Risk management helps organizations to assure that they continuously comply with all applicable laws, regulations, and operational standards. But to manage that compliance risk, one must first conduct a risk assessment—and that requires the ability to quantify risk. So how do you quantify compliance risk?

First it’s important to understand that there are two types of risk in compliance: quantitative risk and qualitative risk. 

Qualitative Risk 

Qualitative risks are defined as uncertain events that could have a range of possible outcomes, from harmless to severe. For example, a business might assess the risk of a major IT system failure in terms of potential likelihood (remote, unlikely, possible, almost certain) and its potential harm (none, mild, medium, severe). A qualitative risk assessment would map those factors along an x- and y-axis, so managers could identify which risks (high likelihood and high severity) should take top priority. 

This type of risk analysis is more subjective and experience-based than quantitative risk analysis. It is a good way to bring executives not steeped in formal risk management practices into the process. 

Quantitative Risk 

Quantitative risks can have an actual numerical value assigned to them, using algorithms and actuarial data. For example, when assessing the chance of severe weather disrupting a data center, managers can consult historical weather records to gauge the likelihood of a hurricane or tornado in certain locations. Another example: when estimating the potential financial losses of an IT system outage, the company could review financial records to model, say, lost revenue per hour or day.

While quantitative risk assessment determines that numerical value, qualitative analysis is often also required to determine the full impact of business risk.

Risk Evaluation Criteria

Risks can be quantified with what’s known as the PERT equation: Risk = Event x Probability x Loss. Be warned, however: this model can still lead to uncertainty because the calculations are typically based on historical corporate data. If that data isn’t complete and accurate, the risk profile may be inaccurate too. 

A better approach is instead to have a continuous risk management process, to mitigate and even prevent those risks that could inflict the biggest harm to your business. This involves:

  • Identifying all significant risks 
  • Determining the potential severity of those risks and the chances of the risks happening 
  • Putting risks into a suitable priority of importance 
  • Developing risk mitigation strategies that can address the largest number of risks with the most efficient use of available resources 
  • Implementing risk management processes that are cost-effective

Identifying risks and their associated severity can be difficult. How can you tell which risk events are of the highest priority? How much funding should be allocated to each risk? Sorting out risk priorities often requires input and consideration from your project team. That is, you need a qualitative risk assessment.

Next question: How should risk managers define and measure “impact”? Usually executives answer that question in terms of financial and legal liability—but that’s not always the case, and the answer can depend on several variables. Once risk managers do arrive at an answer, they can use statistical models to assign a numerical value to the risk and allocate the resources to manage it accordingly.

This can be a complex process. That’s why many risk management professionals use Monte Carlo analysis to support their quantification process.

Risk Quantification Model

Monte Carlo analysis was created by mathematician Stanislaw Ulam in the 1940s, to give decision-makers a method to handle the uncertainty involved in risk analysis. If executed accurately, a Monte Carlo simulation can provide a high confidence level for resource allocation to mitigate individual risks.

The Steps of Monte Carlo Simulations 

Step 1: Awareness

This involves informing your project team, stakeholders, vendors, and other relevant parties of the simulation and the risk management process. (It’s wise to include a risk management professional in the process, too.)

Step 2: Risk Management Process

The risk management lifecycle involves planning, identifying, assessing, scoring, prioritizing, analyzing, treating, and monitoring risks. All the parameters for risks should be kept in a risk register, a record of information about identified risks.

As part of your risk assessment, the monetary value of any potential harm should be estimated and recorded. This may include a range of values depending on the severity of potential outcomes. Any risk with a variable outcome should include a best, worst, and most probable value. 

Finally, continuous monitoring of risk is vital to the success of any risk management model. 

Step 3: Initial Estimations

Cost estimates to address best, worst, and most probable outcomes (otherwise known as a three-point estimate) are the next step in executing a Monte Carlo simulation.

Step 4: Determine Correlations 

Next, determine the correlations that exist between cost estimates and possible outcomes. Correlations are typically measured on a range from 0 to 1. Positive correlations indicate that as cost increases, so does risk. Negative correlations indicate that as either cost or risk increases, the other decreases.

Step 5: Mitigation Model

Monte Carlo simulation models should represent both the value at risk (“How much will we lose if this happens?”) as well as the cost to mitigate the risk. A baseline simulation will indicate the cost factor for best, worst, and most probable scenarios; and the correlations between cost and risk factors. 

A “pre-mitigated” model (that is, one without any mitigation whatsoever) will include risk events as well as the full impact of cost. This helps decision-makers to allocate the appropriate budget toward the necessary risk treatments and mitigation methods. Finally, a post-mitigated model will include risk events as well as all risk treatments applied.

Step 6: Run Monte Carlo Simulations

Monte Carlo simulation software will typically run 1,000 iterations to determine what your risk management project requires. When determining contingency, generally 80 percent of the total project value will be used to determine the final total project cost. Your software will allow you to configure your charts to reflect the appropriate amounts.

Step 7: Produce and Communicate Results

Once the result of the Monte Carlo simulation is achieved, it’s important to study the differences between the post-mitigation and the baseline Monte Carlo simulation to understand what the true impact of your risk management protocols will be, and whether or not they’re sufficient to ensure compliance.
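The steps above, carried through in code as an added example (not the article's own material or any vendor's software): each risk-register entry carries a probability and a best/likely/worst three-point loss estimate, the pre-mitigated and post-mitigated models are each run for 1,000 iterations, and the P80 figure of each result is compared. The register entries, their figures, and the `Risk`, `simulate`, `percentile` and `compare` names are constructed for illustration; risks are sampled independently, so the correlations of Step 4 are not modelled.

```python
import random
from dataclasses import dataclass
from typing import Optional
@dataclass
class Risk:                               # one risk-register entry
    name: str
    probability: float                    # chance the event occurs in the period
    best: float                           # three-point loss estimate: best case
    likely: float                         # most probable loss
    worst: float                          # worst case
    mitigation_cost: float = 0.0          # fixed cost of the treatment applied
    mitigated_probability: Optional[float] = None  # probability after treatment
    impact_reduction: float = 0.0         # fraction of the loss the treatment avoids
def simulate(risks, iterations=1000, mitigated=False, seed=1):
    """One total-cost sample per iteration; risks are drawn independently."""
    rng = random.Random(seed)             # fixed seed keeps runs reproducible
    totals = []
    for _ in range(iterations):
        total = 0.0
        for r in risks:
            p, scale = r.probability, 1.0
            if mitigated:                 # post-mitigated model: pay for treatment,
                total += r.mitigation_cost  # then sample the reduced risk
                if r.mitigated_probability is not None:
                    p = r.mitigated_probability
                scale = 1.0 - r.impact_reduction
            if rng.random() < p:          # does the event occur this iteration?
                total += scale * rng.triangular(r.best, r.worst, r.likely)
        totals.append(total)
    return totals

def percentile(samples, pct):
    """Nearest-rank percentile; pct=80 gives the P80 contingency figure."""
    s = sorted(samples)
    return s[round(pct / 100 * (len(s) - 1))]

# Constructed register entries with hypothetical figures (not from the article).
RISKS = [
    Risk("Data center outage", 0.30, 20_000, 80_000, 250_000,
         mitigation_cost=30_000, mitigated_probability=0.05, impact_reduction=0.5),
    Risk("Audit finding", 0.50, 10_000, 40_000, 120_000,
         mitigation_cost=15_000, mitigated_probability=0.20),
]

def compare(risks=RISKS, iterations=1000, pct=80):
    """Baseline (pre-mitigation) vs post-mitigation cost at the chosen percentile."""
    base = simulate(risks, iterations, mitigated=False)
    post = simulate(risks, iterations, mitigated=True)
    return {"baseline_p": percentile(base, pct), "post_p": percentile(post, pct),
            "baseline_mean": sum(base) / len(base), "post_mean": sum(post) / len(post)}
```

Calling `compare()` returns both P80 figures side by side; the gap between `baseline_p` and `post_p` is the Step 7 comparison, and the treatment is worth its cost only when the post-mitigated figure comes out lower.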

Preparing for a Monte Carlo Simulation

When preparing to conduct a Monte Carlo simulation, a risk assessment, or even maintaining your compliance risk overall, it’s important to be prepared with thoroughly documented information. Attempting to manage your compliance data manually via spreadsheet is simply not sustainable for large organizations in the long term. 

That’s why we recommend ZenGRC’s risk management and compliance software. ZenGRC’s user-friendly dashboards show you at a glance which risks need mitigating and how to do it, track workflows, collect and store the documents you’ll need at audit time, and more.

To learn more about how ZenGRC can help you prepare for a Monte Carlo Simulation, contact us now for your free consultation and demo.