Risky business: Expert insights on risk management in compliance 

With the ever-growing list of online and offline threats organizations face today, it can be difficult to know the best ways to approach risk management for your organization. Yet, if left mismanaged or unaddressed, businesses could face legal penalties, financial losses, and reputational damage.

To help, we asked four infosec compliance experts at Thoropass to share their top tips and best practices to keep in mind.

Meet the experts

  • Cristina Bartolacci, Senior Compliance Strategist: An early Thoropass employee, Cristina is well-versed in everything Thoropass and information security. With specialties across frameworks and broader interests in privacy and cybersecurity, she guides customers through building scalable and audit-proof programs that will be continuously compliant.
  • Dana Mueller, Strategic Compliance Evangelist: Dana is an accomplished leader with experience shepherding organizations through growth-centric challenges, building diverse teams and complex systems, and fostering rapid iteration. He focuses on ensuring security, risk, and privacy are at the forefront of thought leadership and innovation and cost-efficiently meet business objectives.
  • Jay Trinckes, Director of Compliance/CISO/DPO: Jay has two decades of experience in cybersecurity and privacy. He advises organizations on security and privacy issues and specializes in privacy, healthcare, medical devices, government, banking and credit unions, and regulatory requirements, including HITRUST, HIPAA, GDPR, and CPRA/CCPA.
  • Kevin Siriyarn, Product Manager: Dedicated product manager for the Risk Register product offered at Thoropass with deep technical knowledge of how risk management works behind-the-scenes.

What is risk in compliance?

First, let’s set a foundation that underscores the interconnected nature of compliance and risk within an organizational context. Risk in the infosec compliance space has to do with “regulatory, contractual, or other obligations,” according to Thoropass Director of Compliance, CISO, and DPO, Jay Trinckes.

However, recognizing that risk extends beyond technical aspects to encompass broader dimensions is crucial for a comprehensive risk management strategy. According to Cristina Bartolacci, Senior Compliance Strategist, “Risk is a very broad term, but one that is absolutely critical to the compliance space. You cannot be secure or compliant without considering risk—and this isn’t just limited to technical or security risks! Compliance risk is a holistic, 360-degree view, including business risk, governance risk, regulatory risk, etc., AND security risk. You must consider all forms of risk when it comes to compliance.”

Dana Mueller, formerly Thoropass’ Strategic Compliance Evangelist, reiterates that “compliance risk isn’t standalone. Risk Management encompasses all aspects of a business and technology.”

How does risk vary across industries?

The discussion on industry-specific variations in compliance risk emphasizes the nuanced nature of risk across diverse sectors. It highlights the critical link between the nature of the industry, the sensitivity of the data involved, and the corresponding levels of inherent risk and risk appetite.

Cristina pointed out that “risk varies from industry to industry…For example, if you operate in a highly regulated industry such as healthcare, you may come into contact with the most sensitive types of data as part of running your business. This means your inherent risk and risk appetite are larger than someone operating in a less sensitive space.”

Beyond your organization’s risk landscape, you must also consider regulations for your unique space. As Jay Trinckes explains, “Each industry may have different regulatory requirements. For example, healthcare has HIPAA regulations requiring compliance with certain administrative, physical, and technical safeguards.”

Expert tips for risk management

Building on the foundational understanding of compliance risk, these best practices serve as actionable steps for effective risk management. Regular assessments, identification of risk owners, and the adoption of established compliance frameworks are essential components for mitigating and managing compliance-related risks.

As Thoropass’s dedicated Risk Register Product Manager, Kevin Siriyarn has the benefit of hindsight. He stresses the importance of keeping your finger on the pulse of risk management and offers this advice: “Meet regularly to address previous risks, mitigation activities, and discuss new risks.”

Cristina has seen many customers learn from their successes (and failures) and echoes what Kevin had to say, adding that “Best practices for compliance risk management include a consistent and periodic assessment of risk, risk owners based on the area of the business, and implementation of a compliance framework, such as SOC 2 or ISO 27001, which will help mitigate risk.”

As always, Jay homes in on the importance of remembering the specific needs of your industry. He advises that you “understand the industry you work in. Understand the regulatory (and/or contractual) obligations your organization is required to meet. Understand standards, frameworks, and industry best practices. Develop good policies/procedures to maintain compliance and evidence of implementation to demonstrate compliance.”

Future challenges to anticipate for risk management

While we don’t have a crystal ball to gaze into, we can offer you our best expert predictions for what’s to come for risk management. Looking ahead, the experts point out future challenges in the form of potential blind spots and evolving security landscapes. The imperative to gain a comprehensive view of organizational risk and the dynamic nature of security and privacy concerns underscores the need for continual vigilance and adaptability in risk management practices.

Cristina’s prediction: “I have always believed that not having a clear understanding or view of your whole risk picture is your greatest weakness as an organization. This allows for surprises and unforeseen problems that could have oftentimes been prevented should more due diligence be practiced.”

Jay’s prediction: “Always remember: You don’t know what you don’t know, especially in an ever-evolving security and privacy environment.” Don’t forget to stay connected, informed, and always assume there’s room to improve.
