Compliance costs remain a sore point for corporateexecutives, but consultants say the whirlwind of regulationssurrounding businesses these days means skimping on compliancecould end up costing a lot if regulators catch you out.

A recent survey of more than 275 C-suite executives anddirectors conducted by Protiviti and North Carolina StateUniversity's ERM Initiative found that the combination ofregulatory change and heightened regulatory scrutiny was the numberone risk for corporate executives, for the third year in a row.

“Whatever one believes about the cost of regulation, it iswithout a doubt top-of-mind for C-level executives,” said JimDeLoach, a managing director at consultancy Protiviti.

Susan Markel, a managing director in the Washington office ofAlixPartners, said that compliance costs are increasing, in partreflecting the impact of the SEC whistleblower program mandated bythe Dodd-Frank Act.

Now that employees can blow the whistle on company misconductand profit from it, companies “have to be prepared that somethingmight go to a regulator sooner,” said Markel. “They're having tobuild controls that can help them to prevent potential misconductor fraudulent activity beforehand.”

More companies are appointing compliance officers, she added,and when the new compliance officers start work, “they may come inand say I need x, y, and z, because those were areas that may nothave been considered before.

“Controls do matter, probably more than they ever have in theeyes of the government,” she said. “Companies do have to spend oncontrols to meet the growing demands of compliance.”

DeLoach said compliance costs were driven by “the proliferationof regulations,” ranging from anti-corruption laws to thepost-financial-crisis emphasis on consumer protection and the ITsecurity and privacy issues affecting all industries thesedays.

|

FEI Survey

Although executives complain about compliance costs, data differon whether costs are stabilizing or continuing to mount.

Financial Executives International's 2014 benchmarking surveyshowed that 51% of the U.S. executives surveyed felt the cost ofcompliance was fairly steady, while 48% felt it was rising. But TomThompson, a senior research associate at the Financial ExecutivesResearch Foundation, noted that a breakdown of the responses bycompany revenue showed that “as the revenue range went up in value,the idea that the cost was rising went up as well.”

Among executives at companies whose revenue ranged from $1billion to $5 billion, 58% thought compliance costs were rising,Thompson said, although that portion fell to 48% among executivesfrom companies with revenues above $5 billion.

Companies are facing not only dollar costs, but “the cost intime as well,” he said. “The time they're spending responding toand monitoring these regulations is increasing.”

Ronnie Kann, managing director of legalrisk and compliance at consultancy CEB, said that while financialfirms and insurers have seen compliance costs go higher, CEB'sresearch shows compliance spending overall has been stable over thepast five years.

“A lot of the pressure of the regulatory environment is borne byhow the compliance department gets its work done,” said Kann,pictured at left. “The compliance departments have become much moreinnovative—it's not necessarily by adding additional resources butby scaling the resources they have.”

He suggested that companies that are trying to make the most oftheir compliance spending start with “a very effective riskassessment, to really understand what are the areas that need to beaddressed. The better you understand the risks your organization isfacing, the better you can target and allocate your resources.”

One way that some companies scale the compliance function is bycreating a liaison team of line managers in the business units whoperform some of the compliance tasks, Kann said. “For example, theymight run training sessions or make sure that people understand howto properly escalate concerns or make sure they complete theirtraining on time.”

The use of technology is another approach. “Those technologiesthat allow organizations to better sift through their data, whetherthat's their hotline calls or expense approval processes or otheractivities, to look for red flags or anomalies in how people arebehaving—that can give them a good sense of what their risks mightbe or how their risks are changing,” Kann said.

|

Fragmented Control Environment

DeLoach, pictured at right, saidthat as compliance has evolved over time in response to newregulations, companies added new procedures and policies in an adhoc fashion. “So you end up having a fragmented controlenvironment, a proliferation of operating silos, and fragmentedreporting,” he said.

“I'm not a fan of cavalierly slicing compliance costs withoutregard for the risks of noncompliance, because the risk ofnoncompliance can be very significant,” he said. “The point is, howcan we streamline compliance to where we make our focus oncompliance more cost-effective and more efficient.”

DeLoach recommends that companies adopt a compliance model thatincludes a lean central unit and empowers the company's regionaloperations.

“The operating model is extremely important,” he said. “You wantto drive the accountability for compliance down to the lowestlevel.”

Governance, risk, and compliance (GRC) software can help bigcompanies manage their compliance efforts by helping find “gaps andoverlaps in ownership of control responsibility,” DeLoach said.

A gap might be an internal control activity that's missing or arisk issue that no one owns, while an overlap is an issue that'sowned by multiple people.

“Overlaps are expensive,” he said. “They're also not terriblyeffective. Technology, whether it's a platform solution or a pointsolution, can facilitate the identification of missing andduplicative internal controls and assurance activities to fill thegaps and minimize the overlaps and make sure there are clear linesin terms of who's responsible for what.”