An Integrated Method for Compliance and Risk Assessment Experiences from a Case Study

This paper presents an integrated method for risk and compliance assessment and its evaluation in a case study. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modeling compliance risks have been developed. The lack of methodological and tool support means the compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. As part of the integrated method, a structured approach for the identification of compliance risks and their graphical modelling is provided. The main goal of the structured approach is to facilitate the identification and assessment of compliance risks and their subsequent documentation in a consistent and reusable fashion. The method is applied in a case study with the aim of assessing the compliance concerns in adopting cloud services. Our experience in the case study demonstrates that the integrated method enables a better structuring in the identification of compliance risks and yields reusable results. As well, the method facilitates communication among different expertise and mitigates subjectivity in making compliance decisions.