There is often a 'practicality disconnect' between understanding the regulatory
framework within which your business operates (and therefore understanding the
regulatory business risks that you face in a general sense) and what can be done
to mitigate those risks in practice. Put another way, how do you go about
scoping the regulatory risks faced by your business?

First, you need to understand the features of the sector within which you
operate: is it oligopolistic; is sensitive data important; are contracts with
government agencies involved?

Then you should consider the incentives and training within your business: do
employment contracts and promotion/appraisal criteria incentivise unwanted
risk-taking; do sales targets compromise (the desired level of) compliance?

What are your early warning systems, and who within your business is alerted
when, for example, others in your sector are under investigation, the press
reports a data breach, or business units materially underperform or
overperform?

And finally, what is the action plan if and when a breach occurs: who will be
responsible for ensuring that specific actions are taken; will you need to
review your key contracts; what, if anything, will you tell customers and
employees; should you self-report to the relevant regulatory authorities; do
you need to suspend any staff; and will you need to review IT systems and
document retention policy to ensure that evidence is not