The sophistication with which modern business is carried out and the unprecedented access to a global market means that
businesses are exposed to diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of
regulatory environments. One possibility in this regard is a riskbased approach to compliance where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modeling compliance risks have been developed.
The lack of methodological and tool support means the
compliance risk identification often involves unstructured
brainstorming, with uncertain outcomes. As part of the
integrated method, a structured approach for the identification of compliance risks and their graphical modelling is provided.
The main goal of the structured approach is to facilitate the
identification and assessment of compliance risks and their
subsequent documentation in a consistent and reusable fashion. The method is applied in a case study with the aim of assessing the compliance concerns in adopting cloud services. Our experience in the case study demonstrates that the integrated method enables a better structuring in the identification of compliance risks and yields reusable results. As well, the method facilitates communication among different expertise and mitigates subjectivity in making compliance decisions.