10 Compliance Risk Assessment Mistakes and how really effective compliance officers prevent them Prof. Hernan Huwyler, MBA CPA They use biased subjective opinions They use red, yellow, and green… They disregard business objectives They have different assessments for privacy, corruption and local laws They use a list of questions or controls to assess risks They only work for compliance They assess implausible inherent risks to “justify” their value They create their own “tools” They perform static assessments They are afraid to change

1. 10 Compliance Risk
Assessment Mistakes
and how really effective
compliance officers prevent them
Prof. Hernan Huwyler, MBA CPA

2. They use biased
subjective opinions
using internal and external data on
penalties, breaches, disputes,
claims and other risk events
instead of

3. In risk, the use of
adjectives as
catastrophic, high
and probable has the
same scientific value
than astrology

4. What is wrong about risk matrices, Tony Cox,
2008 > worse than useless
Further thoughts on the utility of risk matrices,
David Ball, 2013 > untrustworthy
picture
Back to basics: risk matrices and ALARP, Glen
Wilkinson, 2009
The risk of using risk matrices, Philip Thomas,
2013
Summarizing risk using risk measures and risk
indices, Cameron MacKenzie, 2014
Cognitive and motivational biases in decision
and risk analysis, Gilberto Montibeller, 2015
The interdiscursive appeal of risk matrices,
Silvia Jordan, 2016

5. Using non-
scientific methods
is a professional
malpractice

6. They use red,
yellow, and green…
and even blue!
using scientific quantitative
techniques such as decision trees,
Monte Carlo Simulations and
scenario planning
instead of

7. Only international
risk methodologies
such as the ISO
31000 are effective
for corporate
defense

8. They disregard
business objectives
linking the compliance risks to
decision-making in business
plans, models and budgets
instead of

9. Can your compliance
risk assessment
support the business?
Is this bidding price covering the
liabilities of this contact?
How much should the legal reserve
be for this new service?
Is this insurance coverage enough?

10. What is the threshold to
escalate this approval?
Should this potential supplier
be selected at this price?
What is the best strategy to
deal with this customer claim?
How much should be invested
in this compliance control per
year?

11. They have different
assessments for privacy,
corruption and local laws
using a consistent and holistic
methodology from contractual to
integrity risks
instead of

12. They use a list of
questions or controls to
assess risks
facilitating discussions on specific
contractual to regulatory
requirements
instead of

13. They only work for
compliance
understanding the strategical
commercial and business objectives
to support informed decisions
instead of

14. They assess
implausible inherent
risks to “justify” their value
focusing on managing from
current to target risk exposures
instead of

15. They create their
own “tools”
adding the compliance risks into
the planning tools already
developed by the business
instead of

16. They perform static
assessments
reassessing risks and strategies
while identifying emerging threats
and learning from incidents
instead of

17. They are afraid to
change
improving legacy procedures and
methodologies to provide
consolidated exposures
instead of