Published in: Artificial Intelligence and Law 3/2015

01.09.2015

Modelling compliance risk: a structured approach

Authors: Samson Esayas, Tobias Mahler


Abstract

This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market mean that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for the graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating potential future automated modelling.


Footnotes

1. This is a working group composed of national data protection authorities.

2. This is not merely a hypothetical claim. The authors have experienced a situation in which a 3-h meeting resulted in the identification of only one compliance risk. This problem stems from the lack of a structured approach for identifying compliance risks.
Metadata
Title
Modelling compliance risk: a structured approach
Authors
Samson Esayas
Tobias Mahler
Publication date
01.09.2015
Publisher
Springer Netherlands
Published in
Artificial Intelligence and Law / Issue 3/2015
Print ISSN: 0924-8463
Electronic ISSN: 1572-8382
DOI
https://doi.org/10.1007/s10506-015-9174-x
