Today, many businesses must comply with various policies, regulations, and guidelines, whether established internally, by a regulatory entity, or as a result of legislation. One example is the increasing number of privacy-related regulations with which businesses must comply. Recent U.S. national laws, for example, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996, provide for regulations which require that risk assessment and management controls be implemented across an enterprise in a consistent manner to protect consumer personal information. The regulations implementing the GLBA, for example, can be found at 12 C.F.R. part 30 et al. and are incorporated herein by reference. Because these regulations place responsibility on the Board of Directors of many institutions for overseeing consistent compliance, there is an increasing need for a comprehensive governance process to assure compliance and to provide visibility into the status of compliance efforts across an entire business organization. For very large and geographically diverse organizations, these requirements can create a significant challenge and resource expenditure.
Historically, efforts to accomplish risk assessment and compliance monitoring have centered on separate systems, without readily available and current enterprise activity reporting that tracks compliance across an enterprise. Additionally, compliance testing can at times uncover areas where improvements or remedial actions must be implemented. Generally, these efforts can lack currency and are sometimes not adequately monitored and tracked over time to demonstrate continuous improvement within the enterprise. Therefore, there is a need for an integrated process and system for efficiently accomplishing and monitoring enterprise risk assessments and for providing management with consistent compliance monitoring.