Dynamic and Risk-based Compliance Management

The necessity of complying with an evolving set of regulatory requirements is a growing concern to enterprises. Responsible decision makers must continuously decide which measures are appropriate and must be implemented with which priority in order to reach the optimal compliance level. To proactively address external audits, management must also decide on the optimal way to internally inspect whether the taken measures are effective and being followed. In this paper, we propose a quantitative risk-based compliance management approach, which allows management to optimally and dynamically select feasible measures to attain an adequate compliance level and to inspect compliance with a given set of regulatory requirements. We strive to minimize the expected total cost of compliance including the costs of individual measures and inspections, and the audit outcome cost for varying compliance levels. Our approach is based on dynamic programming and naturally accounts for the dynamic evolution of the enterprise with respect to the regulatory landscape governing it. The main merit of our method lies in its use as a scenario-based management support system. Depending on the availability and accuracy of input data, it can even be used as a comprehensive tool to optimally select the desired compliance measures and controls policies. Moreover, our tool lends itself as a policy instrument and may provide valuable guidance to effective rule making.

By: Samuel Mueller; Chonawee Supatgiat

Published in: RZ3656 in 2006

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.

rz3656Update.pdf

Questions about this service can be mailed to reports@us.ibm.com .