How to map regulatory risks
There is often a 'practicality disconnect' between understanding the regulatory framework within which your business operates (and therefore understanding the regulatory business risks that you face in a general sense) and what can be done to mitigate those risks in practice. Put another way, how do you go about scoping the regulatory risks faced by your business?
- First, you need to understand the features of the sector within which you operate: is it oligopolistic; is sensitive data important; are contracts with government agencies involved?
- Then you should consider the incentives and training within your business: do employment contracts and promotion/appraisal criteria incentivise unwanted risk-taking; do sales targets compromise (the desired level of) compliance?
- What are your early warning systems and who within your business is alerted when, e.g.: others in your sector are under investigation; the press reports a data breach; business units materially under or over perform.
- And finally, what is the action plan if and when a breach occurs: who will be responsible for ensuring specific actions are taken; will you need to review your key contracts; what, if anything, will you tell customers and employees; should you self-report to the relevant regulatory authorities; do you need to suspend any staff; and will you need to review IT systems and document retention policy to ensure that evidence is not compromised.
If you would like to discuss these issues please do not hesitate to contact John Cassels at firstname.lastname@example.org