There is often a 'practicality disconnect' between understanding the regulatory framework within which your business operates (and therefore understanding, in a general sense, the regulatory business risks that you face) and what can be done to mitigate those risks in practice. Put another way, how do you go about scoping the regulatory risks faced by your business?

  • First, you need to understand the features of the sector within which you operate: is it oligopolistic; is sensitive data important; are contracts with government agencies involved?
  • Then you should consider the incentives and training within your business: do employment contracts and promotion/appraisal criteria incentivise unwanted risk-taking; do sales targets compromise (the desired level of) compliance?
  • What are your early warning systems, and who within your business is alerted when, for example: others in your sector are under investigation; the press reports a data breach; or business units materially underperform or overperform?
  • And finally, what is the action plan if and when a breach occurs: who will be responsible for ensuring that specific actions are taken; will you need to review your key contracts; what, if anything, will you tell customers and employees; should you self-report to the relevant regulatory authorities; do you need to suspend any staff; and will you need to review IT systems and your document retention policy to ensure that evidence is not compromised?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.