
Risk Intelligence Blog


The Future of Compliance Risk Assessments

The incorporation of legal and regulatory compliance requirements into technology risk assessments, although a relatively new development, is becoming more pervasive in a greater number of industries.

This is a reflection of the increasing attention that legislators have placed on regulating the collection, disclosure, use, protection, retention, and destruction of information. 

I believe that compliance risk assessments will change in five fundamental ways over the next few years:

1. The scope of compliance risk assessments will expand to support increased regulatory requirements and government scrutiny.  The sheer number of legal and regulatory requirements will continue to grow.  This is especially true in the financial services and healthcare industries.  Tracking changes to legal and regulatory requirements, assessing the impact of these changes on the organization, and updating compliance risk registers will become an ever-increasing burden on companies already strapped with limited resources.  The kicker is that these activities are a ‘must do’ and don’t contribute to corporate revenue streams.

2. The “checklist approach” for performing compliance risk assessments will not survive.  As we saw with the promulgation of PCAOB Accounting Standard 5 in relation to Sarbanes-Oxley § 404, the standards used to measure compliance will continue to evolve from a “one-size fits all” model to become more risk based.  This means that compliance risk assessments based on static checklists will become less and less useful and may even be harmful by not putting responses in a risk context.

3. Compliance risk management will continue to develop as a distinct specialization.  As risks related to compliance with legal and regulatory requirements become a proportionally greater portion of a company’s overall risk portfolio, the need for expertise in the technology compliance space will increase.  Although compliance risk management as a specialization is currently in its infancy, it is likely to gain greater recognition as a standalone profession in the future.

4. The compliance risk assessment activity will evolve into a continuous, almost dynamic process.  Many companies currently perform compliance risk assessments once a year.  The compliance risk register is then “shelved” and is not revisited until the following year.  Because the pace of lawmaking is accelerating and the impact of these laws is increasing, leading companies will recognize the need to re-assess compliance risks on an ongoing basis.

5. Compliance risk assessments will incorporate more third party risks.  Risk managers often fail to incorporate the legal and regulatory risks created by vendors and outsourcers within their compliance risk assessments.  This is a significant error.  Although companies can outsource services, they cannot outsource their responsibilities to comply with the law.  This lesson was recently learned by companies that provided services to HIPAA covered healthcare entities.  With the recently enacted HITECH Act, these service providers are now subject to the same rules as the companies they served.

Although these developments will increase the prominence of compliance risk elicitation, analysis, and management, it is important to remember that legal and regulatory compliance risks are, and will continue to be, only one category of the many types of risk that should be managed in a comprehensive enterprise risk management program.

An over-emphasis on managing this category of risk may result in a company being fully compliant with the law while operating with reckless disregard for other types of risk.  That being said, the future looks bright for those who understand the ever-increasing intersection between technology and the law.
