
Total Cost of Compliance (TCC)?

Conversations about the missteps of highly compensated fast-moving corporate executives have become cliché. Late night talk show hosts and “Gen Y” constituents have made references to corporate swindling part of their parlance. As we remain astonished by the audacity of these miscreants, we are hit with a harsher reality: The dastardly deeds committed by these personalities have resulted in legislation and subsequent regulation to make our corporate lives—a little less fun.

We are, generally, a responsive society. In order to alleviate anxiety caused by upheaval, we respond rapidly and deliberately. To ease investors’ concern over fraudulent accounting practices and general mismanagement, our governmental representatives have introduced compliance-oriented measures for many of our nation’s companies. These measures have become looming risk management clouds for your CFOs, CIOs and CEOs. They fear the punitive measures associated with non-compliance. Additionally, an undue burden has been placed on your operating managers to institute processes, technology and employee training to ensure compliance. There is no better way to put the “un” in “fun.”

The topic of this paper is not “How to Develop Corporate Strategies for Sarbanes-Oxley.” Strategies to best apply today’s knowledge- or records-management solutions toward a “proactive” corporate regulatory compliance initiative will be left to other experts.

Instead, this paper will focus on a concept called Total Cost of Compliance (TCC). We will explore the operational impact of compliance measures on your organization. The impact of proactive as well as reactive compliance measures and the cost of non-compliance in both scenarios will also be discussed.

Proactive Compliance = Predictable Compliance

Much noise has been made about the impact of compliance mandates such as Sarbanes-Oxley, even more about how to interpret and integrate them into business practice. In spite of their vigor, you have undoubtedly questioned the clarity of these mandates’ “terms and conditions.” However, Sarbanes-Oxley does specifically outline the expectations government regulators have for corporate behavior. With this, your compliance officer can now put a plan in place that enables adherence to the standard. The processes and costs associated with implementing and maintaining such a (proactive) compliance plan are relatively predictable.

Recent reinterpretations of the SEC Act of 1934 targeting data retention policies clearly articulate the processes and procedures that your company must employ to align with these regulations. Again, the cost associated with these types of initiatives is relatively transparent. The penalties associated with non-compliance are also well documented. With this in place, you can now develop an ROI and begin to implement a corporate-wide, “proactive” compliance solution to address Sarbanes-Oxley, or any other regulatory mandate.

The cost impact of proactive compliance (or non-compliance) has become relatively predictable.

Reactive Compliance

The reality is that compliance goes beyond these “relatively well-defined and predictable” mandates. This is not meant to trivialize the effort associated with these corporate initiatives. They can be wicked complicated and in most cases require substantial business re-engineering. The requirements are often foreign to those tasked with implementation. The overhead can be burdensome, and the costs significant. Even if you follow the letter of the law, your company’s position as it relates to compliance is in the “eye of the beholder,” since anyone can call it into question. However, ultimately, compliance with these “known” mandates is a (relatively) predictable process with predictable costs.

A large portion of the costs associated with compliance (or non-compliance for some) has to do with components of your business that are not predictable or well defined. These components have been around long before Sarbanes-Oxley, and will remain even after numerous reinterpretations have been authored.

If your business operates in a highly regulated sector, litigation or government investigation is a constant presence. These events, or rather your response to them, quickly become the largest cost component associated with compliance. These events create a “reactionary” environment that disrupts your business and causes your organization to focus on resolving issues otherwise unrelated to normal business operations. This is the world of “reactive compliance.”

Reactive Compliance = Unpredictable Compliance

In the midst of a quarterly strategic planning session your general counsel enters the room. It seems an intellectual property infringement claim has been brought against the company by a competitor. As a demonstration of your competitor’s intent to pursue the claim, computer forensic experts will arrive in 48 hours with a court order to begin examination of many computers, including yours. All electronic correspondence related to the technology in question, from all related employees, will be collected, reviewed and delivered to the lawyers filing the suit. Moreover, a preservation order has also been delivered that requires your IT department to immediately cease the OS upgrade critical to your company’s next product release—so that all systems will remain “as is.”

This scenario, although hypothetical, could be an actual account from many Fortune 1000 companies. In this scenario, the introduction of the lawsuit was not predictable (or at least the timing was uncertain), and the scope of activities involved in complying with the “requests” was even less predictable. As a result, the process burden and, therefore, the cost burden on your organization is extremely unpredictable.

