Each year, the compliance professionals who act on behalf of MYOBI discuss with management the expected outcomes of the compliance approach. It is recommended to align the timelines of the compliance approach with those of the financial and tax accounts. MYOBI offers various tools to organise the accountability process, but the company itself must operationalise them.
Agreeing on timelines depends on how effectively the business activities are organised into business processes in which management and security measures are included "by design" and supported by IT. With the help of a risk analysis, management determines the current maturity levels and states its ambitions. Insight into the status quo and the ambitions makes it possible to organise the compliance approach in line with the other accountabilities.
Making an inventory of business activities and gaining insight into how those activities are organised into business processes can be done quickly and effectively. The subsequent execution of the risk analysis, however, requires expertise. An analysis can cover the entire company or be carried out per business unit. For a small or medium-sized company, one risk analysis may be sufficient to gain insight into the risks. In a company with different business activities and different processing of personal data, however, choosing multiple risk analyses may be the better option.
Based on the risk analysis (or analyses), it is determined how frequently the maturity level of each control objective must be assessed. The control objectives are included in the assessment frameworks. It is therefore advisable to use the assessment frameworks for each risk analysis and to determine the assessment frequency for each.