The economy is not good these days. It’s likely to remain in that state for many months, at least. That poses a serious threat to compliance officers trying to preserve the resources you need to run compliance programs, in the face of CFOs either holding down expenditures or cutting budgets outright.
We can’t fault the CFOs. It’s logical for them to consider budget cuts as revenues fall or other costs rise in unexpected ways.
That said, your compliance program capabilities still matter. A weak program invites risk and regulatory trouble, but more to the point — a strong compliance program helps a business thrive, and is worth the resources even in today’s difficult climate.
So compliance officers need to marshal all the arguments they can to justify that business case. Let’s consider how to do that.
Consider the CFOs’ Perspective
Right now, above all, CFOs want to preserve cash. Close behind, they want to support the operations that generate cash, and ideally, nurture those operations to generate even more cash.
Now, compliance programs don’t generate cash. They never will. Every compliance officer already knows this. Accept that complaint about your program (because rest assured, others will voice it) and focus instead on the compliance program’s strategic value.
The arguments to make are about how a strong compliance program enhances the company’s resilience and responsiveness to risk. That is, a strong compliance program changes how the rest of the company’s operations behave, making those operations sturdier and more reliable — even during a time of crisis.
That’s what CFOs want: operations that can either preserve or generate cash even in today’s difficult, volatile economy. So a strong compliance capability really puts the company in a stronger strategic position overall. That’s the business case for investing in compliance, even when it hurts.
The Arguments to Make
Beyond that strategic framing, compliance officers will still need to provide specific examples of how a strong compliance program benefits the enterprise. Thankfully, you have an array of examples to cite.
Regulatory need. A business doesn’t get to ignore regulatory compliance and IT security demands just because money is tight. Audits, regulatory filings, privacy protections — those tasks will still be done. A company that lets its compliance function atrophy will just do them less efficiently, with more risk of error, litigation, or regulatory enforcement sometime in the future.
So the company might save cash today on direct expense, but ultimately will still sacrifice more in man-hours, lost productivity, and employee turnover. In the worst case, the company might also pay far more money responding to regulatory enforcement actions, complete with monetary penalties and outrageously expensive outside counsel.
Financial prudence. A compliance officer can quantify the practical ROI of automating compliance processes with better technology. For example, you can measure the time employees spend fulfilling a compliance task, and the average personnel costs for those employees. That gives you an estimate of the “cost of compliance” for the task in question.
Then you can estimate the cost of your compliance technology investment, to show how quickly that investment will pay for itself by eliminating those manpower costs. (And remember to include how much additional revenue employees could generate by spending their time on sales rather than compliance operations.)
The math can get a bit complicated, but it’s still just math. Frame the investment in those ROI terms: investment costs, ongoing expenses, labor costs saved — and most important, human capital redeployed to more productive purposes. That is music to the C-suite’s ears.
Strategic advantage. Strong compliance and security programs don’t just fulfill regulatory obligations. They help the business to identify and intercept emerging risks before those risks metastasize into serious problems. That’s the assurance that senior executives (and their bosses in the boardroom) want during difficult times.
For example, today’s sluggish economy drives up the risk of fraud: perhaps employees fabricating transactions so they won’t lose their jobs, or scam artists targeting employees working remotely who might fall for a business email compromise scam. Those are new conditions (sluggish economy, Covid-19) changing your company’s normal fraud risk profile.
A strong compliance program can help companies anticipate those changed risks. It can monitor segregation of duties to identify invoice fraud, or tighten approval processes for wire transfers in our work-from-home world. Strong analytics capability can show you how well those controls are working, and whether the company’s risk management efforts are matching the new risks the world has forced upon us.
That ability to identify and intercept risk, and in turn, your ability to respond to changing business conditions more confidently — that’s the strategic advantage. Take it, before your competitors do.
Reality bites. There’s also the plain truth that employees will still try new business processes and IT systems anyway, with or without proper governance. That’s not a bad thing unto itself; companies should embrace innovation. They should just embrace it wisely, rather than recklessly.
For example, third-party SaaS applications can be great tools. They’re cheap and easy to use, so it’s no wonder that employees flock to them. In today’s world, where CFOs want low cost and employees working from home want ease of use, SaaS tools become even more appealing.
Without sufficient vetting and due diligence, however, the company has little idea of the data privacy and security risks those SaaS tools might bring as employees use them to handle sensitive or confidential data. The employees certainly won’t.
That’s the challenge: it’s getting easier for employees to use technology in a risk-oblivious manner. A “traditional” compliance program, rooted in manual processes and sporadic review of employee activity, won’t be sufficient for that threat.
In other words, your compliance technology needs to keep up with all the other technology your organization adopts. Otherwise the company is inviting more risk — including compliance and security risks that nobody even realizes are there.
The Long Term
Aside from the compelling arguments about regulatory demands, financial prudence, and strategic advantage, one irrefutable point is this: for compliance to become less important, the world will need to grow less risky and interdependent.
Well, somebody explain how that world could come to pass by 2025 or 2030. Because if anything, the world unfolding before us today is growing more risky and interdependent, which will mean more complex compliance and risk management requirements.
So even if the CFO hesitates at investing in compliance today, the business will need to invest in compliance eventually. Building a strong compliance program is really about building an ability to respond to risks with agility and precision. In the fullness of time, those with that capability will thrive. Others won’t.
That’s a point that CEOs and CFOs appreciate, too.
For more guidance on how to build a strong compliance program, check out this article: The Four Signs of an Effective Compliance Program.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Matt Kelly. Read the original post at: https://hyperproof.io/resource/business-case-for-compliance/?utm_source=rss&utm_medium=rss&utm_campaign=business-case-for-compliance