Dynamic and risk-based compliance management

Abstract

The necessity of complying with an evolving set of regulatory requirements is a growing concern to enterprises. Responsible decision makers must continuously decide which measures are appropriate and must be implemented with which priority in order to reach the optimal compliance level. To proactively address external audits, management must also decide on the optimal way to internally inspect whether the taken measures are effective and being followed. In this paper, we propose a quantitative risk-based compliance management approach, which allows management to optimally and dynamically select feasible measures to attain an adequate compliance level and to inspect compliance with a given set of regulatory requirements. We strive to minimize the expected total cost of compliance including the costs of individual measures and inspections, and the audit outcome cost for varying compliance levels. Our approach is based on dynamic programming and naturally accounts for the dynamic evolution of the enterprise with respect to the regulatory landscape governing it. The main merit of our method lies in its use as a scenario-based management support system. Depending on the availability and accuracy of input data, it can even be used as a comprehensive tool to optimally select the desired compliance measures and controls policies. Moreover, our tool lends itself as a policy instrument and may provide valuable guidance to effective rule making.