Compliance Risk Management – Risk analysis (part 4)

Step 4. Allocate weights to each scenario

To determine the weight allocated to each consequence scenario of events triggered by compliance risk, historical data, modelling and expert opinion can all be used, individually or in combination.

The weight of each scenario can depend on the following factors:

  • the range of laws, along with enforcement practices and conventions by the relevant regulatory authorities;
  • the improvement of, and compliance with, the existing framework for the management of legal risk, including strategies, governance, internal rules and policies;
  • employees’ and contractors’ demonstrated compliance with laws, and the rules and policies of the organization;
  • the frequency and number of activities related to legal risk occurring within a certain period;
  • failure to record, analyse and learn from previous events;
  • benchmarking the frequency and number of activities related to legal risk occurring within a certain period against other organizations.

Wherever possible, historical data on each of the consequence scenarios is collected. When no historical data is available, or no claims have been made against the company in the past, we use Bayesian statistics to estimate the weights for the scenario. Depending on the availability and reliability of the data, various distributions can be used to estimate the weight of each of the consequence scenarios:

  • Bernoulli or discrete distribution – where there is limited historical data and the probability of a single consequence, or of multiple consequences, needs to be estimated.
  • Poisson distribution – where historical data is available to estimate the frequency of each of the consequence scenarios.
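
The following is an added example, not code from the original post, showing the two estimates above in their simplest Bayesian form: a Beta-Bernoulli update for a scenario with little or no claims history (a uniform prior keeps a "never happened" scenario at a non-zero weight) and a Gamma-Poisson update for a scenario with recorded frequencies, with the results normalised into weights. The scenario names, priors and period counts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class BetaBernoulli:
    """Beta posterior for P(scenario occurs in a period). Prior pseudo-counts (1, 1) = uniform."""
    alpha: float = 1.0
    beta: float = 1.0

    def update(self, outcomes):  # outcomes: True if the scenario occurred in that period
        for occurred in outcomes:
            if occurred:
                self.alpha += 1
            else:
                self.beta += 1
        return self

    def mean(self):
        # (k + 1) / (n + 2) under a uniform prior: "no claims in n periods" still gets weight
        return self.alpha / (self.alpha + self.beta)

@dataclass
class GammaPoisson:
    """Gamma posterior for the Poisson rate (events per period); shape/rate are the prior."""
    shape: float = 1.0
    rate: float = 1.0

    def update(self, counts_per_period):
        self.shape += sum(counts_per_period)
        self.rate += len(counts_per_period)
        return self

    def mean(self):  # posterior mean rate
        return self.shape / self.rate

    def prob_at_least_one(self):
        # Posterior predictive is negative binomial: P(zero events) = (rate / (rate + 1)) ** shape
        return 1.0 - (self.rate / (self.rate + 1.0)) ** self.shape

def scenario_weights(probabilities):
    """Normalise per-scenario occurrence probabilities into weights that sum to 1."""
    total = sum(probabilities.values())
    return {name: p / total for name, p in probabilities.items()}

def example_weights():
    # Constructed sample data: "lawsuit" had no claims in 4 periods;
    # "regulatory_fine" was recorded 2, 0, 1 and 3 times over the same 4 periods.
    lawsuit = BetaBernoulli().update([False] * 4)
    fine = GammaPoisson().update([2, 0, 1, 3])
    return scenario_weights({"lawsuit": lawsuit.mean(),
                             "regulatory_fine": fine.prob_at_least_one()})
```

With real data the priors should encode the control effectiveness and benchmarking factors listed above rather than the uniform defaults used here.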

Current controls, their effectiveness and other factors affecting the probability of claims against the company have to be accounted for when allocating weights to each of the scenarios.

To be continued…
