This Slideshare presentation by Professor Hernan Huwyler discusses a model to quantify compliance, legal, and contractual risks. It highlights the importance of understanding the impact of uncertainty on objectives and identifies mandatory and voluntary compliance objectives. The presentation discusses different techniques to quantify risks, such as heatmaps, risk matrices, common malpractice, scores, and escalation matrices, and the problems with these techniques, such as biases, incomplete data, and aggregation issues. The presentation proposes a compliance risk modeling approach, which involves understanding the distribution of events, consequences, impact, causes, and frequency of risks. It suggests using different probability distributions, such as log-normal, Pareto, normal, Poisson, Bernoulli, and triangular, to model risks. The presentation also discusses the chain of events that can lead to different types of losses, including penalties, compensations, fines, sanctions, legal and remediation costs, loss of customers, marketing depreciation, loss of licenses, and stock price. It explains different techniques to model losses, such as graphs, decision trees, Monte Carlo simulations, and calibrated estimates. Finally, the presentation highlights the importance of using different sources of risk data, including internal and external data, paid compensations, fines, and credits, fraud losses, legal fees, and complaints, and industry studies, enforcement trackers, and case analysis. It also provides examples of business cases related to compliance objectives and contractual clauses that set penalties for non-compliance. The presentation concludes with a demo of the proposed model to quantify compliance, legal, and contractual risks.

1. A model to
quantify
Compliance, Legal and
Contractual Risks
Prof. Hernan Huwyler, MBA CPA
Director Executive Education in Compliance, Risk, Control
IE Law and Business Schools
Gibraltar Association of Compliance Officers

2. effect of
uncertainty
on objectives
Risk
ISO 31000 Risks
ISO 31022 Legal risks

3. The objectives in compliance
are obligations
Mandatory
Laws and regulations
Contracts, permits and licenses
Voluntary
Social and environmental commitments
Business and transformation plans
Quality, fraud, ISOs, policies and
procedures
ISO 37301 Compliance

4. Compliance
register

5. Heatmaps
Risk matrices
Common malpractice
Scores
Escalation matrices

6. Best available data are not used
Biases are not minimized
Investment, control, insurance
and legal decisions are no made
Corporate defense is not efective
Qualitative assessments

7. What is wrong about risk matrices, Tony Cox, 2008
> worse than useless
Further thoughts on the utility of risk matrices, David
Ball, 2013 > untrustworthy picture
Some extensions on risk matrix approach, Huihui Ni, 2010
> defects still left unresolved
On the origin of probability consequence diagrams, Ben
Ale, 2015 > single factor impacts
Problems with scoring methods and ordinal scales, Doug
Hubbard, 2010 > arbitrary features of the scoring
Recommendations on the use and design of risk
matrices, Niels Duijm, 2015 > aggregation is
problematical
Back to Basics: Risk Matrices and ALARP, Glen
Wilkinson, 2010 > unable to compare risks
Debunked by science

8. Understanding that planning
compliance actions, controls, liability
reserves, legal responses and insurance
cannot be done with a wet finger in the
air is intuitive
Ignorance of
probabilistic models is
the issue

9. Compliance
risk
modeling

10. US Organizational Sentencing
Guideline
Prioritize periodically the elements
of the program in order to
focus on preventing and detecting
the criminal conduct
identified in the risk assessment
process as most likely to
occur

11. US Organizational Sentencing
Guideline
What is expected?
• A reasonable risk based approach
• Stronger controls addressing
higher risks
• Consistent application of controls
to risks
• Documenting the risk assessment
• Periodic review of the risk analysis

12. Distributions of events
Consequences
Impact
Log-normal > Long tail losses
Pareto > Only large losses
Normal > Symetrical
Causes
Frequency
Poisson > More than one event per year
Bernoulli > Less than one event per year
Triangular > Unsual, few data

13. Chain of events
First
tier losses
Penalties and compensations
Fines and sanctions
Legal and remediation costs
Loss of customers
Marketing depreciation
Loss of licenses and stock price
Second
tier losses

14. Types of losses
• Penalties, fines and punitive
damages
• Private settlements
• Legal fees and investigation costs
• Product liabilities and recalls
• Disadvantage with suppliers
• Withdrawal of capital
• Increased staff rotation
• Increased costs
• Lost of revenue by voided contracts
• Lost of market capitalization

15. Inputs and outputs
Techniques
Decision trees
Monte Carlo Simulations
Calibrated estimates
Histograms
Loss exceedance curves
Graphs

16. Sources of risk data
Internal
Paid compensations, fines and credits
Fraud losses, legal fees and complains
Investigation and response costs
Industry studies
Enforcement trackers
Case analysis
External

17. Log-normal distribution
Min Max
Confidence Interval
Loss £
Nr
Cases

18. Risk model

19. Business case
A Housing Maintenance Code provides for
a civil penalty of a minimum of $1,000 with
a maximum of $3,000 for lead violations
A Copyright Infringement Law sets
penalties of $200 to $150,000 for each work
infringed and attorney's fees and court
costs

20. Business case
A Privacy Regulation imposes fines in the
range from $100 to $50,000 per violation,
with a total of $25,000 to $1.5 million for all
violations of a single requirement in a
calendar year
A contractual clause sets a penalty for
invoices received beyond the 2 months
after a compulsory deadline. It applies an
immediate penalty of 5% of the value of the
invoice per month of delay with a minimum
of $200 penalty up to a maximum of 30% of
the value of the invoice

21. Model
demo

22. /in/hernanwyler
mastodon.world/
@hewyler
hewyler
Let´s connect