • Compare different mitigation strategies to see how much they reduce the risk profile
    • Back test and update the methodology in case of new incidents or fines

    Speak with the guide author if you have questions.
  • 19. Additional resources

    Deep dive into advanced risk management using this online course

    This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
    https://courses.dcroi.org/courses/alex-sidorenko

    Automate your quantitative risk analysis using Archer Insight and support business decision making

    Archer Insight is a suite of enterprise-wide risk quantification capabilities for business leaders designed to deliver a complete view of enterprise risks, improve resilience, and ensure achievement of strategic goals. This innovative solution provides business leaders with more precision in an aggregated view of risks that allows them to ensure compliance and better protect your business from disruption. Using Archer Insight, organizations can conduct risk quantification analysis, monitor, and report on their risk management programs and then provide business leaders and decision-makers with quantitative, transparent, and actionable information needed to make strategic business decisions.
    https://www.archerirm.com/insight-risk-academy
  • 20. Useful videos on the topic
    • Alex Sidorenko talks with David Tattam about the use and application of bow-ties for compliance risks. Can this simple and graphical technique significantly improve decision making? https://youtube.com/live/PM3wfJLVKLc
    • Hernan Huwyler - Quantify legal and compliance risks from zero to hero #RAW2021. Learn how to use simple MS Excel formulas to model risks based on common distributions and how to collect and validate risk data on legal assessments. https://youtu.be/LGlSxQ_RSjQ
    • Hernan Huwyler - Data-driven decisions for smart legal and compliance professionals. This presentation will allow improving your techniques to better use data to assess compliance and legal risks for regulatory and contractual requirements. You will learn how to perform smart quantitative analyses for managing penalty risks in a business case based on a concession contract. https://youtu.be/8D8gBlXONT0
  • 21. Contact the author

    Book a free no obligations call with Alex

    ALEX SIDORENKO, CRMP.RR, CT31000, CTA31000

    Alex Sidorenko is an expert with over 16 years of risk management experience in private equity, sovereign funds, investment authorities and venture capital firms across Australia, CIS, GCC. Successfully implemented changes to quantitative risk analysis, risk-based decision making and neuroscience as a CRO at EuroChem (global fertilizer $10B) and RUSNANO (private equity fund $3B). Saved more than $13 million per year in premiums on cargo, liability and PD/BI insurance through industry leading quantitative risk analysis without changing deductibles and while doubling the limits. Successfully defended the corporate risk profile at the Ministry of finance and secured more than $1B in extra funding.

    Author of the most popular free risk management book in the world, more than 200K downloads in 3 languages. Risk manager of the year, FERMA, 2021, Honourable mention 2021, RIMS, Risk manager of the year, RUSRISK, 2014, Best ERM Implementation, RUSRISK, 2014, Best risk management training, RUSRISK, 2013, 2014, 2015, finalist in risk management awards in 2018 and 2019.

    Since 2012 Alex runs RISK-ACADEMY, a highly successful company, focused on providing risk management integration services, risk modeling, training and auditing to private equity firms (direct investment and funds) as well as sovereign wealth funds. Alex’s specialization is risk management integration, risk-based investment decision making, value creation and asset management.