Compliance Risk Management – Risk analysis (part 3)

Step 3. Determine the range of consequences for each scenario

To assess compliance risks quantitatively, the next step is to define the possible range of values for each consequence scenario. Typical consequences can involve the following factors:

Consequence scenario | Range of consequences

A. Small fine for violation, for example a fine for three days of water pollution
  • Analysis of legislation in terms of violation of the quality of the spillway
  • Analysis of the structure of the drainage system of the entity
  • Analysis of the volatility of the discharge indicators for supervisory and internal inspections of water quality
  • Statistics of court decisions (sanctions) in similar cases
B. Moderate fine calculated cumulatively for the year using extrapolation of supervisory audit results
C. Large fine calculated cumulatively for the three years using extrapolation of supervisory audit results
D. Suspension of business
  • Statistics of business suspensions adjusted for our company
  • Calculate the cost of a plant’s downtime per day multiplied by the range of days
E. Criminal prosecution of company management
  • Expert legal assessment of the cost of legal defense and possible reputational losses due to criminal prosecution or disqualification of management

Depending on the availability and reliability of the data, various severity distributions can be used (these are only examples; others could be used):

  • Lognormal distribution – where the range of consequences is not bounded and there is a small probability of catastrophic losses.
  • PERT distribution – for simulating consequences based on expert opinions where historical data may not be available or the range of consequences is bounded by regulation.
  • Discrete distribution – for simulating a select number of well defined scenarios.
  • Fitted distributions – wherever historical data is available it can be used to fit a distribution suitable for the specific loss profile.

For each consequence scenario a distribution is selected and the range of possible values is determined, for example the minimum, expected and maximum loss.
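The following sketch is an added example, not part of the original article: it draws losses for scenarios A, D and E from a PERT distribution (bounded, expert-based) and a lognormal distribution (unbounded, heavy tail) and summarises each. All monetary figures, day ranges and function names are constructed for illustration, and the expert's "expected" loss is assumed to be the most likely value (the mode) of the PERT distribution.

```python
import math
import random
import statistics

Z95 = 1.6448536269514722  # standard normal z-score of the 95th percentile


def pert_sample(rng, minimum, most_likely, maximum, lam=4.0):
    """One draw from a PERT distribution: a beta rescaled to [minimum, maximum]."""
    if not (minimum <= most_likely <= maximum) or minimum == maximum:
        raise ValueError("need minimum <= most_likely <= maximum and minimum < maximum")
    span = maximum - minimum
    alpha = 1 + lam * (most_likely - minimum) / span
    beta = 1 + lam * (maximum - most_likely) / span
    return minimum + span * rng.betavariate(alpha, beta)


def lognormal_sample(rng, median, p95):
    """One draw from a lognormal fitted to an expert median and 95th percentile."""
    if not 0 < median < p95:
        raise ValueError("need 0 < median < p95")
    mu = math.log(median)
    sigma = (math.log(p95) - mu) / Z95
    return rng.lognormvariate(mu, sigma)


def summarise(losses):
    """Mean, median and 95th percentile of a list of simulated losses."""
    return {"mean": statistics.fmean(losses),
            "median": statistics.median(losses),
            "p95": statistics.quantiles(losses, n=20)[18]}


def simulate(n=20_000, seed=1):
    """Simulate three of the scenarios with constructed (not real) inputs."""
    rng = random.Random(seed)
    # A: small fine, bounded by regulation -> PERT(min, most likely, max)
    fine = [pert_sample(rng, 10_000, 40_000, 150_000) for _ in range(n)]
    # D: suspension -> downtime cost per day times a PERT range of days
    suspension = [80_000 * pert_sample(rng, 2, 5, 30) for _ in range(n)]
    # E: prosecution -> unbounded, heavy-tailed legal and reputational cost
    prosecution = [lognormal_sample(rng, 200_000, 2_000_000) for _ in range(n)]
    return {"A": fine, "D": suspension, "E": prosecution}


if __name__ == "__main__":
    for name, losses in simulate().items():
        print(name, {k: round(v) for k, v in summarise(losses).items()})
```

The PERT mean is (minimum + 4 × most likely + maximum) / 6, so a long right-hand range pulls the average loss well above the most likely value even though the loss stays bounded.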

To be continued…