Few compliance officers will be surprised by a new survey out from Thomson Reuters that finds compliance departments at financial firms are struggling under a heavy workload stemming from new regulatory demands. What is surprising is just how burdened they are.

A recent survey of 337 compliance practitioners from financial services firms conducted by Complinet Thomson Reuters GRC found that almost one third of all compliance teams spend more than one day every week tracking and analyzing regulatory developments. And 15 percent spend more than one day per week creating and amending compliance reports for the board.

“Compliance officers not only need to track regulatory change but also to stay up-to-date with where that change is coming from and how best to influence it on behalf of their firm, which creates further demands on resources,” noted Stacey English, head of the regulatory affairs team at Thomson Reuters and author of the study.

That rapid pace of change cascades into other compliance functions. Almost 40 percent of respondents said they spend at least half a day every week updating and amending their policies and procedures to reflect the latest regulatory requirements. That activity produces more additional work, such as associated communication and training, plans to monitor compliance with new policies, and the need to maintain an audit trail of changes.

“The amendments driven by rule changes will only be one part of the ongoing updates to policies and procedures, with other amendments being driven by new business activities or lines as well as the actions that arise out of monitoring work,” said English.

While financial firm compliance departments report that they are swamped, they see little relief in sight. The majority of respondents (83 percent) expect the amount of regulatory information published by regulators to increase. That will only push costs higher. Indeed, 79 percent of respondents are planning for an increase in the cost of senior compliance staff in the next year. “At the end of the day when a decision needs to be made, you want someone in the role who understands the risks associated with making that decision,” says Trevor Hughes, president and CEO of the International Association of Privacy Professionals.

Additionally, 73 percent of respondents expect the total compliance team budget to rise this year, which reflects intensified regulatory activity and the rising operational, reputational, and financial costs of failing to comply. Two years ago, even at the height of the financial crisis, only 43 percent of respondents expected an increase.

Non-Compliance Cost

With the cost of compliance going up, some companies might be tempted to cut corners. Bad idea. That's because a separate study found that the cost of non-compliance is even higher.


IT services provider Tripwire and the Ponemon Institute, a data protection research organization, interviewed 160 functional leaders at 46 multinational companies to determine the full economic impact of compliance activities. The study found that companies spend an average of $3.5 million on compliance and an average of $9.4 million on problems caused by non-compliance—a dramatic $5.8 million difference. The study's authors say the findings demonstrate the value of investing in compliance activities to prevent non-compliance issues such as business disruption, productivity and revenue loss, fines, penalties, and legal costs.

“Many would try to characterize compliance as a cost center, as a necessary evil within organizations, and as something that just has to be done,” says Hughes. “I think that is an unsophisticated view of compliance.”

Business disruption and productivity losses are the most expensive consequences of non-compliance, while the least are fines, penalties, and other settlement costs. The most costly compliance activities were data protection and enforcement activities, while policy development and communications resulted in the lowest expenses.

The Ponemon study also found that increased auditing is correlated with lower compliance costs. “When you do audits and you do them well, you're basically more proactive in managing your risk, and so the end result is that the total cost you spend on compliance is less,” says Larry Ponemon, chairman and founder of the Institute that bears his name.

The findings also show a positive correlation between the percentage gap between compliance and non-compliance costs and the number of records lost or stolen during a 12-month period. “While data breaches themselves are not really directly related, they are certainly a large portion of the non-compliance cost for these companies,” says Rekha Shenoy, Tripwire's vice president of strategy.

COST OF COMPLIANCE

The following chart from the Ponemon Institute shows the total compliance cost by industry in millions of USD:

Industry                 Compliance Cost (millions USD)
Energy                   $24.09
Transportation           $17.98
Industrial               $17.44
Financial Services       $16.01
Pharmaceutical           $12.77
Consumer Products        $12.44
Technology               $11.89
Public Sector            $10.20
Communications           $9.97
Retail                   $9.24
Healthcare               $8.86
Education & Research     $6.83

Source: Ponemon Institute Report.

Results also showed that compliance costs varied by industry. Those in heavily regulated industries, not surprisingly, tend to spend more on compliance. In the survey, energy ($24 million), transportation ($17.9 million), and industrial ($17.4 million) spent the most on compliance. Healthcare and education spend the least.

In the survey, respondents reported that they view compliance with legal and regulatory requirements as more important than compliance with internal policies and procedures. Shenoy says they may have it backwards: “What they really should be doing is building their own internal policies, and mapping them to all these different compliance initiatives so that they are doing the right thing for security, and compliance is a byproduct.” Shenoy says that companies that tend to take a checkbox approach with regulations usually put more emphasis on legal requirements than internal policies, doing only the basic minimum to comply.

Compliance with PCI DSS, various state privacy and data protection laws, the European Union Privacy Directive, and Sarbanes-Oxley ranked the highest on the list of laws and regulations companies struggle with most.

“They are struggling with the fact that compliance is not black and white right now,” says Hughes. The number of laws and regulations, their complexity, and the reality that they are constantly being changed and updated all translate into an “incredibly unpredictable environment when it comes to public policy and compliance,” he says.

Ponemon says a focus on security can help, and he says companies with a strong security posture have lower non-compliance costs. “Most people immediately think it's technology, but the reality is it's technology and people and process and even policies that actually lead to a higher security effectiveness score,” he says.

Companies that take the time to audit, manage, monitor, and better control their data inevitably find either inefficiencies to fix, or efficiencies that can be gained, says Hughes. “The process of compliance ultimately results in the process of self-examination and better management,” he says.