Calculating the return on investment (ROI) for a corporate compliance program isn’t easy. Clearly the potential damage from a cybersecurity threat can be severe: disrupted operations, tarnished reputation, customers who flee to the competition, monetary penalties from regulators.
But those are only potential costs. Compliance program investments, meanwhile, are actual costs, and often substantial ones, at least in the eyes of the senior executives approving the budget.
So how does a compliance officer identify the ROI of compliance? How does one quantify an argument that says, essentially, “Look at all the costs we avoided from a hypothetical disaster that never happened!”
If your organization is struggling to determine compliance ROI, here are three strategies to get you started.
Involve Key Business Leaders
First, when evaluating business risks and the compliance investments meant to address them, involve the right leaders in your organization.
Some of those leaders will be from risk oversight functions in the so-called “Second Line of Defense.” Those executives include the chief financial officer (who knows how much money the organization has) and the general counsel (who knows the legal obligations the company has), and possibly others: perhaps a chief technology officer or a head of internal control, if your business has those roles.
You also need to include leaders from the “First Line of Defense,” otherwise known as the business operating units. These leaders would include the heads of sales, manufacturing, customer service, or research & development — that is, people who know how the business operates. They have a much better sense of which risks are most likely to strike your company, and which compliance counter-measures are most likely to be accepted, ignored, or misunderstood by employees.
Bring those leaders together, and solicit their opinions about probable compliance risks and feasible compliance solutions.
Evaluate Costs and Threats
Work with those business leaders to understand the most significant compliance risks that your organization faces from its routine operations.
For example, all publicly traded companies must comply with the Foreign Corrupt Practices Act, which prohibits companies from bribing officials of foreign governments to win business. Part of FCPA compliance is to perform due diligence on any overseas agents or resellers who might work on your firm’s behalf, since those agents are a common conduit for bribes. If your business performs no due diligence on its agents at all, or only performs minimal due diligence with methods that might be unreliable, you’re at high risk for FCPA violations — and all the monetary fines, profit disgorgement, and legal costs that come with it.
In that case, determining the ROI of a compliance program becomes a cost versus benefit analysis: How much does the company want to spend on technology to automate due diligence activities, versus the potentially high risk of FCPA enforcement and its attendant costs?
Compliance officers should analyze those costs and benefits carefully. For example, if each sales rep spends four hours of a 40-hour week performing manual due diligence procedures, that's 10 percent of each employee's salary and overhead costs devoted to something that isn't about sales. You can calculate that number from data provided by the HR department and include it as part of your cost-benefit analysis.
Moreover, remember that once you invest in automated compliance solutions, those sales execs can then devote more time to sales — which means the company’s revenues can increase more quickly. When you consider the total costs and benefits of compliance, the ROI quickly starts to tilt in favor of effective, automated compliance programs.
We used FCPA compliance as one example, but you can find many more. Data security, accurate financial reporting, supply chain risk management, environmental safety, and many more — you should calculate the costs and benefits of compliance for all those risks. They all factor into the ROI of your compliance program.
Automated Software Is Your Solution
As you can see, measuring the ROI of compliance is difficult. The more a company can rely on automation software to perform compliance tasks, the better insights you have into whether your investments are achieving their full potential — or if not, how to wring maximum efficiency out of those investments before asking the board for another spending approval.
GRC compliance software, through reliable compliance automation, is the most direct way to secure that return on investment.
With ZenGRC, stakeholders, employees, and your compliance team have access to a single source of truth that covers all of your current and future risk areas. The ability to gather documents rapidly and to monitor compliance saves man-hours and reduces the possibility for human error.
Additionally, ZenGRC’s user-friendly dashboards show you at a glance which risks need mitigation; track workflows; collect and store the documents you’ll need at audit time; and more.
Set up a demo today, start building your compliance plan, and increase your return on investment.