Methodology

How we generate the findings — in plain language.

Trust starts with knowing how the numbers on the page were produced. This is the same methodology described in the appendix of every paid report.

How findings are generated

Every finding is produced by a documented rule set, not a black-box model. Each rule specifies the data conditions that must be met, the population it applies to, and the sample it produces.

A finding is only surfaced when the rule fires with sufficient population and confidence. Weak signals are downgraded or suppressed rather than presented as findings.

How exposure is quantified

Exposure is expressed as a range, not a point estimate. The low bound is the sum of directly observable impact within the analysed window. The high bound extrapolates that impact across the annualised transaction volume using observed frequency.

Exposure ranges are labelled with confidence — High, Medium, or Low — reflecting rule specificity, data quality, and the size of the observed population.

How the Operational Health Score is composed

The composite score is a weighted average of four sub-scores: Findings Density, Aggregate Exposure vs Revenue, Control Coverage, and Data Quality. Weights are fixed and disclosed in each report appendix.

A score of 80+ is Good. 60–79 is Fair. Below 60 is Elevated Risk. The banding is deliberately conservative so that scores are meaningful across industries and dataset sizes.

How data quality is assessed

Every dataset is profiled on completeness, referential integrity, distribution normality, and outlier density. The Data Quality Score gates finding confidence — where data quality is Low, findings default to Medium or Low confidence regardless of rule specificity.

The report always states data-quality caveats explicitly. We would rather present fewer findings with high confidence than a longer list of noise.

What we do not claim

This is an analytical assessment, not a statutory audit. Findings identify risk indicators from data patterns; they do not adjudicate legal liability or replace internal audit function.

Estimated exposures are ranges based on observed patterns and industry benchmarks. Actual realised exposure may be lower or higher depending on remediation timing and organisational factors.