A Corporate Compliance Insights article written by Peter Merkulov recently caught my eye because of its breakdown of the hard costs of compliance – and noncompliance. The title is “The True Cost of Compliance,” and the subject is the December 2017 report issued by Globalscape and Ponemon Institute called “The True Cost of Compliance with Data Protection Regulations.” Mr. Merkulov is the chief technology officer at Globalscape, and as of this date I have not made his acquaintance, but he plucked thoughts right out of my brain with this quote:
“Unfortunately, there are organizations who elect to delay compliance efforts because of the associated costs. In so doing, they risk incurring large fines and the loss of customer trust, as well as damage to their reputation, all in an effort to avoid compliance-related expenditures.”
He then backed this statement up with hard numbers. In my effort to share my passion for building effective compliance programs, I have often described their ability to enhance corporate culture. And I do truly believe that a compliance culture is a culture of trust, accountability, and openness for which most companies at least say they are striving. But let’s go ahead and focus on the hard cost data. After all, it takes all kinds to lead on compliance – the “quals” and the “quants,” as it were.
Now, to be crystal clear, the study cited and Mr. Merkulov’s article are focused largely on data compliance. But the overall conclusion – it is significantly more expensive to not comply than comply – is certainly valid across all compliance spectrums.
The cost to comply includes costs associated with personnel, audits, training programs, legal expertise, policy development, incident response plans, technology, and the like. The average cost to comply is pegged at $5.47 million for fiscal year 2017; the average cost of noncompliance, however, is almost three times as much at $14.82 million. Mind you, these numbers are averages, with highly regulated industries such as energy, health care, and financial services skewing high on both the cost of compliance and the cost of noncompliance. However, if you focus on the fact that, on average, the cost of noncompliance is three times that of building a proper compliance framework and culture, the efficacy of focusing on compliance is clear.
If you are not convinced yet, consider these additional data points. Most people focus on the fines, penalties, and other legal costs as the greatest cost of noncompliance, yet the statistics in the Globalscape study show that the costs of business disruption, productivity loss, and revenue loss absolutely dwarf the penalty category.
The good news is that the study also illustrates that a few best practices lower total compliance costs. Deploying a centralized governance program is shown to reduce compliance costs by slightly more than $3 million, while conducting compliance audits reduces total compliance costs by slightly less than $3 million. In all, 12 best practices reduce total compliance costs by more than $18 million.
So, if you are looking for a reason to take your first step or the next step in your organization’s compliance program, and culture is just not quantifiable enough, you will join us in being thrilled to see hard numbers enabling compliance professionals to sell the imperative to act to those who hold the purse strings.
Most encouraging is that many of the best practices are relatively simple to achieve once the imperative is established. In the spirit of spring and my bike that is calling me from the wall where it is gathering dust – there is no reason for any entity at this point in time to recreate the wheel. Rather, today’s compliance professionals need not even grab the fastest wheel. Just grab the wheel at the back of the pack and start moving up the pace line wheel by wheel. Then hang in the middle and enjoy the ride knowing that you have minimized costs to your company.
This alert was written by Jane Lewis-Raymond when she was a partner at the firm.