Step 3. Determine the range of consequences for each scenario
In order to quantitatively assess compliance risks the next step involves defining the possible range of values for each consequence scenario. Typical consequences can involve the following factors:
|Consequence scenario||Range of consequences|
|A. Small fine for violation, for example a fine for three days of water pollution||
|B. Moderate fine calculated cumulatively for the year using extrapolation of supervisory audit results|
|C. Large fine calculated cumulatively for the three years using extrapolation of supervisory audit results|
|D. Suspension of business||
|E. Criminal prosecution of company management||
Depending on the availability and reliability of the data various severity distributions can be used (only examples, relax, could be others):
- Lognormal distribution – where the range of consequences is not bounded and there is a small probability of catastrophic losses.
- PERT distribution – for simulating consequences based on expert opinions where historical data may not be available or the range of consequences is bounded by regulation.
- Discrete distribution – for simulating a select number of well defined scenarios.
- Fitted distributions – wherever historical data is available it can be used to fit a distribution suitable for the specific loss profile.
For each consequence scenario a distribution is selected and the range of possible values are determined, for example minimum, expected loss and maximum loss.
To be continued…