Abstract
This article aims at improving the information systems support for the Risk and Compliance Management process, i.e. the management of all compliance imperatives that affect an organization, including both legal and strategically self-imposed ones. We propose a process to achieve such regulatory compliance by aligning Governance activities with Risk Management ones, and we suggest that Compliance should be treated as a requirement for the Risk Management platform. We propose a framework to align legal and IT compliance requirements and use it to identify possible directions of investigation, which are summarized in our discussion section. This work is based on an extensive review of the existing literature and on the results of a four-month internship within the IT compliance team of a major financial institution in Switzerland that has legal entities in several countries.
© 2009 Physica-Verlag Heidelberg
Bonazzi, R., Hussami, L., Pigneur, Y. (2009). Compliance Management is Becoming a Major Issue in IS Design. In: D'Atri, A., Saccà, D. (eds) Information Systems: People, Organizations, Institutions, and Technologies. Physica-Verlag HD. https://doi.org/10.1007/978-3-7908-2148-2_45
DOI: https://doi.org/10.1007/978-3-7908-2148-2_45
Publisher Name: Physica-Verlag HD
Print ISBN: 978-3-7908-2147-5
Online ISBN: 978-3-7908-2148-2
eBook Packages: Business and Economics; Business and Management (R0)