It will come as no surprise to many within highly regulated industries, such as energy or finance, that the cost of compliance always seems to be on the increase. Businesses may find themselves questioning whether the cost is proportionate to the risk and consequences of non-compliance. Unlike other investment decisions, meeting the increasing costs of compliance isn’t easy to equate with an increase in profit and it can prove tricky to write a business case in companies where everything comes back to the bottom line.
If recent global trends are any indication, the return on investment (ROI) of compliance and good governance, risk management and compliance systems (also known as GRC systems) means that they are always worth the cost – regardless of your organization size, current compliance levels or business objectives. RegTech (regulatory technology) is a key tool that enables businesses to implement efficient GRC’s, ensuring a profitable ROI for compliance. With compliance costs sometimes accounting for 5-10% of revenue for many large companies, using technology to reduce these overheads is an easy pathway to pleasing stakeholders.
What benefits make up the ROI for compliance?
In many organizations, compliance is viewed as an exercise in avoiding negative consequences. From that perspective, compliance management systems are effectively seen as insurance policies that only pay out when something goes wrong. While many of the up-sides of a GRC system can be seen as avoided costs when only viewed narrowly, introducing a proactive compliance management culture to an organization has a number of very real and ongoing benefits.
The real benefits and avoided costs of regulatory compliance include:
- Efficiency gains
- Avoidance of non-compliance costs
- Reduced external legal costs
- Reduced internal staff and management involvement
- Minimizing operational downtime
- Improved stock value
- Maintaining stakeholder confidence
Let’s look at each of these in some more detail.
Having a single compliance and risk solution across the breadth and depth of an organization provides gains in efficiency, transparency, and reduces daily operational costs. When compliance controls are performed in silos, the business is unable to benefit from the potential wider applicability of existing work or solutions and may even have units throughout the organizational structure that ‘reinvent the wheel’ on a regular and ongoing basis. Variances in application of people and technical resources in different parts of the business can result in higher risk in certain areas that may not be readily identifiable.
Siloed costs of compliance are often hidden at a low level of budgeting, so businesses may be spending significantly more man-hours and costs on duplicated systems and compliance work than they think. Centralizing information in a single central repository allows individual control measures to be reused or adapted as required, decreases wasted time, improves inefficiency of administration, and creates more up-to-date information that is easily accessible and shared. In a world where time is money, avoiding excess time spent on tasks that could be easily achieved through the use of a good software system is an easy to realize efficiency gain.
Avoidance of non-compliance costs
Making a late filing or breaching a requirement is not an act most organizations would intentionally commit. However, these things happen in the most diligent companies, even with the best of intentions and staff actively working to prevent them.
Constantly changing legal obligations only add to the difficulties of a business working to stay legally compliant – often organizations learn of new laws or regulations with limited time to implement changes in their procedures, which can put their day-to-day operations at risk of being in breach. Investment in a robust compliance and risk management system ensures the business can communicate changed compliance requirements impacting their operations immediately. A system that also makes it easy for appropriate controls to be applied where required throughout the organization makes it easy to avoid the expensive (and unnecessary) fines that often accompany non-compliance.
Reduced external legal costs
External legal costs in any industry have a well-deserved reputation of being analogous to signing a blank cheque. Senior barristers can charge clients around $10,000 per day for court appearances. Those working in a specialized field can charge as much as $25,000 per day. These fees are in addition to all of the preparation fees that go into taking a case to court, which are also significant. Needless to say, prevention is always the best policy when it comes to avoiding excessive legal fees.
Reduced internal staff and management involvement
Compliance failures aren’t just costly for businesses in terms of fines and legal fees – they also take up time of staff and management, usually at the expense of their core duties, to deal with the fallout from the breach and ensuring it doesn’t happen again. Incident reports, paperwork, investigation and remediation costs, loss of business and trying to salvage a business’ reputation are all factors that use up staff time and resources, both immediately following the incident and in the future. The upfront investment in a compliance and risk solution avoids these impacts on core business on an ongoing basis.
Robust GRC systems increase compliance rates and avoid and mitigate risk, but they also reduce both the cost of audits and the chance of finding things that need addressing. When all company compliance information is current, structured and readily accessible, auditors can plan shorter audit cycles, saving you both money and time.
Minimizing operational downtime
In may sectors, compliance failures can lead to downtime in operations or production that can be both unpredictable and costly. It is often impossible to know just how long a site, facility or personnel will be unable to work, yet have to remain on standby, while the breach is being dealt with. Not only can this result in lost production time for the business, but it also means increased (and wasted) operational costs.
Improved stock value
The impacts on both shareholder and other stakeholder confidence and stock value following a compliance breach are easy to predict: the value of the business will undoubtedly drop, particularly if the breach is a major one. What’s really worth noting though is how this drop is expressed: a study that analyzed companies on the New York Stock exchange found that immediately after a breach, stock prices dropped around 0.43%. This is in line with a usual fluctuation in daily prices, so nothing to be too worried about. The real damage to the business came in the long-term – before a breach, the businesses studied experienced an average stock value increase of 45.6% across three years. In the same period following the breach, the businesses only experienced stock value growth of 14.8%.
Investing in a good quality, reliable compliance and risk system can be seen as an essential step in reducing the chances of the kind of catastrophic stock losses that can occur as a result of serious compliance breaches.
Maintaining stakeholder confidence
Although harder to quantify than impacts on stock value, reduced stakeholder confidence can cripple any business following a compliance breach. With social media, the response to a company who fails to maintain its legal and social licence to operate is swift and global.
Any system that a company can implement that allows it to demonstrate to stakeholders that it is serious about avoiding not just compliance breaches and operational risks, but also the potential social or environmental impacts that they entail, goes a long way to generating genuine confidence amongst the company’s stakeholders and the broader public.
Overall effectiveness of GRC systems – are they only for large enterprises?
GRC solutions come in a variety of shapes and sizes. Some can be implemented at any scale, as the systems can be tailored to suit both the size, nature and goals of a company. Both public and private companies and not-for-profit organizations can benefit from allocating resources into a GRC system to manage their legal risk and obligations successfully.
Given the potential for significant penalties, these can be company-breaking for smaller companies and private companies, especially when investor confidence is vital to the company’s success. While the immediate fine may have a proportionally smaller negative impact on the value of a larger company, a negative reputation is much harder to pay off. Once a business has a tarnished reputation for breaching regulations and loses stakeholder confidence, its stock value will decrease growth long-term, and the business profit will drop.
The bottom line: is the ROI worth it?
In industry sectors where there has been an established uptake of GRC systems, the research shows significant financial benefits resulting from their use.
GRC programs are crucial for industries with complex or often-changing legislation, as they introduce efficiencies throughout an organization that are difficult or impossible to achieve through other means.
The ROI from the levels of compliance that compliance and risk systems produce means that they pay for themselves many times over, freeing up personnel from carrying out low level administrative tasks and duplicating effort to spending time on value-add activities. We all witness on a daily basis through the media, the effects that bad compliance and risk management can have on business; it can be financially crippling, have long-term negative effects on stocks, and irreparably damage stakeholder confidence. Businesses introducing GRC systems can be assured that not only are they making a smart competitive move, but their ROI will pay dividends both now and in the future.