Skip to main content

Modelling compliance risk: a structured approach


This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7


  1. This is a working group composed of national data protection authorities.

  2. This is not merely a hypothetical claim. The authors have experienced a situation in which a 3-h meeting resulted in the identification of only one compliance risk. This problem stems from the lack of a structured approach for identifying compliance risks.


  • Article 29 Data Protection Working Party (2012) Opinion 05/2012 on cloud computing adopted on 1 July 2012, WP 196

  • Australian Better Regulation Office (2008) Risk-based compliance. Guide for risk-based compliance approach. Australian Better Regulation Office, Sydney

  • Bing J (1982) Rettslige kommunikasjonsprosessor: Bidrag til en generell teori. Dissertation, University of Oslo

  • Bing J (ed) (1984) International handbook in legal information systems. North-Holland, Amsterdam

    Google Scholar 

  • Bing J (2003) The policies of legal information services: a perspective of three decades. In: Bygrave LA (eds) Yulex 2003. Norwegian Research Centre for computers and law. University of Oslo, Oslo, pp 37–55

  • Bing J (2010) Let there be LITE: a brief history of legal information retrieval. Eur J Law Technol 1(1)

  • Bing J, Harvold T (1975) Legal decisions and information systems. Scandinavian University Press, Oslo

    Google Scholar 

  • Bonazzi R, Hussami L, Pigneur Y (2010) Compliance management is becoming a major issue in IS design. In: D’Atri A, Saccà D (eds) Information systems: people, organizations, institutions, and technologies. Springer, Berlin, pp 391–398

    Google Scholar 

  • Breaux TD, Antón AI (2005) Mining rule semantics to understand legislative compliance. In: Proceedings of the 2005 ACM workshop on privacy in the electronic society (WPES). ACM, New York, pp 51–54. doi:10.1145/1102199.1102210

  • Committee on Civil Liberties, Justice and Home Affairs (2013) Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Accessed 10 March 2015

  • COSO (2004) Enterprise risk management: an integrated framework. Committee of Sponsoring Organizations of the Treadway Commission

  • Darimont R, Lemoine M (2006) Goal-oriented analysis of regulations, REMO 2V06: international workshop on regulations modelling and their verification and validation, Luxemburg. Accessed 21 March 2015

  • Deng M, Kim W, Riccardo S, Bart P, Woute J (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir Eng 16(1):3–32. doi:10.1007/s00766-010-0115-7

    Article  Google Scholar 

  • ENISA (2009) Cloud computing: benefits, risks and recommendations for information security. In: Catteddu D, Hogben G (eds) European Network and Information Security Agency

  • Esayas S, Mahler T, Seehusen F, Bjørnstad F, Brubakk V (2015) An integrated method for compliance and risk assessment: experiences from a case study. In: Paper to be presented at the IEEE conference on communications and network security, Florence, 28–30 Sept 2015

  • European Data Protection Supervisor (2012) Opinion of the European data protection supervisor on the data protection reform package, European Data Protection Supervisor, Brussels.

  • Ghanavati S, Daniel A, Peyton L (2008) Comparative analysis between document-based and model-based compliance management approaches. In: Requirements Engineering and Law, RELAW’08, pp 35–39. doi:10.1109/RELAW.2008.2

  • Giblin C, Liu AY, Müller S, Pfitzmann B, Zhou X (2005) Regulations expressed as logical models (REALM). In: Proceedings on legal knowledge and information systems: the eighteenth annual conference, IOS Press, pp 37–48

  • Greenleaf G (2004) Jon Bing and the history of legal research—some missing links. In: Torvund O, Bygrave L (eds) Et tilbakeblikk på fremtiden (“looking back at the future”). Institutt for rettsinformatikk, Oslo

    Google Scholar 

  • Hohfeld WN (1913) Fundamental legal conceptions as applied in judicial reasoning. Yale Law J 23(1):710–770

    Article  Google Scholar 

  • ISO (2009) International standard ISO 31000. Risk management—principles and guidelines on implementation. ISO, Switzerland

  • Jorshari FZ, Mouratidis H, Islam S (2012) Extracting security requirements from relevant laws and regulations. In: Research challenges in information science (RCIS), sixth international conference, pp 1–9. doi:10.1109/RCIS.2012.6240443

  • Kiyavitskaya N, Zeni N, Cordy JR, Breaux TD, Mich L, Antón AI, Mylopoulos (2007) Extracting rights and obligations from regulations: toward a tool-supported process. In: ASE 2007, 22nd IEEE/ACM, conference on automated software engineering, pp 429–432

  • Lund MS, Solhaug B, Stølen K (2011) Model-driven risk analysis: the CORAS approach. Springer, Berlin

    Book  Google Scholar 

  • Mahler T (2010a) Tool-supported legal risk management: a roadmap. Eur J Legal Stud 2(3):175–198

    Google Scholar 

  • Mahler T (2010b) Legal risk management: developing and evaluating elements of a method for proactive legal analyses, with a particular focus on contracts. Dissertation, University of Oslo

  • Mahler T, Bing J (2006) Contractual risk management in an ICT context—searching for a possible interface between legal methods and risk analysis. Scand Stud Law 49:339–357

    Google Scholar 

  • Peterson EA (2012) Compliance and ethics programs: competitive advantage through the law. J Manag Gov 17(1):1027–1045

    Google Scholar 

  • Ponemon Institute (2011) The role of governance, risk management and compliance in organizations study of GRC practitioners. Research Report, Sponsored by RSA, Security Division of EMC, Bedford

    Google Scholar 

  • RASEN Deliverable 5.3.2 (2014) Methodologies for legal, compositional, and continuous risk assessment and security testing v.2. Accessed 21 March 2015

  • Sartor G (2005) Legal reasoning—a cognitive approach to the law. Springer, Dondrecht

    Google Scholar 

  • Standards Australia (2006) Compliance programs AS 3806-2006, 2nd edn. Australia, Sydney

    Google Scholar 

  • Vraalsen F, Lund MS, Mahler T, Parent X, Stølen K (2005) Specifying legal risk scenarios using the CORAS threat modelling language: experiences and the way forward. In: Herrmann P et al (eds) iTrust, LNCS, vol 3477. Springer, Heidelberg, pp 45–60

    Google Scholar 

Download references


This work has been funded by the European Commission via the RASEN (316853) project. Thanks are also due to our colleagues in the RASEN project for their comments throughout the project. We express special gratitude to our colleagues Fredrik Seehusen, Bjørnar Solhaug and Ketil Stølen at SINTEF ICT.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Tobias Mahler.

Additional information

In Honour of Jon Bing.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Esayas, S., Mahler, T. Modelling compliance risk: a structured approach. Artif Intell Law 23, 271–300 (2015).

Download citation

  • Published:

  • Issue Date:

  • DOI:


  • Compliance
  • Risk identification
  • Legal risk
  • Graphical modelling
  • Compliance management
  • Natural language patterns