Compliance Is A Sentence, Not A Word

August 26, 2016


For many the word "compliance" represents the practice of following rules. These rules are generated externally and come as edicts from a monolithic regulatory body. As a result, the relationship between the regulator and the complying organization is seen as adversarial; someone is telling you what to do.

What happens when we change our perspective on this relationship? The digitized world of the 21st century has given rise to more threats. View the overseeing regulatory body as an ally. The nature of the relationship will change. It is no longer one of an onerous master, but rather one of a trusted advisor.

Compliance becomes a proactive approach to risk when we embrace this paradigm shift. However, the fact remains: compliance is expensive. The resources required are ample when committing to a holistic approach to risk management. This truth is evident in a 2015 Reuters survey. 600 compliance practitioners provided responses illustrating mounting costs and fatigue. The data reveals that "69 percent of respondents expect the cost of senior compliance professionals to increase in 2015." These costs are not just financial but operational as well. Compliance requires time. Again, the study confirms, "Regulatory matters are consuming disproportionate amounts of board time, from correcting non-compliance and preventing further sanctions to implementing structural changes to meet new rules." Risk management has become its own business.

While the goal of mitigating risk is paramount to the success of a business, we need ways to make it affordable. There are four principles to achieving this affordability.

Consider Compliance a Front-Loaded Cost  

Commit to compliance now and reap the benefits later. This is the essence of a front-loaded cost. When these costs are met upfront, they diminish the far greater future costs emanating from failures later. The statistics reported in The True Cost of Compliance, a report published by Ponemon Institute, reveal a sobering truth: the cost of non-compliance eclipses that of compliance. The findings show, "[W]hile the average cost of compliance for the organizations in our study is $3.5 million, the cost of non-compliance is much greater. The average cost of non-compliance related problems is nearly $9.4 million." These results come from their review of 46 multinational organizations.

Manage this with proper budgeting. When compliance is considered at the beginning of the process, there will be less resistance to shouldering the costs. Confronting the true cost will likely necessitate finding ways to cut costs in other areas. This is prioritizing. Make compliance one of your first budgeted figures. Arrive at the necessary bottom line figure by executing cuts elsewhere. Leaving this critical component of business to the end of the process will only result in dangerous constraints.

Leverage Security Capabilities to Manage Compliance Costs

Conscientious behavior carries no cost. This is the concept of employing best practices in security to arrive at a lower compliance cost. This doesn't necessarily mean spending more. Instead, this means behaving differently and approaching daily procedures with greater conscientiousness. Improve security within your corporation and the cost of a disaster falls.

Consider putting pen to paper and building a checklist. Standard operating procedures work when followed with routine. Why keep these steps tangible in written form? It prevents the inevitable drift from consistency. This alone is a risk. Author and surgeon Atul Gawande encapsulated this idea perfectly in his 2009 publication, The Checklist Manifesto. He writes, "[W]e are not built for discipline. We are built for novelty and excitement, not for careful attention to detail. Discipline is something we have to work at." Remain cognizant of this truth. Build a system of workflow that is designed to achieve consistency in best practices.

Abiding by a reasonable list of security protocols doesn't increase costs. This is also reflected in the Ponemon Institute findings. They explain, "We determined that the SES [Security Effectiveness Score] is unrelated to compliance costs." Decide what constitutes best practice in mitigating risk. Put these practices in writing. Require employees to make a regular record of their adherence to these processes.

Create a Culture Around Internal Audits

Become your own police. Ensure risk management by regularly conducting internal compliance audits. We practice fire drills. We drive cars with airbags. We can apply these same principles to risk in the workplace. Conducting internal audits is the broader application of the above concept of following standard operating procedures for the security of the organization.

This drill serves another critical purpose: weak points will become clear. Internal audits elucidate the unseen fissures in a company. No external consultant will understand the nuances of the organization more than those enmeshed in the daily workflow. Outsourcing has become a favorite business term. However, in compliance, outsourcing is not always the best answer. Empower your team with internal audits. This will have the added benefit of direct engagement learning. Employees will gain a better understanding of the importance of compliance by engaging in these audits.

The practice may not eliminate unforeseen problems, but it will lessen the impact. Additionally, it will better prepare employees to tackle the challenges of an event when they arise.

Don't Wait For The Axe To Come Down

Let the goal of a successful business drive your commitment to compliance. Don't wait for outside regulators to dictate how you conduct corporate affairs. If all companies could be trusted to employ best practices there would be no need for external overseers. Adopt the mindset of the proactive. Manage risk in all the areas you believe to be most pertinent before someone else requires you to do so. A reactive approach only creates unforeseen costs after the budgeting process.

In aggregate, these four concepts could be summarized as "forward thinking." The success of the business today is the result of all we did yesterday. A business doesn't succeed by the virtues of the moment but rather by the overarching ethos driving the future. Mandated compliance rules are designed for the masses and may not address the most salient aspects of your particular business. Many of these concepts can be enacted immediately with little or no cost. The greatest tool in realizing these four recommendations is communication.


Elisabeth Miller

Milava Consulting

Telephone: (844) 464-5282


Elisabeth is a Managing Partner at Milava where she designs operations, technology, and marketing strategies to help financial firms run more efficiently. Milava is a consulting and outsourced services firm that specializes in providing practical strategies to help financial advisors run more effective businesses. With intelligent tools, Milava helps advisors grow successful firms in less time and with less effort. Elisabeth's expertise includes brand development, marketing execution, infrastructure design, process improvement, and technology integrations for financial advisory firms.

Elisabeth has provided marketing guidance for the development of a range of financial services firms, including large broker-dealers and independent RIAs. Her daily practice of speaking to a number of investment advisors gives her a unique perspective to help clients implement tactics that the best performing firms are utilizing. She closely aligns herself as a partner to each of Milava's clients to better understand their businesses and deliver custom fit solutions.  

Before joining Milava, Elisabeth focused on marketing strategy at Dimensional. During her time at the firm, Elisabeth led initiatives across financial services reporting, performance analytics, and marketing. Elisabeth received a BBA in Finance from Texas A&M University and holds the CIPM designation from the CFA Institute.

NOTE: The views expressed in this Guest Blog are those of the author and do not necessarily reflect those of Blog.