The approach used to manage compliance in a large percentage of organizations was not designed – it evolved, sometimes over a span of many decades in response to a multitude of internal and external factors, often without the use of any systematic...
The approach used to manage compliance in a large percentage of organizations was not designed – it evolved, sometimes over a span of many decades in response to a multitude of internal and external factors, often without the use of any systematic approach. Very few organizations in the world today have approached the task of designing an entity level compliance framework using a true risk-based approach.
A risk-based approach to compliance requires that the key risks to the objective of complying with specific laws and regulations be formally identified, measured in terms of likelihood and consequence and, only after those steps are taken, are decisions made on the best way to “treat” the compliance risks identified and design and write corporate policy to implement the risk treatment options selected. The effectiveness of the risk treatment design for any given set of laws, regulations, or area of compliance impacts directly on the current and potential risk of non-compliance.