Michael Rasmussen, 25/01/23 19:23

Measuring the Cost of Non-Compliance

Integrity is everything to an organization. If I could rebrand the Chief Ethics and Compliance Officer (CECO) I would call it the Chief Integrity Officer, but we already have a CIO in the Chief Information Officer. Ethics and compliance done correctly is the bastion of corporate integrity and corporate ethical culture. That is what compliance and ethics truly is all about.

Too often compliance is not seen from this perspective. Compliance is approached tactically, as a series of checkboxes: if we check the boxes, we want our get-out-of-jail-free card. It is a tactical approach, not a strategic one. Alternatively, compliance is done as an afterthought, or is seen as the corporate police that is always getting in the way. This leads to greater compliance exposure, because compliance and ethics are not seen as a core part of how we do business. Too often it is approached with smoke and mirrors, with a focus on the bare minimum to get by, or by creating an outright fictitious compliance environment.

When it comes to compliance breaches and incidents, too often organizations fail to grasp the full financial impact of non-compliance. In my research and experience, you can break the cost of a compliance incident/breach into the following three areas (with others that I have not measured):

Fines and penalties = 40% of the cost of non-compliance. The actual fine or penalty is what we focus on; it draws our attention. Examples are Glencore’s recent (2022) $700 million fine for FCPA violations, or Goldman Sachs Group’s whopping $3.3 billion fine in 2020. This is what draws our attention, and we immediately tag that in our mind as the cost of non-compliance. But in my experience, the fine is only 40% of the cost, the first of three components.

Cost of investigation = 40% of the cost of non-compliance. What is not seen is the cost of investigating the compliance incident. Organizations can expect to pay an equal amount (sometimes less, sometimes more) on investigation costs. For example, Siemens in 2008 had the largest FCPA enforcement action at the time, with fines equaling $800 million. But Siemens also spent approximately $1 billion on investigation costs. Avon, which had a $135 million FCPA fine in 2014, spent $340 million on investigation costs. In the Avon case, the investigation cost was 252% of the fine.

Cost of monitoring = 20% of the cost of non-compliance. After fines/penalties and investigation costs comes the cost of fixing things and of ongoing reporting and monitoring. Many consent decrees, deferred prosecution agreements, non-prosecution agreements, and corporate integrity agreements require an independent monitor to come in and provide assurance on compliance over the course of years. There is a cost to this service, which I estimate to be the final 20% of the cost of non-compliance.

Using a hypothetical example, let’s say a company has a $100 million fine/penalty for non-compliance. It is reasonable to expect that the cost of investigation will be another $100 million. Then the cost of implementing a compliance program to correct processes, and of a compliance monitor to provide assurance over the next 10 years, can be another $40 million. So what on the surface looks to be a $100 million penalty really costs the company $240 million.

The model gives a sound picture of the cost of non-compliance, but in reality it does not measure everything. What is not included is the quantitative impact of opportunity cost, the hit on corporate culture and company morale, employee turnover, and other costs to the organization’s brand and reputation.

However, the best plan is not to have a compliance breach at all, or, if you do, to cooperate and provide thorough documentation from a system of record of all compliance activities and communications. Organizations that have a strong, defensible audit trail showing ongoing and continued compliance due diligence find that they can work with regulators and get past regulatory scrutiny more quickly, with minimal impact. This is why it is necessary to have a strong system of record for compliance documentation and activities in your organization.
