Impact of Legislation/Regulation on Your Approach to Risk

Last year, we saw a significant advance in legislation/regulation surrounding data privacy and protection (e.g. the GDPR and DPA 18) and cyber security (e.g. the EU Network and Information Systems (NIS) Directive). The new legislation will undoubtedly have an impact on your risk tolerance, and balancing your ‘position’ against the impact of such legislation/regulation will require some harmonisation.

For many organisations, it is likely that risks falling outside of their risk appetite will increase based on the financial impacts arising from legislation such as the GDPR. Equally, the societal shift towards greater awareness and expectation around data privacy may also have an impact on reputational risk.

Without question, however, all organisations will need to take on board the fact that there are greater penalties associated with the introduction of new legislation/regulation, which means that risks previously deemed acceptable, or within a tolerance limit, may no longer be. Even in organisations which have a ‘high-risk tolerance’, these impacts are now likely to be unacceptable.

One thing is for sure: with a changing regulatory/legislative environment, let alone factoring in ‘Brexit’, risks must be revisited periodically to establish whether any that have been previously accepted are still acceptable or now require some form of treatment. Furthermore, in some cases, even periodic reviews of risks may not be sufficient. Monitoring for changes to legislation/regulation should trigger a process, over and above the standard review cycle, so that impacts can be considered promptly and the appropriate risk decisions made.


