How to map regulatory risks
- First, you need to understand the features of the sector within which you operate: is it oligopolistic; does the business handle sensitive or personal data; are contracts with government agencies involved?
- Then you should consider the incentives and training within your business: do employment contracts and promotion/appraisal criteria incentivise unwanted risk-taking; do sales targets compromise (the desired level of) compliance?
- What are your early warning systems, and who within your business is alerted when, for example, others in your sector are under investigation, the press reports a data breach, or business units materially under- or over-perform?
- And finally, what is the action plan if and when a breach occurs: who will be responsible for ensuring specific actions are taken; will you need to review your key contracts; what, if anything, will you tell customers and employees; should you self-report to the relevant regulatory authorities; do you need to suspend any staff; and will you need to review IT systems and your document retention policy (for example, by suspending routine deletion) to ensure that evidence is preserved and not compromised?