Compliance Management is Becoming a Major Issue in IS Design
This article aims to improve the support that information systems management provides to the Risk and Compliance Management process, i.e. the management of all compliance imperatives that affect an organization, including both legal imperatives and strategically self-imposed ones. We propose a process for achieving such regulatory compliance by aligning Governance activities with Risk Management activities, and we suggest that Compliance should be treated as a requirement of the Risk Management platform. We propose a framework for aligning legal and IT compliance requirements and use it to highlight possible directions for further investigation, which are summarized in our discussion section. This work is based on an extensive review of the existing literature and on the results of a four-month internship within the IT compliance team of a major financial institution in Switzerland, which has legal entities situated in different countries.
Keywords: Business Process, Information System, Compliance Requirement, Organizational Infrastructure, Compliance Management