In business, the calculation of return on investment (ROI) is used for the purpose of evaluating the profitability of an investment compared with its alternatives. ROI is expressed as a percentage computed by dividing an investments’ net profit (or loss) by its initial cost or outlay. This calculation while simple allows for an apples-to-apples comparison to rank projects, assets, along with compliance efforts.
The cost of compliance has traditionally been estimated between 8 and 12% of an organizations operational budget. This cost is considered in much the same way as paying premiums for insurance policies. The return on investment can be calculated as the cost of the premium compared with what the policy pays out.
Using an insurance model approach for compliance ROI is very common but suffers from inherit limitations. One of which is that there is sense that the pay-out should be discounted since it may never be needed. As a result, the benefit from compliance efforts is perceived as low no matter how potential loss might exist.
In the same way that companies work at reducing the cost of insurance premiums they do the same for the cost of their compliance effort. The return on investment isn’t perceived as high enough to consider compliance as a real investment, of course, unless something “bad” happens.
A Comprehensive Definition for Compliance ROI
The insurance model fundamentally considers compliance risk as if it were mostly caused by random events outside a company’s control. This kind of risk is connected to what is known as, “Aleatory Uncertainty” which has to do with chance or natural variation. This kind of risk is best addressed using margins which is what an insurance policy provides.
However, when it comes to achieving broader stakeholder objectives, compliance risk is connected more with operational factors of the organization. These risks are a result of what is called “Epistemic Uncertainty” which has to do with a lack of knowledge or know-how. This risk is reducible and handled by investing in measures to buy-down risk to reduce risk below what the organization tolerates.
Determining return on investment these kinds of risk is done by accumulating the cost of each measure compared with the effectiveness that each measure has on risk prevention and mitigation.
In other words, it is the cost of making certain that obligation goals and objectives are achieved compared with the cost not doing so which is the cost non-compliance, materialized or not.
While traditional compliance ROI is highly discounted and perceived as small, the ROI associated with buying-down risk compared with the savings incurred by avoiding the impact of non-compliance will be much higher. In fact, effective measures might save the entire business itself (e.g. Enron) or the loss of customer and stakeholder trust (e.g. Volkswagen Dieselgate). The loss of trust is often irreparable and worth protecting at any cost.
It is worth noting that insurance does not cover you for not knowing or not having the “know-how” to buy-down operational risk. Instead, organizations need to build capability through risk and compliance programs to adequately buy-down operational risk. The effectiveness of these programs is perhaps the best measure for compliance ROI.
The following diagram outlines common areas to buy-down compliance risk along with essential measures to improve the probability that risk is reduced.
Organizations with effective risk & compliance programs will evaluate the impact that these uncertainties have on meeting all their stakeholder obligations:
|· Not knowing all your obligations|
|· Not managing all your obligations|
|· Not knowing which ones are applicable|
|· Gaps in compliance coverage|
|· Not knowing when the lines have changed|
|· Losing track of your obligations|
|· Not knowing where your gaps are|
|· Not knowing if you are in compliance|
|· Not having sufficient expertise|
|· Not knowing if all obligations are being audited|
|· Not meeting timed obligations|
|· Not getting back into or staying in compliance|
|· Not knowing which obligations matter|
|· Not knowing your compliance status before it’s too late|
They will then establish appropriate measures to buy-down these risks which will include have these capabilities:
|· Access to a large selection of source documents|
|· Manage both internal and external obligations|
|· Automated review and tracking of obligation applicability|
|· Automatic extraction of obligations|
|· Automatic notification of changes to source documents|
|· Track all your obligations in one place|
|· Track compliance status|
|· Connect audits directly to obligations|
|· Access to a rich set of predefined checklists, protocols, and audits|
|· Manage all your audits in one place|
|· Track scheduled obligations|
|· Manage corrective and preventive actions|
|· Connect obligations to physical sites, assets, and processes|
|· Real-time reports|
Many organizations will continue to consider compliance ROI as minimal or non-existent. They will treat their compliance as an expense and a cost of doing business. As a result, they will continue to apply their valuable time to reducing the direct costs related to compliance.
However, Nimonik believes that organizations who truly wish to meet all their obligations will take a more comprehensive approach. They will see compliance efforts as an investment. As with any investment, there needs to be an expected return. An organization that views compliance as an investment should focus on improving compliance effectiveness to ensure mission success and not on simply reducing costs
Which approach do you think creates a better return? How will you evaluate your compliance ROI?
If you need compliance to produce a better return reach out to us at Nimonik. We offer comprehensive solutions to improve your compliance return on investment.
Contact us at firstname.lastname@example.org or at 1-888-608-7511