Step 4. Allocate weights to each scenario
In order to determine the weight allocated to each consequence scenario of events triggered by compliance risk, historical data, modelling, as well as expert opinions, can all be used, individually or in combination.
The weight of each scenario can involve the following factors:
- the range of laws, along with enforcement practices and conventions by the relevant regulatory authorities;
- the improvement of, and compliance with, the existing framework for the management of legal risk, including strategies, governance, internal rules and policies;
- employees’ and contractors’ demonstrated compliance with laws, and the rules and policies of the organization;
- the frequency and number of activities related to legal risk occurring within a certain period;
- failure to record, analyse and learn from previous events;
- benchmarking the frequency and number of activities related to legal risk occurring within a certain period against other organizations.
Wherever possible, historical data on each of the consequence scenarios is collected. When no historical data is available or no claims have been made against the company in the past, we use Bayesian statistics to estimate the weights for the scenario. Depending on the availability and reliability of the data, various distributions can be used to estimate the weight of each of the consequence scenarios:
- Bernoulli or discrete distribution – where there is limited historical data and the probability of a single or multiple consequences needs to be estimated.
- Poisson distribution – where we have historical data to estimate the frequency of each of the consequence scenarios.
Current controls, their effectiveness and other factors affecting the probability of claims against the company have to be accounted for when allocating weights to each of the scenarios.
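As an added illustration (not from the original article), the Bayesian estimation described above can be sketched with conjugate priors, which are an assumption here: a Dirichlet prior over scenarios, which generalises the Bernoulli/discrete case to several consequences, and a Gamma prior on the Poisson frequency. The scenario names, expert pseudo-counts and claim history are constructed sample values.

```python
import math

def scenario_weights(prior_pseudo_counts, observed_counts):
    """Posterior mean weight per scenario (Dirichlet prior, categorical data).

    prior_pseudo_counts encodes expert opinion as "equivalent observations";
    observed_counts holds historical outcomes and may be empty.
    """
    unknown = set(observed_counts) - set(prior_pseudo_counts)
    if unknown:
        raise ValueError(f"observed scenario without a prior: {sorted(unknown)}")
    if any(c <= 0 for c in prior_pseudo_counts.values()):
        raise ValueError("prior pseudo-counts must be positive")
    if any(c < 0 for c in observed_counts.values()):
        raise ValueError("observed counts cannot be negative")
    posterior = {s: p + observed_counts.get(s, 0)
                 for s, p in prior_pseudo_counts.items()}
    total = sum(posterior.values())
    return {s: c / total for s, c in posterior.items()}

def event_rate(prior_shape, prior_rate, events, periods):
    """Posterior mean and standard deviation of events per period
    (Gamma prior on the rate, Poisson-distributed counts)."""
    if prior_shape <= 0 or prior_rate <= 0 or events < 0 or periods < 0:
        raise ValueError("prior must be positive, data non-negative")
    shape = prior_shape + events   # prior shape plus events seen
    rate = prior_rate + periods    # prior "periods" plus periods observed
    return shape / rate, math.sqrt(shape) / rate

# Constructed sample inputs (hypothetical scenarios and numbers).
EXPERT_PRIOR = {"no_action": 6, "warning_letter": 3, "fine": 1}
CLAIM_HISTORY = {"warning_letter": 2, "fine": 3}

if __name__ == "__main__":
    # No history yet: the weights are the expert prior, normalised.
    print(scenario_weights(EXPERT_PRIOR, {}))
    # With five recorded outcomes the weights move towards the data.
    print(scenario_weights(EXPERT_PRIOR, CLAIM_HISTORY))
    # Expert view of 0.5 claims per year (worth 4 years of evidence),
    # updated with 7 claims observed over 6 years.
    print(event_rate(2, 4, events=7, periods=6))
```

The size of the pseudo-counts sets how quickly recorded outcomes override expert opinion: a prior worth 10 observations is outweighed sooner than one worth 100.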
To be continued…