Model to Quantify Compliance Risks.pdf

  1. A model to quantify Compliance, Legal and Contractual Risks. Prof. Hernan Huwyler, MBA CPA, Director Executive Education in Compliance, Risk, Control, IE Law and Business Schools. Gibraltar Association of Compliance Officers
  2. Risk (ISO 31000): effect of uncertainty on objectives. Legal risks: ISO 31022
  3. Compliance (ISO 37301): the objectives in compliance are obligations. Mandatory: laws and regulations; contracts, permits and licenses. Voluntary: social and environmental commitments; business and transformation plans; quality, fraud, ISOs, policies and procedures
  4. Compliance register
  5. Common malpractice: heatmaps, risk matrices, scores, escalation matrices
  6. Qualitative assessments: best available data are not used; biases are not minimized; investment, control, insurance and legal decisions are not made; corporate defense is not effective
  7. Debunked by science • What is wrong about risk matrices, Tony Cox, 2008 > worse than useless • Further thoughts on the utility of risk matrices, David Ball, 2013 > untrustworthy picture • Some extensions on risk matrix approach, Huihui Ni, 2010 > defects still left unresolved • On the origin of probability consequence diagrams, Ben Ale, 2015 > single factor impacts • Problems with scoring methods and ordinal scales, Doug Hubbard, 2010 > arbitrary features of the scoring • Recommendations on the use and design of risk matrices, Niels Duijm, 2015 > aggregation is problematical • Back to Basics: Risk Matrices and ALARP, Glen Wilkinson, 2010 > unable to compare risks
  8. Understanding that planning compliance actions, controls, liability reserves, legal responses and insurance cannot be done with a wet finger in the air is intuitive. Ignorance of probabilistic models is the issue
  9. Compliance risk modeling
  10. US Organizational Sentencing Guideline: prioritize periodically the elements of the program in order to focus on preventing and detecting the criminal conduct identified in the risk assessment process as most likely to occur
  11. US Organizational Sentencing Guideline. What is expected? • A reasonable risk based approach • Stronger controls addressing higher risks • Consistent application of controls to risks • Documenting the risk assessment • Periodic review of the risk analysis
  12. Distributions of events. Consequences (impact): Log-normal > long tail losses; Pareto > only large losses; Normal > symmetrical. Causes (frequency): Poisson > more than one event per year; Bernoulli > less than one event per year; Triangular > unusual, few data
  13. Chain of events. First tier losses: penalties and compensations; fines and sanctions; legal and remediation costs. Second tier losses: loss of customers; marketing depreciation; loss of licenses and stock price
  14. Types of losses • Penalties, fines and punitive damages • Private settlements • Legal fees and investigation costs • Product liabilities and recalls • Disadvantage with suppliers • Withdrawal of capital • Increased staff rotation • Increased costs • Loss of revenue by voided contracts • Loss of market capitalization
  15. Inputs and outputs. Techniques: decision trees; Monte Carlo simulations; calibrated estimates. Graphs: histograms; loss exceedance curves
  16. Sources of risk data. Internal: paid compensations, fines and credits; fraud losses, legal fees and complaints; investigation and response costs. External: industry studies; enforcement trackers; case analysis
  17. Log-normal distribution (chart: loss £ against number of cases, marking the min, max and confidence interval)
  18. Risk model
  19. Business case. A Housing Maintenance Code provides for a civil penalty of a minimum of $1,000 with a maximum of $3,000 for lead violations. A Copyright Infringement Law sets penalties of $200 to $150,000 for each work infringed and attorney's fees and court costs
  20. Business case. A Privacy Regulation imposes fines in the range from $100 to $50,000 per violation, with a total of $25,000 to $1.5 million for all violations of a single requirement in a calendar year. A contractual clause sets a penalty for invoices received beyond the 2 months after a compulsory deadline. It applies an immediate penalty of 5% of the value of the invoice per month of delay with a minimum of $200 penalty up to a maximum of 30% of the value of the invoice
  21. Model demo
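The model the deck sets up in slides 12, 15, 17 and 19, as an added example that is not the author's own model demo: a Poisson frequency and a log-normal severity calibrated from a 90% confidence interval (min, max), run through a Monte Carlo simulation to produce a loss exceedance curve. The $1,000 to $3,000 penalty range comes from the Housing Maintenance Code case on slide 19; the rate of four violations per year, the trial count and the seed are assumptions.

```python
import math
import random
from statistics import mean

Z90 = 1.6449  # half-width of a two-sided 90% interval, in standard deviations


def lognormal_from_ci(low: float, high: float) -> tuple[float, float]:
    """Calibrate a log-normal severity from a 90% confidence interval (min, max).

    Returns (mu, sigma) of the normal distribution of ln(loss): the interval
    midpoint in log space is mu, and its width spans 2 * Z90 sigmas.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(lam: float, rng: random.Random) -> int:
    """Number of events in one year for mean rate lam (Knuth's algorithm)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(rate, low, high, trials=20000, seed=1):
    """Monte Carlo: Poisson frequency x log-normal severity, one total per year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_ci(low, high)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rate, rng)))
            for _ in range(trials)]


def loss_exceedance(losses, thresholds):
    """Loss exceedance curve: P(annual loss > t) for each threshold t."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


if __name__ == "__main__":
    # Housing Maintenance Code case: $1,000 to $3,000 per lead violation (from the
    # deck); the rate of 4 violations per year is a constructed assumption.
    losses = simulate_annual_losses(rate=4, low=1000, high=3000)
    print(f"expected annual loss: ${mean(losses):,.0f}")
    for t, p in loss_exceedance(losses, [5000, 10000, 20000]).items():
        print(f"P(annual loss > ${t:,}) = {p:.1%}")
```

The exceedance probabilities are what a liability reserve or insurance limit is set against; reading them off the curve replaces the "likelihood times impact" cell of a risk matrix.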
  22. Let's connect: /in/hernanwyler @hewyler hewyler