Every ethics and compliance professional confronts the (mis)perception that compliance is bad for business, a fuzzy function that sucks up precious resources without providing any clear financial value. Compliance executives can convert detractors into supporters by demonstrating a positive return on investment (ROI).
Here are five practical ways to calculate ROI on compliance.
Engage key business leaders
Assessing ROI first requires the active engagement of business personnel. Begin with company leaders who already acknowledge that compliance generates some value and ask them to quantify the value of the organization’s professional reputation.
Approaching them in this way will immediately stimulate a shift in mindset towards the business value of compliance.
Rather than trying to develop a single, comprehensive ROI metric for an entire compliance function, start with the most pressing and significant risks. Then identify and quantify potential returns and investment for each one of them
Assign a financial value to qualitative costs and benefits
ROI is a ratio that compares benefit (“return”) to cost (“investment”). The formula typically applies to pursuing new business opportunities (e.g., new product or service, acquisition of a competitor, purchase of stock).
Compliance ROI, by contrast, considers risk and is more analogous to insurance. Companies and individuals purchase insurance to protect against all sorts of risks. The insurance analogy, however, only goes so far. Insurance “shares” the risk; compliance typically “reduces” the risk.
But getting executives to accept the cost of reducing the risk can be challenging. Compliance professionals must overcome an “it won’t happen to me” attitude. Business people also minimize compliance risk, in part, because quantifying the value of avoiding risk (e.g., avoiding fines and penalties) is not straightforward.
Compliance “return” comprises quantitative and qualitative elements. Quantifiable returns include increased earnings and cost savings. Qualitative benefits include brand value, professional reputation and the ability to pursue new business opportunities.
Qualitative, however, does not mean unquantifiable. Companies routinely valuate intangible assets (e.g., patents and trademarks). Similarly, management can assign financial values to qualitative costs and benefits of mitigating compliance risk, such as protecting professional reputation.
Compliance “investment” also comprises quantitative and qualitative elements. Quantitative investments include the salary of compliance officers, additional resources to perform controls and investments in technology. Qualitative costs or investments include, for example, business opportunities lost because of too much perceived risk.
Compliance leaders need to engage the first line of defense to quantify costs and benefits of compliance from business leaders’ individual perspectives. It is one thing to consider compliance risk in the abstract, it is quite another to ask individuals to assign a financial value (e.g., financial value of their professional reputation, financial impact on their careers if the organization suffers a compliance failure).
Evaluate ROI risk-by-risk
Some compliance departments seek to apply ROI to the compliance function as a whole. These assessments can be useful during annual budget setting and to gain additional (or not lose existing) resources. They typically rely, however, on metrics that do not easily translate to ROI.
If your organization’s compliance program is mature enough to consider ROI, it likely will have already performed a robust risk assessment of the probability and impact of fraud and other compliance breaches.
Rather than trying to develop a single, comprehensive ROI metric for an entire compliance function, start with the most pressing and significant risks. Then work hand-in-hand with business personnel to identify and quantify potential returns and investment for each one of them.
Establish benchmarks and track progress
Define the markers by which you will measure “return” and “investment.” How do you quantify whether the compliance program is yielding tangible and intangible benefits? Specifying what success looks like and tracking progress against those benchmarks are crucial elements in the process.
Some risks will undoubtedly yield a negative ROI on compliance. The exercise nonetheless is useful for business, legal and compliance personnel
To do this well you should focus on the following steps:
Make sure you know your audience and areas of interest. Proactively anticipating these areas of focus will prove more successful than trying to recreate them after the fact.
Employ positive benchmarks whenever possible. For example, the Chief Financial Crimes Compliance Officer at one global firm reports on the number of successful regulatory inspections.
Inspectors General, which are akin to compliance departments, calculate ROI as a ratio of rewards recovered to agency costs. A Brookings Institution study reported more than a 13.4 ROI over the period 2010-2014 for Federal IGs.
Consider both direct and indirect benchmarks. Case in point: Some years ago, a multinational financial services firm deployed compliance experts to underperforming business units.
The business units had not reported any misconduct, yet executive management reasoned that something must be amiss and measured the success of the program by comparing business results before and after the deployment of the compliance teams. The result was an outstanding 15:1 ROI.
Use technology to automate collection and tracking of benchmarks. Then employ data analytics to slice and dice the results. Once you determine how you will collect the data and which pieces of information are most crucial to collect, establish a dashboard to measure progress.
You will then have significant data points to communicate the value of compliance efforts across the organization.
Forensic auditors, data analytics experts, and compliance risks and controls experts can help compliance officers to identify potential data sources, develop analytics procedures and employ statistical packages to categorize and design rational scoring methodologies to grade results.
Develop Plan B
Some risks will undoubtedly yield a negative ROI on compliance. The exercise nonetheless is useful for business, legal and compliance personnel.
Even if negative, ROI on compliance will assist first-line-of-defense risk takers and owners to develop a risk response based on the likelihood of occurrence, detection and potential losses.
The second line of defense can use the assessment to refine preventive and detective controls against the probability and impact of the risks.
If you were to visit a factory and ask the plant manager how its safety program would be affected if the government abolished safety laws, chances are no or few changes would be made, as manufacturers largely accept that safety compliance is good for business.
Can the same be said for your compliance program?
Just as humans release antibodies to fight disease, corporations innately battle any perceived impediments to profit. If developed in conjunction with business personnel, ROI on compliance can go a long way in shifting the negative perception of the function.
About the Author
Jonny Frank founded and leads the New York office and Compliance Controls & Monitoring practice of StoneTurn, a forensic accounting, corporate compliance and expert services firm. This article was made available by Dow Jones Risk & Compliance.