Struggling to articulate the cost of non-compliance? An auditor’s view on how to champion regulatory technologies

Building a business case for compliance tech? All the information you need on why non-compliance ends up costing your organization more than compliance.
Date posted: 18 May 2022

In today’s increasingly regulated environment, an organization’s cost of achieving and maintaining compliance is significant…

But did you know the cost of non-compliance is higher?

In this article, Kainos’ Head of Audit Nick Stone looks at the total cost of non-compliance to your business, why it goes beyond just the fines, and how to better communicate a business case for compliance technology in your organization.

Have you ever tried to explain the importance of something that might happen? Leave 30 minutes earlier because the security line might be long. Pack an umbrella because it might rain.

Influencing others to take present action to manage possible future events is not easy. 

As an auditor of over 20 years, I think navigating this challenge is the heart of effective risk management – and the heart of budgeting for effective risk management.

In this series of articles, I explore how to communicate the need for compliance technology, an increasingly important component of progressive risk planning. 

Compliance technology can mitigate risks and improve audit outcomes with lower effort. But how does the cost of compliance stack up to potential risk events?  How can we build a compliance technology business case and influence budget owners? 

In my approach, I leverage industry metrics and accepted benchmarks to measure costs of non-compliance to start a conversation. 

But ultimately, risk management is about more than just cost – culture, competition and trust are also important. 


Compliance Requirements are on the rise

Compliance is the outcome of following the rules. Regulatory compliance relates to the local, state, federal, and international laws and regulations relevant to an organization’s operations. In my opinion, compliance can be, and arguably should be, the byproduct of effective risk management.

As a rule of thumb, regulatory risks and compliance requirements are rising across the board. Regulations increase with business size and complexity, evolving business technology and changes in the political landscape. But even though regulations vary significantly by industry, the rising regulatory tide is now affecting most organizations. 

In the US alone, evidence of the rise is clear in the Federal Register (which publishes new federal regulations). For the past 20 years, over 3,000 rules were added annually – that’s a 7.6% annual growth rate.

And recent regulator activity indicates that the trend is expected to continue. To highlight just a few examples:

  • European data protection authorities issued fines totalling nearly EUR 1.1 billion (USD 1.2 billion) in 2021 – a sevenfold increase over the prior year.
  • New privacy regulations similar to GDPR are currently in place in 4 US states (CA, VA, UT, CO) and are proposed in the majority of other US states.
  • In fiscal year 2021, the SEC obtained judgments and orders for USD 2.4 billion in disgorgement and USD 1.4 billion in penalties – a 33 percent increase over prior year penalties.
  • In fiscal year 2021, the OCC issued USD 1.1 billion in civil penalties – the highest amount in five years.

What does the cost of compliance entail?

An organization’s cost of compliance is the sum of all the expenses incurred to adhere to industry regulations. Top categories are:

  • Information systems and compliance technology
  • Incident response
  • Audit (external and internal)
  • Public relations & communications
  • Program management and training

Since the financial crisis of 2008, operating costs spent on compliance have increased over 60 percent for certain industries. Some studies place the cost of compliance at USD 10K per employee for the average organization, but that figure is now likely understated given today’s regulatory landscape.

Without a holistic view of non-compliance risk, organizations may focus too much on near-term compliance costs.

How well organizations manage compliance risks (and costs) is increasingly a competitive differentiator, affecting revenues, margins, reputation and customer experience. Therefore, articulating the relationship between current period costs and future risk impact is at the core of effective risk management.


Using Cost of Non-Compliance in your Business Case

If compliance is good for business, that suggests non-compliance is not.

Because compliance costs keep rising, organizations must frame both the value of compliance and the cost of non-compliance when making investment decisions that mitigate compliance risk. From my perspective, the costs of non-compliance are both direct and indirect.

  • Direct non-compliance costs include: fines, fees and penalties, losses due to fraud, increased audit costs, lost financing, increased cost of capital, and lower stock value.
  • Indirect non-compliance costs are harder to quantify, but likely more significant. They stem from: lost productivity, business disruption, reputation damage (customer, supplier, and employee), lost revenue, people costs (retention and recruiting), increased cost of sales (goods, services, supplier relationships), and damage to corporate culture/identity.

Some metrics suggest that costs associated with regulatory non-compliance can be almost 3 times the cost of compliance.

While hard to prove, just consider the following data points:

  • The estimated, fully loaded cost of data security and privacy non-compliance incidents is USD 15 million – driven by the indirect costs of business disruption and lost productivity.
  • The average GDPR privacy fine in 2021 was EUR 2.9 million.
  • The average SEC enforcement action amount (penalty or disgorgement) was USD 6.7 million in fiscal 2021.
  • Average audit fees increased to USD 2.5 million, driven by M&A activity, COVID and emerging risks – and external audit fees are expected to increase further at 62% of organizations this year.
  • A single internal control deficiency can cost over USD 20K in auditor costs, consulting costs and diverted productivity.

Understanding these direct costs of non-compliance is a critical first step in defining a business case for making compliance investments. 


The Case for Compliance Technology

Changes in systems, processes and internal controls are needed to make compliance efforts more efficient and more effective. Without them, simply keeping up with regulatory requirements will result in a linear increase in compliance costs.

Key trends in the industry helping to enable compliance at scale include data analytics, data manipulation (ETL) and data visualization technologies.

Governance, risk and compliance (GRC) platforms are also being successfully deployed to thread common controls across regulatory requirements, optimizing the effectiveness of control systems, limiting the risk of non-compliance and streamlining the audit process. Internal control automation is also playing an important role in helping organizations design and efficiently execute key internal controls in their core business systems.

So, when it’s time to make your case to transform your internal risk function, it’s worth bringing to the fore that while the cost of compliance is high, the cost of non-compliance is simply higher.

Why not try our ROI calculator to help you start a realistic conversation about the business case for Workday compliance technology? Find out how much you could save, or avoid, per year by investing in Workday control automation.