Wherever possible companies should apply quantitative risk analysis to measure and prioritize compliance risks. Wait what? We can do better than a compliance heatmap? Apparently :))
The following information should be collected and recorded for each identified risk:
- Possible consequence scenarios as described in the legislation or other regulatory requirements (usually includes fines, 3rd party claims, criminal prosecution, temporary production closure, sanctions and so on)
- Range of possible values for each of the consequence scenario (for example, according to the legislation fines may vary from 100K to 1M, production closure can be for a period between 0 and 90 days, etc.)
- The logical relationship between each consequence scenario (for example, large fines are much more likely once the small fines have been already received or for some risks it could be the opposite, if small fines haven’t been issued over the last 2+ years this could mean that the large fine is imminent and so on)
- Historical incident and claims data, known court cases or other relevant information.
- Risk owner and key stakeholders.
- Current controls and assessment of their effectiveness, if available.
Step 1. Represent each risk as a bow-tie diagram
Each risk can be graphically represented as a bow-tie diagram. A bow tie is a graphical depiction of pathways from the causes of an event or risk to its consequences in a simple cause-consequence diagram. It is a simplified combination of a fault tree that analyses the cause of an event or risk, the left hand side of the diagram, and an event tree that analyses the consequences, the right hand side. I borrowed some diagrams and generic words from a wonderful article by Broadleaf https://broadleaf.com.au/resource-material/bow-tie-analysis/
The focus of bow tie analysis is on the barriers or controls depicted to the left-hand side of the knot that can change the likelihood of the event or circumstance, or on those on the right-hand side that can change its consequences. It is used when assessing the completeness of controls, to check that each pathway from cause to event and event to consequence has effective controls, and that factors that could cause controls to fail (including management systems failures) are recognized:
- The most effective controls usually address causes, generally to stop them arising or leading to the risk (preventive controls). They should match the causes, in extent and nature.
- On the right of the bow tie, controls should provide appropriate responses to consequences being felt or create barriers to the consequences developing. They might either influence the consequences on business objectives directly (corrective or reactive controls), or detect changes quickly and provide triggers for contingency plans (detective controls).
Any compliance risk can be depicted as a bow-tie diagram by following these steps:
- Select the risk to be examined in the bow tie analysis.
- Describe the risk, in the form [something happens] and leads to [a consequence for our objectives], and note the main risk analysis outcomes from the risk register.
- List the causes of the risk on the left and the consequences of the risk on the right, using the information from the regulations as well as through consultation with risk owners and subject matter experts.
- List the existing controls on the causes (preventive controls) below the causes on the left, and the controls on the consequences (corrective controls) below the consequences on the right. If a control acts on both causes and consequences, then show it twice, on each side of the template.
- Identify options for enhancing existing controls, to improve their effectiveness or to fill gaps. This may include enhanced monitoring and more frequent review, for example using control self-assessment.
To be continued…