Compliance Risk Management – Risk analysis (part 5)

Step 5. Measure the effect of risks on decisions

In order to account for the uncertainty both in the consequences of each scenario and its weight, consequence distributions are multiplied by weight distributions using the Monte-Carlo simulation method. Normally 10000 simulation runs should be sufficient for most compliance risks, however more simulation runs may be required for highly unlikely and catastrophic events.

The output of risk analysis can be represented as a distribution or box plot as shown below:

Actuarial science

The distribution of the possible outcomes shows:

  • Reasonable optimistic scenario (usually minimal or no financial consequences)
  • Expected scenario (50th percentile)
  • Reasonable pessimistic scenario (financial consequences which would not be exceed 95% of the time, 5% probability that impact may be even greater).

An integral part of the risk analysis is a tornado diagram showing which of the consequence scenarios is having the most effect on the overall risk exposure level. An example is shown below:


In the situation where the risk exposure is deemed significant, risk mitigation measures need to be discussed and agreed upon.

Often it may be insufficient to just estimate the compliance risk exposure, instead it may be required to measure how compliance risks would affect an investment decision, a performance target or business plan or budget. In such cases it may be necessary to estimate how compliance risks change the project NPV / other decision making metric or how compliance risks change the probability of successfully finishing the project on time and budget.

Check out other decision making books

RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.