Structuring Compliance Risk Identification Using the CORAS Approach: Compliance as an Asset

The global scale of modern business and information technology enables companies to trade across borders but at the risk of being subject to laws in diverse jurisdictions. The regulatory requirements with which businesses have to comply are drastically increasing not only in sheer number but also in complexity, confronting businesses with the need to adapt to a complex, evolving regulatory environment. Crucial to a business´s survival and profitability in such environment are understanding and managing legal and compliance risks. This need has spurred significant recent interest in integrated governance, risk, and compliance (GRC) management. A central element in integrated GRC management is following a risk-based approach to compliance which prioritizes compliance requirements based on their level of risk. Despite the need for risk-based compliance, few specific methods or approaches for identifying compliance risks have been developed. This paper presents a structured method for identifying compliance risks from compliance requirements and the business environment.