There are a lot of misconceptions about risk and compliance. Organizations often assume that if they are compliant, they are automatically able to combat potential risks. On the flip side, there is a similarly incorrect assumption that if your risk program is already in place, your organization is already compliant by default.
First, what is the difference between risk and compliance? The Information Systems Audit and Control Association® (ISACA) defines risk as “the probability of an event and its consequence,” whereas compliance is conforming with requirements set forth by a regulatory body.
Risk drives strategic decisions whereas compliance is a tactical decision.
The risk approach is predictive, and compliance is prescriptive. An organization's approach to changing risks is typically proactive, whereas its response to new compliance requirements tends to be reactive. From the risk viewpoint there are gray areas that can be addressed; in the compliance realm, issues are seen in black and white:
- Adaptation to threats in risk is typically fast, while the adaptation rate of regulatory agencies is typically slow.
- Compliance is often seen as a starting point for security, while risk can take on continuous improvement.
- Risk activities are often tied to processes – compliance is tied to a set of requirements.
- The focus area of risk is uncertainty, and compliance focuses on adherence.
- The control of the risk program is intrinsically internal to the organization, whereas compliance is tied to external regulatory bodies.
While risk and compliance may be viewed differently, and people within each area may prefer to distance themselves from one another, an organization should understand the downfalls of isolating the programs from each other. Risk departments need to understand the consequences and risk of non-compliance. Compliance departments need to understand the risk appetite the organization is willing to accept to meet its strategic goals. Separating these complementary and symbiotic areas into silos can lead to redundancy and fragmentation.
The areas of risk and compliance meet in the areas of technology, reporting, training, taxonomies, and governance. They blend in people, processes, and policies.
Thank you for reading!
Jason Wulf is an information assurance expert working across the information and cyber security domains, focusing on risk and compliance in the financial industry. Jason's previous roles primarily consisted of managing enterprise-level infrastructure, service desks, and help desks. Other responsibilities included project management, agile development, and system administration.
At SecureTrust, Jason leads engagements with clients to assess, test, and perform onsite PCI-DSS compliance validations of CDEs (Cardholder Data Environments). He performs scoping, PCI gap assessments, and risk and remediation consulting, providing practical and actionable steps that improve clients' security posture with a mindset of governance, compliance, and organizational privacy.