Compliance costs remain a sore point for corporate executives, but consultants say the whirlwind of regulations surrounding businesses these days means skimping on compliance could end up costing a lot if regulators catch you out.

A recent survey of more than 275 C-suite executives and directors conducted by Protiviti and North Carolina State University’s ERM Initiative found that the combination of regulatory change and heightened regulatory scrutiny was the number one risk for corporate executives, for the third year in a row.

“Whatever one believes about the cost of regulation, it is without a doubt top-of-mind for C-level executives,” said Jim DeLoach, a managing director at consultancy Protiviti.

Susan Markel, a managing director in the Washington office of AlixPartners, said that compliance costs are increasing, in part reflecting the impact of the SEC whistleblower program mandated by the Dodd-Frank Act.

Now that employees can blow the whistle on company misconduct and profit from it, companies “have to be prepared that something might go to a regulator sooner,” said Markel. “They’re having to build controls that can help them to prevent potential misconduct or fraudulent activity beforehand.”

More companies are appointing compliance officers, she added, and when the new compliance officers start work, “they may come in and say I need x, y, and z, because those were areas that may not have been considered before.

“Controls do matter, probably more than they ever have in the eyes of the government,” she said. “Companies do have to spend on controls to meet the growing demands of compliance.”

DeLoach said compliance costs were driven by “the proliferation of regulations,” ranging from anti-corruption laws to the post-financial-crisis emphasis on consumer protection and the IT security and privacy issues affecting all industries these days.


FEI Survey

Although executives complain about compliance costs, data differ on whether costs are stabilizing or continuing to mount.

Financial Executives International’s 2014 benchmarking survey showed that 51% of the U.S. executives surveyed felt the cost of compliance was fairly steady, while 48% felt it was rising. But Tom Thompson, a senior research associate at the Financial Executives Research Foundation, noted that a breakdown of the responses by company revenue showed that “as the revenue range went up in value, the idea that the cost was rising went up as well.”

Among executives at companies whose revenue ranged from $1 billion to $5 billion, 58% thought compliance costs were rising, Thompson said, although that portion fell to 48% among executives from companies with revenues above $5 billion.

Companies are facing not only dollar costs, but “the cost in time as well,” he said. “The time they’re spending responding to and monitoring these regulations is increasing.”

Ronnie Kann, CEBRonnie Kann, managing director of legal risk and compliance at consultancy CEB, said that while financial firms and insurers have seen compliance costs go higher, CEB’s research shows compliance spending overall has been stable over the past five years.

“A lot of the pressure of the regulatory environment is borne by how the compliance department gets its work done,” said Kann, pictured at left. “The compliance departments have become much more innovative—it’s not necessarily by adding additional resources but by scaling the resources they have.”

He suggested that companies that are trying to make the most of their compliance spending start with “a very effective risk assessment, to really understand what are the areas that need to be addressed. The better you understand the risks your organization is facing, the better you can target and allocate your resources.”

One way that some companies scale the compliance function is by creating a liaison team of line managers in the business units who perform some of the compliance tasks, Kann said. “For example, they might run training sessions or make sure that people understand how to properly escalate concerns or make sure they complete their training on time.”

The use of technology is another approach. “Those technologies that allow organizations to better sift through their data, whether that’s their hotline calls or expense approval processes or other activities, to look for red flags or anomalies in how people are behaving—that can give them a good sense of what their risks might be or how their risks are changing,” Kann said.


Fragmented Control Environment

Jim DeLoach, ProvitiviDeLoach, pictured at right, said that as compliance has evolved over time in response to new regulations, companies added new procedures and policies in an ad hoc fashion. “So you end up having a fragmented control environment, a proliferation of operating silos, and fragmented reporting,” he said.

“I’m not a fan of cavalierly slicing compliance costs without regard for the risks of noncompliance, because the risk of noncompliance can be very significant,” he said. “The point is, how can we streamline compliance to where we make our focus on compliance more cost-effective and more efficient.”

DeLoach recommends that companies adopt a compliance model that includes a lean central unit and empowers the company’s regional operations.

“The operating model is extremely important,” he said. “You want to drive the accountability for compliance down to the lowest level.”

Governance, risk, and compliance (GRC) software can help big companies manage their compliance efforts by helping find “gaps and overlaps in ownership of control responsibility,” DeLoach said.

A gap might be an internal control activity that’s missing or a risk issue that no one owns, while an overlap is an issue that’s owned by multiple people.

“Overlaps are expensive,” he said. “They’re also not terribly effective. Technology, whether it’s a platform solution or a point solution, can facilitate the identification of missing and duplicative internal controls and assurance activities to fill the gaps and minimize the overlaps and make sure there are clear lines in terms of who’s responsible for what.”