
Outrageous Compliance

by James Bone
March 30, 2016
in Compliance

This series of articles is an irreverent, tongue-in-cheek look at the serious business of risk management and compliance, and at the lack of scientific rigor that gets dressed up in charts and graphs that have an appearance of legitimacy but tell us little about risk.

First of all, let me say that risk management and compliance are important functions and deserve to be taken as seriously as any other discipline in business and government to ensure efficient operational outcomes. My aim in these articles is to show where many firms diverge from serious risk management into the realm of mystery cloaked as rigor.

My First Victim: Risk & Compliance Self-Assessments!


Risk & Compliance Self-Assessments (RCSAs) have become a handy tool to communicate to management, regulators and others that an organization has analyzed its risks to understand both the severity and the likelihood of an event occurring. Each risk category is highlighted with its own color-coordinated assessment based on a “table top” exercise in which subject matter experts participate in a facilitated session to list these risks and assign severity and probability based on nothing more than memory!

I can’t remember what I ate for dinner three weeks ago. Should I trust my memory to document the threat level of risks to an organization based on recall? Yes, experience matters, and yes, experts in their field do have important contributions to make regarding the risks they experience doing their jobs. However, what does this chart really tell us about risk? The answer is very little!

Of course, we all understand that RCSAs are subjective, but the “risk” in risk self-assessments is the false sense of security we get from believing these exercises really represent the risk exposures of an organization. They do not, and here is why!

Statistically speaking, risks tend to have a shape. In some cases, the shape of risk is a normal curve. In other cases, the shape may be skewed to the right or left. But in an RCSA, the shape of risk is uniform. Each risk, with slight variation, looks exactly like the chart above. Intuitively, we understand that risks are not uniform, but we never question charts and graphs that look like some effort went into producing the results.

Additionally, these charts lack the benefit of the law of large numbers. You might be surprised to learn that risk management is based on the scientific laws of statistical analysis. The RCSA is flawed because it is based on a small sample of data (your memory) that is inherently biased toward recent events that are easy to recall, and is not representative of the frequencies found in a large stochastic database of risk events. What does stochastic mean? A stochastic process is one involving a randomly determined sequence of observations, each of which is considered a sample of one element from a probability distribution.[i] In other words, if you are not using a stochastic process for measuring risk, you are guessing!
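As an added example (not from the article), the following Python simulation makes the two points above concrete with a constructed loss distribution: a risk has a shape that a single heat-map cell cannot show, and an average estimated from a dozen remembered events wanders far more than one estimated from a large stochastic database of recorded events. The lognormal parameters, sample sizes and random seed are assumptions chosen for illustration.

```python
"""Monte Carlo illustration of 'shape' and the law of large numbers.
Constructed example: a lognormal stands in for the unknown real loss
distribution; every parameter below is an assumption, not data."""
import math
import random
import statistics

MU, SIGMA = 0.0, 1.0   # assumed lognormal loss severity (e.g. in $ thousands)

def analytic_mean():
    """Exact mean of the assumed distribution: exp(mu + sigma^2 / 2)."""
    return math.exp(MU + SIGMA ** 2 / 2)

def draw_losses(n, rng):
    """Simulate n loss events from the assumed stochastic process."""
    return [rng.lognormvariate(MU, SIGMA) for _ in range(n)]

def shape_summary(losses):
    """Centre and tail of the risk: the information a single
    'likelihood x severity' heat-map cell throws away."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s),
            "median": s[len(s) // 2],
            "p99": s[int(0.99 * (len(s) - 1))]}

def estimate_spread(sample_size, repetitions, rng):
    """Standard deviation of the estimated average loss across
    `repetitions` assessments that each see only `sample_size` events."""
    means = [statistics.fmean(draw_losses(sample_size, rng))
             for _ in range(repetitions)]
    return statistics.pstdev(means)

def compare(recalled=12, database=2000, repetitions=200, seed=1):
    """An RCSA built from `recalled` remembered events versus a database
    of `database` recorded events; seeded so the run is reproducible."""
    rng = random.Random(seed)
    return {"shape": shape_summary(draw_losses(100_000, rng)),
            "rcsa_spread": estimate_spread(recalled, repetitions, rng),
            "database_spread": estimate_spread(database, repetitions, rng)}

if __name__ == "__main__":
    r = compare()
    print("shape:", {k: round(v, 2) for k, v in r["shape"].items()})
    print("spread with 12 remembered events: %.3f" % r["rcsa_spread"])
    print("spread with 2000 recorded events: %.3f" % r["database_spread"])
```

The mean sits well above the median and the 99th percentile is several times the median, which is the right-skewed shape the article describes; the spread of the twelve-event estimate is an order of magnitude larger than that of the database estimate.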

While sitting in a conference with professional risk managers from a range of industries, I asked a fellow participant how he managed risk and whether he used a system to facilitate the process. His answer did not surprise me. He jokingly said, “Yes, I use a system. It’s called Excel.” Each year he conducts a table-top exercise with senior management in which they list their top 20 risks and fill in their assessment of each one. He laughed and said he is the Wizard behind the curtain who controls the process. Once the exercise is completed, an entire year goes by before the Wizard unlocks his Excel file for another year’s list to be documented.

If your risk management program looks like this, you are practicing Outrageous Compliance! Unfortunately, many risk professionals are taught to perform this exercise because it is easy to do, and senior management takes a false sense of security from the process. By the way, show this exercise to your board of directors, internal or external auditors or regulators, and no one will challenge you or the process to understand what it says about your risk profile. The process appears to be rigorous, much like the Wizard of Oz, who fears that Toto may someday pull back the curtain to unveil the truth.

RCSAs have some value as a tool for understanding the risks subject matter experts deal with on a daily basis. These tools are a great starting point from which you should begin to develop a stochastic database of risk events — they should not be the conclusion. This brings us to the last point about Outrageous Compliance: the risk repository.

A risk repository represents a third flaw in thinking about risks. Capturing risks in a risk repository is a deterministic model. A deterministic model is one in which every set of variable states is uniquely determined by the parameters in the model and by the previous states of those variables; therefore, a deterministic model always performs the same way for a given set of initial conditions. Conversely, in a stochastic model—usually called a “statistical model”—randomness is present, and variable states are not described by unique values but rather by probability distributions.[ii]

Why is this wrong? When developing deterministic models (such as a risk repository), you predetermine the outcome. Lots of organizations make this mistake, and so do insurance actuarial models, financial analysts on Wall Street, medical researchers and risk professionals in many organizations. The reality is that all models are wrong, but some models are useful! Understanding how to develop useful risk assessment models takes time and patience, but knowing the difference means being able to avoid Outrageous Compliance.

[i] https://en.wikipedia.org/wiki/Stochastic
[ii] https://en.wikipedia.org/wiki/Mathematical_model



James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbott Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights into governance, risk and compliance (“GRC”) leading practices and best-in-class vendors.
James is a frequent speaker at industry conferences and a contributing writer for Compliance Week and Corporate Compliance Insights, and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews of GRC products and sharing success stories about the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.
