
What Is Truth to Power?

Truth to Power (T2P) is:

  • dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
  • built to create a common pool of knowledge—one big brain—that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
  • a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are helping people like you already, but in fractured ways.
  • against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it—without undue cost, bias, or hype.

Glossary of terms used in the Open IT Policy Project
Compliance

Compliance is the act or process of adhering to rules, particularly those imposed by external or internal authorities.

Types of Compliance

Compliance requirements come from various sources:

  • Regulatory – Government agencies impose compliance requirements for organizations operating within their jurisdiction (e.g. SOX).
  • Industry – Industry bodies impose compliance requirements on their members (e.g. PCI).
  • Internal – Organizations define policies that apply to their internal operating units (e.g. expenditures exceeding $500,000 require CFO approval).

Relationship to Risk Management

Because most laws, standards, and policies are risk-reactive (i.e., they are enacted in response to, or as a protection against, negative contingencies), compliance is considered an element of business risk management, which may include:

  • Legal risks – Compliance failures could result in litigation
  • Regulatory risks – Compliance failures could result in regulatory sanctions, including fines
  • Reputation risks – Compliance failures could result in reputation damage
  • Competitive risks – Compliance failures could result in competitive disadvantages that extend beyond reputation risk

Compliance Trends

Recent years have seen the following trends in corporate compliance:

  • Risk-sensitive execution – Risk priorities, including nature, likelihood, and severity, guide compliance program definition, management, and execution.
  • Integration – Corporate efforts have already largely shifted from checkbox compliance to sustainability and will continue to migrate towards business process integration, in an effort to find better paths to sustainability.
  • Complex identity (lifecycle) management – More organizations will accept the need for identity management of people and other types of resources.
  • Mobility – Mobile devices and data will challenge all organizations to improve their security and risk management disciplines.
  • Virtualization – As virtual machines gain traction, companies are increasingly facing tricky data protection (particularly PCI) and e-discovery issues.
  • E-discovery – Records retention practices are changing based on a growing body of rulings and court-issued e-discovery protocols.
  • Green policies – More organizations are implementing green policies to reduce energy consumption and pollution.
  • Cybercrime – Criminals will challenge all organizations to improve their security and risk management disciplines.
  • Service Oriented Architecture (SOA) – SOA will continue to make inroads at organizations seeking more adaptable and cost-effective IT infrastructures.
  • Strategic gaps – Most organizations will continue to have serious gaps in their GRC focus areas, mostly revolving around security.
  • SOX – Less stringent and more flexible requirements are leading to less of a single-minded focus on SOX; applying the new rules properly requires more knowledge about the internal state and systems environment.

Compliance Technologies

A wide variety of technologies is used to meet compliance challenges. Many of these technologies intersect or offer overlapping capabilities, and some are in the process of converging. The technology categories below are assuming a primary role in the implementation of compliance solutions; they are high-level categories that subsume other technologies sometimes known by different names:

  • Data management – Data management technology manages structured data, which often reflects business transactions. Improvements to data management technology are being applied to strengthen compliance solutions, including data encryption, data archiving, Enterprise Information Integration (EII), and Event Stream Processing (ESP), which are separate technologies in their own right but which are being integrated with database engines.
  • Content management – Content management technology manages semi-structured and unstructured content such as legal documents and Web content, which may be subject to compliance requirements and may require the maintenance of relationships to structured data.
  • Process management – Process management technologies help define and manage end-to-end processes that translate customer requirements into customer deliverables.
  • Identity management – The identity of resources involved in business transactions must be known. Identity management disciplines must increasingly be applied not just to people but also to applications, services, processes and devices to ensure rogue resources do not impersonate legitimate resources.
  • Security information and event management – Host systems, applications, services, processes, and devices generate security-related information and events that must be managed and reported on in a manner consistent with security policies and compliance requirements.

Governance and Risk Management Implications

Compliance is increasingly part of integrated governance and performance-management disciplines: it is executed as a subset of risk management, just as risk management is executed as a subset of governance. Achieving compliance objectives generally requires improved data-management and content-management capabilities, and therefore improved data-management and content-management disciplines.