Total Cost of Compliance (TCC)

So, what is the point of the examples above? Aside from demonstrating the difference between compliance activities that are predictable and activities that are unpredictable, it is important to understand the entire organizational impact of compliance. Since profitability is “top of mind” for corporations, the impact of compliance is best measured by its impact on organizational costs—or the expense line of the income statement. The formulas in Figure 1 (reproduced at the end of this article) outline the elements contained in a Total Cost of Compliance (TCC) and a Total Cost of Non-Compliance (TCnC) calculation:

Let’s break down each formula into its “colloquial” components. The TCC formula says that the Total Cost of compliance is the sum of:

  • the proactive compliance (p) programs’ technology (software/hardware/IT enabled services) and people (employees and contractors) cost; plus
  • the reactive compliance (r) technology (software/hardware/IT enabled services) and people (employees and contractors) cost; and
  • the opportunity cost associated with re-focusing mission-critical staff on short turnaround time, unpredictable initiatives at the expense of already planned initiatives.

The TCnC formula is equally straightforward. This is the sum of:

  • the civil and/or criminal penalties that can be imposed if a company does not comply with proactive (p) mandates; plus
  • the reactive (r) civil penalties associated with not complying with a discovery request (1) and the larger cost/risk associated with potentially compromising your company’s position to defend itself in a lawsuit.

Predictability sometimes leads to disobedience

In the case of proactive compliance, some organizations choose to disobey the compliance mandates. Why? It is not because they are habitually disobedient. Rather, the costs associated with non-compliance are predictable. There are organizations that weigh the risks of being non-compliant against the (known) costs of compliance and choose to incur the costs of non-compliance. Also, there is a sense that the compliance-happy environment will disappear once the equity markets and investor confidence rise to higher levels. Other organizations are resource constrained, unaware, or believe that the worst will never happen to them. Why not just wait it out and incur known costs without organizational upheaval?

A reactive environment is usually created by a lawsuit or claim against your company, or as a result of an investigation from a regulatory body, such as the federal government. In cases like this, the cost of non-compliance could be a civil penalty or worse, the loss of a lawsuit which could potentially be a “bet the company” scenario. Increasingly, there are impacts to stock prices when correct information is not forthcoming, causing a publicity crisis. Non-compliance is usually not an option in a reactive environment. As a result, the operational costs associated with reactive compliance are unpredictable, but inevitable.

Inevitable costs—Data Collection

In the event of a discovery request, your IT organization is immediately impacted. The discovery request will contain demands for information pertaining to timeframes, people, and topics. Your general counsel, with the assistance from your external law firm, will launch portions of this request into the various organizations affected. In the case of a discovery request associated with electronic information, your IT organization is tasked with locating and aggregating the relevant information. This phase is what is referred to as data collection.

For those who are not well versed in the dynamics of a large IT infrastructure, this is no small feat. Even if you have deployed a knowledge management and data retention system, you will learn that only a subset of the relevant data resides there. Much more resides “live” on the network and on individual computers, while still more is stored on backup tapes. The process of aggregating electronic information in response to a discovery request resembles nothing that your IT team deploys on a typical day. The process requires a scalpel-type technique, as data preservation (don’t throw the stuff away) and non-spoliation (don’t tamper with the stuff) rules mandate specific procedures to be followed. Lack of adherence to these processes can translate to immediate penalties, loss of good faith with the decision maker in the matter, or worse.

For this reason, you may choose to outsource data collection. Alternatively, you may train and deploy your own IT department. In the former scenario, the costs of external resources are significant. In the latter, the opportunity cost of re-focusing your in-house team is significant.

TCC and TCnC are about perspective

Total cost of compliance and total cost of non-compliance are concepts that are meant to provide perspective. It is not the intent of this paper to suggest that you embark on a quantitative exercise to calculate your precise TCC and TCnC and make decisions to comply (or not) on the basis of the results.

Rather, the purpose of this paper is to highlight the fact that organizational costs incurred in a reactive compliance situation are unpredictable yet inevitable. In addition, organizations often ignore these costs because the “cost of a lawsuit” is viewed primarily as the legal expenses related to the defense of the suit. Furthermore, courts have not made a habit of asking the requesting party to fund the costs of producing active data, because, by and large, it is assumed that the data requested is easily accessible. Perhaps, but access does not translate to ease of extraction. As a result, for the foreseeable future, you will incur significant costs to comply with a reactive compliance request. The key is to know what your costs are so that you can proactively manage them.

Figure 1:

TCC = (pTechnology + pPeople) + (rTechnology + rPeople + rOpportunityCost)

TCnC = (pnCCivilPenalties + pnCCriminalPenalties) + (rnCCivilPenalties + rnCLitigationExposure)

(1) A request for information from the opposition to enable “discovery” of “what happened.”


Fios provides IT enabled services to simplify electronic discovery and reduce the operational cost of reactive compliance.
