Step 3. Determine the range of consequences for each scenario
To quantitatively assess compliance risks, the next step is to define the possible range of values for each consequence scenario. Typical consequences can involve the following factors:
Consequence scenario | Range of consequences |
A. Small fine for violation, for example a fine for three days of water pollution | |
B. Moderate fine calculated cumulatively for the year using extrapolation of supervisory audit results | |
C. Large fine calculated cumulatively for the three years using extrapolation of supervisory audit results | |
D. Suspension of business | |
E. Criminal prosecution of company management | |
Depending on the availability and reliability of the data, various severity distributions can be used (these are only examples, relax, there could be others):
- Lognormal distribution – where the range of consequences is not bounded and there is a small probability of catastrophic losses.
- PERT distribution – for simulating consequences based on expert opinions where historical data may not be available or the range of consequences is bounded by regulation.
- Discrete distribution – for simulating a select number of well-defined scenarios.
- Fitted distributions – wherever historical data is available, it can be used to fit a distribution suitable for the specific loss profile.
For each consequence scenario a distribution is selected and the range of possible values is determined, for example the minimum, expected and maximum loss.
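The selection described above can be sketched as a small simulation. This is an added example, not code from the original article: the loss figures, the pairing of scenarios A, D and E with particular distributions, and all function names are constructed assumptions for illustration.

```python
import math
import random
import statistics

def pert_sample(rng, low, mode, high, lam=4.0):
    """Beta-PERT draw: bounded by [low, high], peaked at the expert's `mode`."""
    if not (low <= mode <= high) or low == high:
        raise ValueError("need low <= mode <= high and low < high")
    span = high - low
    a = 1 + lam * (mode - low) / span
    b = 1 + lam * (high - mode) / span
    return low + rng.betavariate(a, b) * span

def lognormal_sample(rng, median, p95):
    """Unbounded draw from a lognormal set by a median and a 95th percentile."""
    if not 0 < median < p95:
        raise ValueError("need 0 < median < p95")
    mu = math.log(median)
    sigma = (math.log(p95) - mu) / 1.6449  # z-score of the 95th percentile
    return rng.lognormvariate(mu, sigma)

def discrete_sample(rng, outcomes):
    """outcomes: (loss, probability) pairs whose probabilities sum to 1."""
    losses, probs = zip(*outcomes)
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return rng.choices(losses, weights=probs, k=1)[0]

# Constructed illustration values; the article gives no ranges for its scenarios.
SCENARIOS = {
    "A. small fine": lambda r: pert_sample(r, 10_000, 50_000, 200_000),
    "D. suspension of business": lambda r: lognormal_sample(r, 1_000_000, 5_000_000),
    "E. criminal prosecution": lambda r: discrete_sample(
        r, [(0, 0.7), (250_000, 0.2), (2_000_000, 0.1)]),
}

def simulate(n=20_000, seed=7):
    """Draw n severities per scenario with a fixed seed for repeatability."""
    rng = random.Random(seed)
    return {name: [draw(rng) for _ in range(n)] for name, draw in SCENARIOS.items()}

def summarize(samples):
    """Mean, median and 95th percentile of simulated losses."""
    s = sorted(samples)
    return {"mean": statistics.fmean(s), "p50": s[len(s) // 2],
            "p95": s[int(0.95 * len(s))]}

if __name__ == "__main__":
    for name, samples in simulate().items():
        print(name, {k: round(v) for k, v in summarize(samples).items()})
```

The bounded PERT draw never exceeds its maximum, while the lognormal tail occasionally produces losses far above its 95th percentile, which is the property that motivates choosing it for catastrophic scenarios.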
To be continued…