Modelling compliance risk: a structured approach

This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

• Get 10 units per month
• Download Article/Chapter or eBook
• 1 Unit = 1 Article or 1 Chapter
• Cancel anytime

Buy Now

Price includes VAT (France)

Instant access to the full article PDF.

Rent this article via DeepDyve

Similar content being viewed by others

Automated Reasoning for Regulatory Compliance

Collection and Elicitation of Business Process Compliance Patterns with Focus on Data Aspects

Modeling Regulatory Compliance in Requirements Engineering

Explore related subjects

• Artificial Intelligence
• Medical Ethics

Notes

This is not merely a hypothetical claim. The authors have experienced a situation in which a 3-h meeting resulted in the identification of only one compliance risk. This problem stems from the lack of a structured approach for identifying compliance risks.

References

• Article 29 Data Protection Working Party (2012) Opinion 05/2012 on cloud computing adopted on 1 July 2012, WP 196
• Australian Better Regulation Office (2008) Risk-based compliance. Guide for risk-based compliance approach. Australian Better Regulation Office, Sydney
• Bing J (1982) Rettslige kommunikasjonsprosessor: Bidrag til en generell teori. Dissertation, University of Oslo
• Bing J (ed) (1984) International handbook in legal information systems. North-Holland, Amsterdam Google Scholar
• Bing J (2003) The policies of legal information services: a perspective of three decades. In: Bygrave LA (eds) Yulex 2003. Norwegian Research Centre for computers and law. University of Oslo, Oslo, pp 37–55
• Bing J (2010) Let there be LITE: a brief history of legal information retrieval. Eur J Law Technol 1(1)
• Bing J, Harvold T (1975) Legal decisions and information systems. Scandinavian University Press, Oslo Google Scholar
• Bonazzi R, Hussami L, Pigneur Y (2010) Compliance management is becoming a major issue in IS design. In: D’Atri A, Saccà D (eds) Information systems: people, organizations, institutions, and technologies. Springer, Berlin, pp 391–398 Google Scholar
• Breaux TD, Antón AI (2005) Mining rule semantics to understand legislative compliance. In: Proceedings of the 2005 ACM workshop on privacy in the electronic society (WPES). ACM, New York, pp 51–54. doi:10.1145/1102199.1102210
• Committee on Civil Liberties, Justice and Home Affairs (2013) Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A7-2013-0402+0+DOC+PDF+V0//EN. Accessed 10 March 2015
• COSO (2004) Enterprise risk management: an integrated framework. Committee of Sponsoring Organizations of the Treadway Commission
• Darimont R, Lemoine M (2006) Goal-oriented analysis of regulations, REMO 2V06: international workshop on regulations modelling and their verification and validation, Luxemburg. http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-241/paper9.pdf. Accessed 21 March 2015
• Deng M, Kim W, Riccardo S, Bart P, Woute J (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir Eng 16(1):3–32. doi:10.1007/s00766-010-0115-7ArticleGoogle Scholar
• ENISA (2009) Cloud computing: benefits, risks and recommendations for information security. In: Catteddu D, Hogben G (eds) European Network and Information Security Agency
• Esayas S, Mahler T, Seehusen F, Bjørnstad F, Brubakk V (2015) An integrated method for compliance and risk assessment: experiences from a case study. In: Paper to be presented at the IEEE conference on communications and network security, Florence, 28–30 Sept 2015
• European Data Protection Supervisor (2012) Opinion of the European data protection supervisor on the data protection reform package, European Data Protection Supervisor, Brussels. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Consultation/Opinions/2012/12-03-07_EDPS_Reform_package_EN.pdf
• Ghanavati S, Daniel A, Peyton L (2008) Comparative analysis between document-based and model-based compliance management approaches. In: Requirements Engineering and Law, RELAW’08, pp 35–39. doi:10.1109/RELAW.2008.2
• Giblin C, Liu AY, Müller S, Pfitzmann B, Zhou X (2005) Regulations expressed as logical models (REALM). In: Proceedings on legal knowledge and information systems: the eighteenth annual conference, IOS Press, pp 37–48
• Greenleaf G (2004) Jon Bing and the history of legal research—some missing links. In: Torvund O, Bygrave L (eds) Et tilbakeblikk på fremtiden (“looking back at the future”). Institutt for rettsinformatikk, Oslo Google Scholar
• Hohfeld WN (1913) Fundamental legal conceptions as applied in judicial reasoning. Yale Law J 23(1):710–770 ArticleGoogle Scholar
• ISO (2009) International standard ISO 31000. Risk management—principles and guidelines on implementation. ISO, Switzerland
• Jorshari FZ, Mouratidis H, Islam S (2012) Extracting security requirements from relevant laws and regulations. In: Research challenges in information science (RCIS), sixth international conference, pp 1–9. doi:10.1109/RCIS.2012.6240443
• Kiyavitskaya N, Zeni N, Cordy JR, Breaux TD, Mich L, Antón AI, Mylopoulos (2007) Extracting rights and obligations from regulations: toward a tool-supported process. In: ASE 2007, 22nd IEEE/ACM, conference on automated software engineering, pp 429–432
• Lund MS, Solhaug B, Stølen K (2011) Model-driven risk analysis: the CORAS approach. Springer, Berlin BookGoogle Scholar
• Mahler T (2010a) Tool-supported legal risk management: a roadmap. Eur J Legal Stud 2(3):175–198 Google Scholar
• Mahler T (2010b) Legal risk management: developing and evaluating elements of a method for proactive legal analyses, with a particular focus on contracts. Dissertation, University of Oslo
• Mahler T, Bing J (2006) Contractual risk management in an ICT context—searching for a possible interface between legal methods and risk analysis. Scand Stud Law 49:339–357 Google Scholar
• Peterson EA (2012) Compliance and ethics programs: competitive advantage through the law. J Manag Gov 17(1):1027–1045 Google Scholar
• Ponemon Institute (2011) The role of governance, risk management and compliance in organizations study of GRC practitioners. Research Report, Sponsored by RSA, Security Division of EMC, Bedford Google Scholar
• RASEN Deliverable 5.3.2 (2014) Methodologies for legal, compositional, and continuous risk assessment and security testing v.2. http://www.rasenproject.eu/deliverables/. Accessed 21 March 2015
• Sartor G (2005) Legal reasoning—a cognitive approach to the law. Springer, Dondrecht Google Scholar
• Standards Australia (2006) Compliance programs AS 3806-2006, 2nd edn. Australia, Sydney Google Scholar
• Vraalsen F, Lund MS, Mahler T, Parent X, Stølen K (2005) Specifying legal risk scenarios using the CORAS threat modelling language: experiences and the way forward. In: Herrmann P et al (eds) iTrust, LNCS, vol 3477. Springer, Heidelberg, pp 45–60 Google Scholar

Acknowledgments

This work has been funded by the European Commission via the RASEN (316853) project. Thanks are also due to our colleagues in the RASEN project for their comments throughout the project. We express special gratitude to our colleagues Fredrik Seehusen, Bjørnar Solhaug and Ketil Stølen at SINTEF ICT.

Author information

Authors and Affiliations

1. Norwegian Research Center for Computers and Law, St. Olavs Plass 5, 0130, Oslo, Norway Samson Esayas & Tobias Mahler

1. Samson Esayas