Step 5. Measure the effect of risks on decisions
To account for the uncertainty in both the consequences of each scenario and its weight, consequence distributions are multiplied by weight distributions using Monte Carlo simulation. Normally 10000 simulation runs should be sufficient for most compliance risks; however, more simulation runs may be required for highly unlikely and catastrophic events.
The output of risk analysis can be represented as a distribution or box plot as shown below:
The distribution of the possible outcomes shows:
- Reasonable optimistic scenario (usually minimal or no financial consequences)
- Expected scenario (50th percentile)
- Reasonable pessimistic scenario (financial consequences which would not be exceeded 95% of the time; there is a 5% probability that the impact may be even greater).
An integral part of the risk analysis is a tornado diagram showing which of the consequence scenarios has the most effect on the overall risk exposure level. An example is shown below:
In the situation where the risk exposure is deemed significant, risk mitigation measures need to be discussed and agreed upon.
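The simulation, percentile summary and tornado ranking described in this step can be sketched as follows. This is an added example, not part of the original page. The scenario names, the uniform weight ranges, the triangular consequence distributions, the 5th percentile as the optimistic case and the P5 to P95 swing as the tornado measure are all assumptions chosen for illustration.

```python
import random

# Constructed scenarios (assumptions, not from the page):
# name -> (weight range low/high, consequence triangle min/mode/max in USD)
SCENARIOS = {
    "regulatory fine":    ((0.05, 0.15), (100_000, 500_000, 2_000_000)),
    "licence suspension": ((0.02, 0.06), (1_000_000, 3_000_000, 10_000_000)),
    "remediation order":  ((0.20, 0.40), (20_000, 50_000, 150_000)),
}

def percentile(values, p):
    """Nearest-rank percentile; p is an integer in 1..100."""
    ordered = sorted(values)
    rank = max(1, (p * len(ordered) + 99) // 100)  # integer ceiling
    return ordered[rank - 1]

def simulate(scenarios, runs=10_000, seed=1):
    """Return per-scenario contribution samples and total exposure samples."""
    rng = random.Random(seed)  # fixed seed so results are repeatable
    contrib = {name: [] for name in scenarios}
    totals = []
    for _ in range(runs):
        total = 0.0
        for name, ((w_lo, w_hi), (c_min, c_mode, c_max)) in scenarios.items():
            weight = rng.uniform(w_lo, w_hi)
            consequence = rng.triangular(c_min, c_max, c_mode)
            value = weight * consequence  # weight x consequence per run
            contrib[name].append(value)
            total += value
        totals.append(total)
    return contrib, totals

def summary(totals):
    """Optimistic (P5, assumed), expected (P50), pessimistic (P95)."""
    return {p: percentile(totals, p) for p in (5, 50, 95)}

def tornado(contrib):
    """Rank scenarios by the P5..P95 swing of their own contribution."""
    swings = {n: percentile(v, 95) - percentile(v, 5) for n, v in contrib.items()}
    return sorted(swings.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    contrib, totals = simulate(SCENARIOS)
    for p, v in summary(totals).items():
        print(f"P{p}: {v:,.0f} USD")
    for name, swing in tornado(contrib):
        print(f"{name}: swing {swing:,.0f} USD")
```

For highly unlikely, catastrophic scenarios, raise `runs` until the 95th percentile stops moving between seeds.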
Often it may be insufficient just to estimate the compliance risk exposure; instead, it may be required to measure how compliance risks would affect an investment decision, a performance target, a business plan or a budget. In such cases it may be necessary to estimate how compliance risks change the project NPV or another decision-making metric, or how they change the probability of successfully finishing the project on time and on budget.