Truths About Compliance

The ultimate aim of compliance is to deliver a safer, more honest and fairer world – something we all want, but there are practical limitations on what we can do to achieve total compliance.

Compliance costs money: In the 10 years since the tragic events of 9/11 and the collapse of Enron, the business world has become increasingly regulated. From anti-money laundering to anti-bribery, from data protection to diversity, from sexual harassment to risk management – the costs of achieving compliance and the impact of breaching compliance are forever increasing.

Thomson Reuters Cost of Compliance Survey 2011 reports that 71% of the global compliance professionals who responded to the survey said they foresaw that an increase in time and resource would be required to work with regulators…to ensure they were adequately prepared to meet regulatory requirements; 79% of respondents expect that the cost of senior compliance staff will increase in the next year; and 86% of respondents believe that the focus on managing regulatory risk will at least increase in 2011 with 42% expecting the focus to increase significantly.

The Ponemon Institute and Tripwire, Inc. conducted the True Cost of Compliance study to determine the full economic impact of compliance activities for a representative sample of 46 multinational organizations.

The extrapolated average cost of compliance for the 46 organizations in the study is more than US$3.5 million, with a range of $446,000 to over $16 million. Adjusting total cost by organizational headcount (size) yields a per capita compliance cost of $222 per employee. By contrast, the extrapolated average cost of non-compliance for the 46 organizations is nearly $9.4 million, with a range of $1.4 million to nearly $28 million. Adjusting total cost by organizational headcount (size) yields a per capita non-compliance cost of $820 per employee.

Regulatory breach reduces stakeholder value: The Thomson Reuters survey also reports that 73% of respondents expect the total compliance team budget to increase in 2011. This is in clear contrast to the situation two years ago, at the height of the financial crisis, when only 43% of respondents expected an increase. This presumably is in recognition of the intensified regulatory activity and the rising operational, reputational and financial costs of failing to comply, not to mention the loss of business and potential criminal liability.

The Ponemon study reveals that business disruption and productivity losses are the most expensive consequences of non-compliance. The least expensive consequences are fines, penalties and other settlement costs. On average, non-compliance cost is 2.65 times the cost of compliance for the 46 organizations. With the exception of two cases, non-compliance cost exceeded compliance cost.

At the October 2011 MLROs Summit, Daren Allen, Partner, Corporate & Commercial Disputes at Berwin Leighton Paisner, advised that the FSA expects Compliance Officers and MLROs to have sufficient resources and, if they don’t, then they should ask for more! If only it were that easy. The Ponemon study suggested that the gap between the costs of compliance and non-compliance provides evidence that organizations do not spend enough resources on core compliance activities. In other words, if companies spent more on compliance in areas such as audits, enabling technologies, training, expert staffing and more, they would recoup those expenditures and possibly more through a reduction in non-compliance cost.

We all want to know that what we are doing is 'good enough': Many regulations intentionally provide vague or limited definitions. As with the new Outcome Focused Regulation, regulators wanting to provide flexibility deliver confusion and uncertainty. Individual Risk Managers and Compliance Officers are left alone to try to determine the best processes, procedures, controls and tools to adopt and implement.

Out of necessity, Risk Directors, Risk and Compliance Partners and Officers are creating new models like the Online Compliance Consortium to share knowledge and establish industry standards and best practice. In 2004, driven by the possibility of criminal liability, 14 of the world’s leading law firms (facilitated by VinciWorks) collaborated in an unprecedented manner to jointly develop a better, standard-setting AML training solution, at a lower cost to each firm. Today over 150 of the world’s leading firms work together to design and build compliance tools that deliver the optimal return at the lowest cost per firm.

There is no competitive advantage in being the best at compliance: As Fraser Ashman, former Partnership Secretary at CMS Cameron McKenna, put it, "People are sometimes amazed by the idea of a group of senior lawyers and others from major firms coming together to co-operate… However, we realised that there is no competitive advantage in being the most compliant."

For example, the Ponemon Study reported that almost all of the 46 organizations experienced a data breach of some size. The number of lost or stolen records varied widely, ranging from a low of zero to a high of 167,000, with an average of nearly 40,000. However, none of these firms, even if competitive, would in advance of these failures have recognised data security as an area of competitive advantage. There may be a short-term advantage in being the worst at compliance, but it would most likely be a short-term advantage! As Peter Burrell at Herbert Smith put it, "If there is no competitive advantage in compliance then we may as well share!"
