Compliance may be viewed as adherence to the laws, regulations, standards, guidelines, and other specifications relevant to an organization’s business.106 Consequently, compliance risk—or, more accurately, the risk of noncompliance—is associated with civil punishment, either through regulatory penalties or through possible tort action arising from negligence due to a general failure to comply with applicable requirements. Typical compliance requirements include legislation such as the Dodd-Frank Act, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification,107 and industry specifications such as the Payment Card Industry Digital Security Standard (PCI-DSS). In some cases there may also be a risk of criminal punishment, as with Sarbanes-Oxley (SOX).

Consequently, organizations manage the risk of noncompliance simply by complying with the requirements. For example, if a covered entity is required to have a privacy officer, then it either has one or it does not; it is essentially a ‘Yes or No’ proposition. For more complex requirements, such as the encryption of portable devices that contain sensitive information, an organization could very well be only partially compliant if, for example, it cannot demonstrate that every device containing such information is encrypted.

When considering whether or not to comply with a law, regulation, standard, guideline, or specification, most organizations typically weigh the operational and financial impact from implementing the requirement against the likelihood of noncompliance being discovered and the subsequent operational, financial, and reputational impact that would result.

Other types of risk—such as the operational, financial, and reputational risks from an actual loss of confidentiality, integrity, or availability—are simply not a normal part of the compliance equation. This explains why compliance risk is treated as a separate, specific risk in many, if not most, enterprise risk management models.

HITRUST addresses compliance risk by including control segments (formerly known as industry segments) in the HITRUST CSF that address specific regulatory requirements such as those found in the HIPAA Security Rule, which may then be incorporated into a HITRUST CSF control specification or HITRUST assessment by selecting the appropriate regulatory risk factor.

Another aspect of compliance has to do with the idea that some assessments are not risk-based, i.e., the requirements are generally static or ‘one size fits all,’ which could result in a ‘check-box’ type of assessment if applied blindly to any organization regardless of its circumstances. Obvious exceptions include static assessments that are specifically meant to address particular types of assurance requirements, e.g., an assessment used to evaluate an organization’s implementation of good cybersecurity hygiene practices as part of a third-party qualification process.108 However, any assessment in which the control requirements are generated based on risk—such as an assessment based on a fully tailored NIST SP 800-53 security control baseline or a HITRUST control specification—cannot be construed as a compliance assessment, even though each control is assessed for compliance with a standard with respect to its implementation. This is because such an assessment is meant to determine the amount of deviation—i.e., excessive residual risk—that exists from an organization’s risk target as defined by its target profile.

106 For more information on compliance and compliance-related risk, see Cline, B. (2018, Apr). Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection: Why framework-based risk analysis is crucial to HIPAA compliance and an effective information protection program. Frisco, TX: HITRUST. Although the discussion centers around HIPAA compliance, the concepts in the paper can be applied to any type of regulatory compliance.

107 HHS (2013, Mar). HIPAA Administrative Simplification Regulation Text: 45 CFR Parts 160, 162, and 164.

108 See Cline, B. (2022, Feb). HITRUST Third-Party Risk Management (TPRM) Methodology: The Qualification Process – A streamlined approach to qualifying a third party for a business relationship leveraging the HITRUST CSF and Assurance Program. Frisco, TX: HITRUST.