Compliance management in many organisations starts with understanding the regulatory obligations you have and any standards you want to adhere to that apply to your business. The regulations and standards an organisation faces can vary greatly from industry to industry and from country to country. For example, PCI DSS focuses on businesses in the retail sector, and GDPR needs to be considered by organisations operating or doing business within the European Union.
Once businesses have identified the regulations and standards they need to adhere to, they will often:
After the regulatory controls have been defined, the organisation's audit or compliance function (depending on its size) will test the controls, undertake compliance monitoring and provide ongoing advice to the business.
Compliance management is usually owned and operated by what is referred to as the 'Second Line of Defence'.
There are various strategies to address compliance. Often organisations rely on the lines of defence model, as seen above. This strategy gives the board and senior management three clear line functions to rely on, ensuring that the compliance programme is reviewed, tested and challenged independently, first by the second line and then by the third line of defence.