Compliance risk refers to the financial, legal, reputational, or business impact on an organization, of any size or structure, of not adhering to a set of standards, laws, or frameworks. Most organizations think of risk in terms of a negative outcome. For example, in the context of information security, an organization could face financial fines and penalties for not complying with privacy regulations.
What is compliance risk management?
Compliance risk management is the collection of management processes that identify, assess, address, and monitor risks. A typical program will consider the impacts of risks to an organization that include:
- Legal — A failure to comply with laws can lead to fines, penalties, even jail time
- Financial — Risks that impact the bottom line, such as investor confidence or share price
- Reputational — How the organization is perceived in the marketplace
- Business — Risks that impact operations or people management
Types of compliance risk
Compliance risk can be broken down into the following high-level categories:
- Regulatory risks are risks associated with non-compliance with laws and regulations. Examples include the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX). By not adequately addressing regulatory risk, a company can be exposed to fines or even jail time.
- Industry standards, like ISO, NIST or other best practices, also introduce risks. Failure to comply with industry standards can lead to a loss of business and revenue.
- Internal policies and practices represent another component of compliance risk. Policies are put in place to govern the activities of the organization. Non-compliance with expected policies, procedures, processes, and controls can introduce a myriad of risks, from data handling failures to breaches of IT security.
Implementing a compliance risk management program
Typically run by a risk officer or compliance manager, a strong risk management program will consider risks across the organization, including its assets. It will also incorporate both quantitative and qualitative measures, assign risk ownership, have a well-defined risk treatment process, and continuously monitor risks. To implement a strong compliance risk management program, consider who will participate and how, how results will be reported, and how often risks will be reassessed.
There are a number of popular compliance frameworks. When it comes to IT and data security, the following should be top of mind:
- ISO 27001 — The international, industry standard for meeting information security objectives.
- HIPAA — The Health Insurance Portability and Accountability Act is the regulatory standard for organizations that touch electronic healthcare records.
- SOC 2 — A US-based industry standard for demonstrating information security principles (availability, confidentiality, processing integrity and privacy).
- GDPR — The General Data Protection Regulation is the law governing the privacy rights of EU citizens.
- CCPA — The California Consumer Privacy Act is a law governing the rights of California residents to bar the selling of their data.
- NIST — The National Institute of Standards and Technology provides industry standards for entities that do business with US federal, state and local government entities. Its standards may also be adopted by organizations that do not do business with governments.