Abstract
This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
This is a working group composed of national data protection authorities.
This is not merely a hypothetical claim. The authors have experienced a situation in which a 3-h meeting resulted in the identification of only one compliance risk. This problem stems from the lack of a structured approach for identifying compliance risks.
References
Article 29 Data Protection Working Party (2012) Opinion 05/2012 on cloud computing adopted on 1 July 2012, WP 196
Australian Better Regulation Office (2008) Risk-based compliance. Guide for risk-based compliance approach. Australian Better Regulation Office, Sydney
Bing J (1982) Rettslige kommunikasjonsprosessor: Bidrag til en generell teori. Dissertation, University of Oslo
Bing J (ed) (1984) International handbook in legal information systems. North-Holland, Amsterdam
Bing J (2003) The policies of legal information services: a perspective of three decades. In: Bygrave LA (eds) Yulex 2003. Norwegian Research Centre for computers and law. University of Oslo, Oslo, pp 37–55
Bing J (2010) Let there be LITE: a brief history of legal information retrieval. Eur J Law Technol 1(1)
Bing J, Harvold T (1975) Legal decisions and information systems. Scandinavian University Press, Oslo
Bonazzi R, Hussami L, Pigneur Y (2010) Compliance management is becoming a major issue in IS design. In: D’Atri A, Saccà D (eds) Information systems: people, organizations, institutions, and technologies. Springer, Berlin, pp 391–398
Breaux TD, Antón AI (2005) Mining rule semantics to understand legislative compliance. In: Proceedings of the 2005 ACM workshop on privacy in the electronic society (WPES). ACM, New York, pp 51–54. doi:10.1145/1102199.1102210
Committee on Civil Liberties, Justice and Home Affairs (2013) Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A7-2013-0402+0+DOC+PDF+V0//EN. Accessed 10 March 2015
COSO (2004) Enterprise risk management: an integrated framework. Committee of Sponsoring Organizations of the Treadway Commission
Darimont R, Lemoine M (2006) Goal-oriented analysis of regulations, REMO 2V06: international workshop on regulations modelling and their verification and validation, Luxemburg. http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-241/paper9.pdf. Accessed 21 March 2015
Deng M, Kim W, Riccardo S, Bart P, Woute J (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir Eng 16(1):3–32. doi:10.1007/s00766-010-0115-7
ENISA (2009) Cloud computing: benefits, risks and recommendations for information security. In: Catteddu D, Hogben G (eds) European Network and Information Security Agency
Esayas S, Mahler T, Seehusen F, Bjørnstad F, Brubakk V (2015) An integrated method for compliance and risk assessment: experiences from a case study. In: Paper to be presented at the IEEE conference on communications and network security, Florence, 28–30 Sept 2015
European Data Protection Supervisor (2012) Opinion of the European data protection supervisor on the data protection reform package, European Data Protection Supervisor, Brussels. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Consultation/Opinions/2012/12-03-07_EDPS_Reform_package_EN.pdf
Ghanavati S, Daniel A, Peyton L (2008) Comparative analysis between document-based and model-based compliance management approaches. In: Requirements Engineering and Law, RELAW’08, pp 35–39. doi:10.1109/RELAW.2008.2
Giblin C, Liu AY, Müller S, Pfitzmann B, Zhou X (2005) Regulations expressed as logical models (REALM). In: Proceedings on legal knowledge and information systems: the eighteenth annual conference, IOS Press, pp 37–48
Greenleaf G (2004) Jon Bing and the history of legal research—some missing links. In: Torvund O, Bygrave L (eds) Et tilbakeblikk på fremtiden (“looking back at the future”). Institutt for rettsinformatikk, Oslo
Hohfeld WN (1913) Fundamental legal conceptions as applied in judicial reasoning. Yale Law J 23(1):710–770
ISO (2009) International standard ISO 31000. Risk management—principles and guidelines on implementation. ISO, Switzerland
Jorshari FZ, Mouratidis H, Islam S (2012) Extracting security requirements from relevant laws and regulations. In: Research challenges in information science (RCIS), sixth international conference, pp 1–9. doi:10.1109/RCIS.2012.6240443
Kiyavitskaya N, Zeni N, Cordy JR, Breaux TD, Mich L, Antón AI, Mylopoulos (2007) Extracting rights and obligations from regulations: toward a tool-supported process. In: ASE 2007, 22nd IEEE/ACM, conference on automated software engineering, pp 429–432
Lund MS, Solhaug B, Stølen K (2011) Model-driven risk analysis: the CORAS approach. Springer, Berlin
Mahler T (2010a) Tool-supported legal risk management: a roadmap. Eur J Legal Stud 2(3):175–198
Mahler T (2010b) Legal risk management: developing and evaluating elements of a method for proactive legal analyses, with a particular focus on contracts. Dissertation, University of Oslo
Mahler T, Bing J (2006) Contractual risk management in an ICT context—searching for a possible interface between legal methods and risk analysis. Scand Stud Law 49:339–357
Peterson EA (2012) Compliance and ethics programs: competitive advantage through the law. J Manag Gov 17(1):1027–1045
Ponemon Institute (2011) The role of governance, risk management and compliance in organizations study of GRC practitioners. Research Report, Sponsored by RSA, Security Division of EMC, Bedford
RASEN Deliverable 5.3.2 (2014) Methodologies for legal, compositional, and continuous risk assessment and security testing v.2. http://www.rasenproject.eu/deliverables/. Accessed 21 March 2015
Sartor G (2005) Legal reasoning—a cognitive approach to the law. Springer, Dondrecht
Standards Australia (2006) Compliance programs AS 3806-2006, 2nd edn. Australia, Sydney
Vraalsen F, Lund MS, Mahler T, Parent X, Stølen K (2005) Specifying legal risk scenarios using the CORAS threat modelling language: experiences and the way forward. In: Herrmann P et al (eds) iTrust, LNCS, vol 3477. Springer, Heidelberg, pp 45–60
Acknowledgments
This work has been funded by the European Commission via the RASEN (316853) project. Thanks are also due to our colleagues in the RASEN project for their comments throughout the project. We express special gratitude to our colleagues Fredrik Seehusen, Bjørnar Solhaug and Ketil Stølen at SINTEF ICT.
Author information
Authors and Affiliations
Corresponding author
Additional information
In Honour of Jon Bing.
Rights and permissions
About this article
Cite this article
Esayas, S., Mahler, T. Modelling compliance risk: a structured approach. Artif Intell Law 23, 271–300 (2015). https://doi.org/10.1007/s10506-015-9174-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10506-015-9174-x