Your Risk and Control Framework as an Ecosystem: How to Keep Sustainable Compliance Alive (Part 1)

In Part 1 of this trilogy, we laid the foundation: an integrated risk and control framework with many-to-many connections. But a framework that exists only on paper is a paper tiger (origami). In this second part, I will show you how to keep your compliance efforts continuously effective, using a PDCA cycle. For readability, I have divided it into three blog sections: Intro and Plan, Do and Check, and Act and Summary.

An Ecosystem Instead of a Document

Think of your risk and control framework as an ecosystem. A healthy forest depends on the right balance between trees, plants, animals, water, and sunlight. In the same way, sustainable compliance depends on the interconnection between governance, risks, controls, culture/people, and processes.

Remove one element, or neglect to maintain it, and the system falls out of balance. A control that fails affects multiple risks. An employee who leaves without transferring knowledge leaves a gap. New legislation that you do not integrate disrupts existing measures. A second line that doesn’t communicate with the first misses the signals of what is going wrong, and a last-minute scramble to fix things just before the audit is itself a sign of an unhealthy ecosystem.

From Recording to Understanding

Many organizations have something resembling a framework, but it is often nothing more than a registration system. Risks are documented, controls are marked as “present,” a policy document is uploaded, and a checkmark turns green. When something goes wrong, you discover that the checkmark did not reflect reality.

Sustainable compliance requires continuous understanding: why each control exists, which changes have rendered your risk register outdated, and how changes in one part affect the whole.

The PDCA Cycle: The Engine for a Living Ecosystem

The key to a healthy ecosystem is the PDCA cycle: Plan, Do, Check, Act. It functions as the forest's regeneration cycle: the continuous process that keeps every component in balance and the whole alive.

Plan: Risk Appetite as the Forest Path

The hardest part is often the beginning: where do you start and what do you prioritize when everything seems important?

The solution lies in an established risk appetite and tolerance. How much risk (per type) is the organization willing to take to achieve its strategic goals? Describe this in statements derived from the organization's strategy and objectives, broken down by risk type (strategic, operational, financial, and compliance), and make them concrete with scenarios.

An example: at a medium-sized healthcare institution, an employee accidentally sends a patient file to the wrong address. This happens on average twice a year. The financial impact likely falls within the risk appetite, as fines up to €100,000 can be absorbed. The reputational risk, however, calls for action. The institution therefore invests in email DLP tooling or a secure patient portal.

Risk statements strengthen risk awareness, sharpen focus, and guide resource allocation. They also support decision-making and provide structure to risk management. In addition, they contribute to compliance with legislation, standards, and customer requirements.

For consistent prioritization, you need a risk methodology. Probability and impact are the core elements, but also define objective indicators for the impact categories (financial, reputational, legal), the scaling used, and the organizational context. A healthcare institution, for example, assesses patient safety differently than a software company assesses system availability.

Together, methodology and risk appetite mark the path forward through the forest and enable more detailed planning: what needs to be done, who will execute it, when, and with what priority. By weighing risks in a consistent manner, you can also present them in one overview for management. Difficult conversations about prioritization and resource allocation are inevitable; choices have to be made, and a consistent approach makes it clear to management which risks can be addressed later. The same insight helps you anticipate risks and respond quickly when they materialize.
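The planning steps above (objective indicators per impact category, a scaling, a tolerance per category that depends on the organization's context, and one consistently weighted overview for management) can be made concrete in a small scoring model. The example below is added here and is not code from the author or the blog; the scaling bands, the healthcare tolerance table and the three register entries are constructed assumptions, with the first entry mirroring the patient-file scenario from the text (about two events a year, a fine the institution can absorb, reputational damage it cannot).

```python
"""Consistent risk scoring against a per-category risk appetite (added example)."""
from dataclasses import dataclass

# Scaling tables are constructed assumptions: they turn raw, objective indicators
# (euros lost per event, events per year) into the 1-5 scores the methodology compares.
FINANCIAL_BANDS = [(10_000, 1), (50_000, 2), (100_000, 3), (500_000, 4)]  # EUR per event
FREQUENCY_BANDS = [(0.1, 1), (0.5, 2), (1.0, 3), (5.0, 4)]               # events per year

# Tolerance per impact category: the highest acceptable likelihood x impact score.
# Constructed for a healthcare institution; another organization supplies its own
# table, which is where the "context" of the methodology enters.
HEALTHCARE_TOLERANCE = {"financial": 12, "reputational": 10, "legal": 10}


def band_score(value, bands):
    """Map a raw indicator onto a 1-5 scale; anything above the last band scores 5."""
    for upper, score in bands:
        if value <= upper:
            return score
    return 5


@dataclass
class Risk:
    name: str
    risk_type: str              # strategic / operational / financial / compliance
    events_per_year: float      # objective likelihood indicator
    financial_eur: float        # loss per event, scaled via FINANCIAL_BANDS
    reputational: int           # 1-5 expert score per event
    legal: int                  # 1-5 expert score per event


def impact_scores(risk):
    """Per-category impact of a single occurrence, all on the same 1-5 scale."""
    return {
        "financial": band_score(risk.financial_eur, FINANCIAL_BANDS),
        "reputational": risk.reputational,
        "legal": risk.legal,
    }


def assess(risk, tolerance):
    """Score each category, compare it with the appetite, and flag where action is needed."""
    likelihood = band_score(risk.events_per_year, FREQUENCY_BANDS)
    scores = {cat: likelihood * imp for cat, imp in impact_scores(risk).items()}
    ratios = {cat: scores[cat] / tolerance[cat] for cat in scores}
    return {
        "name": risk.name,
        "risk_type": risk.risk_type,
        "likelihood": likelihood,
        "scores": scores,
        "action_required": sorted(cat for cat, r in ratios.items() if r > 1.0),
        "priority": max(ratios.values()),   # worst category relative to the appetite
    }


def management_overview(risks, tolerance):
    """One consistently weighted list for management, most urgent first."""
    return sorted((assess(r, tolerance) for r in risks),
                  key=lambda a: a["priority"], reverse=True)


# Constructed register; the first entry mirrors the healthcare scenario in the text.
REGISTER = [
    Risk("Patient file sent to wrong address", "compliance", 2.0, 60_000, 4, 2),
    Risk("Ransomware on file server", "operational", 0.2, 800_000, 5, 3),
    Risk("Unlicensed software in production", "compliance", 1.0, 30_000, 1, 4),
]

if __name__ == "__main__":
    for entry in management_overview(REGISTER, HEALTHCARE_TOLERANCE):
        print(f"{entry['priority']:.2f}  {entry['name']}: "
              f"action on {entry['action_required'] or 'nothing, within appetite'}")
```

For the patient-file risk the financial score lands exactly on the tolerance (within appetite) while the reputational score exceeds it, which is the conclusion the scenario in the text reaches; because every risk is scored the same way, the overview also shows management that the ransomware entry, despite its larger single-event loss, currently sits within appetite and can be scheduled later.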

Work with a rolling roadmap (possibly using agile methods) that you review each quarter, with prioritization, capacity planning, and built-in trigger events for new legislation or incidents. The future lies in continuous monitoring rather than periodic control execution. A forest stays alive through the balance of all its elements, and sustainable compliance works the same way: it thrives when governance, risks, controls, people, and processes keep reinforcing each other.

In the next blog, I will further elaborate on the Do and Check steps.
