How a risk-based approach could cut your compliance costs

Combining a risk-based approach with the benefits of automation could help compliance teams handle the arrival of new rules more effectively
A deluge of new regulations is increasing pressure on global compliance teams. From the European Union’s General Data Protection Regulation (GDPR) and Digital Operational Resilience Act (DORA) to the UK’s Telecommunications Security Act (TSA), keeping up with the volume and pace of regulatory change has never been tougher. In 2022, there were more than 61,000 regulatory alerts issued globally – equivalent to 234 regulatory updates every day, according to Thomson Reuters.

And the risks of non-compliance are growing. For the most serious GDPR infractions, for example, fines can be as steep as €20m or 4% of annual revenue, whichever is higher. This intensifying regulatory backdrop, coupled with the threat of severe financial penalties, is making it more important than ever for companies to improve the way they manage compliance.

“There’s a lot of overlap between these different regulations, but quite often they will go to different parts of the organisation,” says Simon Marvell, co-founder and director of Acuity Risk Management. “So they tend to be looked at independently, and that takes an awful lot of effort with an awful lot of duplication.”

Many organisations take what Marvell calls a bottom-up view of compliance, where managers or audit teams run down a checklist of controls and requirements and tick yes or no as to whether the control is in place.

“If it’s not in place, then they will usually ask: ‘What’s the potential consequence? How likely is it to happen?’ And then they give it a red, amber or green flag based on how concerned they are about it from a risk point of view,” says Marvell. “That means every requirement and every regulation is treated in the same way as you go down the checklist, which is pretty inefficient and costly. That approach doesn’t work very well because the auditor or person asking those questions often isn’t someone who understands risk or can understand what the wider implications of the control failing would be.”

A more efficient and effective way is to take a top-down, risk-based approach that starts by looking at the objectives that organisations are seeking to achieve, Marvell says. Take an organisation’s supply chain, for example. Some new regulations, such as TSA and DORA, expect companies to manage risk across their supply chains. To manage that third-party risk, companies often take a bottom-up approach and send out questionnaires to their suppliers asking them about the policies and controls they have in place.

“Again, it’s a checkbox exercise and people can be a little liberal with the truth, so it’s a time-consuming process that doesn’t really tell us anything about risk at all,” says Marvell.

A risk-based approach instead starts by identifying the material risks to the business within its supply chain. For instance, if a business objective is to grow market share, that objective could be threatened if, say, a product design supplier suffered a data breach and the company’s intellectual property (IP) was stolen, says Marvell.

“That’s the starting point – what is really important to the business, and then narrowing down and focusing on the areas where there could be a material impact. So, if the concern is about IP theft, then that’s the risk you need to protect against,” he says.

This risk-based approach also helps companies to prioritise when attempting to deal with multiple regulations at the same time, making it easier to develop risk mitigation strategies, says Kerry Chambers, CEO at Acuity Risk Management.

This is where technology and automation can help, by enabling organisations to manage overlapping compliance requirements via a framework which maps the policies and controls that organisations already have in place against the relevant regulations. Done well, that could significantly reduce duplicated effort.

Technology can also allow compliance teams to quantify the potential financial cost of certain risks instead of categorising threats with a vague ‘low’, ‘medium’ or ‘high’ impact assessment.

“When you look at risks such as loss of IP, for example, there are severe financial implications to that,” says Marvell. “By using technology to assess that risk and understand the potential financial loss profile, you can then have a discussion with senior leadership about what level of financial risk is tolerable to the organisation. And if you can understand the levels of financial risk, that can help you to make ROI-type (return on investment) decisions about what you’re prepared to spend to mitigate those risks.”

Given the pace of regulatory change, automation in particular can make it easier for organisations to ensure their compliance efforts are up to date, while also maintaining a catalogue of evolving risks and mitigations. That can drastically reduce manual effort, making compliance teams more efficient.

“Where organisations have complex regulatory compliance requirements – particularly global organisations that have cross-border compliance concerns – using technology can streamline and automate the risk management process,” says Chambers. “It also allows organisations to look at risk in real time across their entire business, enabling them to make much more informed business decisions.”

Technology can also help when it comes to capturing and storing evidence for auditors and regulators to demonstrate compliance. That is particularly important if there is an adverse event, such as customer data being stolen by hackers. Effective evidence storage can make the difference between a big fine and a lighter sanction.

“Regulators recognise that you can’t avoid risk altogether, so you may still have a data breach,” says Marvell. “But if you’ve got evidence that shows you’ve been diligent and considered this risk and implemented certain processes and controls to manage it, there’s a very realistic prospect that there will be no fine or a much smaller fine than otherwise would have been the case.”

Companies that are not investing in technology to help them manage regulatory change will ultimately continue to struggle under the weight and pace of new compliance requirements, elevating the risk of non-compliance.

“If you’re not using technology, then as an organisation you will have limited efficiency. That will make your decision-making processes slower, and there’s increased risk of human error. That will hinder you when it comes to making good decisions for the organisation,” says Chambers.